fix(deploy): auth/CSRF cookies dropped on plain-HTTP prod
CI / Playwright (smoke) (push) Has been skipped
CI / Lint · Typecheck · Test · Build (push) Successful in 44s
CI / Build & push images (push) Successful in 1m8s

Every cookie was flagged Secure whenever NODE_ENV=production. Over
plain HTTP (single-host compose deploy without TLS) browsers silently
discard Secure cookies, so the access token, refresh token, and CSRF
cookie all vanished after login — producing 401 Unauthorized on every
GET and 403 "CSRF token missing or invalid" on every mutation.

Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to
NODE_ENV === 'production' when unset. Controllers and middleware now
read env.COOKIE_SECURE instead of the NODE_ENV shortcut. The compose
file sets it to false by default with a comment to flip once TLS is in
front; HTTPS deployments can override via .env or drop the override to
pick up the secure default.
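Added example (not the project's code, and not the actual ApiEnv schema, which is not shown here): how the optional COOKIE_SECURE flag described above resolves from raw environment strings, why `??` rather than `||` is needed so an explicit `false` survives a production build, and a startup check for the "compose default is false until TLS is in front" case. `parseOptionalBoolean`, `resolveCookieEnv`, `authCookieOptions` and `insecureProductionWarning` are hypothetical helpers; the sample environments are constructed.

```typescript
// Added example, not the project's code. Assumes env vars arrive as raw
// strings (as they do from a compose file or .env) and nothing about the
// project's real validation library.

interface ResolvedCookieEnv {
  NODE_ENV: string;
  COOKIE_SECURE: boolean;
}

// Environment variables are strings, so COOKIE_SECURE=false must become the
// boolean false rather than a truthy non-empty string. Unset (or blank) stays
// undefined so the NODE_ENV fallback can apply; anything else is a config error.
function parseOptionalBoolean(raw: string | undefined): boolean | undefined {
  if (raw === undefined || raw.trim() === '') return undefined;
  const v = raw.trim().toLowerCase();
  if (v === 'true' || v === '1') return true;
  if (v === 'false' || v === '0') return false;
  throw new Error(`COOKIE_SECURE must be true or false, got ${JSON.stringify(raw)}`);
}

// Mirrors the commit's rule: explicit value wins, otherwise Secure iff production.
function resolveCookieEnv(raw: Record<string, string | undefined>): ResolvedCookieEnv {
  const NODE_ENV = raw.NODE_ENV ?? 'development';
  const explicit = parseOptionalBoolean(raw.COOKIE_SECURE);
  // `??` not `||`: with `||` an explicit false would be discarded and a
  // production build would set Secure again, reproducing the original bug.
  const COOKIE_SECURE = explicit ?? (NODE_ENV === 'production');
  return { NODE_ENV, COOKIE_SECURE };
}

// Hypothetical cookie-options helper in the shape Express/cookie libraries
// take; the point is that `secure` comes from the resolved env, not NODE_ENV.
function authCookieOptions(env: ResolvedCookieEnv) {
  return { httpOnly: true, sameSite: 'lax' as const, secure: env.COOKIE_SECURE, path: '/' };
}

// Startup check for the plain-HTTP production case: returns a warning string
// so a deployment that later gains TLS and forgets to flip the flag is visible
// in the logs rather than silently shipping non-Secure auth cookies.
function insecureProductionWarning(env: ResolvedCookieEnv): string | null {
  if (env.NODE_ENV === 'production' && !env.COOKIE_SECURE) {
    return 'COOKIE_SECURE=false in production: auth/CSRF cookies will be sent over plain HTTP; set it to true once TLS terminates in front';
  }
  return null;
}

// Constructed sample environments (not real deployment values).
const plainHttpCompose = resolveCookieEnv({ NODE_ENV: 'production', COOKIE_SECURE: 'false' });
const httpsDeploy = resolveCookieEnv({ NODE_ENV: 'production' });
const localDev = resolveCookieEnv({ NODE_ENV: 'development' });

console.log(authCookieOptions(plainHttpCompose), insecureProductionWarning(plainHttpCompose));
console.log(authCookieOptions(httpsDeploy), insecureProductionWarning(httpsDeploy));
console.log(authCookieOptions(localDev), insecureProductionWarning(localDev));
```

The strict parser is deliberate: a typo such as `COOKIE_SECURE=fasle` should fail at boot rather than fall through to the production default and reintroduce the dropped-cookie login loop.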
2026-04-17 08:31:12 -04:00
parent a89cc36489
commit 23bd0f0c6a
5 changed files with 15 additions and 4 deletions
+4 -1
@@ -11,4 +11,7 @@ if (!parsed.success) {
process.exit(1);
}
export const env = parsed.data;
export const env = {
...parsed.data,
COOKIE_SECURE: parsed.data.COOKIE_SECURE ?? parsed.data.NODE_ENV === 'production',
};
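Review bot: `parsed.data.COOKIE_SECURE ?? parsed.data.NODE_ENV === 'production'` depends on `??` binding more loosely than `===`; that parses as intended, but it reads ambiguously, so consider writing it as `parsed.data.COOKIE_SECURE ?? (parsed.data.NODE_ENV === 'production')`. Using `??` rather than `||` is the right choice here, since the compose default is an explicit `false` on a production build and `||` would discard it. Given that default is meant to be flipped once TLS is in front, this is also the natural place to emit a startup warning when NODE_ENV is 'production' and the resolved COOKIE_SECURE is false, so an HTTPS deployment that forgets to drop the override does not keep issuing non-Secure auth and CSRF cookies unnoticed.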