fix(deploy): auth/CSRF cookies dropped on plain-HTTP prod

Every cookie was flagged Secure whenever NODE_ENV=production. Over plain HTTP (single-host compose deploy without TLS) browsers silently discard Secure cookies, so the access token, refresh token, and CSRF cookie all vanished after login — producing 401 Unauthorized on every GET and 403 "CSRF token missing or invalid" on every mutation. Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to NODE_ENV === 'production' when unset. Controllers and middleware now read env.COOKIE_SECURE instead of the NODE_ENV shortcut. The compose file sets it to false by default with a comment to flip once TLS is in front; HTTPS deployments can override via .env or drop the override to pick up the secure default.
2026-04-17 08:31:12 -04:00
parent a89cc36489
commit 23bd0f0c6a
5 changed files with 15 additions and 4 deletions
@@ -27,6 +27,9 @@ services:
      DATABASE_URL: file:/data/vector.db
      JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required — see .env.example}
      CLIENT_ORIGIN: ${CLIENT_ORIGIN:-http://localhost:8080}
+      # Browsers drop Secure cookies over plain HTTP. Flip to "true" once
+      # this deployment sits behind TLS (reverse proxy, Cloudflare, etc).
+      COOKIE_SECURE: ${COOKIE_SECURE:-false}
    volumes:
      - vector-data:/data
    healthcheck: