fix(deploy): auth/CSRF cookies dropped on plain-HTTP prod
Every cookie was flagged Secure whenever NODE_ENV=production. Over plain HTTP (single-host compose deploy without TLS) browsers silently discard Secure cookies, so the access token, refresh token, and CSRF cookie all vanished after login — producing 401 Unauthorized on every GET and 403 "CSRF token missing or invalid" on every mutation.

Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to NODE_ENV === 'production' when unset. Controllers and middleware now read env.COOKIE_SECURE instead of the NODE_ENV shortcut.

The compose file sets it to false by default with a comment to flip once TLS is in front; HTTPS deployments can override via .env or drop the override to pick up the secure default.
@@ -13,5 +13,10 @@ export const ApiEnv = z.object({
|
||||
message: 'JWT_SECRET still matches the default placeholder — generate a real secret',
|
||||
}),
|
||||
CLIENT_ORIGIN: z.string().url().default('http://localhost:5173'),
|
||||
// Whether to mark auth + CSRF cookies Secure. Must be false for plain-HTTP
|
||||
// deployments (browsers silently drop Secure cookies over http://). Leave
|
||||
// unset to fall back to NODE_ENV === 'production'.
|
||||
COOKIE_SECURE: z
|
||||
.preprocess((v) => (typeof v === 'string' ? v === 'true' : v), z.boolean().optional()),
|
||||
});
|
||||
export type ApiEnv = z.infer<typeof ApiEnv>;
|
||||
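Review bot: the `COOKIE_SECURE` preprocess fails open on anything that is not the exact string `true`. With `v === 'true'`, an empty value (`COOKIE_SECURE=` in .env), `TRUE`, `1`, or a typo all become `false`, so a production HTTPS deployment can lose the Secure flag on auth and CSRF cookies without any validation error, and the empty-string case never reaches the NODE_ENV fallback the comment promises. Suggest mapping `''` to `undefined`, accepting only `'true'` and `'false'`, and rejecting every other string so a bad value stops startup instead of weakening the cookies. Separately, the schema leaves the field as `z.boolean().optional()`, so the `NODE_ENV === 'production'` fallback is not applied here and must be repeated wherever `env.COOKIE_SECURE` is read; resolving the default once at parse time would give consumers a plain boolean and remove the chance that one call site treats `undefined` as falsy.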