josh/Vector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(deploy): auth/CSRF cookies dropped on plain-HTTP prod
CI / Playwright (smoke) (push) Has been skipped
Details
CI / Lint · Typecheck · Test · Build (push) Successful in 44s
Details
CI / Build & push images (push) Successful in 1m8s
Details

Browse Source 
Every cookie was flagged Secure whenever NODE_ENV=production. Over
plain HTTP (single-host compose deploy without TLS) browsers silently
discard Secure cookies, so the access token, refresh token, and CSRF
cookie all vanished after login — producing 401 Unauthorized on every
GET and 403 "CSRF token missing or invalid" on every mutation.

Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to
NODE_ENV === 'production' when unset. Controllers and middleware now
read env.COOKIE_SECURE instead of the NODE_ENV shortcut. The compose
file sets it to false by default with a comment to flip once TLS is in
front; HTTPS deployments can override via .env or drop the override to
pick up the secure default.
This commit is contained in:
Josh Wright
2026-04-17 08:31:12 -04:00
parent a89cc36489
commit 23bd0f0c6a
5 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/controllers/auth.ts
+2 -2
View File
@@ -9,7 +9,7 @@ import { errors } from '../lib/http-error.js';
const accessCookieOpts: CookieOptions = {
httpOnly: true,
sameSite: 'lax',
secure: env.NODE_ENV === 'production',
secure: env.COOKIE_SECURE,
path: '/',
maxAge: authService.ACCESS_TOKEN_TTL_MS,
};
@@ -17,7 +17,7 @@ const accessCookieOpts: CookieOptions = {
const refreshCookieOpts: CookieOptions = {
httpOnly: true,
sameSite: 'lax',
secure: env.NODE_ENV === 'production',
secure: env.COOKIE_SECURE,
path: '/api/auth',
maxAge: authService.REFRESH_TOKEN_TTL_MS,
};
apps/api/src/env.ts
+4 -1
View File
@@ -11,4 +11,7 @@ if (!parsed.success) {
process.exit(1);
}
export const env = parsed.data;
export const env = {
...parsed.data,
COOKIE_SECURE: parsed.data.COOKIE_SECURE ?? parsed.data.NODE_ENV === 'production',
};
apps/api/src/middleware/csrf.ts
+1 -1
View File
@@ -12,7 +12,7 @@ export function issueCsrfToken(res: Response): string {
const opts: CookieOptions = {
httpOnly: false,
sameSite: 'lax',
secure: env.NODE_ENV === 'production',
secure: env.COOKIE_SECURE,
path: '/',
};
res.cookie(CSRF_COOKIE, token, opts);
docker-compose.yml
+3
View File
@@ -27,6 +27,9 @@ services:
DATABASE_URL: file:/data/vector.db
JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required — see .env.example}
CLIENT_ORIGIN: ${CLIENT_ORIGIN:-http://localhost:8080}
# Browsers drop Secure cookies over plain HTTP. Flip to "true" once
# this deployment sits behind TLS (reverse proxy, Cloudflare, etc).
COOKIE_SECURE: ${COOKIE_SECURE:-false}
volumes:
- vector-data:/data
healthcheck:
packages/shared/src/env.ts
+5
View File
@@ -13,5 +13,10 @@ export const ApiEnv = z.object({
message: 'JWT_SECRET still matches the default placeholder — generate a real secret',
}),
CLIENT_ORIGIN: z.string().url().default('http://localhost:5173'),
// Whether to mark auth + CSRF cookies Secure. Must be false for plain-HTTP
// deployments (browsers silently drop Secure cookies over http://). Leave
// unset to fall back to NODE_ENV === 'production'.
COOKIE_SECURE: z
.preprocess((v) => (typeof v === 'string' ? v === 'true' : v), z.boolean().optional()),
});
export type ApiEnv = z.infer<typeof ApiEnv>;