fix(auth): keep sessions across reloads on plain-HTTP deployments (COOKIE_SECURE)#19
Merged
Merged
Conversation
…E_SECURE The refresh cookie was marked Secure whenever NODE_ENV=production. A Secure cookie is silently dropped by the browser when the app is served over plain HTTP on a non-localhost host (e.g. http://mini7:8080), so the in-memory access token worked while navigating but every full page reload — which can only restore the session by exchanging the refresh cookie at /api/auth/refresh — found no cookie and bounced the user to /login. Add a COOKIE_SECURE override (secure-by-default: unset falls back to NODE_ENV==='production'). Operators serving over plain HTTP on a trusted network set COOKIE_SECURE=false; HTTPS deployments are unaffected. Documented in .env.example and wired through docker-compose.yml.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The refresh-token cookie is marked
SecurewheneverNODE_ENV=production. ASecurecookie is silently dropped by the browser when the app is served over plain HTTP on a non-localhost host (e.g.http://mini7:8080). The access token is kept in memory so the app works while navigating, but a full page reload — which can only restore the session by exchanging the refresh cookie at/api/auth/refresh— finds no cookie and bounces the user to/login. So on such deployments every reload logs the user out.Fix
Introduce a
COOKIE_SECUREoverride, secure-by-default:NODE_ENV === 'production'(HTTPS deployments unchanged);COOKIE_SECURE=true/false→ explicit.Operators serving over plain HTTP on a trusted network (e.g. a LAN-only
http://host:port) setCOOKIE_SECURE=false. Serving over HTTPS remains the recommended setup.Changes
isCookieSecure()inauth.controller.ts, used by the shared refresh-cookie attributes (set + clear stay in sync).Secureflag followsCOOKIE_SECURE.docker-compose.ymland documented in.env.example.Verification
Server build 0 issues, auth controller suite 32 tests pass, format:check clean. The existing
refresh-cookiee2e (httpOnly + SameSite=Lax) is unaffected (it asserts nosecureflag).