Merge pull request #297 from community-scripts/fix/auth

Fix auth cookie secure flag for HTTP in production
This commit is contained in:
Michel Roegl-Brunner
2025-11-10 12:07:46 +01:00
committed by GitHub
2 changed files with 10 additions and 2 deletions


@@ -106,7 +106,12 @@ export function AuthProvider({ children }: AuthProviderProps) {
setUsername(data.username); setUsername(data.username);
// Check auth again to get expiration time // Check auth again to get expiration time
await checkAuth(); // Add a small delay to ensure the httpOnly cookie is available
await new Promise<void>((resolve) => {
setTimeout(() => {
void checkAuth().then(() => resolve());
}, 150);
});
return true; return true;
} else { } else {
const errorData = await response.json(); const errorData = await response.json();
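Review bot: The awaited promise on lines L16–L20 never settles if `checkAuth()` rejects, because the `.then` on line L18 only wires up the success path and `void` discards the rejection — the login call would hang and the rejection surface as an unhandled-rejection warning instead of reaching the caller. Settling in both cases keeps the existing behavior on success and fails closed on error: `void checkAuth().finally(() => resolve());`. The 150 ms delay is a timing-based workaround rather than a guarantee that the httpOnly cookie has been committed; naming it (`const COOKIE_SETTLE_MS = 150;`) and stating in the comment which browser/fetch ordering it is meant to cover would help the next maintainer judge whether it is still needed. The enclosing login handler starts and ends outside the hunk.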


@@ -47,10 +47,13 @@ export async function POST(request: NextRequest) {
username username
}); });
// Determine if request is over HTTPS
const isSecure = request.url.startsWith('https://');
// Set httpOnly cookie with configured duration // Set httpOnly cookie with configured duration
response.cookies.set('auth-token', token, { response.cookies.set('auth-token', token, {
httpOnly: true, httpOnly: true,
secure: process.env.NODE_ENV === 'production', secure: isSecure, // Only secure if actually over HTTPS
sameSite: 'strict', sameSite: 'strict',
maxAge: sessionDurationDays * 24 * 60 * 60, // Use configured duration maxAge: sessionDurationDays * 24 * 60 * 60, // Use configured duration
path: '/', path: '/',
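Review bot: Deriving `isSecure` from `request.url` on line L31 inverts the previous failure mode: when TLS is terminated by a reverse proxy (a common deployment for this kind of app, if that is the case here), the Next.js server sees `http://` and the auth cookie would now be issued without the `Secure` attribute even though the client connected over HTTPS, so it can be sent over a plain-HTTP request. Honoring the forwarded protocol covers that case: `const forwardedProto = request.headers.get('x-forwarded-proto');` and `const isSecure = (forwardedProto ?? new URL(request.url).protocol).startsWith('https');`. That header is only meaningful when a trusted proxy sets it, so a comment on line L30 should say so and mention that an explicit configuration override is the fallback when the deployment cannot guarantee it. Consider logging at startup when the cookie is issued without `Secure` so an insecure deployment is visible rather than silent.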