fix: cookie secure flag based on DOMAIN env — allows HTTP for dev/staging
This commit is contained in:
parent
5ae13b199c
commit
582e06c859
1 changed files with 4 additions and 2 deletions
@ -77,12 +77,14 @@ async def password_login_web(
|
|||
return RedirectResponse(url="/login/password?error=invalid", status_code=302)
|
||||
|
||||
token = create_access_token(user["id"], user["email"], user["role"])
|
||||
is_production = os.environ.get("TESTING", "").lower() not in ("1", "true")
|
||||
# Secure cookie only over HTTPS (detect via X-Forwarded-Proto or request scheme)
|
||||
# For dev/staging on plain HTTP, secure=False so the cookie is actually sent
|
||||
use_secure = os.environ.get("DOMAIN", "") != "" # DOMAIN set = production with TLS
|
||||
response = RedirectResponse(url="/dashboard", status_code=302)
|
||||
response.set_cookie(
|
||||
key="access_token", value=token,
|
||||
httponly=True, max_age=86400, samesite="lax",
|
||||
secure=is_production,
|
||||
secure=use_secure,
|
||||
)
|
||||
return response
|
||||
|
||||
|
|
|
|||
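Review bot: The comment `# Secure cookie only over HTTPS (detect via X-Forwarded-Proto or request scheme)` does not describe the code beneath it, which sets `use_secure` purely from whether the `DOMAIN` environment variable is non-empty and never inspects the request scheme or any forwarded header. The new gate also fails open: a production deployment that omits `DOMAIN` sends the `access_token` cookie without the Secure attribute, whereas the removed `is_production` check defaulted to Secure unless `TESTING` was explicitly set. Either reword the comment to `# DOMAIN set => deployed behind TLS; unset => local/staging over plain HTTP, where Secure would stop the cookie from being sent at all`, or implement what the comment says — if the handler receives the Starlette request object, `request.url.scheme == "https"` (with the reverse proxy's forwarded-proto header applied by a proxy-headers middleware) reflects the actual transport instead of an environment variable. The signature of password_login_web and the start of its body are outside the hunk, so whether a request parameter is available cannot be confirmed from here.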