From 582e06c859ca5d43d21822c6ecc50684628382ee Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr <zdenek.srotyr@keboola.com>
Date: Thu, 9 Apr 2026 19:37:25 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20cookie=20secure=20flag=20based=20on=20DO?=
 =?UTF-8?q?MAIN=20env=20=E2=80=94=20allows=20HTTP=20for=20dev/staging?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/auth/providers/password.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/auth/providers/password.py b/app/auth/providers/password.py
index e9bcbf2..4437055 100644
--- a/app/auth/providers/password.py
+++ b/app/auth/providers/password.py
@@ -77,12 +77,14 @@ async def password_login_web(
         return RedirectResponse(url="/login/password?error=invalid", status_code=302)
 
     token = create_access_token(user["id"], user["email"], user["role"])
-    is_production = os.environ.get("TESTING", "").lower() not in ("1", "true")
+    # Secure cookie only over HTTPS (detect via X-Forwarded-Proto or request scheme)
+    # For dev/staging on plain HTTP, secure=False so the cookie is actually sent
+    use_secure = os.environ.get("DOMAIN", "") != ""  # DOMAIN set = production with TLS
     response = RedirectResponse(url="/dashboard", status_code=302)
     response.set_cookie(
         key="access_token", value=token,
         httponly=True, max_age=86400, samesite="lax",
-        secure=is_production,
+        secure=use_secure,
     )
     return response