fix: force secure cookie in production, reduce max_age to 1 day

Use TESTING env var to detect production instead of relying on request scheme, and align cookie max_age with JWT expiry (86400s).
2026-04-09 16:31:50 +02:00 · 2026-04-09 16:31:50 +02:00 · 7bada9f32b
commit 7bada9f32b
parent c55dd02196
1 changed files with 3 additions and 3 deletions
--- a/app/auth/providers/google.py
+++ b/app/auth/providers/google.py
@ -89,12 +89,12 @@ async def google_callback(request: Request):
        jwt_token = create_access_token(user["id"], user["email"], user["role"])

        # Redirect to dashboard with token in cookie
-        is_https = request.url.scheme == "https"
+        is_production = os.environ.get("TESTING", "").lower() not in ("1", "true")
        response = RedirectResponse(url="/dashboard", status_code=302)
        response.set_cookie(
            key="access_token", value=jwt_token,
-            httponly=True, max_age=86400 * 30, samesite="lax",
-            secure=is_https,
+            httponly=True, max_age=86400, samesite="lax",
+            secure=is_production,
        )
        return response