From a3ea8384d13fee2ebf952ad580a7b7a4dac28f6c Mon Sep 17 00:00:00 2001 From: Nicolas Meienberger Date: Wed, 28 Jan 2026 00:52:32 +0100 Subject: [PATCH] chore: cookie secure by default with env var to disable secure cookie --- .env.test | 1 + app/lib/auth.ts | 4 ++-- app/server/core/config.ts | 2 ++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.env.test b/.env.test index 04a34a89..7ebc87dd 100644 --- a/.env.test +++ b/.env.test @@ -1,2 +1,3 @@ DATABASE_URL=:memory: APP_SECRET=8b9acd4456dd5db0a4a3c4f4e1240b2c3ae08bb59690167197425e4a25dd9a69 +DISABLE_SECURE_COOKIES=true diff --git a/app/lib/auth.ts b/app/lib/auth.ts index 354b73d6..81f2d441 100644 --- a/app/lib/auth.ts +++ b/app/lib/auth.ts @@ -22,10 +22,10 @@ export type AuthMiddlewareContext = MiddlewareContext betterAuth({ secret, - trustedOrigins: config.trustedOrigins ?? ["*"], + trustedOrigins: config.trustedOrigins, advanced: { cookiePrefix: "zerobyte", - useSecureCookies: false, + useSecureCookies: !config.disableSecureCookies, }, onAPIError: { throw: true, diff --git a/app/server/core/config.ts b/app/server/core/config.ts index 27721a9a..6f3f7ccc 100644 --- a/app/server/core/config.ts +++ b/app/server/core/config.ts @@ -34,6 +34,7 @@ const envSchema = type({ APP_VERSION: "string = 'dev'", TRUSTED_ORIGINS: "string?", DISABLE_RATE_LIMITING: 'string = "false"', + DISABLE_SECURE_COOKIES: 'string = "false"', APP_SECRET: "32 <= string <= 256", }).pipe((s) => ({ __prod__: s.NODE_ENV === "production", @@ -46,6 +47,7 @@ const envSchema = type({ appVersion: s.APP_VERSION, trustedOrigins: s.TRUSTED_ORIGINS?.split(",").map((origin) => origin.trim()), disableRateLimiting: s.DISABLE_RATE_LIMITING === "true", + disableSecureCookies: s.DISABLE_SECURE_COOKIES === "true", appSecret: s.APP_SECRET, }));