Fix Safari cross-site tracking cookie blocking

- Set sameSite='none' for secure cookies to allow cross-origin requests
- Update auth controller and auth-providers controller cookie settings
- Document SECURE_SITE env var in .env.example
- Fixes file rendering and download issues on Safari with cross-site tracking prevention enabled

Co-authored-by: danielalves96 <62755605+danielalves96@users.noreply.github.com>
copilot-swe-agent[bot]
2025-10-21 17:20:39 +00:00
parent 07f4485ddf
commit f9f20462ef
3 changed files with 6 additions and 3 deletions


@@ -4,6 +4,9 @@ DISABLE_FILESYSTEM_ENCRYPTION=true
# ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # Required only if encryption is enabled (DISABLE_FILESYSTEM_ENCRYPTION=false)
DATABASE_URL="file:./palmr.db"
# SECURITY SETTINGS
# SECURE_SITE=true # Set to true when using HTTPS in production. This enables secure cookies with SameSite=none, allowing cross-origin requests (required when frontend and backend are on different domains/subdomains)
# FOR USE WITH S3 COMPATIBLE STORAGE
# ENABLE_S3=true
# S3_ENDPOINT=


@@ -124,7 +124,7 @@ export class AuthProvidersController {
reply.setCookie("token", token, {
httpOnly: true,
secure: isSecure,
sameSite: "lax",
sameSite: isSecure ? "none" : "lax",
maxAge: COOKIE_MAX_AGE,
path: "/",
});
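Review bot: Switching the `token` cookie to `sameSite: "none"` on the new line removes the browser-side cross-site request protection that "lax" gave it, and nothing in this hunk (or in the two matching hunks in AuthController) adds a server-side replacement, so every cross-site request from any origin will now carry the session cookie. Before this ships, the backend needs an explicit check that the request `Origin`/`Referer` is in the allowed frontend list (or a CSRF token) for state-changing routes, and the CORS configuration must only reflect credentials for that same allowlist rather than `*`. The secure-only conditional is right, since browsers discard `SameSite=None` without `Secure`; a comment on the line would help the next reader: `// SameSite=None is required for the cross-origin frontend; it disables the browser's CSRF defence, so origin checking is mandatory server-side`. The enclosing method starts before this hunk, so I cannot see whether `isSecure` is derived from `env.SECURE_SITE` the same way AuthController does; if it is, the two should share one helper.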


@@ -44,7 +44,7 @@ export class AuthController {
httpOnly: true,
path: "/",
secure: env.SECURE_SITE === "true" ? true : false,
sameSite: env.SECURE_SITE === "true" ? "lax" : "strict",
sameSite: env.SECURE_SITE === "true" ? "none" : "lax",
});
return reply.send({ user });
@@ -74,7 +74,7 @@ export class AuthController {
httpOnly: true,
path: "/",
secure: env.SECURE_SITE === "true" ? true : false,
sameSite: env.SECURE_SITE === "true" ? "lax" : "strict",
sameSite: env.SECURE_SITE === "true" ? "none" : "lax",
});
return reply.send({ user });
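Review bot: Both hunks in this file also change the non-HTTPS fallback from `"strict"` to `"lax"`, which is a separate loosening the commit message does not mention and that the Safari fix does not need; if "lax" is required for a top-level redirect flow in local development, say so in a comment, otherwise keep `"strict"` for the non-secure branch. The same cookie options are now written out three times (here at lines 44–46 and 52–54, and in AuthProvidersController) and have already drifted in how the secure flag is computed, so I would move them into one helper and have all three `setCookie` calls spread it; `secure: env.SECURE_SITE === "true" ? true : false` also reads more simply as `secure: isSecure` once the flag is computed once. The setters' enclosing methods start before each hunk, so `maxAge` and any other options passed above line 42 must be carried into the helper as well.
```javascript
// One source of truth for the auth cookie attributes; keeps the three
// setCookie call sites (both AuthController handlers and
// AuthProvidersController) from drifting apart.
function authCookieOptions() {
  const isSecure = env.SECURE_SITE === "true";
  return {
    httpOnly: true,
    path: "/",
    secure: isSecure,
    // SameSite=None is only honoured when Secure is set; it also drops the
    // browser's cross-site request protection, so origin/CSRF checks must
    // exist server-side whenever this branch is taken.
    sameSite: isSecure ? "none" : "strict",
    // … unchanged: any maxAge/other options the existing calls already pass …
  };
}

// … unchanged: handler body up to the cookie write …
reply.setCookie("token", token, authCookieOptions());
return reply.send({ user });
```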