diff --git a/apps/server/.env.example b/apps/server/.env.example
index 9ab17e3..fbec35d 100644
--- a/apps/server/.env.example
+++ b/apps/server/.env.example
@@ -4,6 +4,9 @@ DISABLE_FILESYSTEM_ENCRYPTION=true
 # ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # Required only if encryption is enabled (DISABLE_FILESYSTEM_ENCRYPTION=false)
 DATABASE_URL="file:./palmr.db"
+# SECURITY SETTINGS
+# SECURE_SITE=true # Set to true when using HTTPS in production. This enables secure cookies with SameSite=none, allowing cross-origin requests (required when frontend and backend are on different domains/subdomains)
+
 # FOR USE WITH S3 COMPATIBLE STORAGE
 # ENABLE_S3=true
 # S3_ENDPOINT=
diff --git a/apps/server/src/modules/auth-providers/controller.ts b/apps/server/src/modules/auth-providers/controller.ts
index 55142fb..2358567 100644
--- a/apps/server/src/modules/auth-providers/controller.ts
+++ b/apps/server/src/modules/auth-providers/controller.ts
@@ -124,7 +124,7 @@ export class AuthProvidersController {
       reply.setCookie("token", token, {
         httpOnly: true,
         secure: isSecure,
-        sameSite: "lax",
+        sameSite: isSecure ? "none" : "lax",
         maxAge: COOKIE_MAX_AGE,
         path: "/",
       });
diff --git a/apps/server/src/modules/auth/controller.ts b/apps/server/src/modules/auth/controller.ts
index b999f60..f33c545 100644
--- a/apps/server/src/modules/auth/controller.ts
+++ b/apps/server/src/modules/auth/controller.ts
@@ -44,7 +44,7 @@ export class AuthController {
         httpOnly: true,
         path: "/",
         secure: env.SECURE_SITE === "true" ? true : false,
-        sameSite: env.SECURE_SITE === "true" ? "lax" : "strict",
+        sameSite: env.SECURE_SITE === "true" ? "none" : "lax",
       });
 
       return reply.send({ user });
@@ -74,7 +74,7 @@ export class AuthController {
         httpOnly: true,
         path: "/",
         secure: env.SECURE_SITE === "true" ? true : false,
-        sameSite: env.SECURE_SITE === "true" ? "lax" : "strict",
+        sameSite: env.SECURE_SITE === "true" ? "none" : "lax",
       });
 
       return reply.send({ user });
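Review bot: The new `sameSite: isSecure ? "none" : "lax"` makes every HTTPS deployment attach the session cookie to cross-site requests, not only the split-domain setups the change is for, so the CSRF protection that `lax` gave same-site installs is dropped unconditionally; `SameSite=None` should be opt-in, e.g. `sameSite: isSecure && crossSiteCookies ? "none" : "lax"`, where `crossSiteCookies` (placeholder name) comes from a separate explicit setting and HTTPS alone keeps `lax`. Nothing in this hunk shows an Origin/Referer check or CSRF token on state-changing routes, and with `None` one is required, so that should be confirmed before this merges. The same expression is introduced in apps/server/src/modules/auth/controller.ts at the @@ -44 and @@ -74 hunks. The enclosing method of AuthProvidersController starts and ends outside the hunk.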
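Review bot: The non-HTTPS branch is loosened from `"strict"` to `"lax"` although SECURE_SITE being unset has nothing to do with the cross-origin case this change targets; if that is intended (it does match the auth-providers controller) the reason belongs in a comment on the `sameSite` line, otherwise `"strict"` should stay for the fallback. The identical options literal is now repeated at @@ -44 and @@ -74, with a third variant in auth-providers/controller.ts, so the SECURE_SITE policy can drift between the three; a single shared `const` holding the session-cookie options would keep them in step. `secure: env.SECURE_SITE === "true" ? true : false` can simply be `secure: env.SECURE_SITE === "true",`. Both enclosing methods of AuthController start outside their hunks.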