From 579691aeef058cd298d740d1d5f93c098f2f49c2 Mon Sep 17 00:00:00 2001
From: Justin Edmund
Date: Tue, 2 Dec 2025 07:54:36 -0800
Subject: [PATCH] fix secure cookie flag behind reverse proxy

---
 src/routes/auth/login/+server.ts | 6 ++++--
 src/routes/auth/refresh/+server.ts | 6 ++++--
 src/routes/auth/signup/+server.ts | 6 ++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/routes/auth/login/+server.ts b/src/routes/auth/login/+server.ts
index 4a3d2b4a..e3b199bf 100644
--- a/src/routes/auth/login/+server.ts
+++ b/src/routes/auth/login/+server.ts
@@ -1,5 +1,6 @@
 import type { RequestHandler } from '@sveltejs/kit'
 import { json } from '@sveltejs/kit'
+import { dev } from '$app/environment'
 import { z } from 'zod'
 import { passwordGrantLogin } from '$lib/auth/oauth'
 import { UserAdapter } from '$lib/api/adapters/user.adapter'
@@ -12,7 +13,7 @@ const LoginSchema = z.object({
 grant_type: z.literal('password')
 })
-export const POST: RequestHandler = async ({ request, cookies, url, fetch }) => {
+export const POST: RequestHandler = async ({ request, cookies, fetch }) => {
 const raw = await request.json().catch(() => ({}))
 const parsed = LoginSchema.safeParse(raw)
 if (!parsed.success) {
@@ -33,7 +34,8 @@ export const POST: RequestHandler = async ({ request, cookies, url, fetch }) =>
 const { account, user, accessTokenExpiresAt, refresh } = buildCookies(oauth, info)
-const secure = url.protocol === 'https:'
+// Use secure cookies in production (dev flag handles this correctly behind proxies)
+const secure = !dev
 setAccountCookie(cookies, account, { secure, expires: accessTokenExpiresAt })
 setUserCookie(cookies, user, { secure, expires: accessTokenExpiresAt })
 setRefreshCookie(cookies, refresh, { secure, expires: accessTokenExpiresAt })
diff --git a/src/routes/auth/refresh/+server.ts b/src/routes/auth/refresh/+server.ts
index e537c3d7..1489f71c 100644
--- a/src/routes/auth/refresh/+server.ts
+++ b/src/routes/auth/refresh/+server.ts
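Review bot: `!dev` on the new `const secure` line is a build-mode flag, not a proxy-aware check, so the comment above it overstates what it does: any non-dev build served over plain HTTP (a `vite preview` run, a staging box without TLS) now emits `Secure` cookies that the browser discards, and the login appears to succeed while no session is stored. If the proxy terminates TLS, the usual alternatives are to keep the request-derived check and have the adapter trust the proxy's forwarded-protocol header so `url.protocol` is correct (for adapter-node that is its `PROTOCOL_HEADER`/`ORIGIN` configuration), or to make the flag an explicit deployment setting; at minimum reword the comment to `// Build-mode flag: every non-dev build sets Secure, so production must be served over HTTPS`. The same `!dev` line is repeated in the refresh and signup handlers of this patch; since the three copies must agree, consider exporting a single `secureCookies` constant from the module that provides setAccountCookie and using it in all three places. The enclosing POST handler starts before this hunk and continues after it.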
@@ -1,5 +1,6 @@
 import type { RequestHandler } from '@sveltejs/kit'
 import { json } from '@sveltejs/kit'
+import { dev } from '$app/environment'
 import { PUBLIC_SIERO_API_URL } from '$env/static/public'
 import {
 getRefreshFromCookies,
@@ -23,7 +24,7 @@ type OAuthRefreshResponse = {
 }
 }
-export const POST: RequestHandler = async ({ cookies, fetch, url }) => {
+export const POST: RequestHandler = async ({ cookies, fetch }) => {
 const refresh = getRefreshFromCookies(cookies)
 if (!refresh) {
 return json({ error: 'no_refresh_token' }, { status: 401 })
@@ -48,7 +49,8 @@ export const POST: RequestHandler = async ({ cookies, fetch, url }) => {
 }
 const data = (await res.json()) as OAuthRefreshResponse
-const secure = url.protocol === 'https:'
+// Use secure cookies in production (dev flag handles this correctly behind proxies)
+const secure = !dev
 const accessTokenExpiresAt = new Date((data.created_at + data.expires_in) * 1000)
 setAccountCookie(
diff --git a/src/routes/auth/signup/+server.ts b/src/routes/auth/signup/+server.ts
index 2fdbda70..2167affe 100644
--- a/src/routes/auth/signup/+server.ts
+++ b/src/routes/auth/signup/+server.ts
@@ -1,5 +1,6 @@
 import type { RequestHandler } from '@sveltejs/kit'
 import { json } from '@sveltejs/kit'
+import { dev } from '$app/environment'
 import { z } from 'zod'
 import { PUBLIC_SIERO_API_URL } from '$env/static/public'
 import { passwordGrantLogin } from '$lib/auth/oauth'
@@ -26,7 +27,8 @@ const SignupSchema = z
 path: ['password_confirmation']
 })
-export const POST: RequestHandler = async ({ request, cookies, url, fetch }) => {
+export const POST: RequestHandler = async ({ request, cookies, fetch }) => {
 const raw = await request.json().catch(() => ({}))
 const parsed = SignupSchema.safeParse(raw)
@@ -84,7 +85,8 @@ export const POST: RequestHandler = async ({ request, cookies, url, fetch }) =>
 // 4. Build and set cookies
 const { account, user, accessTokenExpiresAt, refresh } = buildCookies(oauth, info)
-const secure = url.protocol === 'https:'
+// Use secure cookies in production (dev flag handles this correctly behind proxies)
+const secure = !dev
 setAccountCookie(cookies, account, { secure, expires: accessTokenExpiresAt })
 setUserCookie(cookies, user, { secure, expires: accessTokenExpiresAt })
 setRefreshCookie(cookies, refresh, { secure, expires: accessTokenExpiresAt })