granblue.team/hensei-web
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix secure cookie flag behind reverse proxy

Browse source
This commit is contained in:
Justin Edmund 2025-12-02 07:54:36 -08:00
parent 513c7660f5
commit 579691aeef
3 changed files with 12 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/routes/auth/login/+server.ts
View file

@ -1,5 +1,6 @@
import type { RequestHandler } from '@sveltejs/kit' import type { RequestHandler } from '@sveltejs/kit'
import { json } from '@sveltejs/kit' import { json } from '@sveltejs/kit'
import { dev } from '$app/environment'
import { z } from 'zod' import { z } from 'zod'
import { passwordGrantLogin } from '$lib/auth/oauth' import { passwordGrantLogin } from '$lib/auth/oauth'
import { UserAdapter } from '$lib/api/adapters/user.adapter' import { UserAdapter } from '$lib/api/adapters/user.adapter'
@ -12,7 +13,7 @@ const LoginSchema = z.object({
grant_type: z.literal('password') grant_type: z.literal('password')
}) })
export const POST: RequestHandler = async ({ request, cookies, url, fetch }) => { export const POST: RequestHandler = async ({ request, cookies, fetch }) => {
const raw = await request.json().catch(() => ({})) const raw = await request.json().catch(() => ({}))
const parsed = LoginSchema.safeParse(raw) const parsed = LoginSchema.safeParse(raw)
if (!parsed.success) { if (!parsed.success) {
@ -33,7 +34,8 @@ export const POST: RequestHandler = async ({ request, cookies, url, fetch }) =>
const { account, user, accessTokenExpiresAt, refresh } = buildCookies(oauth, info) const { account, user, accessTokenExpiresAt, refresh } = buildCookies(oauth, info)
const secure = url.protocol === 'https:' // Use secure cookies in production (dev flag handles this correctly behind proxies)
const secure = !dev
setAccountCookie(cookies, account, { secure, expires: accessTokenExpiresAt }) setAccountCookie(cookies, account, { secure, expires: accessTokenExpiresAt })
setUserCookie(cookies, user, { secure, expires: accessTokenExpiresAt }) setUserCookie(cookies, user, { secure, expires: accessTokenExpiresAt })
setRefreshCookie(cookies, refresh, { secure, expires: accessTokenExpiresAt }) setRefreshCookie(cookies, refresh, { secure, expires: accessTokenExpiresAt })

6
src/routes/auth/refresh/+server.ts
View file

@ -1,5 +1,6 @@
import type { RequestHandler } from '@sveltejs/kit' import type { RequestHandler } from '@sveltejs/kit'
import { json } from '@sveltejs/kit' import { json } from '@sveltejs/kit'
import { dev } from '$app/environment'
import { PUBLIC_SIERO_API_URL } from '$env/static/public' import { PUBLIC_SIERO_API_URL } from '$env/static/public'
import { import {
getRefreshFromCookies, getRefreshFromCookies,
@ -23,7 +24,7 @@ type OAuthRefreshResponse = {
} }
} }
export const POST: RequestHandler = async ({ cookies, fetch, url }) => { export const POST: RequestHandler = async ({ cookies, fetch }) => {
const refresh = getRefreshFromCookies(cookies) const refresh = getRefreshFromCookies(cookies)
if (!refresh) { if (!refresh) {
return json({ error: 'no_refresh_token' }, { status: 401 }) return json({ error: 'no_refresh_token' }, { status: 401 })
@ -48,7 +49,8 @@ export const POST: RequestHandler = async ({ cookies, fetch, url }) => {
} }
const data = (await res.json()) as OAuthRefreshResponse const data = (await res.json()) as OAuthRefreshResponse
const secure = url.protocol === 'https:' // Use secure cookies in production (dev flag handles this correctly behind proxies)
const secure = !dev
const accessTokenExpiresAt = new Date((data.created_at + data.expires_in) * 1000) const accessTokenExpiresAt = new Date((data.created_at + data.expires_in) * 1000)
setAccountCookie( setAccountCookie(

6
src/routes/auth/signup/+server.ts
View file

@ -1,5 +1,6 @@
import type { RequestHandler } from '@sveltejs/kit' import type { RequestHandler } from '@sveltejs/kit'
import { json } from '@sveltejs/kit' import { json } from '@sveltejs/kit'
import { dev } from '$app/environment'
import { z } from 'zod' import { z } from 'zod'
import { PUBLIC_SIERO_API_URL } from '$env/static/public' import { PUBLIC_SIERO_API_URL } from '$env/static/public'
import { passwordGrantLogin } from '$lib/auth/oauth' import { passwordGrantLogin } from '$lib/auth/oauth'
@ -26,7 +27,7 @@ const SignupSchema = z
path: ['password_confirmation'] path: ['password_confirmation']
}) })
export const POST: RequestHandler = async ({ request, cookies, url, fetch }) => { export const POST: RequestHandler = async ({ request, cookies, fetch }) => {
const raw = await request.json().catch(() => ({})) const raw = await request.json().catch(() => ({}))
const parsed = SignupSchema.safeParse(raw) const parsed = SignupSchema.safeParse(raw)
@ -84,7 +85,8 @@ export const POST: RequestHandler = async ({ request, cookies, url, fetch }) =>
// 4. Build and set cookies // 4. Build and set cookies
const { account, user, accessTokenExpiresAt, refresh } = buildCookies(oauth, info) const { account, user, accessTokenExpiresAt, refresh } = buildCookies(oauth, info)
const secure = url.protocol === 'https:' // Use secure cookies in production (dev flag handles this correctly behind proxies)
const secure = !dev
setAccountCookie(cookies, account, { secure, expires: accessTokenExpiresAt }) setAccountCookie(cookies, account, { secure, expires: accessTokenExpiresAt })
setUserCookie(cookies, user, { secure, expires: accessTokenExpiresAt }) setUserCookie(cookies, user, { secure, expires: accessTokenExpiresAt })
setRefreshCookie(cookies, refresh, { secure, expires: accessTokenExpiresAt }) setRefreshCookie(cookies, refresh, { secure, expires: accessTokenExpiresAt })