fix: address Copilot code review feedback

- settings.py: Improve COOKIE_DOMAIN comment for clarity
- accounts.py: Add secure/samesite params to delete_cookie for reliable deletion
- accounts.py: Clarify max_age comment (43200 min = 30 days)
- main.py: Add FRONTEND_URL validation before adding to CORS origins
- values.yaml: Clarify cookie.secure usage for production vs dev
- CHANGELOG.md: Add Security section for httpOnly cookie migration
- ApiDocs.tsx: Add comment explaining Swagger UI v5 uses Fetch API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: Clément VALENTIN

apps/api/src/config/settings.py

@@ -55,7 +55,7 @@ def database_type(self) -> str:
     # Cookie settings
     COOKIE_SECURE: bool = False  # Set True in production (HTTPS only)
     COOKIE_SAMESITE: Literal["lax", "strict", "none"] = "lax"
-    COOKIE_DOMAIN: str = ""  # Empty = current domain only
+    COOKIE_DOMAIN: str = ""  # Empty = browser uses current host. If set (e.g. ".example.com"), must match frontend domain
 
     # Mailgun Email
     MAILGUN_API_KEY: str = ""

apps/api/src/main.py

@@ -113,10 +113,15 @@ def get_servers() -> list[dict[str, str]]:
 # CORS middleware - explicit origins required for credentials (httpOnly cookies)
 def get_cors_origins() -> list[str]:
     """Build CORS origins from settings"""
-    origins = [settings.FRONTEND_URL]
+    origins: list[str] = []
+    # Add frontend URL if configured
+    frontend_url = (settings.FRONTEND_URL or "").strip()
+    if frontend_url:
+        origins.append(frontend_url)
     # Add backend URL for Swagger UI
-    if settings.BACKEND_URL and settings.BACKEND_URL != settings.FRONTEND_URL:
-        origins.append(settings.BACKEND_URL)
+    backend_url = (settings.BACKEND_URL or "").strip()
+    if backend_url and backend_url != frontend_url:
+        origins.append(backend_url)
     # Add common development origins
     if settings.DEBUG:
         origins.extend([

apps/api/src/routers/accounts.py

@@ -155,7 +155,7 @@ def _set_auth_cookie(response: Response, token: str) -> None:
         httponly=True,  # Prevents JavaScript access (XSS protection)
         secure=settings.COOKIE_SECURE,  # HTTPS only in production
         samesite=settings.COOKIE_SAMESITE,  # CSRF protection
-        max_age=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,  # Convert to seconds
+        max_age=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,  # 43200 min = 30 days in seconds
         path="/",  # Available for all paths
         domain=settings.COOKIE_DOMAIN or None,  # None = current domain
     )
@@ -167,6 +167,8 @@ def _clear_auth_cookie(response: Response) -> None:
         key="access_token",
         path="/",
         domain=settings.COOKIE_DOMAIN or None,
+        secure=settings.COOKIE_SECURE,
+        samesite=settings.COOKIE_SAMESITE,
     )
 
 

apps/web/src/pages/ApiDocs.tsx

@@ -890,8 +890,8 @@ export default function ApiDocs() {
             displayRequestDuration={true}
             deepLinking={false}
             requestInterceptor={(req) => {
-              // Credentials (httpOnly cookie) will be sent automatically
-              // when withCredentials is enabled on fetch requests
+              // Swagger UI v5+ uses Fetch API, so req.credentials = 'include' is correct
+              // This enables httpOnly cookie to be sent with requests
               req.credentials = 'include'
               return req
             }}

helm/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [1.0.0-dev.3](https://github.com/MyElectricalData/myelectricaldata_new/compare/helm/1.0.0-dev.2...helm/1.0.0-dev.3) (2025-12-21)
 
+### Security
+
+* **auth:** migrate JWT storage from localStorage to httpOnly cookies (XSS protection)
+
 ### Features
 
 * add admin data sharing for PDL debugging ([cfb32b8](https://github.com/MyElectricalData/myelectricaldata_new/commit/cfb32b83ddb435c9c792aec031ead2ad2ae054ab))

helm/myelectricaldata/values.yaml

@@ -177,7 +177,7 @@ config:
 
   # Cookie settings for httpOnly JWT authentication
   cookie:
-    secure: true            # Set to true for HTTPS (recommended for production)
+    secure: true            # true for HTTPS (production), false for HTTP (local dev)
     sameSite: "lax"         # "lax", "strict", or "none" (lax recommended)
     domain: ""              # Cookie domain (empty = current domain only)