Merge pull request #297 from community-scripts/fix/auth

Fix auth cookie secure flag for HTTP in production

Author: michelroegl-brunner

src/app/_components/AuthProvider.tsx

@@ -106,7 +106,12 @@ export function AuthProvider({ children }: AuthProviderProps) {
         setUsername(data.username);
 
         // Check auth again to get expiration time
-        await checkAuth();
+        // Add a small delay to ensure the httpOnly cookie is available
+        await new Promise<void>((resolve) => {
+          setTimeout(() => {
+            void checkAuth().then(() => resolve());
+          }, 150);
+        });
         return true;
       } else {
         const errorData = await response.json();

src/app/api/auth/login/route.ts

@@ -47,10 +47,13 @@ export async function POST(request: NextRequest) {
       username 
     });
 
+    // Determine if request is over HTTPS
+    const isSecure = request.url.startsWith('https://');
+
     // Set httpOnly cookie with configured duration
     response.cookies.set('auth-token', token, {
       httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
+      secure: isSecure, // Only secure if actually over HTTPS
       sameSite: 'strict',
       maxAge: sessionDurationDays * 24 * 60 * 60, // Use configured duration
       path: '/',