From 6252041631bed0a693e0107f31cf72381e254f47 Mon Sep 17 00:00:00 2001
From: grabowski
Date: Mon, 13 Apr 2026 14:38:20 +0700
Subject: [PATCH] Fix NetBird login: set Secure cookie flag from actual origin, not forwarded proto

Caddy sets X-Forwarded-Proto: https on all routes, making SvelteKit think the request is HTTPS. The session cookie got the Secure flag, but the browser on http://100.81.174.129 won't send Secure cookies over plain HTTP. Now checks the actual Origin header to determine if the connection is truly HTTPS. Tor works because .onion is treated as a secure context by Tor Browser.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/lib/server/auth/index.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/lib/server/auth/index.ts b/src/lib/server/auth/index.ts
index f81071d..290c85c 100644
--- a/src/lib/server/auth/index.ts
+++ b/src/lib/server/auth/index.ts
@@ -88,10 +88,15 @@ export async function invalidateSession(token: string) {
 }
 
 export function setSessionCookie(event: RequestEvent, token: string, expiresAt: Date) {
+ // Use the actual request origin, not the forwarded protocol
+ // This allows Secure cookies over HTTPS but plain cookies over HTTP (NetBird, LAN)
+ const actualOrigin = event.request.headers.get('origin') ?? event.url.origin;
+ const isSecure = actualOrigin.startsWith('https:');
+
 event.cookies.set('session', token, {
 httpOnly: true,
 sameSite: 'lax',
- secure: event.url.protocol === 'https:',
+ secure: isSecure,
 path: '/',
 expires: expiresAt
 });
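Review bot: The `Origin` request header is supplied by the client, so deriving the cookie's `secure` attribute from `actualOrigin` in this hunk lets any caller that sends `Origin: http://…` over an HTTPS connection obtain a session cookie without the Secure flag, which the browser may later send in clear text; the fallback to `event.url.origin` also reinstates the forwarded-proto problem for requests that carry no Origin (non-CORS GETs, some fetch paths, `Origin: null`). A security attribute should come from the server's own knowledge of the transport, not from a client header: the root cause per the commit message is the proxy stamping `X-Forwarded-Proto: https` on every route, so the fix belongs in the proxy config (forward the real scheme per listener) with the original `secure: event.url.protocol === 'https:'` kept, or, if plaintext listeners must be supported, an explicit server-side allowlist such as `secure: event.url.protocol === 'https:' && !PLAINTEXT_HOSTS.has(event.url.hostname)` (name constructed; populate from deployment config). Either way the comment on the first added line should be reworded so it does not describe `Origin` as "the actual request origin", since nothing here validates it. The enclosing `setSessionCookie` is fully visible, but the `invalidateSession` body referenced in the hunk header ends outside it.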