Fix NetBird login: set Secure cookie flag from actual origin, not forwarded proto
Deploy to LXC / deploy (push) Successful in 19s
Deploy to LXC / deploy (push) Successful in 19s
Caddy sets X-Forwarded-Proto: https on all routes, making SvelteKit think the request is HTTPS. The session cookie got the Secure flag, but the browser on http://100.81.174.129 won't send Secure cookies over plain HTTP. Now checks the actual Origin header to determine if the connection is truly HTTPS. Tor works because .onion is treated as a secure context by Tor Browser. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -88,10 +88,15 @@ export async function invalidateSession(token: string) {
|
||||
}
|
||||
|
||||
export function setSessionCookie(event: RequestEvent, token: string, expiresAt: Date) {
|
||||
// Use the actual request origin, not the forwarded protocol
|
||||
// This allows Secure cookies over HTTPS but plain cookies over HTTP (NetBird, LAN)
|
||||
const actualOrigin = event.request.headers.get('origin') ?? event.url.origin;
|
||||
const isSecure = actualOrigin.startsWith('https:');
|
||||
|
||||
event.cookies.set('session', token, {
|
||||
httpOnly: true,
|
||||
sameSite: 'lax',
|
||||
secure: event.url.protocol === 'https:',
|
||||
secure: isSecure,
|
||||
path: '/',
|
||||
expires: expiresAt
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user