Fix NetBird login: set Secure cookie flag from actual origin, not forwarded proto
Deploy to LXC / deploy (push) Successful in 19s
Caddy sets X-Forwarded-Proto: https on all routes, making SvelteKit think the request is HTTPS. The session cookie got the Secure flag, but the browser on http://100.81.174.129 won't send Secure cookies over plain HTTP. Now checks the actual Origin header to determine if the connection is truly HTTPS. Tor works because .onion is treated as a secure context by Tor Browser.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -88,10 +88,15 @@ export async function invalidateSession(token: string) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export function setSessionCookie(event: RequestEvent, token: string, expiresAt: Date) {
|
export function setSessionCookie(event: RequestEvent, token: string, expiresAt: Date) {
|
||||||
|
// Use the actual request origin, not the forwarded protocol
|
||||||
|
// This allows Secure cookies over HTTPS but plain cookies over HTTP (NetBird, LAN)
|
||||||
|
const actualOrigin = event.request.headers.get('origin') ?? event.url.origin;
|
||||||
|
const isSecure = actualOrigin.startsWith('https:');
|
||||||
|
|
||||||
event.cookies.set('session', token, {
|
event.cookies.set('session', token, {
|
||||||
httpOnly: true,
|
httpOnly: true,
|
||||||
sameSite: 'lax',
|
sameSite: 'lax',
|
||||||
secure: event.url.protocol === 'https:',
|
secure: isSecure,
|
||||||
path: '/',
|
path: '/',
|
||||||
expires: expiresAt
|
expires: expiresAt
|
||||||
});
|
});
|
||||||
|
|||||||
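Review bot: the `isSecure` derivation at the top of the hunk trusts a client-supplied header. `event.request.headers.get('origin')` is whatever the browser (or any HTTP client) chooses to send, so a request with `Origin: http://...` against the HTTPS deployment yields a session cookie without the Secure flag, and the browser will then send that cookie over plain HTTP; on requests that carry no Origin header at all (top-level GET navigations), the code falls back to `event.url.origin`, which is exactly the X-Forwarded-Proto-derived value the commit message describes as wrong, so the flag now depends on the request method rather than on the transport. Suggest deciding `isSecure` from server-side configuration instead: fix the Caddy route so X-Forwarded-Proto reflects the real scheme on the NetBird/LAN listener, or keep `secure: event.url.protocol === 'https:'` and only relax it when `event.url.hostname` matches a server-side allowlist of known plaintext hosts. The comment `// Use the actual request origin, not the forwarded protocol` should also say that this is a trust decision about a client header, not a detection of the actual protocol.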