fix: secure cookies for integration

2025-10-12 16:40:48 +02:00 · 2025-10-12 16:40:48 +02:00 · 8a8b0453ad
commit 8a8b0453ad
parent 9f3af5ab48
1 changed files with 8 additions and 2 deletions
--- a/modules/security/jwtService.py
+++ b/modules/security/jwtService.py
@ -82,10 +82,13 @@ def clearAccessTokenCookie(response: Response) -> None:
    Clear access token cookie by setting it to expire immediately.
    Uses both raw header manipulation and FastAPI's delete_cookie for maximum browser compatibility.
    """
+    # Build secure flag based on environment
+    secure_flag = "; Secure" if USE_SECURE_COOKIES else ""
+    
    # Primary method: Raw Set-Cookie header for guaranteed deletion
    response.headers.append(
        "Set-Cookie",
-        f"auth_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict"
+        f"auth_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly{secure_flag}; SameSite=Strict"
    )
    
    # Fallback: Also use FastAPI's built-in method
@ -97,10 +100,13 @@ def clearRefreshTokenCookie(response: Response) -> None:
    Clear refresh token cookie by setting it to expire immediately.
    Uses both raw header manipulation and FastAPI's delete_cookie for maximum browser compatibility.
    """
+    # Build secure flag based on environment
+    secure_flag = "; Secure" if USE_SECURE_COOKIES else ""
+    
    # Primary method: Raw Set-Cookie header for guaranteed deletion
    response.headers.append(
        "Set-Cookie",
-        f"refresh_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict"
+        f"refresh_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly{secure_flag}; SameSite=Strict"
    )
    
    # Fallback: Also use FastAPI's built-in method