From 8a8b0453ad950e7ae877bd8273f5fe3f96705d30 Mon Sep 17 00:00:00 2001
From: Ida Dittrich
Date: Sun, 12 Oct 2025 16:40:48 +0200
Subject: [PATCH] fix: secure cookies for integration

---
 modules/security/jwtService.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/modules/security/jwtService.py b/modules/security/jwtService.py
index 2be45c5b..87e226c7 100644
--- a/modules/security/jwtService.py
+++ b/modules/security/jwtService.py
@@ -82,10 +82,13 @@ def clearAccessTokenCookie(response: Response) -> None:
     Clear access token cookie by setting it to expire immediately.
     Uses both raw header manipulation and FastAPI's delete_cookie for maximum browser compatibility.
     """
+    # Build secure flag based on environment
+    secure_flag = "; Secure" if USE_SECURE_COOKIES else ""
+
     # Primary method: Raw Set-Cookie header for guaranteed deletion
     response.headers.append(
         "Set-Cookie",
-        f"auth_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict"
+        f"auth_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly{secure_flag}; SameSite=Strict"
     )
 
     # Fallback: Also use FastAPI's built-in method
@@ -97,10 +100,13 @@ def clearRefreshTokenCookie(response: Response) -> None:
     Clear refresh token cookie by setting it to expire immediately.
     Uses both raw header manipulation and FastAPI's delete_cookie for maximum browser compatibility.
     """
+    # Build secure flag based on environment
+    secure_flag = "; Secure" if USE_SECURE_COOKIES else ""
+
     # Primary method: Raw Set-Cookie header for guaranteed deletion
     response.headers.append(
         "Set-Cookie",
-        f"refresh_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict"
+        f"refresh_token=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly{secure_flag}; SameSite=Strict"
     )
 
     # Fallback: Also use FastAPI's built-in method
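Review bot: The clearing header only works if every attribute a browser uses to identify the cookie (name, Domain, Path, and for the Secure attribute, the scheme the original was set on) matches what the login code emitted, and this hunk hard-codes `Path=/` with no `Domain` while making `Secure` depend on `USE_SECURE_COOKIES`; if the setter uses a different constant, a narrower path, or an explicit domain, the deletion silently misses and the old `auth_token` stays valid until expiry. I would add a comment above the `secure_flag` assignment that pins this contract: `# Must mirror the attributes used when auth_token is set (Path, Domain, Secure, SameSite); a mismatch means the browser keeps the old cookie`. The `delete_cookie` fallback sits after the hunk, so I cannot see its arguments, but for it to be a real fallback it should receive the same attributes, e.g. `response.delete_cookie("auth_token", path="/", secure=USE_SECURE_COOKIES, httponly=True, samesite="strict")` — please verify against that call. Where `USE_SECURE_COOKIES` is imported or defined is also outside the hunk; it needs to be the single source of truth shared with the setter rather than a second environment lookup that can drift.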
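Review bot: The new lines in clearRefreshTokenCookie are a verbatim copy of the ones just added to clearAccessTokenCookie, differing only in the cookie name, and the expiry string, the `secure_flag` logic and the attribute list now have to be kept in sync by hand across both functions — a drift between them is exactly the class of bug this commit is fixing. I would move the header construction into one private helper that both functions call, so a future change to Path, Domain or SameSite happens in one place; the deletion for refresh_token then becomes `response.headers.append("Set-Cookie", _expired_cookie_header("refresh_token"))`. Refresh tokens are often issued with a narrower Path than `/` to keep them off ordinary requests; if that is the case in the setter here (not visible in this hunk), the hard-coded `Path=/` will not match and the helper should take the path as a parameter. The bodies of both functions continue past the hunk, so the `delete_cookie` fallback would need the same treatment.
```python
def _expired_cookie_header(name: str) -> str:
    """Set-Cookie value that expires *name* immediately.

    Attributes must mirror those used when the cookie was set, or the
    browser will not treat this as the same cookie and keep the old one.
    """
    secure_flag = "; Secure" if USE_SECURE_COOKIES else ""
    return (
        f"{name}=deleted; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
        f"HttpOnly{secure_flag}; SameSite=Strict"
    )
```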