From 9f3af5ab48795b9e093b6729cce5e10948e74cb4 Mon Sep 17 00:00:00 2001
From: Ida Dittrich
Date: Sun, 12 Oct 2025 16:35:59 +0200
Subject: [PATCH] fix: secure cookies for integration
---
 modules/security/jwtService.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/security/jwtService.py b/modules/security/jwtService.py
index 2726db35..2be45c5b 100644
--- a/modules/security/jwtService.py
+++ b/modules/security/jwtService.py
@@ -17,10 +17,10 @@ ALGORITHM = APP_CONFIG.get("Auth_ALGORITHM")
 ACCESS_TOKEN_EXPIRE_MINUTES = int(APP_CONFIG.get("APP_TOKEN_EXPIRY"))
 REFRESH_TOKEN_EXPIRE_DAYS = int(APP_CONFIG.get("APP_REFRESH_TOKEN_EXPIRY", "7"))
-# Cookie security settings - use secure cookies only in production (HTTPS)
-# In development (HTTP), secure=True would prevent cookies from being set/cleared properly
-ENV_TYPE = APP_CONFIG.get("APP_ENV_TYPE", "dev")
-USE_SECURE_COOKIES = ENV_TYPE in ["prod", "production"]
+# Cookie security settings - use secure cookies based on whether API uses HTTPS
+# Cookies must have secure=True on HTTPS sites, secure=False on HTTP sites
+APP_API_URL = APP_CONFIG.get("APP_API_URL", "http://localhost:8000")
+USE_SECURE_COOKIES = APP_API_URL.startswith("https://") if APP_API_URL else False
 def createAccessToken(data: dict, expiresDelta: Optional[timedelta] = None) -> Tuple[str, "datetime"]:
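Review bot: The Secure flag now fails open: when `APP_API_URL` is absent from the config, the `"http://localhost:8000"` default makes `USE_SECURE_COOKIES` False, so a production deployment missing that key would presumably issue its token cookies without Secure and nothing would signal it. The `startswith("https://")` test is also case- and whitespace-sensitive, and it reflects the configured URL rather than the scheme clients actually use, which can differ when TLS is terminated at a proxy. Consider dropping the default and disabling Secure only for an explicit plain-HTTP URL, e.g. `APP_API_URL = APP_CONFIG.get("APP_API_URL")` and `USE_SECURE_COOKIES = not (APP_API_URL or "").strip().lower().startswith("http://")`; local HTTP development then has to set the key explicitly. The new comment would be more accurate as `# Secure is dropped only when the API is served over plain HTTP (local development)`, since HTTPS does not strictly require the attribute. Where the flag is consumed lies outside this hunk, so the effect on the cookie-setting calls is inferred.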