From 312cc4dc2100bf09eed1e239ef2a0fbe81e55296 Mon Sep 17 00:00:00 2001
From: yiekheng
Date: Sun, 3 May 2026 09:01:35 +0800
Subject: [PATCH] fix(web-auth): gate Secure cookie on CM_DEBUG, pass CM_AGENT creds to web-next Previously the session cookie used Secure=NODE_ENV==='production', and the dev override still runs the standalone build with NODE_ENV=production, so the cookie was unreachable from phone-on-LAN testing over HTTP. Switching to CM_DEBUG lets dev (CM_DEBUG=true) drop the Secure flag while keeping prod (CM_DEBUG=false) safe. Also wires CM_AGENT_ID/CM_AGENT_PASSWORD/CM_DEBUG into the web-next service env block so the login Server Action can compare against them.
---
 docker-compose.yml | 3 +++
 web/lib/auth.ts | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index d1cc633..0454835 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -84,6 +84,9 @@ services:
 NEXT_TELEMETRY_DISABLED: "1"
 API_BASE_URL: http://api-server:3000
 CM_AUTH_SECRET: ${CM_AUTH_SECRET}
+ CM_DEBUG: ${CM_DEBUG:-false}
+ CM_AGENT_ID: ${CM_AGENT_ID}
+ CM_AGENT_PASSWORD: ${CM_AGENT_PASSWORD}
 volumes:
 - web-next-auth-data:/data/auth
 - /etc/timezone:/etc/timezone:ro
diff --git a/web/lib/auth.ts b/web/lib/auth.ts
index b8862b8..484805e 100644
--- a/web/lib/auth.ts
+++ b/web/lib/auth.ts
@@ -42,7 +42,7 @@ export async function setSession(session: Session): Promise {
 const jar = await cookies();
 jar.set(COOKIE_NAME, sealed, {
 httpOnly: true,
- secure: process.env.NODE_ENV === "production",
+ secure: process.env.CM_DEBUG !== "true",
 sameSite: "lax",
 path: "/",
 maxAge: COOKIE_TTL_SECONDS,
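Review bot: In the docker-compose.yml hunk, `CM_AGENT_ID: ${CM_AGENT_ID}` and `CM_AGENT_PASSWORD: ${CM_AGENT_PASSWORD}` have no default and no required-marker, so an unset variable reaches web-next as an empty string with only a Compose warning. The commit message says the login Server Action compares submitted credentials against these values; that code is not part of this patch, so it should be confirmed that an empty configured ID/password can never match an empty submission. Failing at startup is the safer default: `CM_AGENT_PASSWORD: ${CM_AGENT_PASSWORD:?CM_AGENT_PASSWORD must be set}`, likewise for `CM_AGENT_ID` and arguably for the existing `CM_AUTH_SECRET` context line. The password is also readable via `docker inspect` once it is in the service environment; a Compose secret mounted as a file would avoid that if the app can be taught to read it.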
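Review bot: In web/lib/auth.ts, `secure: process.env.CM_DEBUG !== "true"` couples the session cookie's Secure attribute to a general-purpose debug switch, so a production host that sets CM_DEBUG=true for any other reason silently starts issuing the session cookie over plain HTTP. The comparison does fail safe (unset, or any value other than the exact string "true", keeps Secure on), and that contract deserves a comment on the line, e.g. `// Secure is dropped only when CM_DEBUG is exactly "true" (plain-HTTP LAN testing); never enable on a publicly reachable host`. Consider making the downgrade visible with `if (process.env.CM_DEBUG === "true") console.warn("session cookie issued without Secure (CM_DEBUG=true)");`, or gating it on a dedicated cookie-specific variable instead of the debug flag. setSession begins and ends outside the hunk, so whether CM_DEBUG is read elsewhere in the app cannot be seen from here.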