fix(web-auth): gate Secure cookie on CM_DEBUG, pass CM_AGENT creds to web-next
Previously the session cookie used Secure=NODE_ENV==='production', and the dev override still runs the standalone build with NODE_ENV=production, so the cookie was unreachable from phone-on-LAN testing over HTTP. Switching to CM_DEBUG lets dev (CM_DEBUG=true) drop the Secure flag while keeping prod (CM_DEBUG=false) safe. Also wires CM_AGENT_ID/CM_AGENT_PASSWORD/CM_DEBUG into the web-next service env block so the login Server Action can compare against them.
parent
a8ee6f068d
commit
312cc4dc21
@ -84,6 +84,9 @@ services:
|
|||||||
NEXT_TELEMETRY_DISABLED: "1"
|
NEXT_TELEMETRY_DISABLED: "1"
|
||||||
API_BASE_URL: http://api-server:3000
|
API_BASE_URL: http://api-server:3000
|
||||||
CM_AUTH_SECRET: ${CM_AUTH_SECRET}
|
CM_AUTH_SECRET: ${CM_AUTH_SECRET}
|
||||||
|
CM_DEBUG: ${CM_DEBUG:-false}
|
||||||
|
CM_AGENT_ID: ${CM_AGENT_ID}
|
||||||
|
CM_AGENT_PASSWORD: ${CM_AGENT_PASSWORD}
|
||||||
volumes:
|
volumes:
|
||||||
- web-next-auth-data:/data/auth
|
- web-next-auth-data:/data/auth
|
||||||
- /etc/timezone:/etc/timezone:ro
|
- /etc/timezone:/etc/timezone:ro
|
||||||
|
|||||||
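Review bot: `CM_AGENT_ID: ${CM_AGENT_ID}` and `CM_AGENT_PASSWORD: ${CM_AGENT_PASSWORD}` have no default and no required-check, so an unset variable reaches web-next as an empty string instead of stopping the deploy. The login Server Action is not visible here; if it compares submitted credentials against these values without rejecting empty ones, a missing entry in the environment could let an empty login match. Compose can fail fast with the required-variable form, `CM_AGENT_PASSWORD: ${CM_AGENT_PASSWORD:?CM_AGENT_PASSWORD must be set}`, and the same for `CM_AGENT_ID`. A comment above `CM_DEBUG` would also help: `# true drops the Secure flag on the session cookie; keep false on any deployment reachable outside the LAN`.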
@ -42,7 +42,7 @@ export async function setSession(session: Session): Promise<void> {
|
|||||||
const jar = await cookies();
|
const jar = await cookies();
|
||||||
jar.set(COOKIE_NAME, sealed, {
|
jar.set(COOKIE_NAME, sealed, {
|
||||||
httpOnly: true,
|
httpOnly: true,
|
||||||
secure: process.env.NODE_ENV === "production",
|
secure: process.env.CM_DEBUG !== "true",
|
||||||
sameSite: "lax",
|
sameSite: "lax",
|
||||||
path: "/",
|
path: "/",
|
||||||
maxAge: COOKIE_TTL_SECONDS,
|
maxAge: COOKIE_TTL_SECONDS,
|
||||||
|
|||||||
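Review bot: The `secure:` option in `jar.set` now depends on a general-purpose debug switch, so setting CM_DEBUG=true on a production host for troubleshooting also lets the session cookie travel over plain HTTP, with nothing in the code or logs to show it. The comparison itself fails safe, since only the exact string "true" drops the flag, and that deserves a comment: `// Secure is dropped only when CM_DEBUG === "true" (HTTP LAN testing); any other value keeps it on.` Consider also emitting a one-time `console.warn` when the flag is off, so the downgrade is visible to whoever operates the service. The body of setSession starts and ends outside this hunk, so how `sealed` is produced could not be checked.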