fix(web-auth): gate Secure cookie on CM_DEBUG, pass CM_AGENT creds to web-next

Previously the session cookie used Secure=NODE_ENV==='production', and the dev override still runs the standalone build with NODE_ENV=production, so the cookie was unreachable from phone-on-LAN testing over HTTP. Switching to CM_DEBUG lets dev (CM_DEBUG=true) drop the Secure flag while keeping prod (CM_DEBUG=false) safe. Also wires CM_AGENT_ID/CM_AGENT_PASSWORD/CM_DEBUG into the web-next service env block so the login Server Action can compare against them.
2026-05-03 09:01:35 +08:00 · 2026-05-03 09:01:35 +08:00 · 312cc4dc21
commit 312cc4dc21
parent a8ee6f068d
2 changed files with 4 additions and 1 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -84,6 +84,9 @@ services:
      NEXT_TELEMETRY_DISABLED: "1"
      API_BASE_URL: http://api-server:3000
      CM_AUTH_SECRET: ${CM_AUTH_SECRET}
+      CM_DEBUG: ${CM_DEBUG:-false}
+      CM_AGENT_ID: ${CM_AGENT_ID}
+      CM_AGENT_PASSWORD: ${CM_AGENT_PASSWORD}
    volumes:
      - web-next-auth-data:/data/auth
      - /etc/timezone:/etc/timezone:ro
--- a/web/lib/auth.ts
+++ b/web/lib/auth.ts
@ -42,7 +42,7 @@ export async function setSession(session: Session): Promise<void> {
  const jar = await cookies();
  jar.set(COOKIE_NAME, sealed, {
    httpOnly: true,
-    secure: process.env.NODE_ENV === "production",
+    secure: process.env.CM_DEBUG !== "true",
    sameSite: "lax",
    path: "/",
    maxAge: COOKIE_TTL_SECONDS,