From c3a173de66947d6139adb8c606b2c4beb64f7dd7 Mon Sep 17 00:00:00 2001
From: Kenneth
Date: Mon, 29 Dec 2025 00:19:44 +0000
Subject: [PATCH] fix(backend): remove unused secure cookie config

---
 apps/backend/config.example.yaml | 3 ---
 apps/backend/internal/auth/cookies.go | 7 +------
 apps/backend/internal/drexa/config.go | 3 +--
 apps/backend/internal/drexa/server.go | 1 -
 dev/docs/backend.md | 2 +-
 5 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/apps/backend/config.example.yaml b/apps/backend/config.example.yaml
index 137b763..4a52e45 100644
--- a/apps/backend/config.example.yaml
+++ b/apps/backend/config.example.yaml
@@ -33,9 +33,6 @@ cookie:
 # Set this when frontend and API are on different subdomains (e.g., "app.com" for web.app.com + api.app.com).
 # Leave empty for same-host cookies (localhost, single domain).
 # domain: app.com
- # Secure flag for cookies. If not set, automatically determined from request protocol (true for HTTPS, false for HTTP).
- # Set explicitly to override automatic detection (useful for local development with HTTPS).
- # secure: false
 
 cors:
 # Allowed origins for cross-origin requests.
diff --git a/apps/backend/internal/auth/cookies.go b/apps/backend/internal/auth/cookies.go
index e5f2eee..ddde4f3 100644
--- a/apps/backend/internal/auth/cookies.go
+++ b/apps/backend/internal/auth/cookies.go
@@ -11,10 +11,6 @@ type CookieConfig struct {
 // Domain for cross-subdomain cookies (e.g., "app.com" for web.app.com + api.app.com).
 // Leave empty for same-host cookies (localhost, single domain).
 Domain string
- // Secure controls whether cookies are only sent over HTTPS.
- // If nil, automatically set based on request protocol (true for HTTPS, false for HTTP).
- // If explicitly set, this value is used regardless of protocol.
- Secure *bool
 }
 
 // authCookies returns auth cookies from the given fiber context.
@@ -33,8 +29,7 @@ func authCookies(c *fiber.Ctx) map[string]string {
 }
 
 // SetAuthCookies sets HTTP-only auth cookies with security settings derived from the request.
-// Secure flag is based on actual protocol (works automatically with proxies/tunnels),
-// unless explicitly set in cfg.Secure.
+// Secure flag is based on the request protocol (works automatically with proxies/tunnels).
 func SetAuthCookies(c *fiber.Ctx, accessToken, refreshToken string, cfg CookieConfig) {
 secure := c.Protocol() == "https"
 
diff --git a/apps/backend/internal/drexa/config.go b/apps/backend/internal/drexa/config.go
index 44bb650..d541519 100644
--- a/apps/backend/internal/drexa/config.go
+++ b/apps/backend/internal/drexa/config.go
@@ -56,10 +56,9 @@ type StorageConfig struct {
 
 // CookieConfig controls auth cookie behavior.
 // Domain is optional - only needed for cross-subdomain setups (e.g., "app.com" for web.app.com + api.app.com).
-// Secure flag is derived from the request protocol automatically, unless explicitly set.
+// Secure flag is derived from the request protocol automatically.
 type CookieConfig struct {
 Domain string `yaml:"domain"`
- Secure *bool `yaml:"secure"`
 }
 
 // CORSConfig controls Cross-Origin Resource Sharing behavior.
diff --git a/apps/backend/internal/drexa/server.go b/apps/backend/internal/drexa/server.go
index dc30c64..d3e52f4 100644
--- a/apps/backend/internal/drexa/server.go
+++ b/apps/backend/internal/drexa/server.go
@@ -110,7 +110,6 @@ func NewServer(c Config) (*Server, error) {
 
 cookieConfig := auth.CookieConfig{
 Domain: c.Cookie.Domain,
- Secure: c.Cookie.Secure,
 }
 
 authMiddleware := auth.NewAuthMiddleware(authService, db, cookieConfig)
diff --git a/dev/docs/backend.md b/dev/docs/backend.md
index 2b8f5c8..42942a5 100644
--- a/dev/docs/backend.md
+++ b/dev/docs/backend.md
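Review bot: With the cfg.Secure override gone, the Secure attribute in SetAuthCookies rests entirely on `secure := c.Protocol() == "https"`, and the new comment's "works automatically with proxies/tunnels" only holds when the TLS-terminating proxy forwards the protocol in a header Fiber is configured to honour (if I read Fiber's Protocol() right, it reports https for a TLS connection or, for a proxy trusted per fiber.Config.EnableTrustedProxyCheck/TrustedProxies, from X-Forwarded-Proto). Behind a proxy that omits or strips that header the cookies are silently issued without Secure on an HTTPS site, which is the case the removed knob was meant to cover, so the dependency should be stated rather than implied. I would replace the added comment line with `// Secure is set when Fiber sees an https request: TLS at the app, or a forwarded-proto header from a proxy trusted per the app's TrustedProxies config.` and mirror that wording on the CookieConfig doc comment in the config.go hunk and in the config.example.yaml cookie section. A handler test that sends `X-Forwarded-Proto: https` over plain HTTP and asserts the Secure attribute on the resulting Set-Cookie header would pin the behaviour the comment promises. SetAuthCookies' body continues outside the hunk.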
@@ -44,4 +44,4 @@ # Configuration - Config is YAML-driven; see `apps/backend/config.example.yaml` for required fields and env overrides. -- Keep CORS and cookie settings aligned with the frontend deployment topology. +- Keep CORS and cookie settings aligned with the frontend deployment topology; cookie `Secure` is derived from request protocol.