From f354af0876cff87451e113b343381aea966919e3 Mon Sep 17 00:00:00 2001 From: ulsklyc <108589275+ulsklyc@users.noreply.github.com> Date: Wed, 25 Mar 2026 09:11:33 +0100 Subject: [PATCH] =?UTF-8?q?fix:=20Login=20schl=C3=A4gt=20fehl=20bei=20HTTP?= =?UTF-8?q?=20ohne=20Reverse=20Proxy=20(Secure-Cookie)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SESSION_SECURE=false in .env deaktiviert das Secure-Flag für Session- und CSRF-Cookie. Notwendig wenn die App direkt per HTTP erreichbar ist (kein Nginx/HTTPS davor). Standard bleibt secure=true in production. Co-Authored-By: Claude Sonnet 4.6 --- .env.example | 1 + server/auth.js | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.env.example b/.env.example index 8317dce..3953df0 100644 --- a/.env.example +++ b/.env.example @@ -7,6 +7,7 @@ NODE_ENV=production # Session SESSION_SECRET=HIER_EINEN_LANGEN_ZUFAELLIGEN_STRING_EINTRAGEN +# SESSION_SECURE=false # Nur setzen wenn kein HTTPS/Reverse Proxy (z.B. direktes localhost) # Datenbank (SQLite/SQLCipher) DB_PATH=/data/oikos.db diff --git a/server/auth.js b/server/auth.js index 12ff479..4f114f5 100644 --- a/server/auth.js +++ b/server/auth.js @@ -43,7 +43,10 @@ const sessionMiddleware = session({ name: 'oikos.sid', cookie: { httpOnly: true, - secure: process.env.NODE_ENV === 'production', + // SESSION_SECURE=false in .env erlaubt HTTP-Zugriff (z.B. direktes localhost ohne Reverse Proxy) + // Ohne diese Variable: secure=true wenn NODE_ENV=production + secure: process.env.SESSION_SECURE === 'false' ? false + : process.env.NODE_ENV === 'production', sameSite: 'strict', maxAge: 1000 * 60 * 60 * 24 * 7, // 7 Tage in ms }, 
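Review bot: The new `secure` ternary in the session cookie options is repeated verbatim for the csrf-token cookie in the next hunk (`@@ -130,7 +133,8 @@`), so the two cookies can drift apart the next time one of them is edited; hoist it into a single module-level `const cookieSecure = …` above `const sessionMiddleware = session({` and write `secure: cookieSecure,` in both places. Because `SESSION_SECURE=false` removes the Secure flag even under `NODE_ENV=production`, the opt-out should be visible at startup — emit a warning when it is active in production so a misconfigured deployment is noticed instead of silently sending the session cookie over plain HTTP. If the app is also run behind a TLS-terminating reverse proxy, express-session's `secure` cookie additionally depends on Express's `trust proxy` setting, which is not visible in this diff; that is worth confirming before anyone reaches for `SESSION_SECURE=false` in such a setup. The `session({ … })` call this hunk patches begins and ends outside the hunk.
```javascript
// Single source of truth for the session cookie and the csrf-token cookie.
// SESSION_SECURE=false is an explicit opt-out for plain-HTTP deployments with
// no TLS-terminating reverse proxy; any other value keeps the NODE_ENV default.
const cookieSecure = process.env.SESSION_SECURE === 'false'
  ? false
  : process.env.NODE_ENV === 'production';
if (!cookieSecure && process.env.NODE_ENV === 'production') {
  console.warn('SESSION_SECURE=false: session and csrf-token cookies are issued without the Secure flag');
}

const sessionMiddleware = session({
  // … unchanged: store, secret, name …
  cookie: {
    httpOnly: true,
    secure: cookieSecure,
    // … unchanged: sameSite, maxAge …
  },
```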
@@ -130,7 +133,8 @@ router.post('/login', loginLimiter, async (req, res) => { res.cookie('csrf-token', req.session.csrfToken, { httpOnly: false, sameSite: 'strict', - secure: process.env.NODE_ENV === 'production', + secure: process.env.SESSION_SECURE === 'false' ? false + : process.env.NODE_ENV === 'production', maxAge: 1000 * 60 * 60 * 24 * 7, });