authorFuwn <[email protected]>2026-06-01 13:01:06 +0000
committerFuwn <[email protected]>2026-06-01 13:01:06 +0000
commit52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5 (patch)
tree42c653a09d5fa0de9802f2e5ef9bd62f4a3d98ae
parentfix(security): escape badge source/designer to close stored XSS (diff)
downloaddue.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.tar.xz
due.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.zip
fix(security): mark auth cookies Secure outside localhost
The user and logout cookies were set with secure:false, so the AniList tokens the user cookie carries could traverse plaintext HTTP. Drop the override and let SvelteKit's default apply (Secure everywhere except http://localhost), giving Secure in production and on https://due.localhost while keeping plain-http local dev working. httpOnly is unchanged (the client reads the token from layout data; tightening that is tracked separately as the architectural part of C2).
-rw-r--r--src/lib/Utility/oauth.ts1
-rw-r--r--src/routes/api/authentication/log-out/+server.ts1
-rw-r--r--src/routes/api/oauth/refresh/+server.ts1
3 files changed, 0 insertions, 3 deletions
diff --git a/src/lib/Utility/oauth.ts b/src/lib/Utility/oauth.ts
index c225d43c..84dd8ab8 100644
--- a/src/lib/Utility/oauth.ts
+++ b/src/lib/Utility/oauth.ts
@@ -43,7 +43,6 @@ export const callback = async (options: CallbackOptions) => {
maxAge: 31536000 / 2,
httpOnly: false,
sameSite: "lax",
- secure: false,
},
);
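Review bot: With the override gone, whether the cookie carries Secure now depends on SvelteKit's hostname check, so on any plain-http host other than localhost (a LAN address or a hosts-file alias used for device testing) the browser rejects the Secure cookie and sign-in silently fails. Nothing at the set site records that dependency; a one-line comment next to the remaining options would save the next maintainer a confusing debug session, e.g. `// secure: left at SvelteKit's default (true except on http://localhost) — plain-http dev must use localhost`. The same applies to the log-out and refresh hunks in this commit, which drop the identical line. The enclosing `callback` function starts and ends outside the hunk.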
diff --git a/src/routes/api/authentication/log-out/+server.ts b/src/routes/api/authentication/log-out/+server.ts
index 8623dfd1..fd5d37bf 100644
--- a/src/routes/api/authentication/log-out/+server.ts
+++ b/src/routes/api/authentication/log-out/+server.ts
@@ -8,7 +8,6 @@ export const GET = ({ cookies }) => {
maxAge: 60 * 60 * 24 * 7,
httpOnly: false,
sameSite: "lax",
- secure: false,
});
redirect(303, root("/"));
diff --git a/src/routes/api/oauth/refresh/+server.ts b/src/routes/api/oauth/refresh/+server.ts
index d9e33f51..49306076 100644
--- a/src/routes/api/oauth/refresh/+server.ts
+++ b/src/routes/api/oauth/refresh/+server.ts
@@ -22,7 +22,6 @@ export const GET = async ({ url, cookies }) => {
maxAge: 60 * 60 * 24 * 7,
httpOnly: false,
sameSite: "lax",
- secure: false,
});
if (url.searchParams.get("redirect")) redirect(303, "/");