From 52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5 Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Mon, 1 Jun 2026 13:01:06 +0000
Subject: fix(security): mark auth cookies Secure outside localhost

The user and logout cookies were set with secure:false, so the AniList tokens the user cookie carries could traverse plaintext HTTP. Drop the override and let SvelteKit's default apply (Secure everywhere except http://localhost), giving Secure in production and on https://due.localhost while keeping plain-http local dev working. httpOnly is unchanged (the client reads the token from layout data; tightening that is tracked separately as the architectural part of C2).
---
 src/lib/Utility/oauth.ts | 1 -
 src/routes/api/authentication/log-out/+server.ts | 1 -
 src/routes/api/oauth/refresh/+server.ts | 1 -
 3 files changed, 3 deletions(-)

diff --git a/src/lib/Utility/oauth.ts b/src/lib/Utility/oauth.ts
index c225d43c..84dd8ab8 100644
--- a/src/lib/Utility/oauth.ts
+++ b/src/lib/Utility/oauth.ts
@@ -43,7 +43,6 @@ export const callback = async (options: CallbackOptions) => {
 maxAge: 31536000 / 2,
 httpOnly: false,
 sameSite: "lax",
- secure: false,
 },
 );
diff --git a/src/routes/api/authentication/log-out/+server.ts b/src/routes/api/authentication/log-out/+server.ts
index 8623dfd1..fd5d37bf 100644
--- a/src/routes/api/authentication/log-out/+server.ts
+++ b/src/routes/api/authentication/log-out/+server.ts
@@ -8,7 +8,6 @@ export const GET = ({ cookies }) => {
 maxAge: 60 * 60 * 24 * 7,
 httpOnly: false,
 sameSite: "lax",
- secure: false,
 });
 redirect(303, root("/"));
diff --git a/src/routes/api/oauth/refresh/+server.ts b/src/routes/api/oauth/refresh/+server.ts
index d9e33f51..49306076 100644
--- a/src/routes/api/oauth/refresh/+server.ts
+++ b/src/routes/api/oauth/refresh/+server.ts
@@ -22,7 +22,6 @@ export const GET = async ({ url, cookies }) => {
 maxAge: 60 * 60 * 24 * 7,
 httpOnly: false,
 sameSite: "lax",
- secure: false,
 });
 if (url.searchParams.get("redirect")) redirect(303, "/");
-- 
cgit v1.2.3
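Review bot: After this deletion the Secure attribute is set only by SvelteKit's implicit default, and nothing in the options literal tells a later reader that the omission is deliberate; a one-line comment above `sameSite: "lax",` in this hunk would pin the intent, e.g. `// secure intentionally omitted: SvelteKit defaults it to true except on hostname localhost`, and the same comment belongs in the log-out and refresh hunks. As far as I recall that default is keyed on the hostname rather than on the request protocol, so local testing via `http://127.0.0.1` or a LAN address will now receive a Secure cookie that browsers will not store over plain HTTP, and a silent login failure there is the expected symptom, not a regression. The enclosing `cookies.set` calls and their handlers begin and end outside all three hunks, so the cookie names and values, and whether log-out overwrites the same cookie with matching path and domain, cannot be confirmed from this patch.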