Fix 401 Unauthorized on all API calls after login (HTTP installs)

Root cause: cookie was set with Secure=true whenever NODE_ENV=production.
Browsers refuse to send Secure cookies over plain HTTP, so the session
cookie was dropped on every request after login — causing every protected
endpoint to return 401.

Fix: replace the NODE_ENV check with an explicit COOKIE_SECURE env var
(default false). Set COOKIE_SECURE=true only when running behind an HTTPS
reverse proxy. Direct HTTP installs (standard Unraid setup) work as-is.

Also updated UNRAID.md to document COOKIE_SECURE with a warning explaining
why it must stay false for plain-HTTP access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 22:40:08 -05:00
parent 2c95d01e7a
commit 69b7262535
2 changed files with 8 additions and 1 deletions


@@ -5,10 +5,13 @@ import { authMiddleware } from '../middleware/authMiddleware';
export const authRouter = Router();
// secure:true requires HTTPS — for plain-HTTP homelab installs (Unraid, etc.)
// this must be false so the browser actually sends the cookie back.
// Set COOKIE_SECURE=true in your env only if you're behind an HTTPS reverse proxy.
const COOKIE_OPTS = {
httpOnly: true,
sameSite: 'strict' as const,
secure: process.env.NODE_ENV === 'production',
secure: process.env.COOKIE_SECURE === 'true',
path: '/',
};
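Review bot: the new default turns `secure` off in every environment, production included, so a deployment that really is behind an HTTPS reverse proxy but forgets to set COOKIE_SECURE=true now gets a session cookie the browser will also send over plain HTTP; consider a startup warning when `process.env.NODE_ENV === 'production'` and `COOKIE_SECURE` is unset, so the weaker default is at least visible in the logs. A second point on the replaced line: `process.env.COOKIE_SECURE === 'true'` is a strict string comparison, so `COOKIE_SECURE=1`, `TRUE` or `yes` silently evaluate to false, which reproduces the same class of confusing failure this commit is fixing (cookie flag silently wrong for the deployment); either normalize the value, e.g. `['true', '1', 'yes'].includes((process.env.COOKIE_SECURE ?? '').trim().toLowerCase())`, or state in the comment above `COOKIE_OPTS` and in UNRAID.md that the only accepted value is the exact string `true`. Keeping `httpOnly: true` and `sameSite: 'strict'` unchanged is the right call; they are what still limits the exposure of the cookie on the plain-HTTP installs this change targets.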