fix(auth): correct refresh cookie path for reverse proxy

Cookie was set with path="/api/auth" but browser-visible URL is
"/cc-dashboard/api/auth/..." — browser never sent the cookie back.
Fix: derive path from BASE_PATH so it matches the full proxy-prefixed URL.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Vadym Samoilenko 2026-05-13 13:04:11 +01:00
parent fde9b61465
commit 0148b81e9c


@ -14,6 +14,8 @@ from src.sso import validate_microsoft_id_token
_REFRESH_COOKIE = "refresh_token"
_REFRESH_MAX_AGE = settings.REFRESH_TOKEN_EXPIRE_DAYS * 86400
# Cookie path must match the browser-visible URL (including BASE_PATH prefix from reverse proxy)
_COOKIE_PATH = f"{settings.BASE_PATH}/api/auth" if settings.BASE_PATH else "/api/auth"
def _set_refresh_cookie(response: Response, token: str) -> None:
@ -24,12 +26,12 @@ def _set_refresh_cookie(response: Response, token: str) -> None:
secure=not settings.DEBUG,
samesite="lax",
max_age=_REFRESH_MAX_AGE,
path="/api/auth",
path=_COOKIE_PATH,
)
def _clear_refresh_cookie(response: Response) -> None:
response.delete_cookie(key=_REFRESH_COOKIE, path="/api/auth")
response.delete_cookie(key=_REFRESH_COOKIE, path=_COOKIE_PATH)
router = APIRouter(prefix="/api/auth", tags=["auth"])
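Review bot: The new `_COOKIE_PATH` in the first hunk concatenates `settings.BASE_PATH` with a literal `/api/auth`, so a prefix configured with a trailing slash (e.g. `/cc-dashboard/`) would yield `/cc-dashboard//api/auth`, which the browser's path-match would not send the cookie back for — the same silent failure this commit fixes, reintroduced by a config-format detail; whether BASE_PATH can carry a trailing slash is not visible here, so normalize defensively: `_COOKIE_PATH = f"{settings.BASE_PATH.rstrip('/')}/api/auth" if settings.BASE_PATH else "/api/auth"`. Keeping the refresh cookie scoped to the auth path rather than `/` is the right call, since it keeps the long-lived refresh token out of every other API request, and deriving the `delete_cookie` path from the same constant in the second hunk is what makes logout actually clear it. Because a path mismatch produces no error on either side (the browser just withholds the cookie), a small test that issues a refresh request against the configured BASE_PATH and asserts the cookie is echoed back would catch this class of regression earlier than a dashboard login loop does. The `_set_refresh_cookie` body starts before the second hunk and the `router` definition continues after it.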