From 0148b81e9cccc90f02387cde4e2d26e72520680f Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Wed, 13 May 2026 13:04:11 +0100
Subject: [PATCH] fix(auth): correct refresh cookie path for reverse proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cookie was set with path="/api/auth" but browser-visible URL is "/cc-dashboard/api/auth/..." — browser never sent the cookie back. Fix: derive path from BASE_PATH so it matches the full proxy-prefixed URL.
Co-Authored-By: Claude Sonnet 4.6
---
 src/routers/auth.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/routers/auth.py b/src/routers/auth.py
index 59cf1d0..a674c31 100644
--- a/src/routers/auth.py
+++ b/src/routers/auth.py
@@ -14,6 +14,8 @@ from src.sso import validate_microsoft_id_token
 _REFRESH_COOKIE = "refresh_token"
 _REFRESH_MAX_AGE = settings.REFRESH_TOKEN_EXPIRE_DAYS * 86400
+# Cookie path must match the browser-visible URL (including BASE_PATH prefix from reverse proxy)
+_COOKIE_PATH = f"{settings.BASE_PATH}/api/auth" if settings.BASE_PATH else "/api/auth"
 def _set_refresh_cookie(response: Response, token: str) -> None:
@@ -24,12 +26,12 @@ def _set_refresh_cookie(response: Response, token: str) -> None:
 secure=not settings.DEBUG,
 samesite="lax",
 max_age=_REFRESH_MAX_AGE,
- path="/api/auth",
+ path=_COOKIE_PATH,
 )
 def _clear_refresh_cookie(response: Response) -> None:
- response.delete_cookie(key=_REFRESH_COOKIE, path="/api/auth")
+ response.delete_cookie(key=_REFRESH_COOKIE, path=_COOKIE_PATH)
 router = APIRouter(prefix="/api/auth", tags=["auth"])
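Review bot: The new `_COOKIE_PATH` in the first hunk concatenates `settings.BASE_PATH` verbatim, so a value with a trailing slash (e.g. `/cc-dashboard/`) produces `/cc-dashboard//api/auth`, which is not a prefix of the real request path and the browser silently withholds the cookie again — the exact failure this commit is fixing, now dependent on how the setting happens to be written. Normalizing once at the constant avoids that: `_COOKIE_PATH = f"{settings.BASE_PATH.rstrip('/')}/api/auth" if settings.BASE_PATH else "/api/auth"`. Because the same constant feeds both `set_cookie` and `delete_cookie` in the second hunk (inside `_set_refresh_cookie`, whose body starts outside the hunk, and `_clear_refresh_cookie`), fixing it at the definition keeps the set and clear paths consistent. Whether BASE_PATH is already validated in settings (leading slash, no trailing slash) is not visible here; if it is, a comment on the constant stating that invariant would spare the next reader this check.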