fix: credentials login not working cause of cookie secure flag not possible for http (#1421)

* fix: credentials login not working cause of cookie secure flag not possible for http

* chore: add missing comment

* fix: lint issue

apps/nextjs/src/app/api/auth/[...nextauth]/route.ts

@@ -5,10 +5,23 @@ import type { SupportedAuthProvider } from "@homarr/definitions";
 import { logger } from "@homarr/log";
 
 export const GET = async (req: NextRequest) => {
-  return await createHandlers(extractProvider(req)).handlers.GET(reqWithTrustedOrigin(req));
+  return await createHandlers(extractProvider(req), isSecureCookieEnabled(req)).handlers.GET(reqWithTrustedOrigin(req));
 };
 export const POST = async (req: NextRequest) => {
-  return await createHandlers(extractProvider(req)).handlers.POST(reqWithTrustedOrigin(req));
+  return await createHandlers(extractProvider(req), isSecureCookieEnabled(req)).handlers.POST(
+    reqWithTrustedOrigin(req),
+  );
+};
+
+/**
+ * wheter to use secure cookies or not, is only supported for https.
+ * For http it will not add the cookie as it is not considered secure.
+ * @param req request containing the url
+ * @returns true if the request is https, false otherwise
+ */
+const isSecureCookieEnabled = (req: NextRequest): boolean => {
+  const url = new URL(req.url);
+  return url.protocol === "https:";
 };
 
 /**

packages/auth/configuration.ts

@@ -18,7 +18,11 @@ import { createRedirectUri } from "./redirect";
 import { expireDateAfter, generateSessionToken, sessionTokenCookieName } from "./session";
 
 // See why it's unknown in the [...nextauth]/route.ts file
-export const createConfiguration = (provider: SupportedAuthProvider | "unknown", headers: ReadonlyHeaders | null) => {
+export const createConfiguration = (
+  provider: SupportedAuthProvider | "unknown",
+  headers: ReadonlyHeaders | null,
+  useSecureCookies: boolean,
+) => {
   const adapter = createAdapter(db, provider);
   return NextAuth({
     logger: {
@@ -37,12 +41,6 @@ export const createConfiguration = (provider: SupportedAuthProvider | "unknown",
     cookies: {
       sessionToken: {
         name: sessionTokenCookieName,
-        options: {
-          httpOnly: true,
-          sameSite: "lax",
-          path: "/",
-          secure: true,
-        },
       },
     },
     adapter,
@@ -81,7 +79,7 @@ export const createConfiguration = (provider: SupportedAuthProvider | "unknown",
           expires: expires,
           httpOnly: true,
           sameSite: "lax",
-          secure: true,
+          secure: useSecureCookies,
         });
 
         return true;

packages/auth/index.ts

@@ -20,6 +20,7 @@ declare module "next-auth" {
 export * from "./security";
 
 // See why it's unknown in the [...nextauth]/route.ts file
-export const createHandlers = (provider: SupportedAuthProvider | "unknown") => createConfiguration(provider, headers());
+export const createHandlers = (provider: SupportedAuthProvider | "unknown", useSecureCookies: boolean) =>
+  createConfiguration(provider, headers(), useSecureCookies);
 
 export { getSessionFromTokenAsync as getSessionFromToken, sessionTokenCookieName } from "./session";

packages/auth/next.ts

@@ -2,7 +2,7 @@ import { cache } from "react";
 
 import { createConfiguration } from "./configuration";
 
-const { auth: defaultAuth } = createConfiguration("unknown", null);
+const { auth: defaultAuth } = createConfiguration("unknown", null, false);
 
 /**
  * This is the main way to get session data for your RSCs.