diff --git a/apps/nextjs/src/app/api/auth/[...nextauth]/route.ts b/apps/nextjs/src/app/api/auth/[...nextauth]/route.ts
index 7aae12a0d..ec6065d0c 100644
--- a/apps/nextjs/src/app/api/auth/[...nextauth]/route.ts
+++ b/apps/nextjs/src/app/api/auth/[...nextauth]/route.ts
@@ -5,10 +5,23 @@ import type { SupportedAuthProvider } from "@homarr/definitions";
 import { logger } from "@homarr/log";
 export const GET = async (req: NextRequest) => {
- return await createHandlers(extractProvider(req)).handlers.GET(reqWithTrustedOrigin(req));
+ return await createHandlers(extractProvider(req), isSecureCookieEnabled(req)).handlers.GET(reqWithTrustedOrigin(req));
 };
 export const POST = async (req: NextRequest) => {
- return await createHandlers(extractProvider(req)).handlers.POST(reqWithTrustedOrigin(req));
+ return await createHandlers(extractProvider(req), isSecureCookieEnabled(req)).handlers.POST(
+ reqWithTrustedOrigin(req),
+ );
+};
+
+/**
+ * wheter to use secure cookies or not, is only supported for https.
+ * For http it will not add the cookie as it is not considered secure.
+ * @param req request containing the url
+ * @returns true if the request is https, false otherwise
+ */
+const isSecureCookieEnabled = (req: NextRequest): boolean => {
+ const url = new URL(req.url);
+ return url.protocol === "https:";
 };
 /**
diff --git a/packages/auth/configuration.ts b/packages/auth/configuration.ts
index 65d67d4b4..4c00a0b20 100644
--- a/packages/auth/configuration.ts
+++ b/packages/auth/configuration.ts
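Review bot: `isSecureCookieEnabled` derives the Secure attribute from `new URL(req.url).protocol`, which is the scheme the Node process sees rather than the one the browser used; behind a TLS-terminating reverse proxy that is `http:`, so the session cookie written in configuration.ts would be issued without Secure on an https deployment. Since `reqWithTrustedOrigin` already exists in this file, the same trusted-origin / forwarded-scheme logic (or an explicit configuration flag) is presumably the right input for this decision instead of the raw request URL, though its body is not visible in the hunk. The JSDoc also has a typo and describes browser behaviour rather than the function's contract; suggested wording: `* Whether session cookies should carry the Secure attribute: true only when the request scheme is https (browsers do not store Secure cookies received over http).`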
@@ -18,7 +18,11 @@ import { createRedirectUri } from "./redirect";
 import { expireDateAfter, generateSessionToken, sessionTokenCookieName } from "./session";
 // See why it's unknown in the [...nextauth]/route.ts file
-export const createConfiguration = (provider: SupportedAuthProvider | "unknown", headers: ReadonlyHeaders | null) => {
+export const createConfiguration = (
+ provider: SupportedAuthProvider | "unknown",
+ headers: ReadonlyHeaders | null,
+ useSecureCookies: boolean,
+) => {
 const adapter = createAdapter(db, provider);
 return NextAuth({
 logger: {
@@ -37,12 +41,6 @@ export const createConfiguration = (provider: SupportedAuthProvider | "unknown",
 cookies: {
 sessionToken: {
 name: sessionTokenCookieName,
- options: {
- httpOnly: true,
- sameSite: "lax",
- path: "/",
- secure: true,
- },
 },
 },
 adapter,
@@ -81,7 +79,7 @@ export const createConfiguration = (provider: SupportedAuthProvider | "unknown",
 expires: expires,
 httpOnly: true,
 sameSite: "lax",
- secure: true,
+ secure: useSecureCookies,
 });
 return true;
diff --git a/packages/auth/index.ts b/packages/auth/index.ts
index 877574b84..44dbde74a 100644
--- a/packages/auth/index.ts
+++ b/packages/auth/index.ts
@@ -20,6 +20,7 @@ declare module "next-auth" {
 export * from "./security";
 // See why it's unknown in the [...nextauth]/route.ts file
-export const createHandlers = (provider: SupportedAuthProvider | "unknown") => createConfiguration(provider, headers());
+export const createHandlers = (provider: SupportedAuthProvider | "unknown", useSecureCookies: boolean) =>
+ createConfiguration(provider, headers(), useSecureCookies);
 export { getSessionFromTokenAsync as getSessionFromToken, sessionTokenCookieName } from "./session";
diff --git a/packages/auth/next.ts b/packages/auth/next.ts
index c1bb37752..848a67f42 100644
--- a/packages/auth/next.ts
+++ b/packages/auth/next.ts
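Review bot: The new `useSecureCookies` parameter on `createConfiguration` is undocumented; the only comment above the signature explains the `"unknown"` provider. Add a `@param useSecureCookies` line stating that it controls the Secure attribute of the session cookie and must be true whenever users reach the app over https, since without Secure the browser will also send the cookie on plain-http requests to the same host. The body of createConfiguration continues outside this hunk.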
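Review bot: Removing the whole `options` block for `sessionToken` drops the explicit `httpOnly`, `sameSite: "lax"` and `path: "/"` settings together with `secure`, so those flags now rely on Auth.js deep-merging its defaults into a partial cookie spec; if only `secure` was meant to change, keeping `options: { httpOnly: true, sameSite: "lax", path: "/" },` and leaving `secure` to Auth.js makes the intent explicit and survives a library upgrade. The visible hunks also never hand `useSecureCookies` to `NextAuth({ ... })`, while the manual cookie write in the `-81,7` hunk now uses it; if Auth.js derives its own value from the configured URL, the library-issued and manually-issued session cookies can carry different Secure flags. Passing `useSecureCookies,` in the NextAuth options (outside this hunk) would keep the two in step.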
@@ -2,7 +2,7 @@ import { cache } from "react";
 import { createConfiguration } from "./configuration";
-const { auth: defaultAuth } = createConfiguration("unknown", null);
+const { auth: defaultAuth } = createConfiguration("unknown", null, false);
 /**
 * This is the main way to get session data for your RSCs.