Chore/Secure Cookies Env Variable (#5281)

Enhanced cookie security handling in the passport middleware to allow explicit configuration of secure cookie settings.

docker/.env.example

@@ -99,6 +99,7 @@ JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
 # EXPRESS_SESSION_SECRET=flowise
+# SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15

docker/docker-compose-queue-prebuilt.yml

@@ -89,6 +89,7 @@ services:
             - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
             - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
             - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
+            - SECURE_COOKIES=${SECURE_COOKIES}
 
             # EMAIL
             - SMTP_HOST=${SMTP_HOST}
@@ -232,6 +233,7 @@ services:
             - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
             - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
             - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
+            - SECURE_COOKIES=${SECURE_COOKIES}
 
             # EMAIL
             - SMTP_HOST=${SMTP_HOST}

docker/docker-compose.yml

@@ -74,6 +74,7 @@ services:
             - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
             - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
             - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
+            - SECURE_COOKIES=${SECURE_COOKIES}
 
             # EMAIL
             - SMTP_HOST=${SMTP_HOST}

docker/worker/.env.example

@@ -99,6 +99,7 @@ JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
 # EXPRESS_SESSION_SECRET=flowise
+# SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15

docker/worker/docker-compose.yml

@@ -74,6 +74,7 @@ services:
             - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
             - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
             - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
+            - SECURE_COOKIES=${SECURE_COOKIES}
 
             # EMAIL
             - SMTP_HOST=${SMTP_HOST}

packages/server/.env.example

@@ -99,6 +99,7 @@ JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
 # EXPRESS_SESSION_SECRET=flowise
+# SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15

packages/server/src/enterprise/middleware/passport/index.ts

@@ -33,7 +33,16 @@ const expireAuthTokensOnRestart = process.env.EXPIRE_AUTH_TOKENS_ON_RESTART ===
 const jwtAuthTokenSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token'
 const jwtRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || process.env.JWT_AUTH_TOKEN_SECRET || 'refresh_token'
 
-const secureCookie = process.env.APP_URL?.startsWith('https') ? true : false
+// Allow explicit override of cookie security settings
+// This is useful when running behind a reverse proxy/load balancer that terminates SSL
+const secureCookie =
+    process.env.SECURE_COOKIES === 'false'
+        ? false
+        : process.env.SECURE_COOKIES === 'true'
+        ? true
+        : process.env.APP_URL?.startsWith('https')
+        ? true
+        : false
 const jwtOptions = {
     secretOrKey: jwtAuthTokenSecret,
     audience: jwtAudience,