Enhanced cookie security handling in the passport middleware to allow explicit configuration of secure cookie settings.

2025-10-01 11:45:47 +01:00
7 changed files with 17 additions and 1 deletions
--- a/docker/.env.example
+++ b/docker/.env.example
@ -99,6 +99,7 @@ JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
 # EXPRESS_SESSION_SECRET=flowise
 # SECURE_COOKIES=
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15
--- a/docker/docker-compose-queue-prebuilt.yml
+++ b/docker/docker-compose-queue-prebuilt.yml
@ -89,6 +89,7 @@ services:
            - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
            - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
            - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
            - SECURE_COOKIES=${SECURE_COOKIES}
            # EMAIL
            - SMTP_HOST=${SMTP_HOST}
@ -232,6 +233,7 @@ services:
            - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
            - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
            - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
            - SECURE_COOKIES=${SECURE_COOKIES}
            # EMAIL
            - SMTP_HOST=${SMTP_HOST}
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -74,6 +74,7 @@ services:
            - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
            - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
            - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
            - SECURE_COOKIES=${SECURE_COOKIES}
            # EMAIL
            - SMTP_HOST=${SMTP_HOST}
--- a/docker/worker/.env.example
+++ b/docker/worker/.env.example
@ -99,6 +99,7 @@ JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
 # EXPRESS_SESSION_SECRET=flowise
 # SECURE_COOKIES=
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15
--- a/docker/worker/docker-compose.yml
+++ b/docker/worker/docker-compose.yml
@ -74,6 +74,7 @@ services:
            - PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=${PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS}
            - PASSWORD_SALT_HASH_ROUNDS=${PASSWORD_SALT_HASH_ROUNDS}
            - TOKEN_HASH_SECRET=${TOKEN_HASH_SECRET}
            - SECURE_COOKIES=${SECURE_COOKIES}
            # EMAIL
            - SMTP_HOST=${SMTP_HOST}
--- a/packages/server/.env.example
+++ b/packages/server/.env.example
@ -99,6 +99,7 @@ JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
 # EXPRESS_SESSION_SECRET=flowise
 # SECURE_COOKIES=
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15
--- a/packages/server/src/enterprise/middleware/passport/index.ts
+++ b/packages/server/src/enterprise/middleware/passport/index.ts
@ -33,7 +33,16 @@ const expireAuthTokensOnRestart = process.env.EXPIRE_AUTH_TOKENS_ON_RESTART ===
 const jwtAuthTokenSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token'
 const jwtRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || process.env.JWT_AUTH_TOKEN_SECRET || 'refresh_token'
-const secureCookie = process.env.APP_URL?.startsWith('https') ? true : false
+// Allow explicit override of cookie security settings
 // This is useful when running behind a reverse proxy/load balancer that terminates SSL
 const secureCookie =
    process.env.SECURE_COOKIES === 'false'
        ? false
        : process.env.SECURE_COOKIES === 'true'
        ? true
        : process.env.APP_URL?.startsWith('https')
        ? true
        : false
 const jwtOptions = {
    secretOrKey: jwtAuthTokenSecret,
    audience: jwtAudience,