fix(auth): use SameSite=None for refresh token cookie to fix desktop app

SameSite=Strict prevents the browser from sending the HttpOnly refresh
token cookie in cross-origin contexts like the Electron desktop app,
where the page runs on localhost but the API is on a remote host. This
caused sessions to expire quickly because refresh requests never
included the cookie.

SameSite=None allows cross-origin sending while HttpOnly still prevents
JavaScript from reading the cookie value (XSS protection).

Resolves #2309
kolaente 2026-03-02 13:40:28 +01:00
parent 79dbb40985
commit 28f98a7a96
GPG Key ID: F40E70337AB24C9B (signature not verified: no known key found in database)
1 changed file with 1 addition and 1 deletion


@ -62,7 +62,7 @@ func SetRefreshTokenCookie(c *echo.Context, token string, maxAge int) {
MaxAge: maxAge,
HttpOnly: true,
Secure: secure,
SameSite: http.SameSiteStrictMode,
SameSite: http.SameSiteNoneMode,
})
}
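Review bot: `SameSite: http.SameSiteNoneMode` is only honoured by browsers when the cookie also carries the `Secure` attribute, but this hunk leaves `Secure: secure` as a runtime variable; if `secure` is ever false (plain-HTTP deployments, local development), browsers will reject the cookie outright and the refresh flow will break silently. Either force `Secure: true` whenever `SameSiteNoneMode` is chosen, or fall back to `http.SameSiteLaxMode` when `secure` is false, and document which it is. Also worth noting in the commit or a code comment: moving from Strict to None removes the CSRF protection the Strict setting gave the refresh endpoint, so that endpoint should rely on an explicit origin/CORS allow-list (and, ideally, a non-simple request requirement such as a custom header) rather than on the cookie attribute alone.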