From 28f98a7a968ca5ee1d00db1fce02bb26b61cd410 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 2 Mar 2026 13:40:28 +0100
Subject: [PATCH] fix(auth): use SameSite=None for refresh token cookie to fix desktop app

SameSite=Strict prevents the browser from sending the HttpOnly refresh token cookie in cross-origin contexts like the Electron desktop app, where the page runs on localhost but the API is on a remote host. This caused sessions to expire quickly because refresh requests never included the cookie. SameSite=None allows cross-origin sending while HttpOnly still prevents JavaScript from reading the cookie value (XSS protection). Resolves #2309
---
pkg/modules/auth/auth.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/modules/auth/auth.go b/pkg/modules/auth/auth.go
index ab5d7f3a5..5dc97cec9 100644
--- a/pkg/modules/auth/auth.go
+++ b/pkg/modules/auth/auth.go
@@ -62,7 +62,7 @@ func SetRefreshTokenCookie(c *echo.Context, token string, maxAge int) {
 MaxAge: maxAge,
 HttpOnly: true,
 Secure: secure,
- SameSite: http.SameSiteStrictMode,
+ SameSite: http.SameSiteNoneMode,
 })
 }
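Review bot: The new `SameSite: http.SameSiteNoneMode` is only honoured by browsers when the cookie is also `Secure`, and `Secure: secure` on the line above takes a variable computed before this hunk, so in any deployment where `secure` ends up false (plain-HTTP or a proxy setup where the scheme is not detected) the refresh cookie is now silently discarded by the browser instead of being sent under Strict as before. A small guard keeps the previous behaviour in that case: `sameSite := http.SameSiteNoneMode`, `if !secure { sameSite = http.SameSiteStrictMode }`, and then `SameSite: sameSite,` in the literal, with a why-comment such as `// SameSite=None so the Electron desktop app (page on localhost, API remote) can send the cookie; browsers reject None without Secure`. Separately, Strict was also the cookie-level CSRF defence for the refresh endpoint; HttpOnly, which the commit message credits, stops script from reading the value but not the browser from attaching it to a cross-site request, so the refresh handler (not visible here) presumably needs an Origin/CORS-with-credentials allowlist to compensate — worth confirming. SetRefreshTokenCookie's body begins before this hunk, so the guard belongs next to where `secure` is assigned.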