vikunja/pkg/modules/auth
kolaente 28f98a7a96
fix(auth): use SameSite=None for refresh token cookie to fix desktop app

SameSite=Strict prevents the browser from sending the HttpOnly refresh
token cookie in cross-origin contexts like the Electron desktop app,
where the page runs on localhost but the API is on a remote host. This
caused sessions to expire quickly because refresh requests never
included the cookie.

SameSite=None allows cross-origin sending while HttpOnly still prevents
JavaScript from reading the cookie value (XSS protection).

Resolves #2309
2026-03-02 13:54:10 +01:00
ldap     fix: use caller's session in LDAP syncUserGroups to avoid nested transactions   2026-02-25 11:03:02 +01:00
openid   fix: eliminate nested database sessions to prevent table locks                   2026-02-25 11:03:02 +01:00
auth.go  fix(auth): use SameSite=None for refresh token cookie to fix desktop app         2026-03-02 13:54:10 +01:00