From f469faf740d7ee3d3a7b0ffaa2bd7364463c7803 Mon Sep 17 00:00:00 2001
From: amaliadwiy
Date: Thu, 7 May 2026 11:12:30 +0800
Subject: [PATCH] fix: add Secure flag to session cookies in production
---
 src/app.ts | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/app.ts b/src/app.ts
index 91e2f03..4a4d98d 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -11,6 +11,9 @@ import { getMinioDownloadUrl, uploadBugImage } from './lib/minio'
 import { addConnection, broadcastToAdmins, getOnlineUserIds, removeConnection } from './lib/presence'
 import { parseSchema } from './lib/schema-parser'
+const isProduction = process.env.NODE_ENV === 'production'
+const cookieFlags = isProduction ? '; Secure' : ''
 function getPublicOrigin(request: Request): string {
 if (process.env.BUN_PUBLIC_BASE_URL) return process.env.BUN_PUBLIC_BASE_URL.replace(/\/$/, '')
 const url = new URL(request.url)
@@ -127,7 +130,7 @@ export function createApp() {
 })
 const headers = new Headers()
 headers.set('Location', `https://accounts.google.com/o/oauth2/v2/auth?${params}`)
- headers.set('Set-Cookie', `oauth_state=${state}; Path=/; HttpOnly; SameSite=Lax; Max-Age=600`)
+ headers.set('Set-Cookie', `oauth_state=${state}; Path=/; HttpOnly; SameSite=Lax; Max-Age=600${cookieFlags}`)
 return new Response(null, { status: 302, headers })
 }, {
 detail: {
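Review bot: Gating `Secure` on `NODE_ENV === 'production'` in the new `isProduction` line means a deployment that never exports NODE_ENV (easy to miss under Bun, which does not set it for you) ships every session cookie without the flag even though it is served over TLS. The `getPublicOrigin` function directly below already treats `BUN_PUBLIC_BASE_URL` as the public origin, so that same setting can decide the flag: `const isProduction = process.env.NODE_ENV === 'production' || (process.env.BUN_PUBLIC_BASE_URL ?? '').startsWith('https://')`. A safer default would be Secure-on unless NODE_ENV is explicitly `development` or `test`; current Chrome and Firefox accept Secure cookies on http://localhost as far as I know, so local development is presumably unaffected, but that is worth confirming before flipping the default. A one-line comment on `cookieFlags` stating that it is appended to every Set-Cookie in this file, including the clearing ones, would tell the next reader why it appears in the logout and oauth_state-reset paths too.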
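Review bot: The new `oauth_state` Set-Cookie line keeps `SameSite=Lax`, and that choice deserves a comment because it is load-bearing: the Google callback arrives as a top-level cross-site navigation, and `SameSite=Strict` would withhold the cookie and make the state check fail on every login. Suggested comment above the line: `// SameSite=Lax, not Strict: the cookie must be sent on the top-level redirect back from accounts.google.com`. The handler's start and the derivation of `state` are outside this hunk, so whether `state` is generated with a CSPRNG cannot be checked from here.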
@@ -212,8 +215,8 @@ export function createApp() {
 const redirectPath = user.role === 'DEVELOPER' ? '/dev' : user.role === 'USER' ? '/profile' : '/dashboard'
 const headers = new Headers()
 headers.append('Location', redirectPath)
- headers.append('Set-Cookie', `session=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400`)
- headers.append('Set-Cookie', 'oauth_state=; Path=/; HttpOnly; Max-Age=0')
+ headers.append('Set-Cookie', `session=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400${cookieFlags}`)
+ headers.append('Set-Cookie', `oauth_state=; Path=/; HttpOnly; Max-Age=0${cookieFlags}`)
 return new Response(null, { status: 302, headers })
 }, {
 detail: {
@@ -241,7 +244,7 @@ export function createApp() {
 const token = crypto.randomUUID()
 const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000) // 24 hours
 await prisma.session.create({ data: { token, userId: user.id, expiresAt } })
- set.headers['set-cookie'] = `session=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400`
+ set.headers['set-cookie'] = `session=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400${cookieFlags}`
 await createSystemLog(user.id, 'LOGIN', 'Logged in successfully')
 return { user: { id: user.id, name: user.name, email: user.email, role: user.role, image: user.image } }
 }, {
@@ -266,7 +269,7 @@ export function createApp() {
 await prisma.session.deleteMany({ where: { token } })
 }
 }
- set.headers['set-cookie'] = 'session=; Path=/; HttpOnly; Max-Age=0'
+ set.headers['set-cookie'] = `session=; Path=/; HttpOnly; Max-Age=0${cookieFlags}`
 return { ok: true }
 }, {
 detail: {
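Review bot: The session cookie string on the first added line of this hunk is now duplicated verbatim in the password-login handler further down (`Max-Age=86400`, `SameSite=Lax`, `HttpOnly`, `${cookieFlags}`), which is exactly the kind of pair that drifts the next time one attribute changes; a small module-level helper keeps the two login paths identical. The second added line clears `oauth_state` without the `SameSite=Lax` the setter used; browsers match a cookie for deletion by name, domain and path, so this should still work, but mirroring the setter's attributes avoids having to reason about that. The OAuth callback handler begins before this hunk, so the state comparison that precedes the cookie issue cannot be reviewed here.
```typescript
// Session cookie shared by the OAuth callback and password login; keep the
// attributes in one place so Secure/SameSite/Max-Age cannot drift apart.
const SESSION_MAX_AGE = 86400
function sessionCookie(token: string): string {
  return `session=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${SESSION_MAX_AGE}${cookieFlags}`
}
// … unchanged: redirectPath, Location header …
headers.append('Set-Cookie', sessionCookie(token))
headers.append('Set-Cookie', `oauth_state=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0${cookieFlags}`)
```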
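Review bot: The 24-hour session lifetime is spelled twice in this hunk, as `24 * 60 * 60 * 1000` for the database `expiresAt` and as the literal `86400` in the new Set-Cookie line, so the server-side expiry and the browser's cookie expiry can silently diverge if either is edited alone. Deriving both from one constant removes that risk: `const SESSION_TTL_SECONDS = 24 * 60 * 60` at module level, then `const expiresAt = new Date(Date.now() + SESSION_TTL_SECONDS * 1000)` and `Max-Age=${SESSION_TTL_SECONDS}`. `crypto.randomUUID()` as the session token looks adequate (a v4 UUID carries 122 random bits from a CSPRNG), so no change is needed there. The credential check that produces `user` sits before this hunk and is not reviewable from it.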
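Review bot: The clearing cookie on the new logout line omits the `SameSite=Lax` that every setter in this file carries; deletion matches on name, domain and path, so it likely still works, but `session=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0${cookieFlags}` keeps the attribute set identical and removes the question. Appending `cookieFlags` here is not merely cosmetic and deserves a comment, since Chrome at least refuses to let a non-Secure Set-Cookie overwrite a Secure cookie, which would have left the old session cookie in place after logout; suggested: `// must carry the same Secure flag as the setter, or browsers may refuse to overwrite the Secure cookie`. The conditionals that guard the `deleteMany` call, and the handler's start, are outside this hunk.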