neogenia/neo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP - fix browser refresh not holding user authentication

Browse Source
This commit is contained in:
Francisco Gaona
2026-02-04 08:55:08 +01:00
parent 0e2f3dddbc
commit 49a571215d
4 changed files with 49 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
frontend/server/utils/session.ts
View File

@@ -1,5 +1,5 @@
import type { H3Event } from 'h3'
import { getCookie, setCookie, deleteCookie } from 'h3'
import { getCookie, setCookie, deleteCookie, getHeader } from 'h3'
const SESSION_COOKIE_NAME = 'routebox_session'
const SESSION_MAX_AGE = 60 * 60 * 24 * 7 // 7 days
@@ -11,6 +11,25 @@ export interface SessionData {
email: string
}
/**
* Determine if the request is over a secure connection
* Checks both direct HTTPS and proxy headers
*/
function isSecureRequest(event: H3Event): boolean {
// Check x-forwarded-proto header (set by reverse proxies)
const forwardedProto = getHeader(event, 'x-forwarded-proto')
if (forwardedProto === 'https') {
return true
}
// Check if NODE_ENV is production (assume HTTPS in production)
if (process.env.NODE_ENV === 'production') {
return true
}
return false
}
/**
* Get the session token from HTTP-only cookie
*/
@@ -22,11 +41,11 @@ export function getSessionToken(event: H3Event): string | null {
* Set the session token in an HTTP-only cookie
*/
export function setSessionCookie(event: H3Event, token: string): void {
const isProduction = process.env.NODE_ENV === 'production'
const secure = isSecureRequest(event)
setCookie(event, SESSION_COOKIE_NAME, token, {
httpOnly: true,
secure: isProduction,
secure,
sameSite: 'lax',
maxAge: SESSION_MAX_AGE,
path: '/',
@@ -54,11 +73,11 @@ export function getTenantIdFromCookie(event: H3Event): string | null {
* Set tenant ID cookie (readable by client for context)
*/
export function setTenantIdCookie(event: H3Event, tenantId: string): void {
const isProduction = process.env.NODE_ENV === 'production'
const secure = isSecureRequest(event)
setCookie(event, 'routebox_tenant', tenantId, {
httpOnly: false, // Allow client to read tenant context
secure: isProduction,
secure,
sameSite: 'lax',
maxAge: SESSION_MAX_AGE,
path: '/',