From eddfd752c26c991b12152bd793c129d28ca9c8ae Mon Sep 17 00:00:00 2001
From: nyk <93952610+0xNyk@users.noreply.github.com>
Date: Thu, 12 Mar 2026 22:14:47 +0700
Subject: [PATCH] fix(auth): allow login on fresh HTTP Docker installs (#304)
* fix(auth): allow login cookies on HTTP docker deployments
* test(types): avoid readonly process.env writes in session-cookie tests
---
 src/lib/__tests__/session-cookie.test.ts | 40 ++++++++++++++++++++++++
 src/lib/session-cookie.ts | 2 +-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 src/lib/__tests__/session-cookie.test.ts
diff --git a/src/lib/__tests__/session-cookie.test.ts b/src/lib/__tests__/session-cookie.test.ts
new file mode 100644
index 0000000..7fb1e88
--- /dev/null
+++ b/src/lib/__tests__/session-cookie.test.ts
@@ -0,0 +1,40 @@
+import { afterEach, describe, expect, it } from 'vitest'
+import { getMcSessionCookieOptions } from '../session-cookie'
+
+describe('getMcSessionCookieOptions', () => {
+ const env = process.env as Record
+ const originalNodeEnv = env.NODE_ENV
+ const originalCookieSecure = env.MC_COOKIE_SECURE
+
+ afterEach(() => {
+ if (originalNodeEnv === undefined) delete env.NODE_ENV
+ else env.NODE_ENV = originalNodeEnv
+
+ if (originalCookieSecure === undefined) delete env.MC_COOKIE_SECURE
+ else env.MC_COOKIE_SECURE = originalCookieSecure
+ })
+
+ it('does not force secure cookies on plain HTTP in production when MC_COOKIE_SECURE is unset', () => {
+ env.NODE_ENV = 'production'
+ delete env.MC_COOKIE_SECURE
+
+ const options = getMcSessionCookieOptions({ maxAgeSeconds: 60, isSecureRequest: false })
+ expect(options.secure).toBe(false)
+ })
+
+ it('sets secure cookies for HTTPS requests when MC_COOKIE_SECURE is unset', () => {
+ env.NODE_ENV = 'production'
+ delete env.MC_COOKIE_SECURE
+
+ const options = getMcSessionCookieOptions({ maxAgeSeconds: 60, isSecureRequest: true })
+ expect(options.secure).toBe(true)
+ })
+
+ it('respects MC_COOKIE_SECURE override', () => {
+ env.NODE_ENV = 'production'
+ env.MC_COOKIE_SECURE = '1'
+
+ const options = getMcSessionCookieOptions({ maxAgeSeconds: 60, isSecureRequest: false })
+ expect(options.secure).toBe(true)
+ })
+})
diff --git a/src/lib/session-cookie.ts b/src/lib/session-cookie.ts
index d3ffc4b..a5d9065 100644
--- a/src/lib/session-cookie.ts
+++ b/src/lib/session-cookie.ts
@@ -35,7 +35,7 @@ function envFlag(name: string): boolean | undefined {
 export function getMcSessionCookieOptions(input: { maxAgeSeconds: number; isSecureRequest?: boolean }): Partial {
 const secureEnv = envFlag('MC_COOKIE_SECURE')
- const secure = secureEnv ?? input.isSecureRequest ?? process.env.NODE_ENV === 'production'
+ const secure = secureEnv ?? input.isSecureRequest ?? false
 return {
 httpOnly: true,
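Review bot: None of the three cases in this new test file omits `isSecureRequest`, which is the only input for which the commit changes the result. With `isSecureRequest: false` the old expression `secureEnv ?? input.isSecureRequest ?? process.env.NODE_ENV === 'production'` already evaluated to `false`, so the first test passes both before and after the fix. Add a case that sets `NODE_ENV = 'production'`, leaves `MC_COOKIE_SECURE` unset, calls `getMcSessionCookieOptions({ maxAgeSeconds: 60 })` and asserts `options.secure` is `false`, so the new default is pinned and a later change to it is noticed. A case with `MC_COOKIE_SECURE` set to a false value and `isSecureRequest: true` would also pin that the override wins in both directions; the accepted spellings are decided in `envFlag`, which is outside this diff.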
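Review bot: The new `?? false` fallback on the `const secure` line fails open. Any caller that omits `isSecureRequest` now issues the session cookie without `Secure` in production unless `MC_COOKIE_SECURE` is set, where the old code defaulted to `Secure`. Because the parameter is optional the downgrade is silent, so consider making `isSecureRequest` required so each call site decides explicitly, or at least document it above the line with `// No Secure by default: callers must pass isSecureRequest, or set MC_COOKIE_SECURE=1 for HTTPS deployments.` How callers derive `isSecureRequest` is not visible here; if it comes from the request URL alone, a deployment behind a TLS-terminating proxy would presumably be seen as plain HTTP and should set `MC_COOKIE_SECURE=1`. The body of `getMcSessionCookieOptions` continues past the end of this hunk.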