fix: Check x-forwarded-proto header when determining auth cookie samesite attribute (#6383)

2025-10-26 15:54:20 -04:00 · 2025-10-14 12:38:03 -05:00
parent a1b065e5d1
commit 215a18be42
1 changed files with 10 additions and 1 deletions
--- a/mealie/routes/auth/auth.py
+++ b/mealie/routes/auth/auth.py
@@ -85,9 +85,18 @@ def get_samesite(request: Request) -> Literal["lax", "none"]:
    `samesite="lax"` is the default, which works regardless of HTTP or HTTPS,
    but does not support hosting in iframes.
    """
-    if request.url.scheme == "https" and settings.PRODUCTION:
+
+    forwarded_proto = request.headers.get("x-forwarded-proto", "").lower()
+    is_https = request.url.scheme == "https" or forwarded_proto == "https"
+
+    if is_https and settings.PRODUCTION:
        return "none"
    else:
+        # TODO: remove this once we resolve pending iframe issues
+        if settings.PRODUCTION:
+            logger.debug("Setting samesite to 'lax' because connection is not HTTPS")
+            logger.debug(f"{request.url.scheme=} | {forwarded_proto=}")
+
        return "lax"