From 215a18be421513daacb249f94e48b6c087dde697 Mon Sep 17 00:00:00 2001
From: Michael Genson <71845777+michael-genson@users.noreply.github.com>
Date: Tue, 14 Oct 2025 12:38:03 -0500
Subject: [PATCH] fix: Check `x-forwarded-proto` header when determining auth cookie samesite attribute (#6383)

---
 mealie/routes/auth/auth.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/mealie/routes/auth/auth.py b/mealie/routes/auth/auth.py
index 6ec382a72..89b3c09a7 100644
--- a/mealie/routes/auth/auth.py
+++ b/mealie/routes/auth/auth.py
@@ -85,9 +85,18 @@ def get_samesite(request: Request) -> Literal["lax", "none"]:
     `samesite="lax"` is the default, which works regardless of HTTP or HTTPS,
     but does not support hosting in iframes.
     """
-    if request.url.scheme == "https" and settings.PRODUCTION:
+
+    forwarded_proto = request.headers.get("x-forwarded-proto", "").lower()
+    is_https = request.url.scheme == "https" or forwarded_proto == "https"
+
+    if is_https and settings.PRODUCTION:
         return "none"
     else:
+        # TODO: remove this once we resolve pending iframe issues
+        if settings.PRODUCTION:
+            logger.debug("Setting samesite to 'lax' because connection is not HTTPS")
+            logger.debug(f"{request.url.scheme=} | {forwarded_proto=}")
+
         return "lax"
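Review bot: The new `forwarded_proto` lookup trusts `x-forwarded-proto` from whoever sent the request, so a client on a plain-HTTP connection can set that header itself and be handed a `samesite="none"` cookie; nothing in the hunk restricts the header to a trusted reverse proxy. If the deployment already runs behind a proxy-headers layer (for example uvicorn's `--proxy-headers` with `--forwarded-allow-ips`), that layer rewrites `request.url.scheme` to `https` from the same header only for allow-listed peers, and reading the raw header here bypasses that allow-list — consider honoring the header only when a trusted-proxy setting is configured, or at least documenting in the docstring that the edge proxy must strip client-supplied `X-Forwarded-Proto`. A chained-proxy value such as `https, http` also fails the exact comparison; `forwarded_proto = request.headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()` takes the client-facing hop. Whether the cookie is also marked `Secure` is outside this hunk, but current browsers reject `SameSite=None` without `Secure` and reject `Secure` cookies over plain HTTP, so a spoofed or misconfigured header here most likely yields a dropped login cookie rather than a silently weaker one — worth a comment next to `is_https`. `get_samesite` begins before the hunk.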