Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-10-28 08:44:36 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: Check x-forwarded-proto header when determining auth cookie samesite attribute (#6383)

Browse Source
This commit is contained in:
Michael Genson
2025-10-14 12:38:03 -05:00
committed by GitHub
parent a1b065e5d1
commit 215a18be42
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
mealie/routes/auth/auth.py
View File

@@ -85,9 +85,18 @@ def get_samesite(request: Request) -> Literal["lax", "none"]:
`samesite="lax"` is the default, which works regardless of HTTP or HTTPS, `samesite="lax"` is the default, which works regardless of HTTP or HTTPS,
but does not support hosting in iframes. but does not support hosting in iframes.
""" """
if request.url.scheme == "https" and settings.PRODUCTION:
forwarded_proto = request.headers.get("x-forwarded-proto", "").lower()
is_https = request.url.scheme == "https" or forwarded_proto == "https"
if is_https and settings.PRODUCTION:
return "none" return "none"
else: else:
# TODO: remove this once we resolve pending iframe issues
if settings.PRODUCTION:
logger.debug("Setting samesite to 'lax' because connection is not HTTPS")
logger.debug(f"{request.url.scheme=} | {forwarded_proto=}")
return "lax" return "lax"