From 8c27eacff75abe08d15caad8ece13ed365653c97 Mon Sep 17 00:00:00 2001
From: Michel Roegl-Brunner
Date: Mon, 10 Nov 2025 12:05:47 +0100
Subject: [PATCH] Fix auth cookie secure flag for HTTP in production

- Changed cookie secure flag to check actual request protocol instead of NODE_ENV
- Cookies now work correctly in production when accessing over HTTP
- Fixes authentication redirect issue in production mode
---
 src/app/api/auth/login/route.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
index 99d2570..809ceb0 100644
--- a/src/app/api/auth/login/route.ts
+++ b/src/app/api/auth/login/route.ts
@@ -47,10 +47,13 @@ export async function POST(request: NextRequest) {
 username
 });
 
+// Determine if request is over HTTPS
+const isSecure = request.url.startsWith('https://');
+
 // Set httpOnly cookie with configured duration
 response.cookies.set('auth-token', token, {
 httpOnly: true,
-secure: process.env.NODE_ENV === 'production',
+secure: isSecure, // Only secure if actually over HTTPS
 sameSite: 'strict',
 maxAge: sessionDurationDays * 24 * 60 * 60, // Use configured duration
 path: '/',
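Review bot: Deriving `secure` from `request.url.startsWith('https://')` drops the Secure flag on the session cookie in the common production layout where TLS is terminated at a reverse proxy, because the URL the app sees is then `http://` even though the client connection is HTTPS; the old `NODE_ENV === 'production'` check got that case right and the new comment "Only secure if actually over HTTPS" is misleading there. It also silently allows the `auth-token` cookie to be issued over plaintext HTTP in production, which the previous code deliberately refused, so the relaxation deserves to be an explicit, documented opt-in rather than an automatic downgrade. At minimum honor the proxy's protocol header alongside the URL scheme, e.g. `const forwardedProto = request.headers.get('x-forwarded-proto');` followed by `const isSecure = forwardedProto === 'https' || request.url.startsWith('https://');`, and note in the comment that `x-forwarded-proto` is only trustworthy when a proxy in front of the app sets it. If plain-HTTP deployments must be supported, gate the non-Secure path on a dedicated environment variable (placeholder name: `<ALLOW_INSECURE_COOKIES>`) so the weaker setting is visible in configuration and can be audited. The POST handler continues outside the hunk.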