Fix: trust proxy for cookies behind nginx, sameSite=lax for OAuth

2026-05-05 23:47:42 +02:00
parent 68c2b129fa
commit c9a7144960
2 changed files with 1180 additions and 1 deletions
@@ -45,6 +45,11 @@ async function connectDB() {
 }

 // Middleware
+// Trust proxy in production (needed for secure cookies behind nginx)
+if (isProduction) {
+  app.set("trust proxy", 1);
+}
+
 app.use(express.json({ limit: "10mb" }));
 app.use(
  cors({
@@ -66,7 +71,7 @@ app.use(
    cookie: {
      secure: isProduction, // true в production с HTTPS
      httpOnly: true,
-      sameSite: isProduction ? "strict" : "lax",
+      sameSite: "lax", // "lax" needed for OAuth redirects from Discord
      maxAge: 7 * 24 * 60 * 60 * 1000, // 7 дней
    },
  }),