From be7ea41d03ce26b0a7e1252cacc1298b9687efbb Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Fri, 13 Sep 2024 20:00:16 +0200
Subject: [PATCH] Always set Secure for multi auth cookies in prod (#1404)
---
 .platform/nginx/conf.d/elasticbeanstalk/00_application.conf | 1 -
 pages/api/auth/[...nextauth].js | 2 +-
 pages/api/graphql.js | 2 +-
 pages/api/signout.js | 2 +-
 4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/.platform/nginx/conf.d/elasticbeanstalk/00_application.conf b/.platform/nginx/conf.d/elasticbeanstalk/00_application.conf
index 7ebb62e8..e853cf2d 100644
--- a/.platform/nginx/conf.d/elasticbeanstalk/00_application.conf
+++ b/.platform/nginx/conf.d/elasticbeanstalk/00_application.conf
@@ -22,5 +22,4 @@ location / {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
 }
\ No newline at end of file
diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js
index c92a242d..9db0b6f5 100644
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
@@ -118,7 +118,7 @@ function setMultiAuthCookies (req, res, { id, jwt, name, photoId }) {
 // default expiration for next-auth JWTs is in 1 month
 const expiresAt = datePivot(new Date(), { months: 1 })
- const secure = req.headers['x-forwarded-proto'] === 'https'
+ const secure = process.env.NODE_ENV === 'production'
 const cookieOptions = {
 path: '/',
 httpOnly: true,
diff --git a/pages/api/graphql.js b/pages/api/graphql.js
index 0a117763..297bab09 100644
--- a/pages/api/graphql.js
+++ b/pages/api/graphql.js
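Review bot: The `secure` flag on the `+` line of the setMultiAuthCookies hunk is now tied to NODE_ENV, which in Next.js is a build-mode signal (`next start` is "production" regardless of transport), while the `__Secure-next-auth.session-token` / `next-auth.session-token` names that the same flag selects elsewhere in this patch are, as far as I know, chosen by next-auth from its own useSecureCookies setting (defaulting from the scheme of NEXTAUTH_URL), so the two can diverge: a production build served over plain HTTP in a test environment would write `__Secure-` multi-auth cookies, and a non-production build served over HTTPS would write the multi-auth cookies without Secure, letting them travel over any plaintext request. I would derive the flag from the same source next-auth uses and share it across the three files, e.g. `const secure = (process.env.NEXTAUTH_URL ?? '').startsWith('https://') || process.env.NODE_ENV === 'production'` if NEXTAUTH_URL is how next-auth is configured here, and add `// Secure must match next-auth's useSecureCookies so the __Secure- cookie names line up` above it. Whether `secure` is actually placed into cookieOptions is not visible, since setMultiAuthCookies continues past the end of the hunk. The X-Forwarded-Proto removal in the nginx hunk is a separate concern: the app no longer reads it, but nginx will presumably now forward whatever value arrives from the load balancer or a direct client, so anything else that still consumes that header should not treat it as trustworthy unless the instance is reachable only through the load balancer.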
@@ -88,7 +88,7 @@ function multiAuthMiddleware (request) {
 const cookiePointerName = 'multi_auth.user-id'
 const hasCookiePointer = !!request.cookies[cookiePointerName]
- const secure = request.headers['x-forwarded-proto'] === 'https'
+ const secure = process.env.NODE_ENV === 'production'
 // is there a session?
 const sessionCookieName = secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
diff --git a/pages/api/signout.js b/pages/api/signout.js
index 94e6a14d..61cd82b6 100644
--- a/pages/api/signout.js
+++ b/pages/api/signout.js
@@ -11,7 +11,7 @@ export default (req, res) => {
 const cookiePointerName = 'multi_auth.user-id'
 const userId = req.cookies[cookiePointerName]
- const secure = req.headers['x-forwarded-proto'] === 'https'
+ const secure = process.env.NODE_ENV === 'production'
 // is there a session?
 const sessionCookieName = secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
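Review bot: The `secure` line added in multiAuthMiddleware is the same expression this patch also adds in [...nextauth].js and signout.js, and all three have to stay in lockstep with the `__Secure-` name selection on the last line of the hunk: the write side (setMultiAuthCookies) decides which name the cookie gets, and this read side must look up exactly that name or it sees no session at all. That failure is closed but silent, since a wrong `sessionCookieName` just yields an undefined cookie rather than an error, so drift between the copies would show up as users losing multi-account switching without any log line. I would move the expression into one shared exported constant, e.g. `export const secureCookies = process.env.NODE_ENV === 'production'` in a small shared module imported by all three files, with a comment `// keep in sync with next-auth's useSecureCookies: it decides the __Secure- prefix on the session cookie`. multiAuthMiddleware continues beyond the hunk, so how a missing session cookie is handled afterwards is not visible here.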