feat: env-driven Secure flag on portal session cookie

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-16 00:16:54 +00:00
parent 01180d5725
commit 20f62a5c0a
4 changed files with 23 additions and 4 deletions
@@ -25,7 +25,7 @@ from backend.models import Client, MonitoringLocation, Project, UnitAssignment
 from backend.templates_config import templates
 from backend.portal_auth import (
    get_current_client, client_from_cookie, make_session_cookie,
-    COOKIE_NAME, COOKIE_MAX_AGE,
+    COOKIE_NAME, COOKIE_MAX_AGE, COOKIE_SECURE,
    resolve_project_by_link_token, mint_portal_session,
    is_locked, register_failure, clear_failures,
 )
@@ -156,7 +156,7 @@ def portal_password_submit(link_token: str, request: Request,
    token_id = mint_portal_session(project, db)
    resp = RedirectResponse(url="/portal", status_code=303)
    resp.set_cookie(COOKIE_NAME, make_session_cookie(token_id),
-                    max_age=COOKIE_MAX_AGE, httponly=True, samesite="lax")
+                    max_age=COOKIE_MAX_AGE, httponly=True, samesite="lax", secure=COOKIE_SECURE)
    logger.info(f"[PORTAL] password ok for project {project.id[:8]} → session opened")
    return resp