boha_admin/app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity

fix: clearCookie must match setCookie options for browser to clear it

Browse Source 
clearCookie was missing httpOnly, secure, sameSite — browser ignored
the Set-Cookie header because the options didn't match the original
cookie attributes. Cookie persisted after logout, allowing F5 to
re-authenticate via silent refresh.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-03-23 20:44:28 +01:00
parent 04828fefe2
commit aec822adc2
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/routes/admin/auth.ts
View File

@@ -158,7 +158,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise<void
const result = await refreshAccessToken(refreshTokenRaw, request);
if (result.type === 'error') {
reply.clearCookie('refresh_token', { path: '/api/admin' });
reply.clearCookie('refresh_token', { path: '/api/admin', httpOnly: true, secure: config.isProduction, sameSite: 'strict' });
return error(reply, result.message, result.status);
}
@@ -177,7 +177,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise<void
await logout(refreshTokenRaw);
}
reply.clearCookie('refresh_token', { path: '/api/admin' });
reply.clearCookie('refresh_token', { path: '/api/admin', httpOnly: true, secure: config.isProduction, sameSite: 'strict' });
return success(reply, null, 200, 'Odhlášení úspěšné');
});