From e34dfc397c94025670baa2b73b482c01f3033a6a Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 13 Apr 2026 18:51:45 -0400
Subject: [PATCH] Allow COOKIE_SECURE=false to disable Secure flag behind HTTP proxy

NODE_ENV=production sets Secure:true but the container may sit behind an HTTP-only reverse proxy, causing browsers to reject the cookie. COOKIE_SECURE=false in .env overrides the flag without changing NODE_ENV.

Co-Authored-By: Claude Sonnet 4.6
---
 src/app/api/admin/login/route.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/app/api/admin/login/route.ts b/src/app/api/admin/login/route.ts
index 74e7dce..0d10302 100644
--- a/src/app/api/admin/login/route.ts
+++ b/src/app/api/admin/login/route.ts
@@ -51,9 +51,12 @@ export async function POST(request: Request) {
 const token = deriveSessionToken(process.env.ADMIN_PASSWORD)
 const response = NextResponse.json({ ok: true })
 
+ // Secure flag: on by default in production, but can be disabled via
+ // COOKIE_SECURE=false in .env when running behind an HTTP-only proxy.
+ const secureCookie = process.env.COOKIE_SECURE !== 'false' && process.env.NODE_ENV === 'production'
 response.cookies.set('admin_token', token, {
 httpOnly: true,
- secure: process.env.NODE_ENV === 'production',
+ secure: secureCookie,
 sameSite: 'strict',
 maxAge: 60 * 60 * 24 * 7, // 7 days
 path: '/',
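Review bot: The new `secureCookie` line lets a single env var issue the `admin_token` session cookie without the Secure flag, and nothing around it signals when that happens — the admin session will then be sent in cleartext on any http:// request, which is exactly the exposure the flag exists to prevent. The rationale in the message only holds when the browser itself reaches the site over plain HTTP; a TLS-terminating proxy in front of an HTTP-only container leaves the browser on https://, where the Secure flag is honoured and the override is not needed, so the deployment should be confirmed before relying on this. If the override must stay, make it loud and document the trade-off: `// WARNING: COOKIE_SECURE=false sends the admin session token in cleartext; only for deployments with no TLS in front of the browser` and, after the assignment, `if (process.env.NODE_ENV === 'production' && !secureCookie) console.warn('COOKIE_SECURE=false: admin_token cookie issued without the Secure flag')`. Note also that the check is an exact string compare against `'false'`, so `FALSE` or `0` leave Secure on, which is a sensible fail-closed default but should be stated in the comment so operators do not assume the override took effect. POST begins and ends outside this hunk.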