
fix: set cookie same-site to lax in production

Nicolas Meienberger 2 年之前
父節點
當前提交
26ba5c9656
共有 1 個文件被更改,包括 3 次插入1 次删除
  1. 3 1
      packages/system-api/src/core/middlewares/sessionMiddleware.ts

+ 3 - 1
packages/system-api/src/core/middlewares/sessionMiddleware.ts

@@ -6,10 +6,12 @@ import { COOKIE_MAX_AGE, __prod__ } from '../../config/constants/constants';
 const getSessionMiddleware = () => {
   const FileStore = SessionFileStore(session);
 
+  const sameSite = __prod__ ? 'lax' : 'none';
+
   return session({
     name: 'qid',
     store: new FileStore(),
-    cookie: { maxAge: COOKIE_MAX_AGE, secure: false, sameSite: 'none', httpOnly: true },
+    cookie: { maxAge: COOKIE_MAX_AGE, secure: false, sameSite, httpOnly: true },
     secret: config.JWT_SECRET,
     resave: false,
     saveUninitialized: false,
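Review bot: The cookie options on the new line 14 still carry `secure: false` in both branches, so in production the `qid` session cookie is now `SameSite=Lax` but is still sent over plain HTTP, and in development the `'none'` branch pairs `SameSite=None` with a non-Secure cookie, which current Chromium-based browsers reject outright. If production is served over TLS (possibly behind a reverse proxy, in which case express-session also needs `trust proxy` set on the app), the flag should track the same switch: `cookie: { maxAge: COOKIE_MAX_AGE, secure: __prod__, sameSite, httpOnly: true },`. If plain-HTTP deployments are intentionally supported, a comment on the `sameSite` line stating why `secure` stays false would save the next reader from "fixing" it. `getSessionMiddleware` closes outside the hunk.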