fix(security): make auth-cookie SecurePolicy configurable for HTTP-only deployments

The cookie SecurePolicy was hard-coded to Always, so the auth cookie was always
marked Secure and the browser never sent it over plain HTTP — making login
impossible on the HTTP-only Docker dev cluster (login succeeded server-side but
every following request was unauthenticated). Add SecurityOptions.RequireHttpsCookie
(default true — production stays HTTPS-only); when false the cookie uses
SameAsRequest. The docker/ central nodes set it false.
Joseph Doherty
2026-05-18 02:34:02 -04:00
parent deedf45676
commit 579522c586
4 changed files with 24 additions and 5 deletions
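The mechanism the commit message describes, as an added example that is not the project's own code: an options class bound from the `Security` configuration section drives the cookie's `SecurePolicy`, so `Always` stays the default and an HTTP-only deployment can opt into `SameAsRequest`. The names `SecurityOptions`, `RequireHttpsCookie`, the `"Security"` section and the startup warning are assumptions for illustration; only the ASP.NET Core types (`CookieSecurePolicy`, `CookieAuthenticationOptions`, `OptionsBuilder.Configure`) are real.

```csharp
// Added example (not from the ScadaLink repository). Assumed names:
// SecurityOptions, RequireHttpsCookie, the "Security" appsettings section.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public sealed class SecurityOptions
{
    // Default true: a deployment must opt out explicitly, so production stays HTTPS-only.
    public bool RequireHttpsCookie { get; set; } = true;
}

public static class AuthCookieSetup
{
    // The pre-fix behaviour was the equivalent of always returning CookieSecurePolicy.Always:
    // over plain HTTP the Set-Cookie still carried "Secure", the browser stored it but
    // never sent it back, so every request after a successful login was anonymous.
    public static CookieSecurePolicy PolicyFor(SecurityOptions opts) =>
        opts.RequireHttpsCookie ? CookieSecurePolicy.Always : CookieSecurePolicy.SameAsRequest;

    public static IServiceCollection AddAuthCookie(this IServiceCollection services,
                                                   IConfiguration config)
    {
        services.Configure<SecurityOptions>(config.GetSection("Security"));

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();

        // Configure the named cookie options lazily, resolving SecurityOptions from DI, so
        // overrides from appsettings.*.json or environment variables are honoured at bind time.
        services.AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
                .Configure<IOptions<SecurityOptions>, ILoggerFactory>((cookie, sec, logFactory) =>
                {
                    cookie.Cookie.HttpOnly = true;
                    cookie.Cookie.SecurePolicy = PolicyFor(sec.Value);

                    if (!sec.Value.RequireHttpsCookie)
                    {
                        // Make the downgrade visible at startup so a dev-only setting that leaks
                        // into a production config is noticed in the logs, not in an incident.
                        logFactory.CreateLogger("AuthCookie").LogWarning(
                            "RequireHttpsCookie=false: auth cookie is issued without Secure " +
                            "on plain-HTTP requests (intended for HTTP-only dev clusters only)");
                    }
                });

        return services;
    }
}
```

One caveat when `SameAsRequest` is in effect: the policy keys off `HttpContext.Request.IsHttps`, so a node behind a TLS-terminating reverse proxy without forwarded-headers middleware sees every request as HTTP and issues the cookie without `Secure` even though the client connected over HTTPS. That is harmless on an HTTP-only Docker cluster, but it is why the default stays `Always` everywhere else.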

@@ -30,7 +30,8 @@
"LdapServiceAccountPassword": "password",
"JwtSigningKey": "scadalink-dev-jwt-signing-key-must-be-at-least-32-characters-long",
"JwtExpiryMinutes": 15,
"IdleTimeoutMinutes": 30
"IdleTimeoutMinutes": 30,
"RequireHttpsCookie": false
},
"Communication": {
"DeploymentTimeout": "00:02:00",
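Review bot: the `"RequireHttpsCookie": false` line is a security downgrade placed in the same file that already carries a placeholder `"LdapServiceAccountPassword": "password"` and a checked-in dev `JwtSigningKey`, with nothing in the hunk marking the file as dev-only. Confirm this file is a docker override that is never used as the base for a production node, and consider having the server log a warning at startup whenever the flag is false so an accidental carry-over into a real deployment is noticed.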

@@ -30,7 +30,8 @@
"LdapServiceAccountPassword": "password",
"JwtSigningKey": "scadalink-dev-jwt-signing-key-must-be-at-least-32-characters-long",
"JwtExpiryMinutes": 15,
"IdleTimeoutMinutes": 30
"IdleTimeoutMinutes": 30,
"RequireHttpsCookie": false
},
"Communication": {
"DeploymentTimeout": "00:02:00",
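Review bot: this second central-node config receives the identical `"RequireHttpsCookie": false` edit, and the surrounding context (same LDAP placeholder password, same `JwtSigningKey` string) shows the two files are hand-kept copies of one another. Consider setting the flag once per cluster through a Docker environment override (ASP.NET Core's configuration binder reads nested keys from `Section__Key` environment variables) or a shared dev settings file, so future changes to the Security block do not have to be applied to both files in lockstep.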