User reported infinite login loop on dragonflight.live.

Root cause: openresty fronts both http:// and https:// without redirecting, and a user landing on http:// gets the Set-Cookie response silently dropped — cookies are Secure-only when TRUST_PROXY=true, and the CORS allowlist refuses the http:// origin. Result: login appears to succeed, next request has no session cookie, AuthGate bounces back to login.

Two defensive layers (the openresty box is not in our reach):

- web-ui index.html: tiny inline redirect; if location is http://dragonflight.live, rewrite to https:// before anything else runs. Bounded to that exact hostname so local / LAN access on http://172.18.91.x stays as-is.
- mam-api: emit Strict-Transport-Security on HTTPS responses when AUTH_ENABLED=true. After one successful HTTPS visit, browsers auto-upgrade future http:// requests on their own — closes the loophole even if someone bypasses the index.html JS.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
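The two layers from the commit message, written here as an added example in plain Node (not mam-api's or web-ui's own code). It assumes the env flags arrive as the strings "true"/"false", that the proxy sets X-Forwarded-Proto, and that the request object exposes `protocol` and `headers` as Express does; the HSTS max-age value is this example's choice.

```javascript
// Added example: pure functions for both defensive layers so they can be
// exercised without a browser or a server.
// Assumption: env is a plain object of string flags (TRUST_PROXY, AUTH_ENABLED);
// req has Express-like `protocol` and lower-cased `headers`.

const ONE_YEAR_SECONDS = 31536000; // max-age chosen for this example

// Layer 1 (web-ui index.html): return the https:// URL to bounce to, or null.
// Bounded to the exact public hostname so http://172.18.91.x LAN access stays as-is.
function upgradeUrl(href, publicHost = "dragonflight.live") {
  const u = new URL(href);
  if (u.protocol === "http:" && u.hostname === publicHost) {
    u.protocol = "https:";
    return u.toString();
  }
  return null;
}

// Effective scheme of a request. X-Forwarded-Proto is honoured only when
// TRUST_PROXY=true; otherwise a client-supplied header could make a plain
// http request look secure and trigger Secure-only cookie logic wrongly.
function requestScheme(req, env) {
  const trustProxy = env.TRUST_PROXY === "true";
  const forwarded = (req.headers["x-forwarded-proto"] || "").split(",")[0].trim();
  return trustProxy && forwarded ? forwarded : req.protocol;
}

// Layer 2 (mam-api): headers to add to a response. HSTS is emitted only on
// HTTPS responses (browsers ignore it over http anyway) and only when
// AUTH_ENABLED=true, matching the condition in the commit.
function securityHeaders(req, env) {
  const headers = {};
  if (env.AUTH_ENABLED === "true" && requestScheme(req, env) === "https") {
    headers["Strict-Transport-Security"] = `max-age=${ONE_YEAR_SECONDS}`;
  }
  return headers;
}

// Constructed sample request: plain http to the app, TLS terminated at the proxy.
const sampleProxiedRequest = {
  protocol: "http",
  headers: { "x-forwarded-proto": "https", host: "dragonflight.live" },
};

if (typeof module !== "undefined") {
  module.exports = { upgradeUrl, requestScheme, securityHeaders, sampleProxiedRequest };
}
```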
| Path |
|---|
| .. |
| ampp |
| auth |
| db |
| middleware |
| routes |
| s3 |
| tasks |
| index.js |
| scheduler.js |