From 7e383b3fe24dda198d3c45066667aadea61f84ff Mon Sep 17 00:00:00 2001
From: "DESKTOP-RTLN3BA\\$punk"
Date: Fri, 19 Dec 2025 15:03:12 -0800
Subject: [PATCH] feat: enhance CSRF cookie configuration for OAuth

- Added support for SameSite attribute in CSRF cookies to handle cross-origin requests.
- Set SameSite to 'none' for secure contexts and 'lax' for local development.
---
 surfsense_backend/app/app.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/surfsense_backend/app/app.py b/surfsense_backend/app/app.py
index 3faa76e1a..e144d165a 100644
--- a/surfsense_backend/app/app.py
+++ b/surfsense_backend/app/app.py
@@ -105,6 +105,12 @@ if config.AUTH_TYPE == "GOOGLE":
     # The CSRF cookie must have secure=False for HTTP (localhost development)
     is_secure_context = config.BACKEND_URL and config.BACKEND_URL.startswith("https://")
 
+    # For cross-origin OAuth (frontend and backend on different domains):
+    # - SameSite=None is required to allow cross-origin cookie setting
+    # - Secure=True is required when SameSite=None
+    # For same-origin or local development, use SameSite=Lax (default)
+    csrf_cookie_samesite = "none" if is_secure_context else "lax"
+
     app.include_router(
         fastapi_users.get_oauth_router(
             google_oauth_client,
@@ -112,6 +118,7 @@ if config.AUTH_TYPE == "GOOGLE":
             SECRET,
             is_verified_by_default=True,
             csrf_token_cookie_secure=is_secure_context,
+            csrf_token_cookie_samesite=csrf_cookie_samesite,
         )
         if not config.BACKEND_URL
         else fastapi_users.get_oauth_router(
@@ -121,6 +128,7 @@ if config.AUTH_TYPE == "GOOGLE":
             is_verified_by_default=True,
             redirect_url=f"{config.BACKEND_URL}/auth/google/callback",
             csrf_token_cookie_secure=is_secure_context,
+            csrf_token_cookie_samesite=csrf_cookie_samesite,
         ),
         prefix="/auth/google",
         tags=["auth"],
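Review bot: The new `csrf_cookie_samesite` assignment in the first hunk uses the scheme of BACKEND_URL as a proxy for "frontend and backend are on different origins", so every HTTPS deployment gets a SameSite=None CSRF cookie even when both sit on the same site, where Lax would still work and would keep the browser's cross-site restriction on that cookie. I would gate the choice on an explicit cross-origin condition in addition to the secure check, e.g. `csrf_cookie_samesite = "none" if is_secure_context and <frontend-is-cross-origin: placeholder> else "lax"`, deriving that flag from whatever frontend-origin setting the config exposes (none is visible in this hunk, so this is hedged). The requirement stated in the added comment, that Secure is True whenever SameSite is None, currently holds only because both keyword arguments are driven by the same `is_secure_context` value; a one-line comment next to the `csrf_token_cookie_samesite=` arguments in the second and third hunks, such as `# must stay paired with csrf_token_cookie_secure: SameSite=None requires Secure`, would protect that invariant from a later edit that decouples the two. The enclosing `if config.AUTH_TYPE == "GOOGLE":` block starts outside the hunk.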