From afae2c5f69763e0947ff891cddb46e5142b6b922 Mon Sep 17 00:00:00 2001
From: "DESKTOP-RTLN3BA\\$punk"
Date: Thu, 16 Apr 2026 02:36:36 -0700
Subject: [PATCH] feat: update anonymous chat cookie settings for cross-site compatibility

- Implemented dynamic SameSite and Secure cookie settings based on the backend URL context.
- Enhanced cookie handling to ensure proper functionality in cross-domain scenarios.
---
 .../app/routes/anonymous_chat_routes.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/surfsense_backend/app/routes/anonymous_chat_routes.py b/surfsense_backend/app/routes/anonymous_chat_routes.py
index 4b1ea1141..8681c5df9 100644
--- a/surfsense_backend/app/routes/anonymous_chat_routes.py
+++ b/surfsense_backend/app/routes/anonymous_chat_routes.py
@@ -26,6 +26,16 @@ router = APIRouter(prefix="/api/v1/public/anon-chat", tags=["anonymous-chat"])
 ANON_COOKIE_NAME = "surfsense_anon_session"
 ANON_COOKIE_MAX_AGE = config.ANON_TOKEN_QUOTA_TTL_DAYS * 86400
+# Cross-site cookie settings: when the backend runs on a different domain
+# than the frontend (e.g. api.x.com vs www.y.com), browsers reject
+# SameSite=Lax cookies on fetch() calls. Use SameSite=None + Secure
+# in production (HTTPS) so the cookie is sent cross-site.
+_IS_SECURE_CONTEXT = bool( config.BACKEND_URL and config.BACKEND_URL.startswith("https://") )
+_COOKIE_SAMESITE: str = "none" if _IS_SECURE_CONTEXT else "lax"
+_COOKIE_SECURE: bool = _IS_SECURE_CONTEXT
+
 # ---------------------------------------------------------------------------
 # Helpers
@@ -43,8 +53,8 @@ def _get_or_create_session_id(request: Request, response: Response) -> str:
 value=session_id,
 max_age=ANON_COOKIE_MAX_AGE,
 httponly=True,
- samesite="lax",
- secure=request.url.scheme == "https",
+ samesite=_COOKIE_SAMESITE,
+ secure=_COOKIE_SECURE,
 path="/",
 )
 return session_id
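Review bot: Setting `_COOKIE_SAMESITE` to `"none"` removes the cross-site request protection that the previous `lax` value gave `surfsense_anon_session`: once `BACKEND_URL` is HTTPS, any third-party page can make the browser attach this cookie to requests against `/api/v1/public/anon-chat`, so the quota bound to that session (`ANON_TOKEN_QUOTA_TTL_DAYS`) becomes spendable by a page the user never deliberately opened. Nothing in this hunk shows a credentialed CORS allowlist or an `Origin` check for these routes; if one exists elsewhere the comment should point at it, otherwise the routes need an explicit origin check before this ships. The comment is also inaccurate — browsers do not reject `SameSite=Lax` cookies, they simply omit them from cross-site `fetch()` requests — so I would reword it to `# Browsers omit SameSite=Lax cookies from cross-site fetch() requests, so the cookie must be SameSite=None (which requires Secure) when the frontend lives on another site; CSRF protection then rests on the CORS/Origin allowlist, not on the cookie.`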
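Review bot: `secure=_COOKIE_SECURE` drops the `Secure` flag on deployments where `BACKEND_URL` is unset or configured as `http://` while the request actually arrives over HTTPS (TLS-terminating proxy, local override), which is a regression from the removed `request.url.scheme == "https"` check that issued the cookie with `Secure` in exactly that situation. Keeping the per-request fallback restores the old guarantee without affecting the `SameSite=None` path, which already forces `Secure`: `secure=_COOKIE_SECURE or request.url.scheme == "https",`. `_get_or_create_session_id` begins before this hunk, so I cannot see whether the request scheme is validated elsewhere in it.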