## Bug Fix

Fixes login failure on Safari (iOS/macOS) when accessed via a reverse proxy (e.g. Caddy, Nginx).

### Fixed

- Safari login (401): Session cookie and CSRF cookie were set with `SameSite=Strict`. Safari's Intelligent Tracking Prevention (ITP) blocks `Strict` cookies in certain navigation contexts — direct URL entry, PWA launch, or reverse proxy — causing an empty `X-CSRF-Token` header and a 401 response on every login attempt. Firefox and Chrome were unaffected.

  Fix: Changed both cookies to `SameSite=Lax`. This is safe because:
  - CSRF attacks are still blocked by the double-submit token mechanism
  - The `secure` flag enforces HTTPS-only transmission
  - `Lax` only relaxes same-site enforcement for top-level GET navigations, not cross-site POST requests

Affected files: `server/auth.js`, `server/middleware/csrf.js`

Closes #46