admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: auth cookies cross-origin, async params, CSRF/web-vitals errors

Browse Source 
- Set SameSite=lax for auth & CSRF cookies in development (cross-port)
- Set refresh_token cookie path to / (was /auth, preventing cross-port send)
- Await params in Next.js 15 async server components (layout, listings, agents)
- Add CSRF token to web-vitals POST requests
- Fix: 401 Unauthorized on all authenticated API calls from web app
- Fix: CSRF token missing on POST requests from different port
- Fix: params.locale sync access warning in generateMetadata

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
This commit is contained in:
Ho Ngoc Hai
2026-04-13 11:24:45 +07:00
parent a9fa214544
commit 1ebdc5f0b3
6 changed files with 38 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps/api/src/modules/shared/infrastructure/middleware/csrf.middleware.ts
View File

@@ -38,10 +38,11 @@ export class CsrfMiddleware implements NestMiddleware {
private setCsrfCookie(res: Response): void {
const token = randomBytes(TOKEN_LENGTH).toString('hex');
const isProduction = process.env['NODE_ENV'] === 'production';
res.cookie(CSRF_COOKIE, token, {
httpOnly: false, // Frontend must read this cookie
secure: process.env['NODE_ENV'] === 'production',
sameSite: 'strict',
secure: isProduction,
sameSite: isProduction ? 'strict' : 'lax',
path: '/',
});
}