From 8c7a2741b0e98a0318f7b7cb8357e5a9c6fc49cf Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 17 May 2026 19:18:28 +0200
Subject: [PATCH] feat(auth): configure Spring Session JDBC (fa_session, 8h idle, SameSite=strict)

Co-Authored-By: Claude Sonnet 4.6
---
 backend/src/main/resources/application-dev.yaml | 5 +++++
 backend/src/main/resources/application.yaml | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/backend/src/main/resources/application-dev.yaml b/backend/src/main/resources/application-dev.yaml
index 56c49e96..dd6c521d 100644
--- a/backend/src/main/resources/application-dev.yaml
+++ b/backend/src/main/resources/application-dev.yaml
@@ -1,6 +1,11 @@
 spring:
 jpa:
 show-sql: true
+ session:
+ cookie:
+ # Dev runs over HTTP (port 5173 → 8080); Secure=true would prevent the
+ # cookie from being sent on plain HTTP. Override to false for local dev only.
+ secure: false
 
 springdoc:
 api-docs:
diff --git a/backend/src/main/resources/application.yaml b/backend/src/main/resources/application.yaml
index 776b2ab1..53e9b34a 100644
--- a/backend/src/main/resources/application.yaml
+++ b/backend/src/main/resources/application.yaml
@@ -38,6 +38,19 @@ spring:
 starttls:
 enable: true
 
+spring:
+ session:
+ store-type: jdbc
+ timeout: 28800s # 8 h idle timeout (MaxInactiveIntervalInSeconds)
+ jdbc:
+ initialize-schema: never # Flyway owns schema creation (V67)
+ cookie:
+ name: fa_session
+ same-site: strict
+ http-only: true
+ # secure: true is the default when forward-headers-strategy detects HTTPS behind Caddy.
+ # application-dev.yaml overrides this to false for local HTTP dev.
+
 server:
 # Behind Caddy/reverse proxy: trust X-Forwarded-{Proto,For,Host} so that
 # request.getScheme(), redirect URLs, and Spring Session "Secure" cookies
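Review bot: `spring.session.cookie.secure` does not look like a property Spring Boot binds, so this dev override — and the `name`, `same-site` and `http-only` keys under the same `spring.session.cookie` path in the application.yaml hunk — may be silently ignored. Spring Boot's Spring Session auto-configuration applies cookie attributes to its `DefaultCookieSerializer` from `server.servlet.session.cookie.*` (name, same-site, http-only, secure); with the keys as written the cookie would presumably keep the default name `SESSION` and the default SameSite, which defeats the hardening the commit title promises. Unless the project has its own binding for `spring.session.cookie`, move the block under `server.servlet.session.cookie` in both files and confirm by inspecting the `Set-Cookie` header at runtime. If the application runs on Spring Boot 3.x, `spring.session.store-type` in the other hunk is likely no longer bound either (the store is taken from the classpath starter), so that key deserves the same check. Keeping `secure: false` confined to the dev profile file is the right place for it.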
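Review bot: The `+spring:` line at the top of the insertion introduces a second top-level `spring` key in the same YAML document — the hunk header's `spring:` context shows the existing mapping is still the enclosing block at the `starttls`/`enable` lines the insertion follows. Spring Boot's YAML loader rejects duplicate mapping keys, so the application should fail to start with a duplicate-key error; a parser that tolerates duplicates would instead replace the whole earlier `spring` mapping (at least the mail settings visible in the context lines) with just `session`, which is worse. Drop the `+spring:` line and indent the `session:` block so it becomes a sibling of the existing `spring.*` children; the `server:` block that follows is unaffected. Separately, `same-site: strict` withholds the cookie on top-level cross-site navigations (a redirect back from an external identity provider, a link from an e-mail), so confirm the login flow does not depend on one; `lax` is the usual choice if it does.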