From 230ee5a067cd9285d7fb917843a94d08719b4b11 Mon Sep 17 00:00:00 2001
From: Marcel Raddatz
Date: Fri, 10 Apr 2026 22:25:48 +0200
Subject: [PATCH] fix(join): use secure: !dev for JSESSIONID cookie to work in local dev

Hardcoded secure: true silently drops the cookie on HTTP (localhost), causing the post-join redirect to bounce back to /login. Use $app/environment dev flag so the cookie works in development while remaining Secure in production.

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/src/routes/(public)/join/[token]/+page.server.ts | 3 ++-
 frontend/src/routes/(public)/join/[token]/page.server.test.ts | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/src/routes/(public)/join/[token]/+page.server.ts b/frontend/src/routes/(public)/join/[token]/+page.server.ts
index 5ba5970..deea5ae 100644
--- a/frontend/src/routes/(public)/join/[token]/+page.server.ts
+++ b/frontend/src/routes/(public)/join/[token]/+page.server.ts
@@ -1,4 +1,5 @@
 import { fail, redirect } from '@sveltejs/kit';
+import { dev } from '$app/environment';
 import { apiClient } from '$lib/server/api';
 import type { Actions, PageServerLoad } from './$types';
@@ -74,7 +75,7 @@ export const actions = {
 path: '/',
 httpOnly: true,
 sameSite: 'lax',
- secure: true
+ secure: !dev
 });
 }
diff --git a/frontend/src/routes/(public)/join/[token]/page.server.test.ts b/frontend/src/routes/(public)/join/[token]/page.server.test.ts
index db0ff2f..ae9f9b8 100644
--- a/frontend/src/routes/(public)/join/[token]/page.server.test.ts
+++ b/frontend/src/routes/(public)/join/[token]/page.server.test.ts
@@ -4,6 +4,8 @@ vi.mock('$env/dynamic/private', () => ({
 env: { BACKEND_URL: 'http://localhost:8080' }
 }));
+vi.mock('$app/environment', () => ({ dev: false }));
+
 const mockGet = vi.fn();
 const mockPost = vi.fn();
 vi.mock('$lib/server/api', () => ({
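Review bot: In `+page.server.ts`, `secure: !dev` ties the Secure attribute of the session cookie to the build mode instead of the transport. Any instance started in dev mode and reached over plain HTTP from another host (shared dev machine, LAN preview, tunnel) would issue JSESSIONID without Secure. SvelteKit's `cookies.set` already defaults `secure` to true everywhere except `http://localhost`, so dropping the explicit `secure` option should fix the local bounce while keeping the exception limited to localhost. If the flag stays, add a comment such as `// Secure relaxed only for local HTTP dev; dev builds must not be exposed on a reachable host`. The call that owns this options object starts above the hunk, so the `cookies.set` reading is inferred from the visible lines.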
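Review bot: In `page.server.test.ts`, the new `vi.mock('$app/environment', () => ({ dev: false }))` pins the production branch, but the hunk adds no assertion that the cookie is actually set with Secure. If the suite does not already check it, assert the options on the cookie-setting mock with `expect.objectContaining({ secure: true, httpOnly: true })`, so that a later change to the flag logic fails the test instead of silently shipping a non-Secure session cookie. A second case with `dev: true` would document the intended development behaviour. The rest of the test file is outside the hunk, so existing assertions could not be checked.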