dev compose: drop Secure flag on auth cookies for HTTP LAN-IP dev

Sets LNBITS_AUTH_HTTPS_ONLY=false on the lnbits service so the regtest stack works when the webapp dev server hits lnbits over a LAN IP (e.g. http://192.168.0.32:5181 → http://192.168.0.32:5001) instead of localhost. Browsers silently discard `Secure` cookies over plain HTTP from non-loopback origins, which kills the /auth/sign-event double- submit CSRF flow (the GET succeeds, the cookie never lands, every POST 403s). aiolabs/lnbits#52 made the lnbits-side gate use settings.auth_https_only for the XSRF-TOKEN cookie (matching the existing auth_cookie_token behavior). With that fix on dev + this env var here, the regtest stack finally lets the bookmark/RSVP flow round-trip from a LAN-IP browser. Production deploys leave the setting unset (default true) — Secure stays on, behavior unchanged.
2026-06-09 23:11:34 +02:00 · 2026-06-09 23:11:34 +02:00 · 0b3970d0c0
commit 0b3970d0c0
parent c3c531f1f3
1 changed files with 8 additions and 0 deletions
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -86,6 +86,14 @@ services:
      # (no credentials); explicit allowlist also covers the
      # /auth/sign-event credentialed flow when bucket-B PRs land.
      LNBITS_CORS_ALLOWED_ORIGINS: '["http://localhost:5173","http://192.168.0.32:5173","http://127.0.0.1:5173","http://localhost:5180","http://192.168.0.32:5180","http://127.0.0.1:5180","http://localhost:5181","http://192.168.0.32:5181","http://127.0.0.1:5181","http://localhost:5182","http://192.168.0.32:5182","http://127.0.0.1:5182","http://localhost:5183","http://192.168.0.32:5183","http://127.0.0.1:5183","http://localhost:5184","http://192.168.0.32:5184","http://127.0.0.1:5184","http://localhost:5185","http://192.168.0.32:5185","http://127.0.0.1:5185","http://localhost:5186","http://192.168.0.32:5186","http://127.0.0.1:5186","http://localhost:5187","http://192.168.0.32:5187","http://127.0.0.1:5187"]'
+      # Drop the `Secure` flag on auth + CSRF cookies so the regtest
+      # stack works over plain HTTP from a LAN IP (e.g. testing the
+      # webapp at http://192.168.0.32:5181 against this lnbits at
+      # http://192.168.0.32:5001). Browsers silently discard `Secure`
+      # cookies served over `http://` from non-loopback origins, which
+      # breaks the /auth/sign-event double-submit CSRF flow. Production
+      # leaves this unset (default `true`) — see aiolabs/lnbits#52.
+      LNBITS_AUTH_HTTPS_ONLY: "false"
      # Lowered from the 40_000 default just to make sharding easy to
      # exercise in local tests without seeding hundreds of payments.
      # Production runs should leave this unset (defaults to 40_000).