From 0b3970d0c07d101980eeddc6ed189394a340d651 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Tue, 9 Jun 2026 23:11:34 +0200
Subject: [PATCH] dev compose: drop Secure flag on auth cookies for HTTP LAN-IP
 dev
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sets LNBITS_AUTH_HTTPS_ONLY=false on the lnbits service so the regtest
stack works when the webapp dev server hits lnbits over a LAN IP
(e.g. http://192.168.0.32:5181 → http://192.168.0.32:5001) instead of
localhost. Browsers silently discard `Secure` cookies over plain HTTP
from non-loopback origins, which kills the /auth/sign-event double-
submit CSRF flow (the GET succeeds, the cookie never lands, every POST
403s).

aiolabs/lnbits#52 made the lnbits-side gate use settings.auth_https_only
for the XSRF-TOKEN cookie (matching the existing auth_cookie_token
behavior). With that fix on dev + this env var here, the regtest stack
finally lets the bookmark/RSVP flow round-trip from a LAN-IP browser.

Production deploys leave the setting unset (default true) — Secure
stays on, behavior unchanged.
---
 docker-compose.dev.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index e50eaa7..b5daf90 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -86,6 +86,14 @@ services:
       # (no credentials); explicit allowlist also covers the
       # /auth/sign-event credentialed flow when bucket-B PRs land.
       LNBITS_CORS_ALLOWED_ORIGINS: '["http://localhost:5173","http://192.168.0.32:5173","http://127.0.0.1:5173","http://localhost:5180","http://192.168.0.32:5180","http://127.0.0.1:5180","http://localhost:5181","http://192.168.0.32:5181","http://127.0.0.1:5181","http://localhost:5182","http://192.168.0.32:5182","http://127.0.0.1:5182","http://localhost:5183","http://192.168.0.32:5183","http://127.0.0.1:5183","http://localhost:5184","http://192.168.0.32:5184","http://127.0.0.1:5184","http://localhost:5185","http://192.168.0.32:5185","http://127.0.0.1:5185","http://localhost:5186","http://192.168.0.32:5186","http://127.0.0.1:5186","http://localhost:5187","http://192.168.0.32:5187","http://127.0.0.1:5187"]'
+      # Drop the `Secure` flag on auth + CSRF cookies so the regtest
+      # stack works over plain HTTP from a LAN IP (e.g. testing the
+      # webapp at http://192.168.0.32:5181 against this lnbits at
+      # http://192.168.0.32:5001). Browsers silently discard `Secure`
+      # cookies served over `http://` from non-loopback origins, which
+      # breaks the /auth/sign-event double-submit CSRF flow. Production
+      # leaves this unset (default `true`) — see aiolabs/lnbits#52.
+      LNBITS_AUTH_HTTPS_ONLY: "false"
       # Lowered from the 40_000 default just to make sharding easy to
       # exercise in local tests without seeding hundreds of payments.
       # Production runs should leave this unset (defaults to 40_000).