dev compose: drop Secure flag on auth cookies for HTTP LAN-IP dev
Sets LNBITS_AUTH_HTTPS_ONLY=false on the lnbits service so the regtest stack works when the webapp dev server hits lnbits over a LAN IP (e.g. http://192.168.0.32:5181 → http://192.168.0.32:5001) instead of localhost. Browsers silently discard `Secure` cookies over plain HTTP from non-loopback origins, which kills the /auth/sign-event double-submit CSRF flow (the GET succeeds, the cookie never lands, every POST 403s).

aiolabs/lnbits#52 made the lnbits-side gate use settings.auth_https_only for the XSRF-TOKEN cookie (matching the existing auth_cookie_token behavior). With that fix on dev + this env var here, the regtest stack finally lets the bookmark/RSVP flow round-trip from a LAN-IP browser.

Production deploys leave the setting unset (default true) — Secure stays on, behavior unchanged.
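The commit message above turns on a browser rule worth seeing end to end: a `Set-Cookie` carrying `Secure` is stored only when the response came from a potentially trustworthy origin (https, or http on loopback), so the same double-submit exchange succeeds from `localhost` and fails from a LAN IP until the server stops marking the cookie `Secure`. The script below is an added example written for this page, not lnbits code; `set_cookie_for` is a hypothetical stand-in for the lnbits cookie gate driven by `settings.auth_https_only`, and the origins and token value are constructed.

```python
"""Model of the Secure-cookie rule behind the LNBITS_AUTH_HTTPS_ONLY change.

Added example, not lnbits code. The server-side helper is a simplified
stand-in for the settings.auth_https_only gate the commit message describes.
"""
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def is_potentially_trustworthy(origin: str) -> bool:
    """Approximate the browser 'potentially trustworthy origin' check.

    https is always trusted; http is trusted only for loopback
    (localhost, *.localhost, 127.0.0.0/8, ::1). A LAN IP over http is not.
    """
    parts = urlsplit(origin)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http":
        return False
    host = parts.hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def store_cookies(jar: dict, origin: str, set_cookie_headers: list) -> dict:
    """Simulate a browser storing Set-Cookie headers received from `origin`.

    A cookie flagged Secure is silently dropped unless the origin is
    trustworthy; nothing is logged, which is why the failure looks like
    'GET succeeds, every POST 403s'.
    """
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["secure"] and not is_potentially_trustworthy(origin):
                continue  # discarded by the browser
            jar[name] = morsel.value
    return jar


def set_cookie_for(name: str, value: str, auth_https_only: bool) -> str:
    """Hypothetical server helper: add Secure only when auth_https_only is set.

    Mirrors the behaviour the commit message attributes to lnbits after
    aiolabs/lnbits#52; the attribute set here is a constructed simplification.
    """
    attrs = [f"{name}={value}", "Path=/", "SameSite=Lax"]
    if auth_https_only:
        attrs.append("Secure")
    return "; ".join(attrs)


def double_submit_status(lnbits_origin: str, auth_https_only: bool) -> int:
    """Run the GET-then-POST double-submit exchange and return the POST status.

    GET: server sets XSRF-TOKEN (constructed value).
    POST: page JS reads the cookie into a request header; the server accepts
    only when the header matches a cookie that actually arrived.
    """
    jar = {}
    store_cookies(jar, lnbits_origin,
                  [set_cookie_for("XSRF-TOKEN", "tok-constructed", auth_https_only)])
    header_token = jar.get("XSRF-TOKEN")  # what the front end can read back
    cookie_token = jar.get("XSRF-TOKEN")  # what the browser sends on POST
    if header_token is None or cookie_token is None or header_token != cookie_token:
        return 403
    return 200


if __name__ == "__main__":
    for origin, https_only in [("http://localhost:5001", True),
                               ("http://192.168.0.32:5001", True),
                               ("http://192.168.0.32:5001", False),
                               ("https://lnbits.example.test", True)]:
        print(origin, "auth_https_only=" + str(https_only),
              "->", double_submit_status(origin, https_only))
```

The four cases in `__main__` reproduce the situation in the commit message: with `auth_https_only=True` the flow returns 200 from loopback and 403 from the LAN IP, and only setting it to `False` (the dev-only env var this commit adds) or serving over https makes the LAN-IP case pass.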
This commit is contained in:
parent: c3c531f1f3
commit: 0b3970d0c0
1 changed file with 8 additions and 0 deletions
@ -86,6 +86,14 @@ services:
|
||||||
# (no credentials); explicit allowlist also covers the
|
# (no credentials); explicit allowlist also covers the
|
||||||
# /auth/sign-event credentialed flow when bucket-B PRs land.
|
# /auth/sign-event credentialed flow when bucket-B PRs land.
|
||||||
LNBITS_CORS_ALLOWED_ORIGINS: '["http://localhost:5173","http://192.168.0.32:5173","http://127.0.0.1:5173","http://localhost:5180","http://192.168.0.32:5180","http://127.0.0.1:5180","http://localhost:5181","http://192.168.0.32:5181","http://127.0.0.1:5181","http://localhost:5182","http://192.168.0.32:5182","http://127.0.0.1:5182","http://localhost:5183","http://192.168.0.32:5183","http://127.0.0.1:5183","http://localhost:5184","http://192.168.0.32:5184","http://127.0.0.1:5184","http://localhost:5185","http://192.168.0.32:5185","http://127.0.0.1:5185","http://localhost:5186","http://192.168.0.32:5186","http://127.0.0.1:5186","http://localhost:5187","http://192.168.0.32:5187","http://127.0.0.1:5187"]'
|
LNBITS_CORS_ALLOWED_ORIGINS: '["http://localhost:5173","http://192.168.0.32:5173","http://127.0.0.1:5173","http://localhost:5180","http://192.168.0.32:5180","http://127.0.0.1:5180","http://localhost:5181","http://192.168.0.32:5181","http://127.0.0.1:5181","http://localhost:5182","http://192.168.0.32:5182","http://127.0.0.1:5182","http://localhost:5183","http://192.168.0.32:5183","http://127.0.0.1:5183","http://localhost:5184","http://192.168.0.32:5184","http://127.0.0.1:5184","http://localhost:5185","http://192.168.0.32:5185","http://127.0.0.1:5185","http://localhost:5186","http://192.168.0.32:5186","http://127.0.0.1:5186","http://localhost:5187","http://192.168.0.32:5187","http://127.0.0.1:5187"]'
|
||||||
|
# Drop the `Secure` flag on auth + CSRF cookies so the regtest
|
||||||
|
# stack works over plain HTTP from a LAN IP (e.g. testing the
|
||||||
|
# webapp at http://192.168.0.32:5181 against this lnbits at
|
||||||
|
# http://192.168.0.32:5001). Browsers silently discard `Secure`
|
||||||
|
# cookies served over `http://` from non-loopback origins, which
|
||||||
|
# breaks the /auth/sign-event double-submit CSRF flow. Production
|
||||||
|
# leaves this unset (default `true`) — see aiolabs/lnbits#52.
|
||||||
|
LNBITS_AUTH_HTTPS_ONLY: "false"
|
||||||
# Lowered from the 40_000 default just to make sharding easy to
|
# Lowered from the 40_000 default just to make sharding easy to
|
||||||
# exercise in local tests without seeding hundreds of payments.
|
# exercise in local tests without seeding hundreds of payments.
|
||||||
# Production runs should leave this unset (defaults to 40_000).
|
# Production runs should leave this unset (defaults to 40_000).
|
||||||
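Review bot: The new `LNBITS_AUTH_HTTPS_ONLY: "false"` line only drops Secure from XSRF-TOKEN if the lnbits build this service runs already contains aiolabs/lnbits#52; on an older build the auth cookie loses Secure but XSRF-TOKEN keeps it and the POSTs still 403, so the comment should state the minimum lnbits build (or the compose should pin one) rather than only linking the PR. Because the setting also strips Secure from the session cookie for the whole service, consider carrying it in a dev-only override (a separate compose file or profile) instead of the shared service definition, so a copied compose cannot reach a non-dev host with it set. Finally, `192.168.0.32` in the new comment and in the existing LNBITS_CORS_ALLOWED_ORIGINS value is one developer's LAN address; a short note that it must be edited per machine would save the next reader a confusing 403.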