From 6d6a14ac487d89ceafe0927991269e3191c5de6e Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Sun, 11 Jan 2026 21:10:00 +0100
Subject: [PATCH] Update cookie SameSite configuration and secure options for improved security compliance

This commit enhances the cookie handling logic by providing detailed comments on the SameSite attribute options and their implications for security. It sets the default SameSite value to 'none' to allow iframe embedding while ensuring that Secure is true when SameSite is 'none'. Additionally, it adds a warning for cases where SameSite is 'none' but Secure is false, improving the overall security posture of cookie management.
---
 server/utils/cookies.js | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/server/utils/cookies.js b/server/utils/cookies.js
index c4c9bf6..ae8b474 100644
--- a/server/utils/cookies.js
+++ b/server/utils/cookies.js
@@ -11,17 +11,33 @@ export function getCookieSecureDefault() {
 }
 
 export function getSameSiteDefault() {
-  // Erwartung aus Security-Feedback: Strict. In Dev ggf. Lax, damit SSO/Flows nicht nerven.
+  // Cookie SameSite-Konfiguration
+  // - 'none': Erlaubt Cookies in Cross-Site-iframes (erfordert Secure: true)
+  // - 'lax': Erlaubt Cookies bei Navigation (Standard für Cross-Site)
+  // - 'strict': Blockiert alle Cross-Site-Cookies (sicherste Option, blockiert iframes)
   const v = (process.env.COOKIE_SAMESITE || '').toLowerCase().trim()
   if (v === 'strict' || v === 'lax' || v === 'none') return v
-  return isProduction() ? 'strict' : 'lax'
+
+  // Default: 'none' für Cross-Site-iframes (wenn in iframe eingebettet)
+  // WICHTIG: SameSite: none erfordert Secure: true (HTTPS)
+  // Falls iframe-Einbettung nicht benötigt wird, kann auf 'strict' oder 'lax' geändert werden
+  return 'none' // Ermöglicht Einbettung in iframes (z.B. von harheimertc.de)
 }
 
 export function getAuthCookieOptions() {
+  const sameSite = getSameSiteDefault()
+  const secure = getCookieSecureDefault()
+
+  // SameSite: none erfordert Secure: true
+  // Wenn SameSite: none gesetzt ist, aber Secure: false, warnen
+  if (sameSite === 'none' && !secure) {
+    console.warn('⚠️ SameSite: none erfordert Secure: true. Cookie könnte in iframes nicht funktionieren.')
+  }
+
   return {
     httpOnly: true,
-    secure: getCookieSecureDefault(),
-    sameSite: getSameSiteDefault(),
+    secure: secure,
+    sameSite: sameSite,
     maxAge: 60 * 60 * 24 * 7 // 7 days
   }
 }
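Review bot: The `sameSite === 'none' && !secure` branch in getAuthCookieOptions only logs and still returns `sameSite: 'none'` together with `secure: false`; modern browsers reject a SameSite=None cookie that is not also Secure, so whenever getCookieSecureDefault() yields false the auth cookie is silently dropped, not merely "might not work in iframes" as the warning text says. Degrade instead of only logging, e.g. `const effectiveSameSite = sameSite === 'none' && !secure ? 'lax' : sameSite` and `sameSite: effectiveSameSite` in the returned object, keeping the console.warn. Separately, the new unconditional `return 'none'` in getSameSiteDefault applies to every environment and replaces the previous production default of `'strict'`; a SameSite=None auth cookie is attached to cross-site requests from any origin, so the CSRF protection the old default gave must now come from an explicit mechanism (CSRF token or Origin/Referer check) that is not visible in this hunk — consider keeping `'none'` opt-in via COOKIE_SAMESITE and defaulting to `'lax'`. The warning also fires on every call to getAuthCookieOptions() rather than once at startup. getCookieSecureDefault's body starts before the hunk.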