PR #2933 introduced secure cookie settings (HttpOnly, Secure, SameSite) in setOauthCookie to fix a CodeQL SAST warning. While these settings are correct for production, they break local development when the control plane is not running behind HTTPS (e.g., accessed via a non-localhost address).
The Secure flag requires HTTPS, which is not available in the default development setup.
Proposed fix: make Secure, HttpOnly, and SameSite conditional on whether the system is running in development mode. Development mode is determined by server.Version == "dev" (the default value, overridden at build time for releases). When in dev mode, these flags should be omitted or relaxed so local OAuth flows continue to work.
Affected code: app/controlplane/internal/service/auth.go — setOauthCookie function.
PR #2933 introduced secure cookie settings (
HttpOnly,Secure,SameSite) insetOauthCookieto fix a CodeQL SAST warning. While these settings are correct for production, they break local development when the control plane is not running behind HTTPS (e.g., accessed via a non-localhost address).The
Secureflag requires HTTPS, which is not available in the default development setup.Proposed fix: make
Secure,HttpOnly, andSameSiteconditional on whether the system is running in development mode. Development mode is determined byserver.Version == "dev"(the default value, overridden at build time for releases). When in dev mode, these flags should be omitted or relaxed so local OAuth flows continue to work.Affected code:
app/controlplane/internal/service/auth.go—setOauthCookiefunction.