fix: refresh cookie path 改为 /,修复 AppAuthMiddleware 读不到 cookie
REFRESH_COOKIE_PATH 从 /api/auth 改为 /,这样浏览器访问 /app/ 页面时 也会发送 nexus_refresh cookie,AppAuthMiddleware 才能正确验证登录状态。 同时包含之前的 AppAuthMiddleware 定义顺序修复和 422 调试日志。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+2
-2
@@ -24,7 +24,7 @@ logger = logging.getLogger("nexus.auth")
|
||||
# ── Refresh Token Cookie Helpers ──
|
||||
|
||||
REFRESH_COOKIE_NAME = "nexus_refresh"
|
||||
REFRESH_COOKIE_PATH = "/api/auth"
|
||||
REFRESH_COOKIE_PATH = "/"
|
||||
|
||||
|
||||
def _is_secure_request(request: Request) -> bool:
|
||||
@@ -41,7 +41,7 @@ def _set_refresh_cookie(response: Response, refresh_token: str, request: Request
|
||||
- HttpOnly: not accessible from JavaScript (XSS protection)
|
||||
- Secure: only sent over HTTPS
|
||||
- SameSite=Lax: not sent on cross-site POST (CSRF protection)
|
||||
- Path=/api/auth: only sent to auth endpoints (minimal exposure)
|
||||
- Path=/: sent to all paths (needed by AppAuthMiddleware on /app/ pages)
|
||||
"""
|
||||
response.set_cookie(
|
||||
key=REFRESH_COOKIE_NAME,
|
||||
|
||||
Reference in New Issue
Block a user