From 17c1b7cf30c861995927f22758ae055710277798 Mon Sep 17 00:00:00 2001
From: Hyungi Ahn
Date: Fri, 3 Apr 2026 06:53:59 +0900
Subject: [PATCH] fix: set refresh cookie secure=False, samesite=lax for reverse proxy chain
Nginx terminates TLS and forwards HTTP internally. Secure=True cookies don't get sent when the backend sees HTTP connections.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 app/api/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/api/auth.py b/app/api/auth.py
index b9ce637..4d8edb0 100644
--- a/app/api/auth.py
+++ b/app/api/auth.py
@@ -66,8 +66,8 @@ def _set_refresh_cookie(response: Response, token: str):
 key="refresh_token",
 value=token,
 httponly=True,
- secure=True,
- samesite="strict",
+ secure=False, # Nginx가 TLS 종료, 내부 트래픽은 HTTP
+ samesite="lax",
 max_age=REFRESH_TOKEN_EXPIRE_DAYS * 86400,
 path="/api/auth",
 )
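Review bot: The `+ secure=False` line removes the only guarantee that the `refresh_token` cookie is transmitted exclusively over HTTPS, and the justification in the commit message does not hold: the `Secure` attribute is enforced by the browser against the scheme of the origin it is talking to, not by what the backend behind Nginx observes, so a site served over HTTPS through a TLS-terminating proxy still sends `Secure` cookies normally. If the symptom was real, the likelier causes are the browser reaching the site over plain `http://` (a dev setup) or the app not honouring the proxy's forwarded-proto header when it builds redirects, neither of which is fixed by clearing the flag; with this change the refresh token is attached to any plaintext request to the host, which is precisely the exposure the flag prevents, and the `+ samesite="lax"` line additionally lets the cookie ride on cross-site top-level navigations into the `/api/auth` path. Gate the flag on configuration instead of hard-coding it, e.g. `secure=REFRESH_COOKIE_SECURE,  # constructed name: env-driven, True outside local dev`, and keep `samesite="strict"` unless a documented cross-site flow requires Lax. The `response.set_cookie(` call and the rest of `_set_refresh_cookie` begin outside the hunk.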