fix: set refresh cookie secure=False, samesite=lax for reverse proxy chain

Nginx terminates TLS and forwards HTTP internally. Secure=True cookies don't get sent when the backend sees HTTP connections. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 06:53:59 +09:00
parent 4ef27fc51c
commit 17c1b7cf30
1 changed files with 2 additions and 2 deletions
--- a/app/api/auth.py
+++ b/app/api/auth.py
@@ -66,8 +66,8 @@ def _set_refresh_cookie(response: Response, token: str):
        key="refresh_token",
        value=token,
        httponly=True,
-        secure=True,
+        secure=False,  # Nginx가 TLS 종료, 내부 트래픽은 HTTP
-        samesite="strict",
+        samesite="lax",
        max_age=REFRESH_TOKEN_EXPIRE_DAYS * 86400,
        path="/api/auth",
    )