From 7d224d1db7379a0b82bfbea61fc49984d6082209 Mon Sep 17 00:00:00 2001
From: JSC
Date: Tue, 8 Jul 2025 22:35:47 +0200
Subject: [PATCH] feat: Restrict JWT access cookie path and update Socket.IO CORS path

---
 app/__init__.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index b797b93..afd7ece 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -37,9 +37,8 @@ def create_app():
     app.config["JWT_TOKEN_LOCATION"] = ["cookies"]
     app.config["JWT_COOKIE_SECURE"] = False  # Set to True in production
     app.config["JWT_COOKIE_CSRF_PROTECT"] = False
-    app.config["JWT_ACCESS_COOKIE_PATH"] = (
-        "/"  # Allow access to all paths including SocketIO
-    )
+    app.config["JWT_COOKIE_SAMESITE"] = "Lax"  # Allow cross-origin requests
+    app.config["JWT_ACCESS_COOKIE_PATH"] = "/api/"  # Restrict to API paths only
     app.config["JWT_REFRESH_COOKIE_PATH"] = "/api/auth/refresh"
 
     # Initialize CORS
@@ -56,6 +55,7 @@ def create_app():
         app,
         cors_allowed_origins="http://localhost:3000",
         cors_credentials=True,
+        path="/api/socket.io/",  # Use /api prefix for Socket.IO
     )
 
     # Initialize JWT manager
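Review bot: The comment on the new `JWT_COOKIE_SAMESITE` line in the first hunk is misleading: `Lax` does not allow cross-origin requests; a Lax cookie is omitted from cross-site fetch/XHR and WebSocket upgrade requests and only rides along on same-site requests and top-level navigations. The credentialed calls from `http://localhost:3000` will carry it only because localhost on different ports counts as the same site, which stops working as soon as the frontend is served from another host. Suggest `app.config["JWT_COOKIE_SAMESITE"] = "Lax"  # Sent on same-site requests and top-level navigations only; cross-site fetch/WebSocket calls omit it`. Since `JWT_COOKIE_CSRF_PROTECT` stays `False` on the context line above, this SameSite setting is currently the only CSRF mitigation on the access cookie, which is worth stating in the comment or a TODO; note also that the `/api/` cookie path is a scoping convenience rather than a security boundary, and it must remain a prefix of the Socket.IO `path` set in the second hunk or the cookie will no longer reach the socket endpoint. create_app's body starts before and continues after both hunks.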