feat: Restrict JWT access cookie path and update Socket.IO CORS path

2025-07-08 22:35:47 +02:00
parent 2e464dc977
commit 7d224d1db7
1 changed files with 3 additions and 3 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -37,9 +37,8 @@ def create_app():
    app.config["JWT_TOKEN_LOCATION"] = ["cookies"]
    app.config["JWT_COOKIE_SECURE"] = False  # Set to True in production
    app.config["JWT_COOKIE_CSRF_PROTECT"] = False
-    app.config["JWT_ACCESS_COOKIE_PATH"] = (
-        "/"  # Allow access to all paths including SocketIO
-    )
+    app.config["JWT_COOKIE_SAMESITE"] = "Lax"  # Allow cross-origin requests
+    app.config["JWT_ACCESS_COOKIE_PATH"] = "/api/"  # Restrict to API paths only
    app.config["JWT_REFRESH_COOKIE_PATH"] = "/api/auth/refresh"

    # Initialize CORS
@@ -56,6 +55,7 @@ def create_app():
        app,
        cors_allowed_origins="http://localhost:3000",
        cors_credentials=True,
+        path="/api/socket.io/",  # Use /api prefix for Socket.IO
    )

    # Initialize JWT manager