Skip to content

Commit 74df7d8

Browse files
committed
fix(auth): restrict non-secure cookie fallback to development environment
1 parent 4c04d62 commit 74df7d8

1 file changed

Lines changed: 2 additions & 3 deletions

File tree

src/middleware.ts

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -245,10 +245,9 @@ export async function middleware(req: NextRequest) {
245245
: "next-auth.session-token",
246246
});
247247

248-
if (!token) {
248+
if (!token && !isProduction) {
249249
// Fallback: try the opposite cookie name to handle edge cases such as
250-
// a production build served over HTTP (e.g. a staging environment without TLS)
251-
// or a dev build that somehow received a Secure cookie.
250+
// a dev build that somehow received a Secure cookie.
252251
token = await getToken({
253252
req,
254253
secret: process.env.NEXTAUTH_SECRET,

0 commit comments

Comments
 (0)