fix: Google OAuth redirects to production URL after login

- FRONTEND_URL and COOKIE_SECURE are now read from settings (env vars)
- Add COOKIE_SECURE config field (false by default, true in prod)
- backend/.env sets FRONTEND_URL=https://www.velxio.dev and COOKIE_SECURE=true

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pull/10/head
David Montero Crespo 2026-03-06 21:03:51 -03:00
parent c58f98920a
commit 7e87afa3ec
2 changed files with 3 additions and 1 deletions

@ -23,7 +23,7 @@ def _set_auth_cookie(response: Response, token: str) -> None:
httponly=True,
samesite="lax",
max_age=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
secure=False, # set True in production with HTTPS
secure=settings.COOKIE_SECURE,
)
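Review bot: `secure=settings.COOKIE_SECURE` inherits a `False` default, so a production host that omits the env var ships the JWT cookie over plain HTTP with no error, whereas the removed `secure=False  # set True in production with HTTPS` at least carried an inline reminder. Consider a fail-safe rather than relying on operators, e.g. `secure=settings.COOKIE_SECURE or settings.FRONTEND_URL.startswith("https://")`, or a startup check that refuses to run when an `https://` frontend URL is configured and `COOKIE_SECURE` is false. Also, the commit message says FRONTEND_URL is "now read from settings", but nothing in this hunk touches the redirect and `FRONTEND_URL` already exists as unchanged context in the Settings file; if the redirect fix lives in another commit, the message should say so.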

@ -9,6 +9,8 @@ class Settings(BaseSettings):
GOOGLE_CLIENT_SECRET: str = ""
GOOGLE_REDIRECT_URI: str = "http://localhost:8001/api/auth/google/callback"
FRONTEND_URL: str = "http://localhost:5173"
# Set to true in production (HTTPS). Controls the Secure flag on the JWT cookie.
COOKIE_SECURE: bool = False
ACCESS_TOKEN_EXPIRE_MINUTES: int = 10080 # 7 days
model_config = {"env_file": ".env", "env_file_encoding": "utf-8"}
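Review bot: `COOKIE_SECURE: bool = False` makes the insecure value the default, so the setting fails open; defaulting to `True` and letting local development opt out in its `.env` is the safer direction, since a forgotten override then only breaks a localhost login instead of exposing the session cookie. A `model_validator` on this class could additionally reject `COOKIE_SECURE=False` whenever `FRONTEND_URL` or `GOOGLE_REDIRECT_URI` starts with `https://`. The default `GOOGLE_REDIRECT_URI` of `http://localhost:8001/...` has the same production-override problem, so the new comment would be more useful if it noted that `FRONTEND_URL`, `GOOGLE_REDIRECT_URI` and `COOKIE_SECURE` must be set together for a deployment.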