40 lines
1008 B
TypeScript
40 lines
1008 B
TypeScript
/**
|
|
* Cookie configuration helpers
|
|
* Automatically uses secure settings in production
|
|
*/
|
|
|
|
const isProduction = process.env.NODE_ENV === 'production';
|
|
|
|
/**
|
|
* Get cookie options for authentication cookies
|
|
*/
|
|
export function getAuthCookieOptions() {
|
|
return {
|
|
httpOnly: true,
|
|
secure: isProduction, // HTTPS only in production
|
|
sameSite: 'lax' as const,
|
|
maxAge: 60 * 60 * 24 * 7, // 7 days
|
|
};
|
|
}
|
|
|
|
/**
|
|
* Get cookie options for CSRF tokens
|
|
* Note: httpOnly is false so the client can read it, but we verify via double-submit pattern
|
|
*/
|
|
export function getCsrfCookieOptions() {
|
|
return {
|
|
httpOnly: false, // Client needs to read this token for the header
|
|
secure: isProduction, // HTTPS only in production
|
|
sameSite: 'lax' as const,
|
|
maxAge: 60 * 60 * 24, // 24 hours
|
|
path: '/', // Available on all paths
|
|
};
|
|
}
|
|
|
|
/**
|
|
* Check if running in production
|
|
*/
|
|
export function isProductionEnvironment(): boolean {
|
|
return isProduction;
|
|
}
|