@selvajs/cli 2.0.9 → 2.0.10
- package/package.json +1 -1
- package/src/prompts.js +17 -0
package/package.json
CHANGED
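--- a/package/src/prompts.js
+++ b/package/src/prompts.js
@@ -475,6 +475,23 @@ export async function collectConfig({ defaults = {}, mode = 'create' } = {}) {
 });
 cancelOn(value);
 origin = String(value);
+
+// Plain HTTP + NODE_ENV=production drops the session cookie (Secure
+// flag on, browser refuses to send over http://). Login appears to
+// succeed but the next request is anonymous. Warn loudly here — the
+// fix is either TLS or ALLOW_INSECURE_COOKIES=true in .env.
+if (origin.startsWith('http://')) {
+p.note(
+'Sessions use Secure cookies in production; browsers will silently\n' +
+'drop them over http://, so login will appear to succeed but the\n' +
+'next request will be anonymous.\n\n' +
+'Fix one of:\n' +
+' • put TLS in front (recommended) — e.g. a domain + Caddy auto-cert\n' +
+' • set ALLOW_INSECURE_COOKIES=true in .env (testing only — password\n' +
+' auth over plain HTTP sends credentials in cleartext)',
+pc.yellow('⚠ Plain HTTP origin')
+);
+}
 }
 
 // ── Platform flags ─────────────────────────────────────────────────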
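Review bot: The `origin.startsWith('http://')` test on new line 483 is case-sensitive, but URL schemes are not, so an origin entered as `HTTP://host` or with leading whitespace would skip the warning unless the prompt's validation (above the hunk, not visible here) already normalizes it; `if (/^http:\/\//i.test(origin.trim())) {` closes that gap. The note is also advisory only: setup continues with the plain-HTTP origin, and since the message itself says password auth would then travel in cleartext, an explicit confirmation before proceeding may be worth adding. The comment names NODE_ENV=production as the failing condition while the check fires for any mode, which is presumably intentional but deserves a word in the comment. `collectConfig` begins and ends outside this hunk.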