fix: avoid h3 setCookie, use Set-Cookie header on Response directly

h3 v2's setCookie modifies event response headers but doesn't carry them when handler returns a raw Response object. Build Set-Cookie header manually in redirect helpers instead.
2026-05-26 16:56:33 +00:00 · 2026-05-10 02:53:06 +02:00 · 2026-05-10 02:53:06 +02:00 · 3c5256bbb4
commit 3c5256bbb4
parent a64363258d
2 changed files with 37 additions and 17 deletions
--- a/server/src/plugins/service-admin-http/html-response.ts
+++ b/server/src/plugins/service-admin-http/html-response.ts
@ -10,3 +10,34 @@ export function htmlPage(markup: unknown): Response {
    headers: { "content-type": "text/html; charset=utf-8" },
  });
 }
+
+/**
+ * Build a redirect Response with optional Set-Cookie header.
+ * Avoids h3's setCookie which doesn't play well with returning
+ * a raw Response object.
+ */
+export function redirectWithCookie(
+  location: string,
+  cookie?: { name: string; value: string; maxAge: number },
+  status = 302,
+): Response {
+  const headers = new Headers({ location });
+  if (cookie) {
+    headers.set(
+      "set-cookie",
+      `${cookie.name}=${cookie.value}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${cookie.maxAge}`,
+    );
+  }
+  return new Response(null, { status, headers });
+}
+
+/** Build a redirect that clears a cookie. */
+export function redirectClearCookie(location: string, cookieName: string): Response {
+  return new Response(null, {
+    status: 302,
+    headers: {
+      location,
+      "set-cookie": `${cookieName}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`,
+    },
+  });
+}
--- a/server/src/plugins/service-admin-http/routes-auth.ts
+++ b/server/src/plugins/service-admin-http/routes-auth.ts
@ -1,17 +1,11 @@
 /**
 * Authentication routes: login, TOTP, recovery, logout.
 */
-import { type H3, readBody, getCookie, setCookie, deleteCookie, getQuery, getRequestHeader } from "h3";
-import { htmlPage } from "./html-response.js";
+import { type H3, readBody, getCookie, getQuery, getRequestHeader } from "h3";
+import { htmlPage, redirectWithCookie, redirectClearCookie } from "./html-response.js";
 import type { AdminDeps } from "./index.js";
 import { LoginPage, TotpPage, RecoveryPage } from "../../web-templates/auth-pages.js";

-const COOKIE_OPTS = {
-  httpOnly: true,
-  secure: true,
-  sameSite: "lax" as const,
-  path: "/",
-};

 export function registerAuthRoutes(app: H3, deps: AdminDeps): void {
  // ---- Login ----------------------------------------------------------------
@ -70,15 +64,11 @@ export function registerAuthRoutes(app: H3, deps: AdminDeps): void {
      totpPending,
    });

-    setCookie(event, deps.cookieName, cookieValue, {
-      ...COOKIE_OPTS,
-      maxAge: deps.auth.config.sessionMaxSeconds,
-    });
-
+    const cookie = { name: deps.cookieName, value: cookieValue, maxAge: deps.auth.config.sessionMaxSeconds };
    if (totpPending) {
-      return new Response(null, { status: 302, headers: { location: "/auth/totp" } });
+      return redirectWithCookie("/auth/totp", cookie);
    }
-    return new Response(null, { status: 302, headers: { location: "/admin/" } });
+    return redirectWithCookie("/admin/", cookie);
  });

  // ---- TOTP -----------------------------------------------------------------
@ -184,7 +174,6 @@ export function registerAuthRoutes(app: H3, deps: AdminDeps): void {
        deps.auth.revokeSession(resolved.session.id);
      }
    }
-    deleteCookie(event, deps.cookieName, { path: "/" });
-    return new Response(null, { status: 302, headers: { location: "/auth/login" } });
+    return redirectClearCookie("/auth/login", deps.cookieName);
  });
 }