Fix secure restriction

examples/kitchensink/boot.ts

@@ -23,7 +23,10 @@ const { UNCHAINED_COOKIE_NAME = 'unchained_token' } = process.env;
 const start = async () => {
   const app = express();
 
+  // Workaround Express Secure Proxy
+  app.set('trust proxy', 1);
   app.use((req, res, next) => {
+    req.headers['x-forwarded-proto'] = 'https';
     res.setHeader('Access-Control-Allow-Private-Network', 'true');
     next();
   });

packages/api/src/express/index.ts

@@ -31,7 +31,6 @@ const {
   UNCHAINED_COOKIE_NAME = 'unchained_token',
   UNCHAINED_COOKIE_PATH = '/',
   UNCHAINED_COOKIE_DOMAIN,
-  NODE_ENV,
 } = process.env;
 
 const addContext = async function middlewareWithContext(
@@ -133,10 +132,10 @@ export const connect = (
       resave: false,
       cookie: {
         domain: UNCHAINED_COOKIE_DOMAIN,
-        httpOnly: true,
         path: UNCHAINED_COOKIE_PATH,
-        sameSite: 'lax',
-        secure: NODE_ENV === 'production',
+        sameSite: 'none',
+        secure: true,
+        httpOnly: true,
         maxAge: 1000 * 60 * 60 * 24 * 7,
       },
     }),

packages/api/src/resolvers/mutations/accounts/loginWithPassword.ts

@@ -1,5 +1,5 @@
 import { log } from '@unchainedshop/logger';
-import { InvalidCredentialsError } from '../../../errors.js';
+import { InvalidCredentialsError, UserNotFoundError } from '../../../errors.js';
 import { Context } from '../../../types.js';
 
 export default async function loginWithPassword(
@@ -22,6 +22,8 @@ export default async function loginWithPassword(
     ? await context.modules.users.findUserByUsername(username)
     : await context.modules.users.findUserByEmail(email);
 
+  if (!user) throw new InvalidCredentialsError({ username, email });
+
   const verified =
     user.services?.password &&
     (await context.modules.users.verifyPassword(user.services.password, password));