| import type { CookieOptions, Request } from "express"; | |
// Host names that mean "this machine": the loopback name plus its IPv4 and
// IPv6 literals. Compared against `req.hostname`, which carries no port.
// NOTE(review): Express may report a bracketed IPv6 host ("[::1]"); confirm
// whether the "::1" entry can ever match before relying on it.
const LOCAL_HOSTS = new Set<string>(["localhost", "127.0.0.1", "::1"]);
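/**
 * Returns true when `host` is an IP literal rather than a DNS name.
 *
 * IPv4 must be four dot-separated decimal groups, each in the range 0–255;
 * the previous check accepted any 1–3 digit group, so "999.1.1.1" passed as
 * an address. IPv6 is detected by the presence of ":", which a DNS name can
 * never contain (a bracketed literal such as "[::1]" therefore also counts,
 * as does anything that still carries a ":port" suffix — pass a hostname
 * without port, e.g. `req.hostname`).
 *
 * @param host - host name without port
 * @returns true for an IPv4 or IPv6 literal, false otherwise
 */
function isIpAddress(host: string): boolean {
  // A group is 1–3 digits whose value fits in a byte; leading zeros are tolerated.
  const isOctet = (group: string): boolean =>
    /^\d{1,3}$/.test(group) && Number(group) <= 255;
  const groups = host.split(".");
  if (groups.length === 4 && groups.every(isOctet)) return true;
  return host.includes(":");
}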
/**
 * Decides whether the request reached the app over TLS, either directly or
 * through a proxy that set `X-Forwarded-Proto`.
 *
 * `req.protocol` is consulted first. The header is then read as a fallback,
 * and any entry equal to "https" (case-insensitive, whitespace-trimmed) in a
 * comma-separated or multi-valued header counts. Because the header is read
 * straight from the request, a client can claim "https" here when no trusted
 * proxy in front of the app strips the header; the only effect of that claim
 * is that the session cookie gets the `secure` flag and is then withheld by
 * the browser on plain HTTP.
 * NOTE(review): Express's `trust proxy` setting is meant to make `req.protocol`
 * itself reflect the forwarded protocol — confirm whether it is enabled, in
 * which case the manual header parsing below is redundant.
 *
 * @param req - the incoming Express request
 * @returns true when the request is treated as HTTPS
 */
function isSecureRequest(req: Request): boolean {
  if (req.protocol === "https") return true;
  const forwarded = req.headers["x-forwarded-proto"];
  if (!forwarded) return false;
  const candidates: string[] =
    typeof forwarded === "string" ? forwarded.split(",") : forwarded;
  for (const candidate of candidates) {
    if (candidate.trim().toLowerCase() === "https") return true;
  }
  return false;
}
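/**
 * Builds the attributes for the session cookie.
 *
 * - `httpOnly` keeps the cookie out of reach of page scripts.
 * - `path: "/"` scopes it to the whole app.
 * - `sameSite: "lax"` is sufficient for same-origin auth and works in all
 *   browsers; `none` would only be needed for cross-site use, which does not
 *   apply here.
 * - `secure` is forced on when `SPACE_HOST` is set (HuggingFace Spaces always
 *   serve over HTTPS) and otherwise follows {@link isSecureRequest}, so local
 *   plain-HTTP development still receives the cookie.
 * - No `domain` is set, so the browser treats the cookie as host-only.
 *
 * The unused `hostname` / `isLocalhost` locals of the previous version were
 * dropped; they did not influence the result.
 *
 * @param req - the incoming Express request
 * @returns the options to hand to `res.cookie` for the session cookie
 */
export function getSessionCookieOptions(
  req: Request
): Pick<CookieOptions, "domain" | "httpOnly" | "path" | "sameSite" | "secure"> {
  // SPACE_HOST is present when running on HuggingFace Spaces, which terminates TLS.
  const onHfSpaces = Boolean(process.env.SPACE_HOST);
  return {
    httpOnly: true,
    path: "/",
    sameSite: "lax",
    secure: onHfSpaces || isSecureRequest(req),
  };
}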