chore(env): deprecate insecure cookie option in configuration

Author: HoshinoSuzumi

.env.example

@@ -68,9 +68,10 @@ NUXT_PUBLIC_OAUTH_GITHUB_ENABLED=false
 NUXT_OAUTH_GITHUB_CLIENT_ID=
 NUXT_OAUTH_GITHUB_CLIENT_SECRET=
 
+# DEPRECATED
 # INSECURE Options - DO NOT use these options in production or on public networks
 # Allow cookies to be transmitted over insecure connections, effects login session security
-NUXT_ALLOW_INSECURE_COOKIE=false
+# NUXT_ALLOW_INSECURE_COOKIE=false
 
 # Google Analytics Measurement ID (e.g. G-XXXXXXX)
 NUXT_PUBLIC_GTAG_ID=

docs/guide/getting-started.md

@@ -234,12 +234,3 @@ openssl rand -base64 32
 [Convert]::ToBase64String((1..32|%{[byte](Get-Random -Max 256)}))
 ```
 :::
-
-:::details Logged in successfully but redirected home still unauthenticated?
-Make sure you are not accessing the site via raw IP:port. For security, cookies are set for the domain.
-
-If you must use IP + port (not recommended), add:
-```bash
-NUXT_ALLOW_INSECURE_COOKIE=true
-```
-:::

docs/zh/guide/getting-started.md

@@ -245,12 +245,3 @@ openssl rand -base64 32
 [Convert]::ToBase64String((1..32|%{[byte](Get-Random -Max 256)}))
 ```
 :::
-
-:::details 登录后台认证成功后，跳转到首页且仍为未登录状态？
-首先请确保不是直接通过 IP 地址和端口号访问。出于安全考虑，请通过配置的域名访问。
-
-如果出于某些原因，您执意要通过 IP 端口访问，请在配置项中添加：
-```bash
-NUXT_ALLOW_INSECURE_COOKIE=true
-```
-:::

nuxt.config.ts

@@ -128,6 +128,7 @@ export default defineNuxtConfig({
         mode: 'skip' as 'warn' | 'block' | 'skip',
       },
     },
+    /** @deprecated Defaults to allow insecure cookies now */
     allowInsecureCookie: false,
   },
 

server/api/auth/github.get.ts

@@ -40,7 +40,8 @@ export default defineOAuthGitHubEventHandler({
         { user: userFromEmail },
         {
           cookie: {
-            secure: !useRuntimeConfig().allowInsecureCookie,
+            // secure: !useRuntimeConfig().allowInsecureCookie,
+            secure: false,
           },
         },
       )

server/api/login.post.ts

@@ -34,7 +34,8 @@ export default eventHandler(async (event) => {
     { user },
     {
       cookie: {
-        secure: !useRuntimeConfig().allowInsecureCookie,
+        // secure: !useRuntimeConfig().allowInsecureCookie,
+        secure: false,
       },
     },
   )