ad TIMEZONE and more

app/config.py

@@ -46,10 +46,12 @@ if SECRET_KEY == "change-me-in-production":
 
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "1440"))  # 24 hours
+COOKIE_SECURE = os.getenv("COOKIE_SECURE", "false").lower() == "true"
 
 # Server
 HOST = os.getenv("HOST", "0.0.0.0")
 PORT = int(os.getenv("PORT", "8000"))
+TIMEZONE = os.getenv("TIMEZONE", "UTC")
 
 # CORS
 ALLOWED_ORIGINS = os.getenv("ALLOWED_ORIGINS", "http://localhost:8000,http://127.0.0.1:8000,http://lvh.me").split(",")

app/routes/auth.py

@@ -104,7 +104,8 @@ def login(request: Request, data: LoginRequest, response: Response, db: Session
         value=token,
         httponly=True,
         max_age=config.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
-        samesite="lax"
+        samesite="lax",
+        secure=config.COOKIE_SECURE
     )
 
     config.logger.info(f"User logged in: {data.email}")
@@ -114,7 +115,12 @@ def login(request: Request, data: LoginRequest, response: Response, db: Session
 @router.post("/logout")
 def logout(response: Response):
     """Logout and clear session"""
-    response.delete_cookie("session_token")
+    response.delete_cookie(
+        key="session_token",
+        httponly=True,
+        samesite="lax",
+        secure=config.COOKIE_SECURE
+    )
     return {"message": "Logged out"}