fix: add session_https_only to dev config and update README

2026-02-19 15:10:37 +01:00 · 2026-02-19 15:10:37 +01:00 · cedf2a65e2
commit cedf2a65e2
parent 4242f1a40f
4 changed files with 5 additions and 1 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,4 +1,5 @@
 .venv/
+.worktrees/
 .git/
 .gitignore
 .ruff_cache/
--- a/3
+++ b/3
@ -22,7 +22,8 @@ RUN uv sync --frozen --no-install-project

 # Source is bind-mounted at runtime via docker-compose
 ENV OIDC_OP_ISSUER=http://localhost:8000 \
-    OIDC_OP_DEBUG=true
+    OIDC_OP_DEBUG=true \
+    OIDC_OP_SESSION_HTTPS_ONLY=false

 EXPOSE 8000

--- a/README.md
+++ b/README.md
@ -95,6 +95,7 @@ variables always take priority over file values.
 | `OIDC_OP_SIGNING_KEY_PATH` | `data/keys` | OIDC signing key storage |
 | `OIDC_OP_INVITE_TTL` | `86400` | Magic link expiry in seconds |
 | `OIDC_OP_MANAGE_CLIENT_ID` | `manage-app` | Client ID for the management UI |
+| `OIDC_OP_SESSION_HTTPS_ONLY` | `true` | Restrict session cookie to HTTPS (set `false` for local dev) |
 | `OIDC_OP_CONFIG_FILE` | `porchlight.toml` | Path to TOML config file |

 Database migrations run automatically on startup.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -22,6 +22,7 @@ services:
    environment:
      OIDC_OP_ISSUER: "http://localhost:8000"
      OIDC_OP_DEBUG: "true"
+      OIDC_OP_SESSION_HTTPS_ONLY: "false"
    volumes:
      - ./src:/app/src
      - ./pyproject.toml:/app/pyproject.toml