Chore/Secure Cookies Env Variable #5281

Merged: HenryHengZJ merged 1 commit into main from chore/Secure-Cookies on Oct 1, 2025

@HenryHengZJ

Contributor

Root Cause

When you set APP_URL to an HTTPS value, Flowise automatically sets all authentication cookies (JWT tokens, refresh tokens, and session cookies) with the secure: true flag. This means cookies can only be transmitted over HTTPS connections. However, if your Flowise server is running behind a reverse proxy/load balancer that terminates SSL, or if there's any HTTP-to-HTTPS mismatch in your setup, the browser won't send these secure cookies, causing authentication to fail.

The Fix

  1. Added a new environment variable SECURE_COOKIES that allows you to explicitly control cookie security settings
  2. Added debug logging to help troubleshoot cookie configuration issues

Why This Happens

This is a common issue when running applications behind reverse proxies or load balancers:

  1. Your load balancer terminates SSL and forwards HTTP traffic to Flowise
  2. Flowise sees APP_URL as HTTPS and sets secure cookies
  3. But the actual connection between browser and Flowise (via the load balancer) might have HTTP components
  4. Secure cookies get blocked, causing authentication failures

Solution

env:
  - name: APP_URL
    value: "https://flowise-fake-url.dev"
  - name: SECURE_COOKIES
    value: "false"

The fix maintains backward compatibility - existing deployments without the SECURE_COOKIES environment variable will continue to work as before.

… explicit configuration of secure cookie settings.
@HenryHengZJ HenryHengZJ merged commit a86f618 into main Oct 1, 2025
2 checks passed
erhhung pushed a commit to erhhung/flowise that referenced this pull request Oct 5, 2025
Enhanced cookie security handling in the passport middleware to allow explicit configuration of secure cookie settings.
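
The precedence described in the pull request, together with a deployment check that reports when the override weakens cookie handling, as an added example that is not the code from this pull request. The names `isHttps`, `resolveSecureFlag` and `auditCookieConfig`, and the handling of unrecognised values, are assumptions.

```javascript
// Added example: helper names are hypothetical, not Flowise's own code.
// Precedence as the PR describes it: an explicit SECURE_COOKIES value wins;
// when it is unset, the flag follows the APP_URL scheme as before.
const isHttps = (url) => (url ?? '').trim().toLowerCase().startsWith('https://');

function resolveSecureFlag(env) {
    const raw = (env.SECURE_COOKIES ?? '').trim().toLowerCase();
    if (raw === 'true') return { secure: true, source: 'SECURE_COOKIES' };
    if (raw === 'false') return { secure: false, source: 'SECURE_COOKIES' };
    // Assumption: unset or unrecognised values fall back to the APP_URL scheme.
    return { secure: isHttps(env.APP_URL), source: 'APP_URL' };
}

// Report combinations an operator should review before rollout.
function auditCookieConfig(env) {
    const { secure, source } = resolveSecureFlag(env);
    const findings = [];
    if (isHttps(env.APP_URL) && !secure) {
        findings.push('HTTPS APP_URL without Secure: browsers will also attach the auth cookies to plain-HTTP requests for this host');
    }
    if (!isHttps(env.APP_URL) && secure) {
        findings.push('Secure cookies with a non-HTTPS APP_URL: browsers withhold them on plain-HTTP requests');
    }
    return { secure, source, findings };
}

// Constructed sample environments (the first mirrors the PR's example values).
const samples = [
    { APP_URL: 'https://flowise-fake-url.dev', SECURE_COOKIES: 'false' },
    { APP_URL: 'https://flowise-fake-url.dev' },
    { APP_URL: 'http://localhost:3000', SECURE_COOKIES: 'true' }
];
for (const env of samples) {
    console.log(JSON.stringify(env), '=>', JSON.stringify(auditCookieConfig(env)));
}
```
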
Development

Successfully merging this pull request may close these issues.

[BUG] Login [workspaceuser] fails after specifying https APP_URL, succeeds when http