fix : correctif mr

server/middleware/auth-cookie.ts

@@ -0,0 +1,25 @@
+export default defineEventHandler((event) => {
+  const path = event.path || event.node.req.url || ""
+
+  if (path.startsWith("/api/")) {
+    return
+  }
+
+  const runtimeConfig = useRuntimeConfig(event)
+  const expectedToken = runtimeConfig.apiSecretKey
+
+  if (!expectedToken) {
+    return
+  }
+
+  if (getCookie(event, "api_auth_token") === expectedToken) {
+    return
+  }
+
+  setCookie(event, "api_auth_token", expectedToken, {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    path: "/"
+  })
+})

server/middleware/auth.ts

@@ -9,6 +9,7 @@ export default defineEventHandler((event) => {
 
   const runtimeConfig = useRuntimeConfig(event)
   const authorization = getHeader(event, "authorization")
+  const cookieToken = getCookie(event, "api_auth_token")
   const expectedToken = runtimeConfig.apiSecretKey
 
   // Si aucun secret n'est configure cote serveur, on refuse la requete.
@@ -19,9 +20,9 @@ export default defineEventHandler((event) => {
     })
   }
 
-  // Le header doit correspondre exactement au format attendu :
-  // Authorization: Bearer <token>
-  if (authorization !== `Bearer ${expectedToken}`) {
+  // Le secret peut venir soit d'un header serveur explicite,
+  // soit du cookie httpOnly pose pour l'application web.
+  if (authorization !== `Bearer ${expectedToken}` && cookieToken !== expectedToken) {
     throw createError({
       statusCode: 401,
       statusMessage: "Unauthorized"