Supervisor/server/middleware/auth-cookie.ts

export default defineEventHandler((event) => {
  const path = event.path || event.node.req.url || ""

  if (path.startsWith("/api/")) {
    return
  }

  const runtimeConfig = useRuntimeConfig(event)
  const expectedToken = runtimeConfig.apiSecretKey

  if (!expectedToken) {
    return
  }

  if (getCookie(event, "api_auth_token") === expectedToken) {
    return
  }

  const secureCookie = process.env.AUTH_COOKIE_SECURE === "true"

  setCookie(event, "api_auth_token", expectedToken, {
    httpOnly: true,
    sameSite: "lax",
    secure: secureCookie,
    path: "/"
  })
})