From 6eca085b6eaeea2e53df1f7837abc09426aadb0f Mon Sep 17 00:00:00 2001 From: eneller Date: Sun, 8 Mar 2026 20:39:04 +0100 Subject: [PATCH] wip: try to send cookie --- README.md | 8 +++++--- client/angular.json | 3 +++ client/proxy.json | 8 ++++++++ server/src/index.ts | 7 ++++--- server/src/routes/auth.ts | 6 ++---- 5 files changed, 22 insertions(+), 10 deletions(-) create mode 100644 client/proxy.json diff --git a/README.md b/README.md index fc71671..7bf8b23 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,10 @@ # FakeMoney A PayPal-like payment processor for virtual money, intended to be used for simulation games. -## Frontend +## Development + +### Frontend Is written in angular + bootstrap. -## Backend -Uses NextJS + PostgreSQL. \ No newline at end of file +### Backend +Uses NextJS + PostgreSQL with JWT as cookies. \ No newline at end of file diff --git a/client/angular.json b/client/angular.json index eabedc8..58472a4 100644 --- a/client/angular.json +++ b/client/angular.json @@ -65,6 +65,9 @@ "defaultConfiguration": "production" }, "serve": { + "options": { + "proxyConfig": "proxy.json" + }, "builder": "@angular/build:dev-server", "configurations": { "production": { diff --git a/client/proxy.json b/client/proxy.json new file mode 100644 index 0000000..2cac925 --- /dev/null +++ b/client/proxy.json @@ -0,0 +1,8 @@ +{ + "/api": { + "target": "http://localhost:3000", + "secure": false, + "changeOrigin": true, + "withCredentials": true + } +} diff --git a/server/src/index.ts b/server/src/index.ts index abdd633..eacf787 100644 --- a/server/src/index.ts +++ b/server/src/index.ts @@ -7,6 +7,7 @@ import { db, testConnection } from "./util/db"; import { logger } from "./util/logging"; const app: Express = express(); +// TODO replace with frontend URL app.use(cors({ origin: 'http://localhost:4200', credentials: true})); app.use(cookieParser()); app.use(express.json()); 
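Review bot: `"withCredentials": true` in the new `/api` proxy entry is a browser XHR/fetch option rather than a proxy option; as far as I can tell the Angular dev-server proxy does not recognise it, so it should not be relied on to make the cookie flow and can be dropped. Once this proxy is active the browser only ever talks to localhost:4200, so `/api` requests are same-origin and the `jwt` cookie is attached without any CORS or SameSite accommodation — the `origin`/`credentials: true` settings in server/src/index.ts only matter when the client calls :3000 directly. `"secure": false` is harmless here because the target is plain http, but it should not survive into any config that proxies to an https backend, since it disables certificate verification of the target.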
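Review bot: The added `// TODO replace with frontend URL` comment leaves the cors() origin hard-coded while `PORT` in the same file is already read from `process.env`; the same pattern closes the TODO in one line: `app.use(cors({ origin: process.env.FRONTEND_ORIGIN ?? 'http://localhost:4200', credentials: true }));` (the variable name is a suggestion, pick whatever the deployment uses). With `credentials: true` the origin must remain an explicit allow-list value; `origin: true` would reflect whatever Origin header the request carries and would make every site able to send credentialed requests to the API. A short comment stating that, e.g. `// credentials: true requires an explicit origin; never reflect the request origin here`, keeps the next maintainer from "fixing" the TODO with a wildcard.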
@@ -20,12 +21,12 @@ app.use('/api/auth', authRouter); const PORT: number = parseInt(process.env.PORT as string) || 3000; -// Start server after DB connection is established async function startServer() { - await testConnection(); // Test DB connection first + await testConnection(); // Sync models (use migrations in production!) - await db.sync({ alter: true }); // Use { force: true } to drop and recreate tables (development only!) + // Use { force: true } to drop and recreate tables (development only!) + await db.sync({ alter: true }); app.listen(PORT, () => { logger.info(`🚀 Backend Server running on http://localhost:${PORT}`); diff --git a/server/src/routes/auth.ts b/server/src/routes/auth.ts index abccbce..119438e 100644 --- a/server/src/routes/auth.ts +++ b/server/src/routes/auth.ts @@ -17,11 +17,9 @@ router.post('/login', async (req, res) => { // successfully authenticated res.cookie('jwt', 'toekn', { - /* httpOnly: true, // Prevent XSS - secure: true, // HTTPS only - sameSite: 'strict', // CSRF protection - */ + secure: false, // HTTPS only + sameSite: 'lax', // CSRF protection maxAge: 86400000, // 1 day }); res.json({ message: 'Logged in successfully' });
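Review bot: The removed `// Start server after DB connection is established` comment was the only description of `startServer` and nothing replaces it; a doc comment on the function, e.g. `/** Checks the DB connection, syncs models, then starts listening on PORT. */`, keeps that intent without the inline noise the commit cleans up. The reordered `await db.sync({ alter: true })` still runs unconditionally even though the kept comment warns to use migrations in production; if that warning is meant seriously, gating it makes it enforceable: `if (process.env.NODE_ENV !== 'production') await db.sync({ alter: true });` — confirm against how the project actually deploys schema changes. `startServer`'s body continues past the end of the hunk (the `app.listen` callback is cut off).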
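Review bot: The new cookie options drop `httpOnly` entirely — the commented-out block being removed had `httpOnly: true`, and the replacement keeps only `secure` and `sameSite` — so the `jwt` cookie becomes readable by any script running on the page; `httpOnly` has no bearing on whether the browser attaches the cookie to requests, so restoring it does not conflict with this commit's goal of getting the cookie sent. `secure: false` now sits next to the unchanged `// HTTPS only` comment and contradicts it; deriving the flag from the environment keeps local http working without committing the insecure value: `httpOnly: true, // not readable by page scripts` / `secure: process.env.NODE_ENV === 'production', // HTTPS only outside local dev` / `sameSite: 'lax', // CSRF protection`. `'lax'` is reasonable for a login cookie served through the Angular proxy, where the requests are same-origin; note that SameSite compares sites rather than origins, so a port difference between :4200 and :3000 alone would not have blocked `'strict'` either — worth confirming if that was the motivation for relaxing it. The enclosing `router.post('/login', …)` handler starts before the hunk, and the context line still passes the placeholder value `'toekn'` as the cookie body.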