fix: update cookie settings to include HttpOnly for enhanced security

Ajit Kumar · Ajit Kumar · commit bf50c7aa5bad · 2026-04-28T20:10:33.000+05:30
diff --git a/src/lib/adRewards.js b/src/lib/adRewards.js
@@ -179,7 +179,7 @@ function scheduleExpiryCheck() {
 
 async function getRewardIdentity() {
 	try {
-		const userId = user?.id || "Guest";
+		return String(user?.id || "Guest");
 	} catch (error) {
 		console.warn("Failed to resolve rewarded ad user identity.", error);
 		return String(device?.uuid || "guest");
diff --git a/src/lib/checkPluginsUpdate.js b/src/lib/checkPluginsUpdate.js
@@ -1,5 +1,6 @@
 import fsOperation from "fileSystem";
 import Url from "utils/Url";
+import config from "./config";
 
 export default async function checkPluginsUpdate() {
 	const plugins = await fsOperation(PLUGIN_DIR).lsDir();
@@ -13,9 +14,9 @@ export default async function checkPluginsUpdate() {
 					Url.join(pluginDir.url, "plugin.json"),
 				).readFile("json");
 
-				const res = await fetch({
-					url: `https://acode.app/api/plugin/check-update/${plugin.id}/${plugin.version}`,
-				});
+				const res = await fetch(
+					`${config.API_BASE}/plugin/check-update/${plugin.id}/${plugin.version}`,
+				);
 
 				if (res.ok) {
 					const json = await res.json();
diff --git a/src/pages/sponsor/sponsor.js b/src/pages/sponsor/sponsor.js
@@ -17,7 +17,6 @@ import helpers from "utils/helpers";
  * @param {() => void} onclose
  */
 export default function Sponsor(onclose) {
-	const BASE_URL = "https://acode.app/res/";
 	const $page = Page(strings.sponsor);
 	let cancel = false;
 
@@ -67,12 +66,7 @@ export default function Sponsor(onclose) {
 						msg += `Error: ${rejectedPromise.reason}\n`;
 						msg += `Code: ${rejectedPromise.value.resCode}`;
 					} else {
-						const res = await fetch({
-							url: BASE_URL + "6.jpeg",
-							responseType: "blob",
-						}).catch((err) => {
-							helpers.error(err);
-						});
+						const res = await fetch(`${config.BASE_URL}/res/6.jpeg`);
 
 						if (res.ok) {
 							const url = URL.createObjectURL(await res.blob());
diff --git a/src/plugins/auth/src/android/Authenticator.java b/src/plugins/auth/src/android/Authenticator.java
@@ -58,7 +58,7 @@ public boolean execute(String action, JSONArray args, CallbackContext callbackCo
     private void setTokenCookie(String token) {
         CookieManager cm = CookieManager.getInstance();
         for (String origin : API_ORIGINS) {
-            cm.setCookie(origin, "token=" + token + "; Path=/; Secure; SameSite=None");
+            cm.setCookie(origin, "token=" + token + "; Path=/; Secure; HttpOnly; SameSite=None");
         }
         cm.flush();
     }

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ public boolean execute(String action, JSONArray args, CallbackContext callbackCo`
`58`	`58`	`private void setTokenCookie(String token) {`
`59`	`59`	`CookieManager cm = CookieManager.getInstance();`
`60`	`60`	`for (String origin : API_ORIGINS) {`
`61`		`- cm.setCookie(origin, "token=" + token + "; Path=/; Secure; SameSite=None");`
	`61`	`+ cm.setCookie(origin, "token=" + token + "; Path=/; Secure; HttpOnly; SameSite=None");`
`62`	`62`	`}`
`63`	`63`	`cm.flush();`
`64`	`64`	`}`