fix: 修改 Cookie Path 为 / 以解决存储问题

ExquisiteCore · claude · ExquisiteCore · commit f0822890c7a2 · 2026-02-05T18:58:26.000+08:00
将 refresh_token Cookie 的 Path 从 /api/auth 改为 /，
确保 Cookie 在所有路径下可用，避免路径不匹配导致的存储问题。

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/backend/src/middleware/auth.rs b/backend/src/middleware/auth.rs
@@ -156,13 +156,13 @@ pub fn build_refresh_cookie(token: &str) -> String {
     if is_dev {
         // 开发环境：不设置 Secure，使用 SameSite=Lax
         format!(
-            "refresh_token={}; HttpOnly; SameSite=Lax; Path=/api/auth; Max-Age={}",
+            "refresh_token={}; HttpOnly; SameSite=Lax; Path=/; Max-Age={}",
             token, max_age
         )
     } else {
         // 生产环境：设置 Domain 使 Cookie 在主域下共享，避免被浏览器当作第三方 Cookie 拦截
         format!(
-            "refresh_token={}; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age={}",
+            "refresh_token={}; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/; Max-Age={}",
             token, max_age
         )
     }
@@ -174,9 +174,9 @@ pub fn build_clear_refresh_cookie() -> String {
     let is_dev = config.cors.allowed_origins.iter().all(|o| o.contains("localhost"));
 
     if is_dev {
-        "refresh_token=; HttpOnly; SameSite=Lax; Path=/api/auth; Max-Age=0".to_string()
+        "refresh_token=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0".to_string()
     } else {
-        "refresh_token=; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age=0".to_string()
+        "refresh_token=; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/; Max-Age=0".to_string()
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -156,13 +156,13 @@ pub fn build_refresh_cookie(token: &str) -> String {`
`156`	`156`	`if is_dev {`
`157`	`157`	`// 开发环境：不设置 Secure，使用 SameSite=Lax`
`158`	`158`	`format!(`
`159`		`- "refresh_token={}; HttpOnly; SameSite=Lax; Path=/api/auth; Max-Age={}",`
	`159`	`+ "refresh_token={}; HttpOnly; SameSite=Lax; Path=/; Max-Age={}",`
`160`	`160`	`token, max_age`
`161`	`161`	`)`
`162`	`162`	`} else {`
`163`	`163`	`// 生产环境：设置 Domain 使 Cookie 在主域下共享，避免被浏览器当作第三方 Cookie 拦截`
`164`	`164`	`format!(`
`165`		`- "refresh_token={}; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age={}",`
	`165`	`+ "refresh_token={}; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/; Max-Age={}",`
`166`	`166`	`token, max_age`
`167`	`167`	`)`
`168`	`168`	`}`
`@@ -174,9 +174,9 @@ pub fn build_clear_refresh_cookie() -> String {`
`174`	`174`	`let is_dev = config.cors.allowed_origins.iter().all(\|o\| o.contains("localhost"));`
`175`	`175`
`176`	`176`	`if is_dev {`
`177`		`- "refresh_token=; HttpOnly; SameSite=Lax; Path=/api/auth; Max-Age=0".to_string()`
	`177`	`+ "refresh_token=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0".to_string()`
`178`	`178`	`} else {`
`179`		`- "refresh_token=; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age=0".to_string()`
	`179`	`+ "refresh_token=; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/; Max-Age=0".to_string()`
`180`	`180`	`}`
`181`	`181`	`}`
`182`	`182`