Description
When running a Nuxt application using nuxt-auth-utils in a production build, the module enforces Secure cookies.
This causes authentication to completely break in local network environments where HTTPS is not available.
Context
- App is deployed in a local network
- Uses a local domain (e.g. app.local, myapp, or similar)
- No publicly trusted TLS certificate can be issued
- Self-signed certificates are not a viable option due to browser warnings and usability constraints
Problem
nuxt-auth-utils sets cookies with the Secure flag when:
- NODE_ENV=production
However:
- Browsers reject Secure cookies over plain HTTP
- Local domains (except localhost) are not treated as secure contexts
- Result: session cookies are silently dropped
This makes authentication unusable in such environments.
Steps to reproduce
- Build the app:
    nuxi build
- Run in production:
    NODE_ENV=production node .output/server/index.mjs
- Access via local domain:
    http://app.local:3000
- Attempt login / session creation
Expected behavior
There should be a way to:
- Disable Secure cookies explicitly
or
- Respect a configuration override (e.g. cookie.secure = false)
Actual behavior
- Secure cookies are always enforced in production
- Browser rejects cookies over HTTP
- Authentication fails completely
Additional notes
Works only when:
- using localhost (special browser handling), or
- forcing NODE_ENV=development
Suggested solution
Allow an explicit override, e.g.:
    auth: {
      cookie: {
        secure: false
      }
    }
or:
allow opt-out for non-HTTPS environments
Use case justification
This affects:
- internal tools
- self-hosted apps
- air-gapped environments
- enterprise LAN deployments
In these scenarios, HTTPS is often not feasible, but authentication is still required.
Summary
Currently, nuxt-auth-utils cannot be used in production builds without HTTPS, which blocks valid local deployment scenarios.
A configurable fallback would make the module usable in a much wider range of environments.
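
Added example, not part of the original issue and not code from nuxt-auth-utils: a small Node.js check that models the browser behaviour described under "Problem", predicting whether a Set-Cookie header would be stored for a given origin. It assumes the browser applies the "potentially trustworthy origin" rule to Secure cookies (HTTPS, or loopback hosts such as localhost); the function names, the cookie name and the cookie value are constructed for illustration.

```javascript
// Simplified model (assumption): a Secure cookie is stored only when the
// origin is HTTPS or a loopback host (localhost, *.localhost, 127.0.0.0/8, ::1).
function isTrustworthyOrigin(originUrl) {
  const url = new URL(originUrl);
  if (url.protocol === 'https:') return true;
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;
  return host === '[::1]'; // WHATWG URL keeps the brackets on IPv6 hosts
}

// Parse just enough of a Set-Cookie header to know its name and flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.slice(0, eq), secure: flags.has('secure') };
}

// Predict whether the browser keeps the cookie, and say why.
function checkSessionCookie(originUrl, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  if (!cookie.secure) {
    return { stored: true, reason: 'no Secure attribute' };
  }
  if (isTrustworthyOrigin(originUrl)) {
    return { stored: true, reason: 'HTTPS or loopback origin' };
  }
  return {
    stored: false,
    reason: 'Secure cookie over plain HTTP on a non-loopback host',
  };
}

// Constructed sample header, shaped like a production session cookie.
const SAMPLE_HEADER =
  'session=CONSTRUCTED_VALUE; Path=/; HttpOnly; Secure; SameSite=Lax';

// Origins taken from the scenarios in the issue, plus HTTPS for contrast.
for (const origin of [
  'http://app.local:3000',
  'http://myapp:3000',
  'http://localhost:3000',
  'https://app.local',
]) {
  const result = checkSessionCookie(origin, SAMPLE_HEADER);
  console.log(`${origin} -> stored=${result.stored} (${result.reason})`);
}
```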