Chore/Secure Cookies Env Variable (#5281)

Enhanced cookie security handling in the passport middleware to allow explicit configuration of secure cookie settings.

packages/server/.env.example

@@ -99,6 +99,7 @@ JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
 # EXPRESS_SESSION_SECRET=flowise
+# SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15

packages/server/src/enterprise/middleware/passport/index.ts

@@ -33,7 +33,16 @@ const expireAuthTokensOnRestart = process.env.EXPIRE_AUTH_TOKENS_ON_RESTART ===
 const jwtAuthTokenSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token'
 const jwtRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || process.env.JWT_AUTH_TOKEN_SECRET || 'refresh_token'
 
-const secureCookie = process.env.APP_URL?.startsWith('https') ? true : false
+// Allow explicit override of cookie security settings
+// This is useful when running behind a reverse proxy/load balancer that terminates SSL
+const secureCookie =
+    process.env.SECURE_COOKIES === 'false'
+        ? false
+        : process.env.SECURE_COOKIES === 'true'
+        ? true
+        : process.env.APP_URL?.startsWith('https')
+        ? true
+        : false
 const jwtOptions = {
     secretOrKey: jwtAuthTokenSecret,
     audience: jwtAudience,