From 7fe77cf3592844237651d773b218dd3043752733 Mon Sep 17 00:00:00 2001
From: Cadence Ember
Date: Sun, 17 Aug 2025 14:57:07 +1200
Subject: [PATCH] Persist cookies beyond the session
---
 routes/collection-stats.js | 2 +-
 routes/load-collection.js | 2 +-
 routes/settings.js | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/routes/collection-stats.js b/routes/collection-stats.js
index 52732c0..30ee37f 100644
--- a/routes/collection-stats.js
+++ b/routes/collection-stats.js
@@ -75,6 +75,6 @@ router.get("/:account/collection-stats", defineEventHandler(async event => {
 router.post("/api/settings/currency", defineEventHandler(async event => {
 const {currency, account} = await readValidatedBody(event, schema.schema.postCurrency.parse)
- setCookie(event, "bcex-currency", currency)
+ setCookie(event, "bcex-currency", currency, {secure: true, httpOnly: true, maxAge: 2147483647, sameSite: "lax"})
 return pugSync.render(event, "includes/collection-stats.pug", {account, currency})
 }))
diff --git a/routes/load-collection.js b/routes/load-collection.js
index 68981ef..db7f511 100644
--- a/routes/load-collection.js
+++ b/routes/load-collection.js
@@ -126,7 +126,7 @@ router.post("/api/load-collection", defineEventHandler(async event => {
 const {account} = await readValidatedBody(event, schema.schema.account.parse)
 try {
 const result = await loadCollection(account)
- setCookie(event, "accounts", (getCookie(event, "accounts") || "").split("|").concat(account).join("|"))
+ setCookie(event, "accounts", (getCookie(event, "accounts") || "").split("|").concat(account).join("|"), {secure: true, httpOnly: true, maxAge: 2147483647, sameSite: "lax"})
 return pugSync.render(event, "collection-loaded.pug", result)
 } catch (cause) {
 const error = cause instanceof UserVisibleError ? cause
diff --git a/routes/settings.js b/routes/settings.js
index b635cd9..6e2044e 100644
--- a/routes/settings.js
+++ b/routes/settings.js
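Review bot: The options literal `{secure: true, httpOnly: true, maxAge: 2147483647, sameSite: "lax"}` is pasted verbatim into this `setCookie` call and into the three others in routes/load-collection.js and routes/settings.js, so a later change to one security attribute can silently miss a call site. A single shared constant, for example `const persistentCookie = {secure: true, httpOnly: true, maxAge: 2147483647, sameSite: "lax"}` in a module the routes already share, would keep the attributes in one place. A comment on it should say that 2147483647 is the largest signed 32-bit count of seconds and that browsers applying the 400-day lifetime cap from RFC 6265bis will clamp it, so the setting only persists as long as the cookie keeps being re-set. Browsers also ignore a `Secure` cookie delivered over plain HTTP, so it is worth confirming that instances served without TLS are not expected to keep these preferences.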
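Review bot: With the long `maxAge`, the `accounts` value built on the changed line now accumulates across visits: every successful load appends `account` again with no de-duplication, and `"".split("|")` yields `[""]`, so the very first write stores a leading empty entry. Left unbounded, the value can reach the browser's roughly 4 KB per-cookie limit, after which the update is silently discarded. Consider `const accounts = new Set((getCookie(event, "accounts") || "").split("|").filter(Boolean)).add(account)` and then passing `[...accounts].join("|")` as the cookie value, ideally with a cap on the number of entries kept. Whether `schema.schema.account` rejects `|` inside `account` is not visible here; if it does not, a value containing the separator would be read back as several entries. The handler starts in the hunk header and continues past the last line shown.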
@@ -11,14 +11,14 @@ const schema = sync.require("./schema")
 router.post("/api/settings/inline-player", defineEventHandler(async event => {
 const {inline_player} = await readValidatedBody(event, schema.schema.inlinePlayer.parse)
- setCookie(event, "bcex-inline-player-disabled", String(!inline_player))
+ setCookie(event, "bcex-inline-player-disabled", String(!inline_player), {secure: true, httpOnly: true, maxAge: 2147483647, sameSite: "lax"})
 setResponseHeader(event, "HX-Refresh", "true")
 return null
 }))
 router.post("/api/settings/location-tags", defineEventHandler(async event => {
 const {location_tags, account, filter, filter_field, filter_fuzzy} = await readValidatedBody(event, schema.schema.locationTags.parse)
- setCookie(event, "bcex-location-tags", location_tags)
+ setCookie(event, "bcex-location-tags", location_tags, {secure: true, httpOnly: true, maxAge: 2147483647, sameSite: "lax"})
 const params = new URLSearchParams({arrange: "tag", shape: "grid"})
 if (filter) params.set("filter", filter)
 if (filter_field) params.set("filter_field", filter_field)