Add secure cookie warnings for HTTP development login issues (#1181)

shoummu1 · crivetimihai · web-flow · commit 79707b4b7ea1 · 2025-10-07T18:39:39.000+01:00
* added warning for secure cookies

Signed-off-by: Shoumi &lt;shoumimukherjee@gmail.com&gt;

* Rebase

Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;

---------

Signed-off-by: Shoumi &lt;shoumimukherjee@gmail.com&gt;
Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
Co-authored-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
diff --git a/mcpgateway/admin.py b/mcpgateway/admin.py
@@ -2441,8 +2441,13 @@ async def admin_login_page(request: Request) -> Response:
 
     root_path = settings.app_root_path
 
+    # Only show secure cookie warning if there's a login error AND problematic config
+    secure_cookie_warning = None
+    if settings.secure_cookies and settings.environment == "development":
+        secure_cookie_warning = "Serving over HTTP with secure cookies enabled. If you have login issues, try disabling secure cookies in your configuration."
+
     # Use external template file
-    return request.app.state.templates.TemplateResponse("login.html", {"request": request, "root_path": root_path})
+    return request.app.state.templates.TemplateResponse("login.html", {"request": request, "root_path": root_path, "secure_cookie_warning": secure_cookie_warning})
 
 
 @admin_router.post("/login")
@@ -2537,6 +2542,10 @@ async def admin_login_handler(request: Request, db: Session = Depends(get_db)) -
 
         except Exception as e:
             LOGGER.warning(f"Login failed for {email}: {e}")
+
+            if settings.secure_cookies and settings.environment == "development":
+                LOGGER.warning("Login failed - set SECURE_COOKIES to false in config for HTTP development")
+
             root_path = request.scope.get("root_path", "")
             return RedirectResponse(url=f"{root_path}/admin/login?error=invalid_credentials", status_code=303)
 
diff --git a/mcpgateway/static/admin.css b/mcpgateway/static/admin.css
@@ -215,4 +215,4 @@
 /* Modal z-index to prevent sticky header overlap */
 .fixed.z-10 {
     z-index: 9999 !important;
-}
+}
diff --git a/mcpgateway/templates/login.html b/mcpgateway/templates/login.html
@@ -95,6 +95,15 @@
               </div>
             </div>
 
+            {% if secure_cookie_warning %}
+            <div class="mb-6 p-4 bg-amber-50 dark:bg-amber-900/20 border border-amber-200 dark:border-amber-800 text-amber-700 dark:text-amber-400 rounded-xl text-sm">
+              <div class="flex items-start">
+                <i class="fas fa-exclamation-triangle mr-2 mt-0.5 flex-shrink-0"></i>
+                <div class="text-sm">{{ secure_cookie_warning }}</div>
+              </div>
+            </div>
+            {% endif %}
+
             <!-- SSO Providers Section -->
             <div id="sso-section" class="mb-6">
               <div class="text-center mb-6">
