From 02ee538213db201ea0a71552c5bb0355256f08b5 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Sun, 15 Mar 2026 13:50:22 -0700 Subject: [PATCH] Fix download cookie: SameSite Strict blocks cookie on POST redirect SameSite=Strict prevents the browser from sending the auth cookie when following a redirect from a cross-context POST (form submission) to a GET. Changing to SameSite=Lax allows the cookie to be sent on top-level navigations (including redirects), so the /pki/download/{token} handler receives the auth cookie and serves the tgz. Co-authored-by: Junie
---
 .junie/memory/language.json | 2 +- internal/webserver/routes.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.junie/memory/language.json b/.junie/memory/language.json
index 800d49d..8cc035d 100644
--- a/.junie/memory/language.json
+++ b/.junie/memory/language.json
@@ -1 +1 @@
-[{"lang":"en","usageCount":39}]
\ No newline at end of file
+[{"lang":"en","usageCount":40}]
\ No newline at end of file
diff --git a/internal/webserver/routes.go b/internal/webserver/routes.go
index 42e979d..7147fac 100644
--- a/internal/webserver/routes.go
+++ b/internal/webserver/routes.go
@@ -179,7 +179,7 @@ func (ws *WebServer) handleLogin(w http.ResponseWriter, r *http.Request) {
 Path: "/",
 HttpOnly: true,
 Secure: true,
- SameSite: http.SameSiteStrictMode,
+ SameSite: http.SameSiteLaxMode,
 })
 http.Redirect(w, r, "/dashboard", http.StatusFound)
 default:
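Review bot: The `SameSite: http.SameSiteLaxMode` line in handleLogin relaxes the session cookie for every route, not only the download redirect: the cookie is set with `Path: "/"`, so it will now accompany any cross-site top-level GET navigation to this server. That is safe only if no GET handler changes state and the POST handlers do not rely on SameSite alone for CSRF protection, neither of which is visible in this hunk. I would record the constraint at the field, e.g. `// Lax so the auth cookie survives the POST -> redirect -> GET download flow; GET handlers must stay side-effect free.`, and consider whether the /pki/download/{token} route could authorize on the token itself so the session cookie can stay Strict. handleLogin begins and ends outside the hunk.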