From 6ba1ab91021d76d6e031f12423e1d74f1cd98066 Mon Sep 17 00:00:00 2001
From: Nevo David <me@nevos.io>
Date: Fri, 24 Jan 2025 13:44:26 +0700
Subject: [PATCH] feat: not secured

---
 .../backend/src/api/routes/auth.controller.ts | 86 +++++++++++++----
 .../src/api/routes/public.controller.ts       | 16 +++-
 .../src/api/routes/users.controller.ts        | 92 +++++++++++++------
 apps/backend/src/main.ts                      | 23 +++--
 .../src/services/auth/auth.middleware.ts      | 15 ++-
 apps/frontend/src/app/layout.tsx              |  1 +
 .../src/components/layout/impersonate.tsx     | 15 ++-
 .../src/components/layout/layout.context.tsx  | 58 ++++++++++--
 .../components/layout/logout.component.tsx    | 19 +++-
 apps/frontend/src/middleware.ts               | 55 +++++++----
 .../helpers/src/utils/custom.fetch.func.ts    | 36 +++++++-
 libraries/helpers/src/utils/custom.fetch.tsx  | 60 +++++++-----
 .../src/helpers/variable.context.tsx          |  2 +
 13 files changed, 356 insertions(+), 122 deletions(-)

diff --git a/apps/backend/src/api/routes/auth.controller.ts b/apps/backend/src/api/routes/auth.controller.ts
index a509855bc..49b31a663 100644
--- a/apps/backend/src/api/routes/auth.controller.ts
+++ b/apps/backend/src/api/routes/auth.controller.ts
@@ -31,7 +31,7 @@ export class AuthController {
 
   @Get('/can-register')
   async canRegister() {
-    return {register: await this._authService.canRegister()};
+    return { register: await this._authService.canRegister() };
   }
 
   @Post('/register')
@@ -66,20 +66,36 @@ export class AuthController {
 
       response.cookie('auth', jwt, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
 
+      if (process.env.NOT_SECURED) {
+        response.header('auth', jwt);
+      }
+
       if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
         response.cookie('showorg', addedOrg.organizationId, {
           domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-          secure: true,
-          httpOnly: true,
-          sameSite: 'none',
+          ...(!process.env.NOT_SECURED
+            ? {
+                secure: true,
+                httpOnly: true,
+                sameSite: 'none',
+              }
+            : {}),
           expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
         });
+
+        if (process.env.NOT_SECURED) {
+          response.header('showorg', addedOrg.organizationId);
+        }
       }
 
       response.header('onboarding', 'true');
@@ -114,20 +130,36 @@ export class AuthController {
 
       response.cookie('auth', jwt, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
 
+      if (process.env.NOT_SECURED) {
+        response.header('auth', jwt);
+      }
+
       if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
         response.cookie('showorg', addedOrg.organizationId, {
           domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-          secure: true,
-          httpOnly: true,
-          sameSite: 'none',
+          ...(!process.env.NOT_SECURED
+            ? {
+                secure: true,
+                httpOnly: true,
+                sameSite: 'none',
+              }
+            : {}),
           expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
         });
+
+        if (process.env.NOT_SECURED) {
+          response.header('showorg', addedOrg.organizationId);
+        }
       }
 
       response.header('reload', 'true');
@@ -178,12 +210,20 @@ export class AuthController {
 
     response.cookie('auth', activate, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('auth', activate);
+    }
+
     response.header('onboarding', 'true');
     return response.status(200).send({ can: true });
   }
@@ -201,12 +241,20 @@ export class AuthController {
 
     response.cookie('auth', jwt, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('auth', jwt);
+    }
+
     response.header('reload', 'true');
 
     response.status(200).json({
diff --git a/apps/backend/src/api/routes/public.controller.ts b/apps/backend/src/api/routes/public.controller.ts
index 4a5c342a4..2701af180 100644
--- a/apps/backend/src/api/routes/public.controller.ts
+++ b/apps/backend/src/api/routes/public.controller.ts
@@ -101,8 +101,12 @@ export class PublicController {
     if (!req.cookies.track) {
       res.cookie('track', uniqueId, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+            }
+          : {}),
         sameSite: 'none',
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
@@ -111,8 +115,12 @@ export class PublicController {
     if (body.fbclid && !req.cookies.fbclid) {
       res.cookie('fbclid', body.fbclid, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+            }
+          : {}),
         sameSite: 'none',
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
diff --git a/apps/backend/src/api/routes/users.controller.ts b/apps/backend/src/api/routes/users.controller.ts
index c3d851a52..e2b9bf16f 100644
--- a/apps/backend/src/api/routes/users.controller.ts
+++ b/apps/backend/src/api/routes/users.controller.ts
@@ -48,11 +48,13 @@ export class UsersController {
   async getSelf(
     @GetUserFromRequest() user: User,
     @GetOrgFromRequest() organization: Organization,
-    @Req() req: Request,
+    @Req() req: Request
   ) {
     if (!organization) {
       throw new HttpForbiddenException();
     }
+
+    const impersonate = req.cookies.impersonate || req.headers.impersonate;
     // @ts-ignore
     return {
       ...user,
@@ -67,12 +69,10 @@ export class UsersController {
       // @ts-ignore
       isLifetime: !!organization?.subscription?.isLifetime,
       admin: !!user.isSuperAdmin,
-      impersonate: !!req.cookies.impersonate,
+      impersonate: !!impersonate,
       allowTrial: organization?.allowTrial,
       // @ts-ignore
-      publicApi: organization?.users[0]?.role === 'SUPERADMIN' || organization?.users[0]?.role === 'ADMIN'
-          ? organization?.apiKey
-          : '',
+      publicApi: organization?.users[0]?.role === 'SUPERADMIN' || organization?.users[0]?.role === 'ADMIN' ? organization?.apiKey  : '',
     };
   }
 
@@ -105,11 +105,19 @@ export class UsersController {
 
     response.cookie('impersonate', id, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
+
+    if (process.env.NOT_SECURED) {
+      response.header('impersonate', id);
+    }
   }
 
   @Post('/personal')
@@ -175,12 +183,20 @@ export class UsersController {
   ) {
     response.cookie('showorg', id, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('showorg', id);
+    }
+
     response.status(200).send();
   }
 
@@ -188,29 +204,41 @@ export class UsersController {
   logout(@Res({ passthrough: true }) response: Response) {
     response.cookie('auth', '', {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       maxAge: -1,
       expires: new Date(0),
-      sameSite: 'none',
     });
 
     response.cookie('showorg', '', {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       maxAge: -1,
       expires: new Date(0),
-      sameSite: 'none',
     });
 
     response.cookie('impersonate', '', {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       maxAge: -1,
       expires: new Date(0),
-      sameSite: 'none',
     });
 
     response.status(200).send();
@@ -223,22 +251,34 @@ export class UsersController {
     @GetUserFromRequest() user: User,
     @RealIP() ip: string,
     @UserAgent() userAgent: string,
-    @Body() body: { tt: TrackEnum; fbclid: string, additional: Record<string, any> }
+    @Body()
+    body: { tt: TrackEnum; fbclid: string; additional: Record<string, any> }
   ) {
     const uniqueId = req?.cookies?.track || makeId(10);
     const fbclid = req?.cookies?.fbclid || body.fbclid;
-    await this._trackService.track(uniqueId, ip, userAgent, body.tt, body.additional, fbclid, user);
+    await this._trackService.track(
+      uniqueId,
+      ip,
+      userAgent,
+      body.tt,
+      body.additional,
+      fbclid,
+      user
+    );
     if (!req.cookies.track) {
       res.cookie('track', uniqueId, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
     }
 
-    console.log('hello');
     res.status(200).json({
       track: uniqueId,
     });
diff --git a/apps/backend/src/main.ts b/apps/backend/src/main.ts
index 30f1be83a..84417f07b 100644
--- a/apps/backend/src/main.ts
+++ b/apps/backend/src/main.ts
@@ -14,8 +14,13 @@ async function bootstrap() {
   const app = await NestFactory.create(AppModule, {
     rawBody: true,
     cors: {
-      credentials: true,
-      exposedHeaders: ['reload', 'onboarding', 'activate'],
+      ...(!process.env.NOT_SECURED ? { credentials: true } : {}),
+      exposedHeaders: [
+        'reload',
+        'onboarding',
+        'activate',
+        ...(process.env.NOT_SECURED ? ['auth', 'showorg', 'impersonate'] : []),
+      ],
       origin: [
         process.env.FRONTEND_URL,
         ...(process.env.MAIN_URL ? [process.env.MAIN_URL] : []),
@@ -39,8 +44,8 @@ async function bootstrap() {
 
   try {
     await app.listen(port);
-    
-    checkConfiguration() // Do this last, so that users will see obvious issues at the end of the startup log without having to scroll up.
+
+    checkConfiguration(); // Do this last, so that users will see obvious issues at the end of the startup log without having to scroll up.
 
     Logger.log(`🚀 Backend is running on: http://localhost:${port}`);
   } catch (e) {
@@ -50,17 +55,17 @@ async function bootstrap() {
 
 function checkConfiguration() {
   const checker = new ConfigurationChecker();
-  checker.readEnvFromProcess()
-  checker.check()
+  checker.readEnvFromProcess();
+  checker.check();
 
   if (checker.hasIssues()) {
     for (const issue of checker.getIssues()) {
-      Logger.warn(issue, 'Configuration issue')
+      Logger.warn(issue, 'Configuration issue');
     }
 
-    Logger.warn("Configuration issues found: " + checker.getIssuesCount())
+    Logger.warn('Configuration issues found: ' + checker.getIssuesCount());
   } else {
-    Logger.log("Configuration check completed without any issues.")
+    Logger.log('Configuration check completed without any issues.');
   }
 }
 
diff --git a/apps/backend/src/services/auth/auth.middleware.ts b/apps/backend/src/services/auth/auth.middleware.ts
index e4457cb5c..0ef8377ad 100644
--- a/apps/backend/src/services/auth/auth.middleware.ts
+++ b/apps/backend/src/services/auth/auth.middleware.ts
@@ -10,9 +10,13 @@ import { HttpForbiddenException } from '@gitroom/nestjs-libraries/services/excep
 export const removeAuth = (res: Response) => {
   res.cookie('auth', '', {
     domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-    secure: true,
-    httpOnly: true,
-    sameSite: 'none',
+    ...(!process.env.NOT_SECURED
+      ? {
+          secure: true,
+          httpOnly: true,
+          sameSite: 'none',
+        }
+      : {}),
     expires: new Date(0),
     maxAge: -1,
   });
@@ -43,9 +47,10 @@ export class AuthMiddleware implements NestMiddleware {
         throw new HttpForbiddenException();
       }
 
-      if (user?.isSuperAdmin && req.cookies.impersonate) {
+      const impersonate = req.cookies.impersonate || req.headers.impersonate;
+      if (user?.isSuperAdmin && impersonate) {
         const loadImpersonate = await this._organizationService.getUserOrg(
-          req.cookies.impersonate
+          impersonate
         );
 
         if (loadImpersonate) {
diff --git a/apps/frontend/src/app/layout.tsx b/apps/frontend/src/app/layout.tsx
index 6592aff8f..07ec93654 100644
--- a/apps/frontend/src/app/layout.tsx
+++ b/apps/frontend/src/app/layout.tsx
@@ -44,6 +44,7 @@ export default async function AppLayout({ children }: { children: ReactNode }) {
           facebookPixel={process.env.NEXT_PUBLIC_FACEBOOK_PIXEL!}
           telegramBotName={process.env.TELEGRAM_BOT_NAME!}
           neynarClientId={process.env.NEYNAR_CLIENT_ID!}
+          isSecured={!process.env.NOT_SECURED}
         >
           <ToltScript />
           <FacebookComponent />
diff --git a/apps/frontend/src/components/layout/impersonate.tsx b/apps/frontend/src/components/layout/impersonate.tsx
index 068341054..d6ae692ba 100644
--- a/apps/frontend/src/components/layout/impersonate.tsx
+++ b/apps/frontend/src/components/layout/impersonate.tsx
@@ -6,6 +6,8 @@ import { useUser } from '@gitroom/frontend/components/layout/user.context';
 import { Select } from '@gitroom/react/form/select';
 import { pricing } from '@gitroom/nestjs-libraries/database/prisma/subscriptions/pricing';
 import { deleteDialog } from '@gitroom/react/helpers/delete.dialog';
+import { useVariables } from '@gitroom/react/helpers/variable.context';
+import { setCookie } from '@gitroom/frontend/components/layout/layout.context';
 
 export const Subscription = () => {
   const fetch = useFetch();
@@ -53,6 +55,7 @@ export const Subscription = () => {
 export const Impersonate = () => {
   const fetch = useFetch();
   const [name, setName] = useState('');
+  const { isSecured } = useVariables();
   const user = useUser();
 
   const load = useCallback(async () => {
@@ -65,10 +68,14 @@ export const Impersonate = () => {
   }, [name]);
 
   const stopImpersonating = useCallback(async () => {
-    await fetch(`/user/impersonate`, {
-      method: 'POST',
-      body: JSON.stringify({ id: '' }),
-    });
+    if (!isSecured) {
+      setCookie('impersonate', '', -10);
+    } else {
+      await fetch(`/user/impersonate`, {
+        method: 'POST',
+        body: JSON.stringify({ id: '' }),
+      });
+    }
 
     window.location.reload();
   }, []);
diff --git a/apps/frontend/src/components/layout/layout.context.tsx b/apps/frontend/src/components/layout/layout.context.tsx
index 1608c0029..86145728b 100644
--- a/apps/frontend/src/components/layout/layout.context.tsx
+++ b/apps/frontend/src/components/layout/layout.context.tsx
@@ -14,13 +14,57 @@ export default function LayoutContext(params: { children: ReactNode }) {
 
   return <></>;
 }
+
+export function setCookie(cname: string, cvalue: string, exdays: number) {
+  if (typeof document === 'undefined') {
+    return;
+  }
+  const d = new Date();
+  d.setTime(d.getTime() + exdays * 24 * 60 * 60 * 1000);
+  const expires = 'expires=' + d.toUTCString();
+  document.cookie = cname + '=' + cvalue + ';' + expires + ';path=/';
+}
+
 function LayoutContextInner(params: { children: ReactNode }) {
   const returnUrl = useReturnUrl();
-  const {backendUrl, isGeneral} = useVariables();
+  const { backendUrl, isGeneral, isSecured } = useVariables();
 
   const afterRequest = useCallback(
     async (url: string, options: RequestInit, response: Response) => {
-      if (typeof window !== 'undefined' && window.location.href.includes('/p/')) {
+      if (
+        typeof window !== 'undefined' &&
+        window.location.href.includes('/p/')
+      ) {
+        return true;
+      }
+
+      const headerAuth =
+        response?.headers?.get('auth') || response?.headers?.get('Auth');
+      const showOrg =
+        response?.headers?.get('showorg') || response?.headers?.get('Showorg');
+      const impersonate =
+        response?.headers?.get('impersonate') ||
+        response?.headers?.get('Impersonate');
+      const logout =
+        response?.headers?.get('logout') || response?.headers?.get('Logout');
+
+      if (headerAuth) {
+        setCookie('auth', headerAuth, 365);
+      }
+
+      if (showOrg) {
+        setCookie('showorg', showOrg, 365);
+      }
+
+      if (impersonate) {
+        setCookie('impersonate', impersonate, 365);
+      }
+
+      if (logout && !isSecured) {
+        setCookie('auth', '', -10);
+        setCookie('showorg', '', -10);
+        setCookie('impersonate', '', -10);
+        window.location.href = '/';
         return true;
       }
 
@@ -50,6 +94,11 @@ function LayoutContextInner(params: { children: ReactNode }) {
       }
 
       if (response.status === 401) {
+        if (!isSecured) {
+          setCookie('auth', '', -10);
+          setCookie('showorg', '', -10);
+          setCookie('impersonate', '', -10);
+        }
         window.location.href = '/';
       }
 
@@ -74,10 +123,7 @@ function LayoutContextInner(params: { children: ReactNode }) {
   );
 
   return (
-    <FetchWrapperComponent
-      baseUrl={backendUrl}
-      afterRequest={afterRequest}
-    >
+    <FetchWrapperComponent baseUrl={backendUrl} afterRequest={afterRequest}>
       {params?.children || <></>}
     </FetchWrapperComponent>
   );
diff --git a/apps/frontend/src/components/layout/logout.component.tsx b/apps/frontend/src/components/layout/logout.component.tsx
index 03d49227c..c0b73a399 100644
--- a/apps/frontend/src/components/layout/logout.component.tsx
+++ b/apps/frontend/src/components/layout/logout.component.tsx
@@ -4,19 +4,28 @@ import { useCallback } from 'react';
 import { deleteDialog } from '@gitroom/react/helpers/delete.dialog';
 import { useFetch } from '@gitroom/helpers/utils/custom.fetch';
 import { useVariables } from '@gitroom/react/helpers/variable.context';
+import { setCookie } from '@gitroom/frontend/components/layout/layout.context';
 
 export const LogoutComponent = () => {
   const fetch = useFetch();
-  const {isGeneral} = useVariables();
+  const { isGeneral, isSecured } = useVariables();
   const logout = useCallback(async () => {
     if (await deleteDialog('Are you sure you want to logout?', 'Yes logout')) {
-      await fetch('/user/logout', {
-        method: 'POST',
-      });
+      if (!isSecured) {
+        setCookie('auth', '', -10);
+      } else {
+        await fetch('/user/logout', {
+          method: 'POST',
+        });
+      }
 
       window.location.href = '/';
     }
   }, []);
 
-  return <div className="text-red-400 cursor-pointer" onClick={logout}>Logout from {isGeneral ? 'Postiz' : 'Gitroom'}</div>;
+  return (
+    <div className="text-red-400 cursor-pointer" onClick={logout}>
+      Logout from {isGeneral ? 'Postiz' : 'Gitroom'}
+    </div>
+  );
 };
diff --git a/apps/frontend/src/middleware.ts b/apps/frontend/src/middleware.ts
index 2e9edf70e..800e3d8cb 100644
--- a/apps/frontend/src/middleware.ts
+++ b/apps/frontend/src/middleware.ts
@@ -7,7 +7,11 @@ import { internalFetch } from '@gitroom/helpers/utils/internal.fetch';
 export async function middleware(request: NextRequest) {
   const nextUrl = request.nextUrl;
   const authCookie = request.cookies.get('auth');
-  if (nextUrl.pathname.startsWith('/uploads/') || nextUrl.pathname.startsWith('/p/') || nextUrl.pathname.startsWith('/icons/')) {
+  if (
+    nextUrl.pathname.startsWith('/uploads/') ||
+    nextUrl.pathname.startsWith('/p/') ||
+    nextUrl.pathname.startsWith('/icons/')
+  ) {
     return NextResponse.next();
   }
   // If the URL is logout, delete the cookie and redirect to login
@@ -17,9 +21,13 @@ export async function middleware(request: NextRequest) {
     );
     response.cookies.set('auth', '', {
       path: '/',
-      sameSite: false,
-      httpOnly: true,
-      secure: true,
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: false,
+          }
+        : {}),
       maxAge: -1,
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
     });
@@ -53,12 +61,16 @@ export async function middleware(request: NextRequest) {
     if (org) {
       const redirect = NextResponse.redirect(new URL(`/`, nextUrl.href));
       redirect.cookies.set('org', org, {
-        path: '/',
-        sameSite: false,
-        httpOnly: true,
-        secure: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              path: '/',
+              secure: true,
+              httpOnly: true,
+              sameSite: false,
+              domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
+            }
+          : {}),
         expires: new Date(Date.now() + 15 * 60 * 1000),
-        domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
       });
       return redirect;
     }
@@ -81,12 +93,16 @@ export async function middleware(request: NextRequest) {
       );
       if (id) {
         redirect.cookies.set('showorg', id, {
-          path: '/',
-          sameSite: false,
-          httpOnly: true,
-          secure: true,
+          ...(!process.env.NOT_SECURED
+            ? {
+                path: '/',
+                secure: true,
+                httpOnly: true,
+                sameSite: false,
+                domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
+              }
+            : {}),
           expires: new Date(Date.now() + 15 * 60 * 1000),
-          domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
         });
       }
 
@@ -112,9 +128,13 @@ export async function middleware(request: NextRequest) {
 
       next.cookies.set('marketplace', type === 'seller' ? 'seller' : 'buyer', {
         path: '/',
-        sameSite: false,
-        httpOnly: true,
-        secure: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: false,
+            }
+          : {}),
         expires: new Date(Date.now() + 15 * 60 * 1000),
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
       });
@@ -122,6 +142,7 @@ export async function middleware(request: NextRequest) {
 
     return next;
   } catch (err) {
+    console.log('err', err);
     return NextResponse.redirect(new URL('/auth/logout', nextUrl.href));
   }
 }
diff --git a/libraries/helpers/src/utils/custom.fetch.func.ts b/libraries/helpers/src/utils/custom.fetch.func.ts
index 9daf222d5..49ec9a6ae 100644
--- a/libraries/helpers/src/utils/custom.fetch.func.ts
+++ b/libraries/helpers/src/utils/custom.fetch.func.ts
@@ -1,4 +1,3 @@
-
 export interface Params {
   baseUrl: string;
   beforeRequest?: (url: string, options: RequestInit) => Promise<RequestInit>;
@@ -11,21 +10,48 @@ export interface Params {
 export const customFetch = (
   params: Params,
   auth?: string,
-  showorg?: string
+  showorg?: string,
+  secured: boolean = true
 ) => {
   return async function newFetch(url: string, options: RequestInit = {}) {
     const newRequestObject = await params?.beforeRequest?.(url, options);
+    const authNonSecuredCookie = typeof document === 'undefined' ? null : document.cookie
+      .split(';')
+      .find((p) => p.includes('auth='))
+      ?.split('=')[1];
+
+    const authNonSecuredOrg = typeof document === 'undefined' ? null : document.cookie
+      .split(';')
+      .find((p) => p.includes('showorg='))
+      ?.split('=')[1];
+
+    const authNonSecuredImpersonate = typeof document === 'undefined' ? null : document.cookie
+      .split(';')
+      .find((p) => p.includes('impersonate='))
+      ?.split('=')[1];
+
     const fetchRequest = await fetch(params.baseUrl + url, {
-      credentials: 'include',
+      ...(secured ? { credentials: 'include' } : {}),
       ...(newRequestObject || options),
       headers: {
-        ...(auth ? { auth } : {}),
-        ...(showorg ? { showorg } : {}),
+        ...(showorg
+          ? { showorg }
+          : authNonSecuredOrg
+          ? { showorg: authNonSecuredOrg }
+          : {}),
         ...(options.body instanceof FormData
           ? {}
           : { 'Content-Type': 'application/json' }),
         Accept: 'application/json',
         ...options?.headers,
+        ...(auth
+          ? { auth }
+          : authNonSecuredCookie
+          ? { auth: authNonSecuredCookie }
+          : {}),
+        ...(authNonSecuredImpersonate
+          ? { impersonate: authNonSecuredImpersonate }
+          : {}),
       },
       // @ts-ignore
       ...(!options.next && options.cache !== 'force-cache'
diff --git a/libraries/helpers/src/utils/custom.fetch.tsx b/libraries/helpers/src/utils/custom.fetch.tsx
index ee9bb6a85..ef2b05247 100644
--- a/libraries/helpers/src/utils/custom.fetch.tsx
+++ b/libraries/helpers/src/utils/custom.fetch.tsx
@@ -1,30 +1,46 @@
-"use client";
+'use client';
 
-import {createContext, FC, ReactNode, useContext, useRef, useState} from "react";
-import {customFetch, Params} from "./custom.fetch.func";
+import {
+  createContext,
+  FC,
+  ReactNode,
+  useContext,
+  useRef,
+  useState,
+} from 'react';
+import { customFetch, Params } from './custom.fetch.func';
+import { useVariables } from '@gitroom/react/helpers/variable.context';
 
-const FetchProvider = createContext(customFetch(
+const FetchProvider = createContext(
+  customFetch(
     // @ts-ignore
     {
-        baseUrl: '',
-        beforeRequest: () => {},
-        afterRequest: () => {
-            return true;
-        }
-    } as Params));
+      baseUrl: '',
+      beforeRequest: () => {},
+      afterRequest: () => {
+        return true;
+      },
+    } as Params
+  )
+);
 
-export const FetchWrapperComponent: FC<Params & {children: ReactNode}> = (props) => {
-    const {children, ...params} = props;
+export const FetchWrapperComponent: FC<Params & { children: ReactNode }> = (
+  props
+) => {
+  const { children, ...params } = props;
+  const { isSecured } = useVariables();
+  // @ts-ignore
+  const fetchData = useRef(
+    customFetch(params, undefined, undefined, isSecured)
+  );
+  return (
     // @ts-ignore
-    const fetchData = useRef(customFetch(params));
-    return (
-        // @ts-ignore
-        <FetchProvider.Provider value={fetchData.current}>
-            {children}
-        </FetchProvider.Provider>
-    )
-}
+    <FetchProvider.Provider value={fetchData.current}>
+      {children}
+    </FetchProvider.Provider>
+  );
+};
 
 export const useFetch = () => {
-    return useContext(FetchProvider);
-}
\ No newline at end of file
+  return useContext(FetchProvider);
+};
diff --git a/libraries/react-shared-libraries/src/helpers/variable.context.tsx b/libraries/react-shared-libraries/src/helpers/variable.context.tsx
index 98c562fa1..48cb85f5b 100644
--- a/libraries/react-shared-libraries/src/helpers/variable.context.tsx
+++ b/libraries/react-shared-libraries/src/helpers/variable.context.tsx
@@ -14,6 +14,7 @@ interface VariableContextInterface {
   facebookPixel: string;
   telegramBotName: string;
   neynarClientId: string;
+  isSecured: boolean;
   tolt: string;
 }
 const VariableContext = createContext({
@@ -25,6 +26,7 @@ const VariableContext = createContext({
   backendUrl: '',
   discordUrl: '',
   uploadDirectory: '',
+  isSecured: false,
   telegramBotName: '',
   facebookPixel: '',
   neynarClientId: '',