From 08544bccb33f098f1e343eac467e65f45e4ce756 Mon Sep 17 00:00:00 2001
From: Lennart Fleischmann
Date: Mon, 5 Aug 2024 17:11:50 +0200
Subject: [PATCH] docs: add safari cookie secure flag note
---
 backend/config/config.go | 5 ++++-
 backend/json_schema/hanko.config.json | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/backend/config/config.go b/backend/config/config.go
index c5ae09299..d0489919d 100644
--- a/backend/config/config.go
+++ b/backend/config/config.go
@@ -278,7 +278,10 @@ type Cookie struct {
 // more details.
 SameSite string `yaml:"same_site" json:"same_site,omitempty" koanf:"same_site" split_words:"true" jsonschema:"default=strict,enum=strict,enum=lax,enum=none"`
 // `secure` indicates whether the cookie is sent to the server only when a request is made with the https: scheme
- // (except on localhost)
+ // (except on localhost).
+ //
+ // NOTE: `secure` must be set to `false` when working on `localhost` and with the Safari browser because it does
+ // not store secure cookies on `localhost`.
 Secure bool `yaml:"secure" json:"secure,omitempty" koanf:"secure" jsonschema:"default=true"`
 }
diff --git a/backend/json_schema/hanko.config.json b/backend/json_schema/hanko.config.json
index bba524540..b0a4f93e8 100644
--- a/backend/json_schema/hanko.config.json
+++ b/backend/json_schema/hanko.config.json
@@ -149,7 +149,7 @@
 "convert_legacy_config": {
 "type": "boolean",
 "description": "`convert_legacy_config`, if set to `true`, automatically copies the set values of deprecated configuration\noptions, to new ones. If set to `false`, these values have to be set manually if non-default values should be\nused.",
- "default": true
+ "default": false
 },
 "database": {
 "$ref": "#/$defs/Database",
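Review bot: The added NOTE on `Secure` in the `Cookie` struct (backend/config/config.go) tells readers to set `secure` to `false` without saying that this is a local-development workaround only, so it can be read as general guidance for Safari users. A cookie without the Secure attribute is also sent over plain HTTP, so I would append a line such as `// Only disable secure for local development; keep it true in every deployed environment.` It may also be worth noting that browsers reject `same_site: none` cookies that are not Secure, so that combination will not work on localhost either. The same wording is copied into the `secure` description in backend/json_schema/hanko.config.json (second hunk there) and should get the same addition. The struct starts above this hunk.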
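Review bot: The `convert_legacy_config` default changes from `true` to `false` in the first hunk of backend/json_schema/hanko.config.json, which the commit subject ("docs: add safari cookie secure flag note") does not mention. If this schema is generated from config.go the change may just be catching up with an earlier edit, but that is not visible here; please confirm it matches the value the backend actually applies, and either mention it in the commit message or split it into its own commit. Otherwise editors and tooling that read the schema may show a default the server does not use.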
@@ -284,7 +284,7 @@
 },
 "secure": {
 "type": "boolean",
- "description": "`secure` indicates whether the cookie is sent to the server only when a request is made with the https: scheme\n(except on localhost)",
+ "description": "`secure` indicates whether the cookie is sent to the server only when a request is made with the https: scheme\n(except on localhost).\n\nNOTE: `secure` must be set to `false` when working on `localhost` and with the Safari browser because it does\nnot store secure cookies on `localhost`.",
 "default": true
 }
 },