From 820a936b9836ae83e7a45de1e1ed0488d8cde2fd Mon Sep 17 00:00:00 2001
From: Riqwan Thamir <rmthamir@gmail.com>
Date: Wed, 25 Jun 2025 11:18:28 +0200
Subject: [PATCH] feat: add cookie options (#12720)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: add cookie options

* feat: allow configuring hmr server port via the HMR_PORT env var

* support configuring HMR host and proto

* allow configuring the hmr client_port

* cleanup

* cleanup

---------

Co-authored-by: Harminder Virk <virk.officials@gmail.com>
Co-authored-by: Salvador Gironès <salvadorgirones@gmail.com>
Co-authored-by: Adrien de Peretti <adrien.deperetti@gmail.com>
---
 .changeset/lemon-birds-switch.md              |  6 ++++
 .../admin/admin-bundler/src/utils/config.ts   | 29 +++++++++++++++----
 .../core/framework/src/http/express-loader.ts |  7 +++--
 .../core/types/src/common/config-module.ts    | 18 ++++++++++++
 4 files changed, 52 insertions(+), 8 deletions(-)
 create mode 100644 .changeset/lemon-birds-switch.md

diff --git a/.changeset/lemon-birds-switch.md b/.changeset/lemon-birds-switch.md
new file mode 100644
index 0000000000..9c2149ca10
--- /dev/null
+++ b/.changeset/lemon-birds-switch.md
@@ -0,0 +1,6 @@
+---
+"@medusajs/framework": patch
+"@medusajs/types": patch
+---
+
+feat(framework,types): add cookie options to project options
diff --git a/packages/admin/admin-bundler/src/utils/config.ts b/packages/admin/admin-bundler/src/utils/config.ts
index fce808368c..12ef88ce6a 100644
--- a/packages/admin/admin-bundler/src/utils/config.ts
+++ b/packages/admin/admin-bundler/src/utils/config.ts
@@ -1,6 +1,6 @@
 import { VIRTUAL_MODULES } from "@medusajs/admin-shared"
 import path from "path"
-import type { InlineConfig } from "vite"
+import type { HmrOptions, InlineConfig } from "vite"
 import { injectTailwindCSS } from "../plugins/inject-tailwindcss"
 import { writeStaticFiles } from "../plugins/write-static-files"
 import { BundlerOptions } from "../types"
@@ -13,7 +13,10 @@ export async function getViteConfig(
   const { default: medusa } = await import("@medusajs/admin-vite-plugin")
 
   const getPort = await import("get-port")
-  const hmrPort = await getPort.default()
+  const hmrPort = process.env.HMR_PORT
+    ? parseInt(process.env.HMR_PORT)
+    : await getPort.default()
+  const hmrOptions = getHmrConfig(hmrPort)
 
   const root = path.resolve(process.cwd(), ".medusa/client")
 
@@ -49,9 +52,7 @@ export async function getViteConfig(
       fs: {
         allow: [searchForWorkspaceRoot(process.cwd())],
       },
-      hmr: {
-        port: hmrPort,
-      },
+      hmr: hmrOptions,
     },
     plugins: [
       writeStaticFiles({
@@ -76,3 +77,21 @@ export async function getViteConfig(
 
   return baseConfig
 }
+
+function getHmrConfig(hmrPort: number): HmrOptions | boolean {
+  const options: HmrOptions = {
+    port: hmrPort,
+  }
+
+  if (process.env.HMR_PROTOCOL) {
+    options.protocol = process.env.HMR_PROTOCOL
+  }
+  if (process.env.HMR_HOST) {
+    options.host = process.env.HMR_HOST
+  }
+  if (process.env.HMR_CLIENT_PORT) {
+    options.clientPort = parseInt(process.env.HMR_CLIENT_PORT)
+  }
+
+  return options
+}
diff --git a/packages/core/framework/src/http/express-loader.ts b/packages/core/framework/src/http/express-loader.ts
index 47ef44deb7..74c1cafc01 100644
--- a/packages/core/framework/src/http/express-loader.ts
+++ b/packages/core/framework/src/http/express-loader.ts
@@ -1,3 +1,4 @@
+import { dynamicImport } from "@medusajs/utils"
 import createStore from "connect-redis"
 import cookieParser from "cookie-parser"
 import express, { Express, RequestHandler } from "express"
@@ -5,10 +6,9 @@ import session from "express-session"
 import Redis from "ioredis"
 import morgan from "morgan"
 import path from "path"
-import { logger } from "../logger"
 import { configManager } from "../config"
+import { logger } from "../logger"
 import { MedusaRequest, MedusaResponse } from "./types"
-import { dynamicImport } from "@medusajs/utils"
 
 const NOISY_ENDPOINTS_CHUNKS = ["@fs", "@id", "@vite", "@react", "node_modules"]
 
@@ -33,7 +33,7 @@ export async function expressLoader({ app }: { app: Express }): Promise<{
     sameSite = "none"
   }
 
-  const { http, sessionOptions } = configModule.projectConfig
+  const { http, sessionOptions, cookieOptions } = configModule.projectConfig
   const sessionOpts = {
     name: sessionOptions?.name ?? "connect.sid",
     resave: sessionOptions?.resave ?? true,
@@ -45,6 +45,7 @@ export async function expressLoader({ app }: { app: Express }): Promise<{
       sameSite,
       secure,
       maxAge: sessionOptions?.ttl ?? 10 * 60 * 60 * 1000,
+      ...cookieOptions,
     },
     store: null,
   }
diff --git a/packages/core/types/src/common/config-module.ts b/packages/core/types/src/common/config-module.ts
index baee934a07..7f5e14c18f 100644
--- a/packages/core/types/src/common/config-module.ts
+++ b/packages/core/types/src/common/config-module.ts
@@ -169,6 +169,22 @@ export type SessionOptions = {
   }
 }
 
+/**
+ * @interface
+ *
+ * Options to pass to `express-session`.
+ */
+export type CookieOptions = Record<string, any> & {
+  secure?: boolean
+  sameSite?: "lax" | "strict" | "none"
+  maxAge?: number
+  httpOnly?: boolean
+  priority?: "low" | "medium" | "high"
+  domain?: string
+  path?: string
+  signed?: boolean
+}
+
 /**
  * @interface
  *
@@ -413,6 +429,8 @@ export type ProjectConfigOptions = {
    */
   sessionOptions?: SessionOptions
 
+  cookieOptions?: CookieOptions
+
   /**
    * Configure the number of staged jobs that are polled from the database. Default is `1000`.
    *