How does Koa determine if cookies are going over a secure connection?

[christianjuth]

I'm deploying my Koa server to Fly.io. My domain is https, but I think whatever proxy Fly.io has set up is stripping away the encryption layer – I don't have much experience with proxies.

As far as I can tell, Fly.io is doing everything correctly.

I'm also setting proxy.true when creating my fly server.

const app = new Koa({
  proxy: true,
})

I have the following options when I set my cookie.

const option = ctx => ({
  secure: ctx.secure, // Set secure based on the request's secure property
  sameSite: ctx.secure ? 'none' : 'strict', // Set SameSite to 'none' for secure requests
})
app.use((ctx, next) => session(getSessionConfig(ctx), app)(ctx, next)) // add session cookie store

However, cookies package continues to reject the secure cookie saying cannot send secure cookie over unencrypted connection.

But I found this workaround:

// THIS IS A HACK
app.use((ctx, next) => {
  ctx.cookies.secure = ctx.secure
  return next()
})

First, I'm wondering if there are any obvious security issues with this. Does ctx.secure = true imply that it's ok to send a secure cookie? Note, my fly config is set to force https, so I'm pretty sure my connections are secure, at least up to the proxy.

Is there something obvious that I'm missing here? Looking at the Koa source code, I'm guessing request.secure = false but then why would ctx.secure = true?