Allow APP_BASE to be an empty string when setting cookies

- I originally set APP_BASE to '/' instead of '' because setting cookies
requires the slash and I wanted to reuse the APP_BASE env var when
setting cookies
- However, this seems to cause problems with svelte which doesn't allow
APP_BASE to end in a slash (even if it's just a single slash): see
https://svelte.dev/docs/kit/configuration#paths
- Changed the logic so that APP_BASE can be '' if desired and when
setting cookies, we just set the path to '/' if APP_BASE is ''

Author: jonstrutz11

.env

@@ -180,7 +180,7 @@ ADMIN_API_SECRET=# secret to admin API calls, like computing usage stats or expo
 # These values cannot be updated at runtime
 # They need to be passed when building the docker image
 # See https://github.com/huggingface/chat-ui/main/.github/workflows/deploy-prod.yml#L44-L47
-APP_BASE="/" # base path of the app, e.g. /chat
+APP_BASE= # base path of the app, e.g. /chat
 PUBLIC_APP_COLOR=blue # can be any of tailwind colors: https://tailwindcss.com/docs/customizing-colors#default-color-palette
 ### Body size limit for SvelteKit https://svelte.dev/docs/kit/adapter-node#Environment-variables-BODY_SIZE_LIMIT
 BODY_SIZE_LIMIT=15728640

src/lib/server/auth.ts

@@ -211,7 +211,7 @@ export async function logout(cookies: Cookies, locals: App.Locals) {
 
 	for (const cookie_name of cookie_names) {
 		cookies.delete(cookie_name, {
-			path: env.APP_BASE,
+			path: env.APP_BASE || "/",
 			// So that it works inside the space's iframe
 			sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 			secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),

src/lib/server/providers/microsoft_entra/providerEntra.ts

@@ -59,7 +59,7 @@ async function getAccessToken(
 	};
 
 	cookies.set(ProviderCookieNames.ACCESS_TOKEN, JSON.stringify(accessToken), {
-		path: env.APP_BASE,
+		path: env.APP_BASE || "/",
 		// So that it works inside the space's iframe
 		sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 		secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
@@ -68,7 +68,7 @@ async function getAccessToken(
 	});
 
 	cookies.set(ProviderCookieNames.PROVIDER_PARAMS, JSON.stringify(newProviderParameters), {
-		path: env.APP_BASE,
+		path: env.APP_BASE || "/",
 		// So that it works inside the space's iframe
 		sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 		secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
@@ -109,7 +109,7 @@ async function refreshMicrosoftGraphToken(
 	};
 
 	cookies.set(ProviderCookieNames.ACCESS_TOKEN, JSON.stringify(refreshedAccessToken), {
-		path: env.APP_BASE,
+		path: env.APP_BASE || "/",
 		// So that it works inside the space's iframe
 		sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 		secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),

src/routes/login/callback/+server.ts

@@ -89,7 +89,7 @@ async function handleLogin(requestEvent: RequestEvent) {
 				httpOnly: true,
 				secure: true,
 				sameSite: "none",
-				path: env.APP_BASE,
+				path: env.APP_BASE || "/",
 			}
 		);
 	}