Add configurable cookie domain for cross-subdomain auth sharing

- Add COOKIE_DOMAIN env var (e.g., ".rose-ash.com") - Auto-derive from ARTDAG_DOMAIN if not set (strips first subdomain) - Set domain on auth cookies for sharing across L1/L2 subdomains - Add secure=True for cross-subdomain cookies Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-08 17:26:42 +00:00
parent 5eb525d107
commit 1d463352a7
1 changed files with 21 additions and 3 deletions
--- a/server.py
+++ b/server.py
@@ -39,6 +39,20 @@ DATA_DIR = Path(os.environ.get("ARTDAG_DATA", str(Path.home() / ".artdag" / "l2"
 L1_PUBLIC_URL = os.environ.get("L1_PUBLIC_URL", "https://celery-artdag.rose-ash.com")
 EFFECTS_REPO_URL = os.environ.get("EFFECTS_REPO_URL", "https://git.rose-ash.com/art-dag/effects")

+# Cookie domain for sharing auth across subdomains (e.g., ".rose-ash.com")
+# If not set, derives from DOMAIN (strips first subdomain, adds leading dot)
+def _get_cookie_domain():
+    env_val = os.environ.get("COOKIE_DOMAIN")
+    if env_val:
+        return env_val
+    # Derive from DOMAIN: artdag.rose-ash.com -> .rose-ash.com
+    parts = DOMAIN.split(".")
+    if len(parts) >= 2:
+        return "." + ".".join(parts[-2:])
+    return None
+
+COOKIE_DOMAIN = _get_cookie_domain()
+
 # Ensure data directory exists
 DATA_DIR.mkdir(parents=True, exist_ok=True)
 (DATA_DIR / "assets").mkdir(exist_ok=True)
@@ -340,7 +354,9 @@ async def ui_login_submit(request: Request):
        value=token.access_token,
        httponly=True,
        max_age=60 * 60 * 24 * 30,  # 30 days
-        samesite="lax"
+        samesite="lax",
+        domain=COOKIE_DOMAIN,  # Share across subdomains
+        secure=True  # Required for cross-subdomain cookies
    )
    return response

@@ -424,7 +440,9 @@ async def ui_register_submit(request: Request):
        value=token.access_token,
        httponly=True,
        max_age=60 * 60 * 24 * 30,  # 30 days
-        samesite="lax"
+        samesite="lax",
+        domain=COOKIE_DOMAIN,  # Share across subdomains
+        secure=True  # Required for cross-subdomain cookies
    )
    return response

@@ -433,7 +451,7 @@ async def ui_register_submit(request: Request):
 async def logout():
    """Handle logout - clear cookie and redirect to home."""
    response = RedirectResponse(url="/", status_code=302)
-    response.delete_cookie("auth_token")
+    response.delete_cookie("auth_token", domain=COOKIE_DOMAIN)
    return response