art-dag/activity-pub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add configurable cookie domain for cross-subdomain auth sharing

Browse Source 
- Add COOKIE_DOMAIN env var (e.g., ".rose-ash.com")
- Auto-derive from ARTDAG_DOMAIN if not set (strips first subdomain)
- Set domain on auth cookies for sharing across L1/L2 subdomains
- Add secure=True for cross-subdomain cookies

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
gilesb
2026-01-08 17:26:42 +00:00
parent 5eb525d107
commit 1d463352a7
1 changed files with 21 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
server.py
View File

@@ -39,6 +39,20 @@ DATA_DIR = Path(os.environ.get("ARTDAG_DATA", str(Path.home() / ".artdag" / "l2"
L1_PUBLIC_URL = os.environ.get("L1_PUBLIC_URL", "https://celery-artdag.rose-ash.com") L1_PUBLIC_URL = os.environ.get("L1_PUBLIC_URL", "https://celery-artdag.rose-ash.com")
EFFECTS_REPO_URL = os.environ.get("EFFECTS_REPO_URL", "https://git.rose-ash.com/art-dag/effects") EFFECTS_REPO_URL = os.environ.get("EFFECTS_REPO_URL", "https://git.rose-ash.com/art-dag/effects")
# Cookie domain for sharing auth across subdomains (e.g., ".rose-ash.com")
# If not set, derives from DOMAIN (strips first subdomain, adds leading dot)
def _get_cookie_domain():
env_val = os.environ.get("COOKIE_DOMAIN")
if env_val:
return env_val
# Derive from DOMAIN: artdag.rose-ash.com -> .rose-ash.com
parts = DOMAIN.split(".")
if len(parts) >= 2:
return "." + ".".join(parts[-2:])
return None
COOKIE_DOMAIN = _get_cookie_domain()
# Ensure data directory exists # Ensure data directory exists
DATA_DIR.mkdir(parents=True, exist_ok=True) DATA_DIR.mkdir(parents=True, exist_ok=True)
(DATA_DIR / "assets").mkdir(exist_ok=True) (DATA_DIR / "assets").mkdir(exist_ok=True)
@@ -340,7 +354,9 @@ async def ui_login_submit(request: Request):
value=token.access_token, value=token.access_token,
httponly=True, httponly=True,
max_age=60 * 60 * 24 * 30, # 30 days max_age=60 * 60 * 24 * 30, # 30 days
samesite="lax" samesite="lax",
domain=COOKIE_DOMAIN, # Share across subdomains
secure=True # Required for cross-subdomain cookies
) )
return response return response
@@ -424,7 +440,9 @@ async def ui_register_submit(request: Request):
value=token.access_token, value=token.access_token,
httponly=True, httponly=True,
max_age=60 * 60 * 24 * 30, # 30 days max_age=60 * 60 * 24 * 30, # 30 days
samesite="lax" samesite="lax",
domain=COOKIE_DOMAIN, # Share across subdomains
secure=True # Required for cross-subdomain cookies
) )
return response return response
@@ -433,7 +451,7 @@ async def ui_register_submit(request: Request):
async def logout(): async def logout():
"""Handle logout - clear cookie and redirect to home.""" """Handle logout - clear cookie and redirect to home."""
response = RedirectResponse(url="/", status_code=302) response = RedirectResponse(url="/", status_code=302)
response.delete_cookie("auth_token") response.delete_cookie("auth_token", domain=COOKIE_DOMAIN)
return response return response