From 9a51d66aec6864138123f741852e9d59436c687d Mon Sep 17 00:00:00 2001
From: gilesb
Date: Fri, 9 Jan 2026 17:06:10 +0000
Subject: [PATCH] Add /auth endpoint for iOS Safari cross-subdomain auth

iOS Safari blocks shared cookies. Now L2 can redirect to L1/auth?auth_token=xxx after login, and L1 sets its own first-party cookie.

Co-Authored-By: Claude Opus 4.5
---
 server.py | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/server.py b/server.py
index 850641e..ea79e53 100644
--- a/server.py
+++ b/server.py
@@ -3839,7 +3839,34 @@ def render_ui_html(actor_id: Optional[str] = None, tab: str = "runs") -> str:
 # Auth - L1 doesn't handle login (user logs in at their L2 server)
-# Shared cookie authenticates across L1 and L2
+# Token can be passed via URL from L2 redirect, then L1 sets its own cookie
+
+@app.get("/auth")
+async def auth_callback(auth_token: str = None):
+    """
+    Receive auth token from L2 redirect and set local cookie.
+    This enables cross-subdomain auth on iOS Safari which blocks shared cookies.
+    """
+    if not auth_token:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Verify the token is valid
+    ctx = await get_verified_user_context(auth_token)
+    if not ctx:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Set local first-party cookie and redirect to home
+    response = RedirectResponse(url="/runs", status_code=302)
+    response.set_cookie(
+        key="auth_token",
+        value=auth_token,
+        httponly=True,
+        max_age=60 * 60 * 24 * 30,  # 30 days
+        samesite="lax",
+        secure=True
+    )
+    return response
+
 @app.get("/logout")
 async def logout():