Add /auth endpoint for iOS Safari cross-subdomain auth

iOS Safari blocks shared cookies. Now L2 can redirect to L1/auth?auth_token=xxx after login, and L1 sets its own first-party cookie. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 17:06:10 +00:00
parent 304f3ad56f
commit 9a51d66aec
1 changed files with 28 additions and 1 deletions
--- a/server.py
+++ b/server.py
@@ -3839,7 +3839,34 @@ def render_ui_html(actor_id: Optional[str] = None, tab: str = "runs") -> str:


 # Auth - L1 doesn't handle login (user logs in at their L2 server)
-# Shared cookie authenticates across L1 and L2
+# Token can be passed via URL from L2 redirect, then L1 sets its own cookie
+
+@app.get("/auth")
+async def auth_callback(auth_token: str = None):
+    """
+    Receive auth token from L2 redirect and set local cookie.
+    This enables cross-subdomain auth on iOS Safari which blocks shared cookies.
+    """
+    if not auth_token:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Verify the token is valid
+    ctx = await get_verified_user_context(auth_token)
+    if not ctx:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Set local first-party cookie and redirect to home
+    response = RedirectResponse(url="/runs", status_code=302)
+    response.set_cookie(
+        key="auth_token",
+        value=auth_token,
+        httponly=True,
+        max_age=60 * 60 * 24 * 30,  # 30 days
+        samesite="lax",
+        secure=True
+    )
+    return response
+

@app.get("/logout")
 async def logout():