This repository has been archived on 2026-02-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.

giles de93dfdc73 Device cookie + internal endpoint for auth state detection ...

Each client app sets a persistent first-party device cookie ({app}_did).
On each request:
- Logged in: verify grant via account internal endpoint (cached 60s)
- Not logged in + device cookie: check-device endpoint detects if user
  logged in since last grant revocation → triggers OAuth automatically
No cross-domain cookies. No propagation chain. Each app checks independently.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-23 12:50:43 +00:00

9.2 KiB

Raw Blame History

View Raw