
Commit 8a41812

AndresL230claude
andcommitted
fix(auth): point to api.saplinglearn.com and share cookie across subdomains
Updates wrangler.toml [vars] to api.saplinglearn.com so the frontend and backend share saplinglearn.com as the registrable domain. Adds a COOKIE_DOMAIN env var so the session cookie can be set with domain=.saplinglearn.com in production, letting the browser send it to api.saplinglearn.com on fetches that are cross-origin but same-site. Reverts SameSite back to lax since the request is now same-site rather than cross-site. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 3491241 commit 8a41812

2 files changed

Lines changed: 7 additions & 4 deletions


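--- a/frontend/src/app/api/auth/session/route.ts
+++ b/frontend/src/app/api/auth/session/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { signSession, SESSION_MAX_AGE } from '@/lib/sessionToken';
 
 const SESSION_SECRET = process.env.SESSION_SECRET;
+const COOKIE_DOMAIN = process.env.COOKIE_DOMAIN || undefined;
 
 async function verifyAuthToken(token: string): Promise<string | null> {
 if (!SESSION_SECRET) return null;
@@ -71,10 +72,11 @@ export async function POST(request: NextRequest) {
 const response = NextResponse.json({ ok: true });
 response.cookies.set('sapling_session', token, {
 httpOnly: true,
-sameSite: 'none',
+sameSite: 'lax',
 secure: true,
 path: '/',
 maxAge: SESSION_MAX_AGE,
+...(COOKIE_DOMAIN ? { domain: COOKIE_DOMAIN } : {}),
 });
 return response;
 } catch {
@@ -86,10 +88,11 @@ export async function DELETE() {
 const response = NextResponse.json({ ok: true });
 response.cookies.set('sapling_session', '', {
 httpOnly: true,
-sameSite: 'none',
+sameSite: 'lax',
 secure: true,
 path: '/',
 maxAge: 0,
+...(COOKIE_DOMAIN ? { domain: COOKIE_DOMAIN } : {}),
 });
 return response;
 }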
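Review bot: Adding `domain: COOKIE_DOMAIN` to `sapling_session` in the POST hunk makes the cookie not only readable by every host under that domain but also writable by any of them, so a compromised or taken-over subdomain can overwrite the session cookie (cookie tossing / session fixation), and `sameSite: 'lax'` offers no protection against that because subdomains are same-site; the backend should keep an explicit Origin/CSRF check for api.saplinglearn.com rather than relying on SameSite, which this hunk cannot show. A second, concrete gap is in the DELETE hunk: a cookie carrying a `domain` attribute is a distinct cookie from the host-only one this route set before this commit, so after deploy a logout leaves the old host-only `sapling_session` in place until it expires and the browser may send both names; during the migration clear both by adding a second `response.cookies.set('sapling_session', '', { httpOnly: true, sameSite: 'lax', secure: true, path: '/', maxAge: 0 })` without `domain`. `COOKIE_DOMAIN` is also taken from the environment unvalidated — a value that is a public suffix or not a suffix of the request host makes browsers silently discard the Set-Cookie, so a comment such as `// registrable domain shared with the API host, e.g. saplinglearn.com; a leading dot is ignored by browsers` at the declaration, or a startup check, would prevent a silent auth outage. The bodies of POST and DELETE begin outside these hunks.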

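--- a/frontend/wrangler.toml
+++ b/frontend/wrangler.toml
@@ -14,8 +14,8 @@ binding = "ASSETS"
 directory = ".open-next/assets"
 
 [vars]
-NEXT_PUBLIC_API_URL = "https://sapling-production-cb12.up.railway.app"
-BACKEND_URL = "https://sapling-production-cb12.up.railway.app"
+NEXT_PUBLIC_API_URL = "https://api.saplinglearn.com"
+BACKEND_URL = "https://api.saplinglearn.com"
 
 [observability]
 enabled = true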
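Review bot: The commit description says the session cookie is scoped through a `COOKIE_DOMAIN` env var in production, but this `[vars]` hunk only rewrites the two API URLs and adds no `COOKIE_DOMAIN`; unless it is supplied elsewhere (a Wrangler secret or an environment-specific `[vars]` block not shown here), the cookie stays host-only and is never sent to api.saplinglearn.com, which defeats the change. If it belongs in this file, `COOKIE_DOMAIN = "saplinglearn.com"` next to `BACKEND_URL` would make the deployment self-contained and reviewable. Moving the API onto a first-party subdomain also requires the backend's CORS allow-list and credentialed-request handling to change in step, which this commit cannot show. Note that `NEXT_PUBLIC_API_URL` is inlined into the client bundle at build time, so already-deployed bundles keep calling the old Railway hostname until they are rebuilt.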
