feat: support for cross-subdomain cookie (#4)

peterpeterparker · web-flow · commit ce398027e034 · 2026-01-23T14:29:15.000+01:00
diff --git a/.env.production.example b/.env.production.example
@@ -1,3 +1,5 @@
 GITHUB_CLIENT_ID=your_github_oauth_client_id
 GITHUB_CLIENT_SECRET=your_github_oauth_client_secret
-GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer
+GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer
+COOKIE_DOMAIN=.yourdomain.com
+COOKIE_SAME_SITE=lax
diff --git a/README.md b/README.md
@@ -33,7 +33,17 @@ GITHUB_AUTH_ISSUER=https://your-domain.com/auth/github
 > [!NOTE]
 > The issuer must be unique for the service. The authentication modules use it to distinguish the providers.
 
-3. Start the container:
+3. (Optional) Configure cookie settings for cross-subdomain support in `.env.production`:
+
+```bash
+COOKIE_DOMAIN=.yourdomain.com
+COOKIE_SAME_SITE=lax
+```
+
+> [!TIP]
+> If your API runs on a different subdomain than your frontend (e.g., `api.yourdomain.com` and `app.yourdomain.com`), configure `COOKIE_DOMAIN` with a leading dot (e.g., `.yourdomain.com`) to enable cookie sharing across subdomains. Set `COOKIE_SAME_SITE` to `lax`, `strict`, or `none` as needed. If your API and frontend are on the same domain, you can omit `COOKIE_DOMAIN` or set it without the leading dot.
+
+4. Start the container:
 
 ```bash
 docker compose up -d
diff --git a/src/handlers/auth/github.ts b/src/handlers/auth/github.ts
@@ -35,11 +35,24 @@ export const githubAuthInit = async ({
 
 	const state = await jwt.signOAuthJwt({ payload: stateData });
 
+	const production = Bun.env.NODE_ENV === 'production';
+	const cookieDomain = Bun.env.COOKIE_DOMAIN?.trim();
+	const cookieSameSite = Bun.env.COOKIE_SAME_SITE?.trim();
+
 	auth.set({
 		value: state,
 		httpOnly: true,
-		maxAge: 10 * 60, // 10 minutes, similar as the The GitHub OAuth authorization code which least 10 minutes
-		path: '/v1/auth/finalize/github'
+		maxAge: 10 * 60, // 10 minutes, similar as the GitHub OAuth authorization code which least 10 minutes
+		path: '/v1/auth/finalize/github',
+		...(production && {
+			...(cookieDomain !== undefined && cookieDomain !== '' && { domain: cookieDomain }),
+			...(cookieSameSite !== undefined &&
+				cookieSameSite !== '' &&
+				['strict', 'lax', 'none'].includes(cookieSameSite) && {
+					sameSite: cookieSameSite as 'strict' | 'lax' | 'none'
+				}),
+			secure: true
+		})
 	});
 
 	return { state };
diff --git a/test/handlers/auth/github.ts b/test/handlers/auth/github.ts
