Cookie-domene .synops.no for delt sesjon mellom ws og adm

Session-cookie settes på .synops.no slik at login på ws.synops.no også gjelder for adm.synops.no. Berettiget nå med to subdomener som trenger samme sesjon. CSRF-token forblir host-bound (__Host-). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 02:07:33 +00:00 · 2026-03-20 02:07:33 +00:00 · b8c38a901e
commit b8c38a901e
parent da04d42df2
1 changed files with 31 additions and 0 deletions
--- a/frontend/src/auth.ts
+++ b/frontend/src/auth.ts
@ -56,6 +56,37 @@ async function syncUsername(accessToken: string, username: string): Promise<void

 export const { handle, signIn, signOut } = SvelteKitAuth({
 	trustHost: true,
+	cookies: {
+		sessionToken: {
+			name: '__Secure-authjs.session-token',
+			options: {
+				httpOnly: true,
+				sameSite: 'lax',
+				path: '/',
+				secure: true,
+				domain: '.synops.no',
+			},
+		},
+		callbackUrl: {
+			name: '__Secure-authjs.callback-url',
+			options: {
+				httpOnly: true,
+				sameSite: 'lax',
+				path: '/',
+				secure: true,
+				domain: '.synops.no',
+			},
+		},
+		csrfToken: {
+			name: '__Host-authjs.csrf-token',
+			options: {
+				httpOnly: true,
+				sameSite: 'lax',
+				path: '/',
+				secure: true,
+			},
+		},
+	},
 	providers: [
 		{
 			id: 'authentik',