From b8c38a901e21cf3ed132f0937c2114bf568115b5 Mon Sep 17 00:00:00 2001
From: vegard <vnotnes@pm.me>
Date: Fri, 20 Mar 2026 02:07:33 +0000
Subject: [PATCH] Cookie-domene .synops.no for delt sesjon mellom ws og adm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Session-cookie settes på .synops.no slik at login på ws.synops.no
også gjelder for adm.synops.no. Berettiget nå med to subdomener
som trenger samme sesjon. CSRF-token forblir host-bound (__Host-).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 frontend/src/auth.ts | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/frontend/src/auth.ts b/frontend/src/auth.ts
index 3c837a5..9f57fb5 100644
--- a/frontend/src/auth.ts
+++ b/frontend/src/auth.ts
@@ -56,6 +56,37 @@ async function syncUsername(accessToken: string, username: string): Promise<void
 
 export const { handle, signIn, signOut } = SvelteKitAuth({
 	trustHost: true,
+	cookies: {
+		sessionToken: {
+			name: '__Secure-authjs.session-token',
+			options: {
+				httpOnly: true,
+				sameSite: 'lax',
+				path: '/',
+				secure: true,
+				domain: '.synops.no',
+			},
+		},
+		callbackUrl: {
+			name: '__Secure-authjs.callback-url',
+			options: {
+				httpOnly: true,
+				sameSite: 'lax',
+				path: '/',
+				secure: true,
+				domain: '.synops.no',
+			},
+		},
+		csrfToken: {
+			name: '__Host-authjs.csrf-token',
+			options: {
+				httpOnly: true,
+				sameSite: 'lax',
+				path: '/',
+				secure: true,
+			},
+		},
+	},
 	providers: [
 		{
 			id: 'authentik',