From 720602343edb75a37c092dff6dddfb653ded64b1 Mon Sep 17 00:00:00 2001
From: Till JS
Date: Fri, 20 Mar 2026 19:27:33 +0100
Subject: [PATCH] fix(shared-auth): set SSO session cookie on login
The signIn() method only called the custom /api/v1/auth/login endpoint which returns JWT tokens but doesn't set a session cookie. Without the cookie, cross-subdomain SSO (trySSO) can never find an active session. Now also calls Better Auth's native /api/auth/sign-in/email with credentials:'include' after successful login, which sets the session cookie with Domain=.mana.how for cross-subdomain SSO.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 packages/shared-auth/src/core/authService.ts | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/packages/shared-auth/src/core/authService.ts b/packages/shared-auth/src/core/authService.ts
index 2af23e28a..7c44095f6 100644
--- a/packages/shared-auth/src/core/authService.ts
+++ b/packages/shared-auth/src/core/authService.ts
@@ -95,6 +95,19 @@ export function createAuthService(config: AuthServiceConfig) {
 storage.setItem(storageKeys.USER_EMAIL, email),
 ]);
+ // Also sign in via Better Auth native endpoint to set session cookie
+ // This enables cross-subdomain SSO (cookie shared across *.mana.how)
+ try {
+ await fetch(`${baseUrl}/api/auth/sign-in/email`, {
+ method: 'POST',
+ credentials: 'include',
+ headers: { 'Content-Type': 'application/json' },
+ body: JSON.stringify({ email, password }),
+ });
+ } catch {
+ // SSO cookie is nice-to-have, don't fail login if this fails
+ }
+
 return { success: true };
 } catch (error) {
 console.error('Error signing in:', error);
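Review bot: The added `fetch` to `/api/auth/sign-in/email` never inspects its response, and `fetch` rejects only on network failure, so a 401, 429 or 5xx from the cookie endpoint passes silently and `signIn()` still returns `{ success: true }` with no SSO cookie set; the empty `catch {}` hides the remaining failures. Keep the call non-fatal but make it observable, e.g. `const res = await fetch(...); if (!res.ok) console.warn('SSO cookie sign-in failed:', res.status);`, and consider adding `signal: AbortSignal.timeout(5000)` since this awaited request now sits on the login path. The change also creates a cookie-backed session next to the JWT tokens, so the sign-out path (not visible in this hunk) presumably has to end that session as well, otherwise a logged-out user keeps a cookie that is valid on every `*.mana.how` subdomain. The password is submitted a second time per login, which may count double against any server-side rate limiting or lockout — worth confirming. The enclosing `signIn` body starts and ends outside the hunk.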