fix(auth): use SameSite=None for cross-subdomain SSO

SameSite=Lax only sends cookies on top-level navigations (link clicks),
not on programmatic fetch() requests. SSO relies on fetch() with
credentials:'include' from app subdomains to auth.mana.how, so
SameSite=None is required when COOKIE_DOMAIN is set.

Falls back to Lax for local development (no COOKIE_DOMAIN).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Till JS 2026-03-20 18:55:34 +01:00
parent 985872330f
commit eb859c18bc


@ -215,8 +215,10 @@ export function createBetterAuth(databaseUrl: string) {
defaultCookieAttributes: {
// Secure in production, allow http in development
secure: process.env.NODE_ENV === 'production',
// Protect against CSRF while allowing cross-site navigation
sameSite: 'lax' as const,
// SameSite=None is required for cross-subdomain SSO via fetch()
// Lax only sends cookies on top-level navigations, not programmatic fetch()
// None requires Secure=true (ensured by production check above)
sameSite: process.env.COOKIE_DOMAIN ? ('none' as const) : ('lax' as const),
// Cookies accessible to all paths
path: '/',
// Prevent JavaScript access to cookies
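Review bot: The two gates in this hunk do not match, so the comment "None requires Secure=true (ensured by production check above)" only holds when COOKIE_DOMAIN is set exclusively in production. `secure` is derived from `process.env.NODE_ENV === 'production'` while `sameSite` is derived from `process.env.COOKIE_DOMAIN`; an environment with COOKIE_DOMAIN set but NODE_ENV unset (a staging host, a shared dev deployment) would emit SameSite=None without Secure, which browsers reject, and the SSO flow would fail silently. Derive both attributes from the same condition, e.g. `secure: process.env.NODE_ENV === 'production' || Boolean(process.env.COOKIE_DOMAIN)`, or assert at startup that COOKIE_DOMAIN implies production. Two further points on the rationale in the comment "Lax only sends cookies on top-level navigations, not programmatic fetch()": SameSite is evaluated per site (scheme plus registrable domain), so if the app subdomains and auth.mana.how share the registrable domain mana.how, a credentialed fetch() between them is same-site and Lax already attaches the cookie; SameSite=None is only needed when the calling app lives on a different registrable domain, and the comment should say which case applies. And since None sends the session cookie on every cross-site request, the CSRF protection that the removed comment "Protect against CSRF while allowing cross-site navigation" referred to now rests entirely on server-side Origin/Referer checks or tokens; the comment should state where that check lives so the next reader does not assume the cookie attribute still provides it.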