From eb859c18bc6214cbb4812cd656e87f47abf7a908 Mon Sep 17 00:00:00 2001
From: Till JS
Date: Fri, 20 Mar 2026 18:55:34 +0100
Subject: [PATCH] fix(auth): use SameSite=None for cross-subdomain SSO
SameSite=Lax only sends cookies on top-level navigations (link clicks), not on programmatic fetch() requests. SSO relies on fetch() with credentials:'include' from app subdomains to auth.mana.how, so SameSite=None is required when COOKIE_DOMAIN is set. Falls back to Lax for local development (no COOKIE_DOMAIN).
Co-Authored-By: Claude Opus 4.6 (1M context)
---
services/mana-core-auth/src/auth/better-auth.config.ts | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/mana-core-auth/src/auth/better-auth.config.ts b/services/mana-core-auth/src/auth/better-auth.config.ts
index bc8b05d1c..deda4cb6b 100644
--- a/services/mana-core-auth/src/auth/better-auth.config.ts
+++ b/services/mana-core-auth/src/auth/better-auth.config.ts
@@ -215,8 +215,10 @@ export function createBetterAuth(databaseUrl: string) {
 defaultCookieAttributes: {
 // Secure in production, allow http in development
 secure: process.env.NODE_ENV === 'production',
- // Protect against CSRF while allowing cross-site navigation
- sameSite: 'lax' as const,
+ // SameSite=None is required for cross-subdomain SSO via fetch()
+ // Lax only sends cookies on top-level navigations, not programmatic fetch()
+ // None requires Secure=true (ensured by production check above)
+ sameSite: process.env.COOKIE_DOMAIN ? ('none' as const) : ('lax' as const),
 // Cookies accessible to all paths
 path: '/',
 // Prevent JavaScript access to cookies
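Review bot: The added comment `// None requires Secure=true (ensured by production check above)` is not enforced by the code: `secure` keys off `NODE_ENV` while the new `sameSite` keys off `COOKIE_DOMAIN`, so any environment with `COOKIE_DOMAIN` set but `NODE_ENV` other than `'production'` (a staging box, a developer testing SSO locally) emits `SameSite=None` without `Secure`, which current browsers discard, silently breaking the session cookie. Derive both attributes from one decision, e.g. `const crossSite = Boolean(process.env.COOKIE_DOMAIN);` then `secure: process.env.NODE_ENV === 'production' || crossSite,` and `sameSite: crossSite ? ('none' as const) : ('lax' as const),`. The removed comment was the only note that Lax served as the browser-side CSRF mitigation; with None the browser will attach the cookie to any cross-site request, so a comment here should state that CSRF protection now rests entirely on the server's origin/trusted-origins validation, which lives outside this hunk and should be confirmed as part of this change. The enclosing createBetterAuth config object starts and ends outside the hunk.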