diff --git a/docker-compose.macmini.yml b/docker-compose.macmini.yml index a4d77bb7f..4eb3d2ea6 100644 --- a/docker-compose.macmini.yml +++ b/docker-compose.macmini.yml @@ -94,6 +94,8 @@ services: JWT_PUBLIC_KEY: ${JWT_PUBLIC_KEY:-} JWT_PRIVATE_KEY: ${JWT_PRIVATE_KEY:-} BASE_URL: https://auth.mana.how + # Cross-domain SSO: share session cookies across all *.mana.how subdomains + COOKIE_DOMAIN: .mana.how SMTP_HOST: smtp-relay.brevo.com SMTP_PORT: 587 SMTP_USER: ${SMTP_USER:-94cde5002@smtp-brevo.com} diff --git a/services/mana-core-auth/.env.example b/services/mana-core-auth/.env.example index 65cc8f4bf..0fdee5788 100644 --- a/services/mana-core-auth/.env.example +++ b/services/mana-core-auth/.env.example @@ -33,6 +33,19 @@ REDIS_PASSWORD= # Used for email verification links, OIDC callbacks, etc. BASE_URL=http://localhost:3001 +# ============================================================================ +# Cross-Domain SSO [REQUIRED IN PRODUCTION] +# ============================================================================ +# Cookie domain for Single Sign-On across subdomains. +# Set to '.mana.how' (with leading dot) to share sessions across: +# - calendar.mana.how +# - todo.mana.how +# - chat.mana.how +# - etc. +# +# Leave empty/unset for local development (cookies will be domain-specific) +COOKIE_DOMAIN= + # ============================================================================ # CORS [REQUIRED IN PRODUCTION] # ============================================================================ diff --git a/services/mana-core-auth/src/auth/better-auth.config.ts b/services/mana-core-auth/src/auth/better-auth.config.ts index b028fbafc..c90a11bb4 100644 --- a/services/mana-core-auth/src/auth/better-auth.config.ts +++ b/services/mana-core-auth/src/auth/better-auth.config.ts @@ -190,19 +190,65 @@ export function createBetterAuth(databaseUrl: string) { // Base URL for callbacks and redirects baseURL: process.env.BASE_URL || 'http://localhost:3001', - // Trusted origins for cross-origin requests + /** + * Advanced Cookie Configuration for Cross-Domain SSO + * + * By setting the cookie domain to '.mana.how', session cookies are shared + * across all subdomains (calendar.mana.how, todo.mana.how, etc.). + * This enables Single Sign-On: login once, authenticated everywhere. + * + * For local development (localhost), leave domain undefined to use default behavior. + */ + advanced: { + // Cookie prefix for all auth cookies + cookiePrefix: 'mana', + + // Cross-subdomain cookie configuration + crossSubDomainCookies: { + // Enable cross-subdomain cookies in production + enabled: !!process.env.COOKIE_DOMAIN, + // Domain for cookies (e.g., '.mana.how' - note the leading dot) + domain: process.env.COOKIE_DOMAIN || undefined, + }, + + // Default cookie options for all auth cookies + defaultCookieAttributes: { + // Secure in production, allow http in development + secure: process.env.NODE_ENV === 'production', + // Protect against CSRF while allowing cross-site navigation + sameSite: 'lax' as const, + // Cookies accessible to all paths + path: '/', + // Prevent JavaScript access to cookies + httpOnly: true, + }, + }, + + // Trusted origins for cross-origin requests (must match CORS_ORIGINS in production) trustedOrigins: [ + // Production domains 'https://auth.mana.how', 'https://mana.how', - 'https://mchat.mana.how', - 'https://matrix.mana.how', 'https://chat.mana.how', + 'https://todo.mana.how', 'https://calendar.mana.how', + 'https://clock.mana.how', 'https://contacts.mana.how', + 'https://storage.mana.how', 'https://picture.mana.how', 'https://zitare.mana.how', + 'https://presi.mana.how', + 'https://nutriphi.mana.how', + 'https://skilltree.mana.how', + 'https://matrix.mana.how', + 'https://mchat.mana.how', + 'https://element.mana.how', + 'https://link.mana.how', + 'https://playground.mana.how', + // Local development 'http://localhost:3001', 'http://localhost:5173', + 'http://localhost:5174', ], // Plugins