Merged
4 changes: 3 additions & 1 deletion .env.production.example
@@ -1,3 +1,5 @@
GITHUB_CLIENT_ID=your_github_oauth_client_id
GITHUB_CLIENT_SECRET=your_github_oauth_client_secret
GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer
GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer
COOKIE_DOMAIN=.yourdomain.com
COOKIE_SAME_SITE=lax
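Review bot: the two new cookie lines are presented as defaults, while the README change in this same PR calls cross-subdomain cookie sharing optional; a `COOKIE_DOMAIN` with a leading dot scopes the OAuth state cookie to every subdomain of `yourdomain.com`, so add a comment above them such as `# Optional: only set when the API and frontend run on different subdomains` so single-host deployments do not copy a wider cookie scope than they need. The repeated `GITHUB_AUTH_ISSUER` line reads as a whitespace-only change in the rendered view; worth confirming it is only the trailing newline and not an accidental duplicate key.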
12 changes: 11 additions & 1 deletion README.md
Expand Up @@ -33,7 +33,17 @@ GITHUB_AUTH_ISSUER=https://your-domain.com/auth/github
> [!NOTE]
> The issuer must be unique for the service. The authentication modules use it to distinguish the providers.

3. Start the container:
3. (Optional) Configure cookie settings for cross-subdomain support in `.env.production`:

```bash
COOKIE_DOMAIN=.yourdomain.com
COOKIE_SAME_SITE=lax
```

> [!TIP]
> If your API runs on a different subdomain than your frontend (e.g., `api.yourdomain.com` and `app.yourdomain.com`), configure `COOKIE_DOMAIN` with a leading dot (e.g., `.yourdomain.com`) to enable cookie sharing across subdomains. Set `COOKIE_SAME_SITE` to `lax`, `strict`, or `none` as needed. If your API and frontend are on the same domain, you can omit `COOKIE_DOMAIN` or set it without the leading dot.

4. Start the container:

```bash
docker compose up -d
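Review bot: the TIP in the new step 3 offers `strict` as a valid `COOKIE_SAME_SITE` value without a caveat, but this cookie carries the OAuth `state` and has to be sent on the redirect back from GitHub to `/v1/auth/finalize/github`, which is a cross-site top-level navigation; a `SameSite=Strict` cookie is not sent on that request, so the callback would not find the state. Recommend documenting that `lax` is the working value for this flow, that `none` requires `Secure` (which the handler sets only when `NODE_ENV=production`), and that both variables have no effect outside production, since `src/handlers/auth/github.ts` applies them only under the `production` guard.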
17 changes: 15 additions & 2 deletions src/handlers/auth/github.ts
Expand Up @@ -35,11 +35,24 @@ export const githubAuthInit = async ({

const state = await jwt.signOAuthJwt({ payload: stateData });

const production = Bun.env.NODE_ENV === 'production';
const cookieDomain = Bun.env.COOKIE_DOMAIN?.trim();
const cookieSameSite = Bun.env.COOKIE_SAME_SITE?.trim();

auth.set({
value: state,
httpOnly: true,
maxAge: 10 * 60, // 10 minutes, similar as the The GitHub OAuth authorization code which least 10 minutes
path: '/v1/auth/finalize/github'
maxAge: 10 * 60, // 10 minutes, similar as the GitHub OAuth authorization code which least 10 minutes
path: '/v1/auth/finalize/github',
...(production && {
...(cookieDomain !== undefined && cookieDomain !== '' && { domain: cookieDomain }),
...(cookieSameSite !== undefined &&
cookieSameSite !== '' &&
['strict', 'lax', 'none'].includes(cookieSameSite) && {
sameSite: cookieSameSite as 'strict' | 'lax' | 'none'
}),
secure: true
})
});

return { state };
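Review bot: an invalid `COOKIE_SAME_SITE` value is silently dropped by the `['strict', 'lax', 'none'].includes(cookieSameSite)` check (a typo such as `Lax` fails the case-sensitive comparison), so the state cookie is then issued with the framework default and nothing in the logs says why; validate the value once at startup, or at least `console.warn` here, and consider lower-casing it before the comparison. Reading and trimming `COOKIE_DOMAIN` and `COOKIE_SAME_SITE` on every request is also work that belongs at module scope next to `production`. Separately, the comment on the `maxAge` line still reads "similar as the GitHub OAuth authorization code which least 10 minutes"; suggest "similar to the GitHub OAuth authorization code, which lasts at least 10 minutes".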