From 103c86e14dc582f588bbe4207164116c9929e110 Mon Sep 17 00:00:00 2001
From: Timothy Yin
Date: Wed, 11 Mar 2026 23:39:14 +0800
Subject: [PATCH] feat(auth): add support for cross-subdomain cookies and improve environment variable handling
---
 apps/csms/.env.example | 3 +++
 apps/csms/src/lib/auth.ts | 19 +++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/apps/csms/.env.example b/apps/csms/.env.example
index b798044..fd7c2e4 100644
--- a/apps/csms/.env.example
+++ b/apps/csms/.env.example
@@ -1,2 +1,5 @@
+BETTER_AUTH_SECRET=
 WEB_ORIGIN=http://localhost:3000
 DATABASE_CONNECTION_STRING=
+# 生产环境跨子域 Cookie,例如 .uniiem.com
+COOKIE_DOMAIN=
diff --git a/apps/csms/src/lib/auth.ts b/apps/csms/src/lib/auth.ts
index 8605bb4..8dcbcb8 100644
--- a/apps/csms/src/lib/auth.ts
+++ b/apps/csms/src/lib/auth.ts
@@ -5,6 +5,9 @@ import * as schema from "@/db/schema.ts";
 import { admin, bearer, username } from "better-auth/plugins";
 import { passkey } from "@better-auth/passkey";
+const webOrigin = process.env.WEB_ORIGIN ?? "http://localhost:3000";
+const rpID = new URL(webOrigin).hostname;
+
 export const auth = betterAuth({
 database: drizzleAdapter(useDrizzle(), {
 provider: "pg",
@@ -12,7 +15,7 @@ export const auth = betterAuth({
 ...schema,
 },
 }),
- trustedOrigins: [process.env.WEB_ORIGIN ?? "http://localhost:3000"],
+ trustedOrigins: [webOrigin],
 appName: "Helios EVCS",
 user: {
 additionalFields: {},
@@ -20,8 +23,20 @@ export const auth = betterAuth({
 emailAndPassword: {
 enabled: true,
 },
- plugins: [admin(), username(), bearer(), passkey()],
+ plugins: [
+ admin(),
+ username(),
+ bearer(),
+ passkey({
+ rpID,
+ rpName: "Helios EVCS",
+ origin: webOrigin,
+ }),
+ ],
 advanced: {
 cookiePrefix: "helios_auth",
+ crossSubdomainCookies: process.env.COOKIE_DOMAIN
+ ? { enabled: true, domain: process.env.COOKIE_DOMAIN }
+ : { enabled: false },
 },
 });
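Review bot: `BETTER_AUTH_SECRET=` is added to `apps/csms/.env.example` without any comment, and the `COOKIE_DOMAIN` comment does not say what an empty value means or what setting it changes. I would add `# Required: long random secret for better-auth, unique per environment; never commit the real value` above `BETTER_AUTH_SECRET=`. I would also extend the `COOKIE_DOMAIN` comment with `# leave empty to keep cross-subdomain cookies disabled; a parent domain makes the session cookie visible to every subdomain`. The empty-means-disabled behaviour follows from the `crossSubdomainCookies` ternary in `apps/csms/src/lib/auth.ts`.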
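Review bot: `new URL(webOrigin)` in the first `auth.ts` hunk runs at module load, so a malformed `WEB_ORIGIN` now fails the import with a bare `TypeError`, and `??` does not fall back when the variable is present but empty (`WEB_ORIGIN=`), which also throws here. Using `process.env.WEB_ORIGIN || "http://localhost:3000"` covers the empty case, and wrapping the parse so the error message names `WEB_ORIGIN` would make the misconfiguration obvious. Separately, the silent localhost default means an unset `WEB_ORIGIN` in production yields `rpID` `localhost` and a localhost-only `trustedOrigins`; failing fast outside development may be preferable. A short comment such as `// WebAuthn RP ID: host of the web app; passkeys are bound to this value` above `rpID` would explain why it is derived from the origin.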
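Review bot: `COOKIE_DOMAIN` is passed to `crossSubdomainCookies.domain` unchecked in the `advanced` block of the last `auth.ts` hunk, so a typo or an overly broad value silently changes which hosts receive the cookies carrying the `helios_auth` prefix. I would read the variable once, trim it, and refuse to start unless it equals the `WEB_ORIGIN` host (`rpID`) or is a parent domain of it, as sketched below. `trustedOrigins` still lists only `webOrigin`, so if other subdomains are expected to call the auth API that is presumably handled elsewhere; worth confirming. The `betterAuth({` call opens outside this hunk.

```typescript
const cookieDomain = process.env.COOKIE_DOMAIN?.trim();
if (cookieDomain) {
  // Accept ".example.com" and "example.com"; compare on label boundaries only.
  const parent = cookieDomain.replace(/^\./, "");
  if (rpID !== parent && !rpID.endsWith(`.${parent}`)) {
    throw new Error(
      "COOKIE_DOMAIN must be the WEB_ORIGIN host or a parent domain of it",
    );
  }
}

// … unchanged: betterAuth({ database, trustedOrigins, user, plugins … }) …
  advanced: {
    cookiePrefix: "helios_auth",
    crossSubdomainCookies: cookieDomain
      ? { enabled: true, domain: cookieDomain }
      : { enabled: false },
```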