From 8d0164208dbda2e9ff7c64f6f5e3a9607bf14055 Mon Sep 17 00:00:00 2001
From: Timothy Yin
Date: Thu, 12 Mar 2026 00:36:00 +0800
Subject: [PATCH] feat(auth): update cookie prefix and default cookie attributes for better security
---
 apps/csms/src/lib/auth.ts | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/apps/csms/src/lib/auth.ts b/apps/csms/src/lib/auth.ts
index cde8479..83ad764 100644
--- a/apps/csms/src/lib/auth.ts
+++ b/apps/csms/src/lib/auth.ts
@@ -8,12 +8,12 @@ import { passkey } from "@better-auth/passkey";
 const webOrigin = process.env.WEB_ORIGIN ?? "http://localhost:3000";
 const rpID = new URL(webOrigin).hostname;
-// 从 WEB_ORIGIN 的主机名推导父域(如 csms.uniiem.com → uniiem.com),
+// 从 WEB_ORIGIN 的主机名推导父域(如 csms.uniiem.com → .uniiem.com),
 // 用于跨子域共享 session cookie;本地开发时返回 undefined 不启用。
 function getParentDomain(hostname: string): string | undefined {
   if (hostname === "localhost" || /^\d/.test(hostname)) return undefined;
   const parts = hostname.split(".");
-  return parts.length >= 3 ? parts.slice(1).join(".") : undefined;
+  return parts.length >= 3 ? "." + parts.slice(1).join(".") : undefined;
 }
 const cookieDomain = process.env.COOKIE_DOMAIN ?? getParentDomain(rpID);
@@ -44,7 +44,13 @@ export const auth = betterAuth({
     }),
   ],
   advanced: {
-    cookiePrefix: "helios_auth",
+    cookiePrefix: "helios",
+    defaultCookieAttributes: {
+      httpOnly: true,
+      secure: true,
+      sameSite: "none",
+      domain: cookieDomain,
+    },
     crossSubdomainCookies: cookieDomain
       ? { enabled: true, domain: cookieDomain }
       : { enabled: false },
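Review bot: The leading dot added in `getParentDomain` is cosmetic for browsers, which strip a leading `.` from the Domain attribute under RFC 6265 §5.2.3, so the derived `.uniiem.com` and an undotted `COOKIE_DOMAIN` override now look different in code but behave the same; a one-line comment would stop someone later "fixing" one form to match the other, e.g. `// Leading dot is optional per RFC 6265 §5.2.3; COOKIE_DOMAIN may omit it.`. The label-count check is what still deserves attention: a hostname whose registrable domain sits under a multi-label public suffix (say a constructed `csms.co.uk`, three labels) yields `.co.uk`, a public suffix that browsers refuse to store cookies for, and the failure is silent because nothing validates the derived value. Either document that deployment hostnames are assumed to be one label below a single-label suffix, or require `COOKIE_DOMAIN` to be set explicitly in such environments. Since `cookieDomain` feeds both `crossSubdomainCookies` and the new `defaultCookieAttributes`, a wrong value here affects every auth cookie; that second hunk runs past the end of what is shown.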