feat(auth): update cookie prefix and default cookie attributes for better security

apps/csms/src/lib/auth.ts

@@ -8,12 +8,12 @@ import { passkey } from "@better-auth/passkey";
 const webOrigin = process.env.WEB_ORIGIN ?? "http://localhost:3000";
 const rpID = new URL(webOrigin).hostname;
 
-// 从 WEB_ORIGIN 的主机名推导父域（如 csms.uniiem.com → uniiem.com），
+// 从 WEB_ORIGIN 的主机名推导父域（如 csms.uniiem.com → .uniiem.com），
 // 用于跨子域共享 session cookie；本地开发时返回 undefined 不启用。
 function getParentDomain(hostname: string): string | undefined {
   if (hostname === "localhost" || /^\d/.test(hostname)) return undefined;
   const parts = hostname.split(".");
-  return parts.length >= 3 ? parts.slice(1).join(".") : undefined;
+  return parts.length >= 3 ? "." + parts.slice(1).join(".") : undefined;
 }
 
 const cookieDomain = process.env.COOKIE_DOMAIN ?? getParentDomain(rpID);
@@ -44,7 +44,13 @@ export const auth = betterAuth({
     }),
   ],
   advanced: {
-    cookiePrefix: "helios_auth",
+    cookiePrefix: "helios",
+    defaultCookieAttributes: {
+      httpOnly: true,
+      secure: true,
+      sameSite: "none",
+      domain: cookieDomain,
+    },
     crossSubdomainCookies: cookieDomain
       ? { enabled: true, domain: cookieDomain }
       : { enabled: false },