From e18db985b65b5783f4b389179c890cdebb90b1fe Mon Sep 17 00:00:00 2001
From: Mark Henderson
Date: Wed, 18 Feb 2026 18:02:06 -0800
Subject: [PATCH] fix: set session cookie on .vibnai.com for subdomain ForwardAuth
Without domain: .vibnai.com the cookie is scoped to vibnai.com only. Browsers don't send it to theia.vibnai.com, so ForwardAuth sees no token and redirects to login even when the user is already logged in.
Co-authored-by: Cursor
---
 lib/auth/authOptions.ts | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/lib/auth/authOptions.ts b/lib/auth/authOptions.ts
index af81f39..c257c46 100644
--- a/lib/auth/authOptions.ts
+++ b/lib/auth/authOptions.ts
@@ -30,4 +30,16 @@ export const authOptions: NextAuthOptions = {
 maxAge: 30 * 24 * 60 * 60, // 30 days
 },
 secret: process.env.NEXTAUTH_SECRET,
+ cookies: {
+ sessionToken: {
+ name: `__Secure-next-auth.session-token`,
+ options: {
+ httpOnly: true,
+ sameSite: "lax",
+ path: "/",
+ secure: true,
+ domain: ".vibnai.com", // share across all subdomains (theia.vibnai.com, etc.)
+ },
+ },
+ },
 };
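Review bot: The `domain: ".vibnai.com"` option on `cookies.sessionToken` makes the browser attach the session token to every host under vibnai.com, so each subdomain's server, and anything the ForwardAuth proxy forwards the `Cookie` header to, receives a credential that is valid for the main app; `httpOnly` only keeps page scripts from reading it. If any subdomain runs less-trusted or user-controlled workloads, or is served from a DNS record that could go stale, a compromise there now exposes main-app sessions. I would record that assumption next to the option, e.g. `// sent to every *.vibnai.com host: all subdomains must be as trusted as the main app`, and have the proxy strip the `Cookie` header before forwarding to upstreams that do not need it. Separately, the hard-coded `__Secure-` name, `secure: true` and domain apply in every environment, so sign-in over plain HTTP on localhost would presumably stop working; reading the domain from configuration, e.g. `domain: process.env.SESSION_COOKIE_DOMAIN,` (variable name is only a suggestion), would leave non-production hosts with a host-only cookie. The `authOptions` object starts outside the hunk.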