fix: set session cookie on .vibnai.com for subdomain ForwardAuth

Without domain: .vibnai.com the cookie is scoped to vibnai.com only. Browsers don't send it to theia.vibnai.com, so ForwardAuth sees no token and redirects to login even when the user is already logged in. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-18 18:02:06 -08:00
parent d00979f89e
commit e18db985b6
1 changed files with 12 additions and 0 deletions
--- a/lib/auth/authOptions.ts
+++ b/lib/auth/authOptions.ts
@@ -30,4 +30,16 @@ export const authOptions: NextAuthOptions = {
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
  secret: process.env.NEXTAUTH_SECRET,
+  cookies: {
+    sessionToken: {
+      name: `__Secure-next-auth.session-token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: true,
+        domain: ".vibnai.com", // share across all subdomains (theia.vibnai.com, etc.)
+      },
+    },
+  },
 };