From 02922adc9ab857dd9462f0ba9722494f68924784 Mon Sep 17 00:00:00 2001
From: Thigazhezhilan J
Date: Wed, 20 May 2026 23:31:46 +0530
Subject: [PATCH] Fix reconnect broker: share session cookie across subdomains

Frontend (app.quantfortune.com) fetches API (api.quantfortune.com). With SameSite=Lax the browser won't send the cookie on cross-origin fetch calls, so the server sees no session and the request fails. Adding COOKIE_DOMAIN=.quantfortune.com makes the cookie valid for all subdomains.

Mohan needs to add this to .env and restart.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/.env.example | 2 ++
 backend/app/routers/auth.py | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/backend/.env.example b/backend/.env.example
index 43d802d..d8be593 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -11,6 +11,8 @@ RESET_OTP_SECRET=
 # ── Environment ───────────────────────────────────────────────────────────────
 APP_ENV=production
 CORS_ORIGINS=https://quantfortune.com,https://www.quantfortune.com,https://app.quantfortune.com,https://www.app.quantfortune.com
+# Required when frontend and API are on different subdomains (e.g. app. vs api.)
+COOKIE_DOMAIN=.quantfortune.com
 # ── Database ──────────────────────────────────────────────────────────────────
 DATABASE_URL=postgresql://user:password@localhost:5432/quantfortune
diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py
index 84733e6..6d15928 100644
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -19,6 +19,7 @@ APP_ENV = (os.getenv("APP_ENV") or os.getenv("ENVIRONMENT") or os.getenv("FASTAP
 IS_PRODUCTION = APP_ENV in {"prod", "production"}
 COOKIE_SECURE = True if IS_PRODUCTION else os.getenv("COOKIE_SECURE", "0") == "1"
 COOKIE_SAMESITE = (os.getenv("COOKIE_SAMESITE") or "lax").lower()
+COOKIE_DOMAIN = (os.getenv("COOKIE_DOMAIN") or "").strip() or None
 if IS_PRODUCTION and not COOKIE_SECURE:
     raise RuntimeError("Secure session cookies are mandatory in production")
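Review bot: The new `COOKIE_DOMAIN` constant, once passed as the cookie's Domain attribute, changes the session cookie from host-only (api.quantfortune.com) to one the browser sends to every host under the configured domain, so any subdomain that is later pointed at third-party or user-controlled content receives the session token; a Domain attribute also rules out the `__Host-` cookie-name prefix, should the cookie name (not visible in this hunk) use it. The commit message blames SameSite=Lax, but app. and api. under one registrable domain are same-site, so Lax does not block that fetch and a host-only cookie set by api. is already matched on requests to api.; it would be worth confirming the frontend sends credentials on the fetch and that the CORS response allows them before widening the cookie at all. If the Domain attribute stays, document the trade-off next to the constant, e.g. `# COOKIE_DOMAIN widens the session cookie to every subdomain; leave unset unless the API and frontend really run on different hosts.`, and consider rejecting a production value that is not a suffix of the API host, in the same style as the existing COOKIE_SECURE startup check. The matching line in backend/.env.example should ship empty rather than pre-filled with `.quantfortune.com`, so deployments opt in deliberately.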
@@ -33,6 +34,7 @@ def _set_session_cookie(response: Response, session_id: str):
         max_age=SESSION_TTL_SECONDS,
         secure=COOKIE_SECURE,
         path="/",
+        domain=COOKIE_DOMAIN,
     )