From c85fae2d07e04dd3b62ffb7d665de763f21de747 Mon Sep 17 00:00:00 2001
From: Thigazhezhilan J
Date: Wed, 20 May 2026 23:23:30 +0530
Subject: [PATCH] Fix cross-subdomain cookie: add COOKIE_DOMAIN support

Session cookie was scoped to api.quantfortune.com only. Setting COOKIE_DOMAIN=.quantfortune.com in .env makes the cookie shared across all subdomains so app.quantfortune.com can authenticate against api.quantfortune.com.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/routers/auth.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py
index 84733e6..6d15928 100644
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -19,6 +19,7 @@ APP_ENV = (os.getenv("APP_ENV") or os.getenv("ENVIRONMENT") or os.getenv("FASTAP
 IS_PRODUCTION = APP_ENV in {"prod", "production"}
 COOKIE_SECURE = True if IS_PRODUCTION else os.getenv("COOKIE_SECURE", "0") == "1"
 COOKIE_SAMESITE = (os.getenv("COOKIE_SAMESITE") or "lax").lower()
+COOKIE_DOMAIN = (os.getenv("COOKIE_DOMAIN") or "").strip() or None
 if IS_PRODUCTION and not COOKIE_SECURE:
 raise RuntimeError("Secure session cookies are mandatory in production")
@@ -33,6 +34,7 @@ def _set_session_cookie(response: Response, session_id: str):
 max_age=SESSION_TTL_SECONDS,
 secure=COOKIE_SECURE,
 path="/",
+ domain=COOKIE_DOMAIN,
 )
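Review bot: `COOKIE_DOMAIN` is taken from the environment with no validation, comment or startup log, although it now decides which hosts receive the session cookie. With the value given in the commit message (`.quantfortune.com`), every current and future subdomain is sent the session id and can set a cookie of the same name, so the session is only as safe as the weakest host under that domain. A host-only cookie did not carry that exposure. I would document the trade-off on the new line, for example `# Widens the session cookie to every host under this domain; leave unset for a host-only cookie`. I would also log the effective value once at startup so a mistyped or overly broad domain is visible in deployment logs.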
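Review bot: Clearing the session cookie has to pass the same `domain` as the `set_cookie` call in `_set_session_cookie`, and the diffstat shows only the two added lines. Any logout or session-invalidate path in auth.py (not visible in this hunk, so this is inferred) would therefore still target a host-only cookie and leave the domain-scoped one in the browser. A browser removes a cookie only when name, path and domain all match, so the clearing call should read `response.delete_cookie(<session cookie name>, path="/", domain=COOKIE_DOMAIN)`. Clients that already hold the old host-only cookie will send both cookies to api.quantfortune.com until the old one expires, so expiring it once during rollout avoids ambiguity over which session id the server reads. The `set_cookie` call begins above the hunk, so its other attributes could not be reviewed here.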