Enabled cross-subdomain console sessions by making the cookie domain configurable and aligning the frontend so it reads the shared CSRF cookie. (#27190)

2025-10-28 10:04:24 +08:00
parent 543c5236e7
commit ff32dff163
10 changed files with 94 additions and 13 deletions
--- a/web/.env.example
+++ b/web/.env.example
@@ -34,6 +34,9 @@ NEXT_PUBLIC_CSP_WHITELIST=
 # Default is not allow to embed into iframe to prevent Clickjacking: https://owasp.org/www-community/attacks/Clickjacking
 NEXT_PUBLIC_ALLOW_EMBED=

+# Shared cookie domain when console UI and API use different subdomains (e.g. example.com)
+NEXT_PUBLIC_COOKIE_DOMAIN=
+
 # Allow rendering unsafe URLs which have "data:" scheme.
 NEXT_PUBLIC_ALLOW_UNSAFE_DATA_SCHEME=false

--- a/web/config/index.ts
+++ b/web/config/index.ts
@@ -144,7 +144,9 @@ export const getMaxToken = (modelId: string) => {

 export const LOCALE_COOKIE_NAME = 'locale'

+const COOKIE_DOMAIN = (process.env.NEXT_PUBLIC_COOKIE_DOMAIN || '').trim()
 export const CSRF_COOKIE_NAME = () => {
+  if (COOKIE_DOMAIN) return 'csrf_token'
  const isSecure = API_PREFIX.startsWith('https://')
  return isSecure ? '__Host-csrf_token' : 'csrf_token'
 }