
frontend-sdk: cookies set via SDK not valid for subdomains #699

Closed
2 tasks done
lfleischmann opened this issue Mar 27, 2023 · 3 comments · Fixed by #1251
Labels
enhancement New feature or request

Comments


lfleischmann commented Mar 27, 2023

Checklist

  • I could not find a solution in the existing issues or docs.
  • I agree to follow this project's Code of Conduct.

Description

Cookies set by the SDK (i.e. set in response to reading the X-Auth-Token header in case of frontend and Hanko API running on different domains) are not valid for subdomains. If my frontend runs on yourapp.com and I have another API running at api.yourapp.com then the cookie will only be valid for yourapp.com but not the api subdomain. This is because we do not set the domain attribute on creating the cookie:

_setAuthCookie(token: string) {
    const secure = !!this.api.match("^https://");
    Cookies.set(this.authCookieName, token, { secure }); // <- no domain set
}

From MDN:

The Domain attribute specifies which hosts can receive a cookie. If the server does not specify a Domain, the browser defaults the domain to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included.

I think it is a viable scenario that users run another service on such a subdomain and want to use the JWT for authentication with said service as well.

Describe your ideal solution

Set the domain when creating the cookie:

_setAuthCookie(token: string) {
    const secure = !!this.api.match("^https://");
    Cookies.set(this.authCookieName, token, { secure, domain: "<DOMAIN>" }); // <- domain set
}

How to get the domain at this point:

  1. Determine from current location (not sure how to do this in a reliable/robust manner) or
  2. Make it configurable and propagate via public configuration

Workarounds or alternatives

No response

Hanko Version

v0.5.0

Additional Context

No response
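As an added illustration (not code from the Hanko SDK or from this issue), the RFC 6265 domain-matching rule that the MDN quote summarises, modelled in JavaScript so the two cases from the issue can be checked: a cookie stored without a Domain attribute is host-only and never reaches api.yourapp.com, while a Domain attribute of yourapp.com covers every subdomain (and a Domain that does not match the setting host is rejected by the browser). The hostnames yourapp.com and api.yourapp.com are the ones from the issue; the cookie object shape is an assumption of this example.

```javascript
// Added example, not part of the Hanko SDK: models how browsers scope cookies
// by host, following RFC 6265 sections 5.1.3 and 5.3.

// "Domain matching" (RFC 6265 section 5.1.3): a request host matches a cookie
// domain when they are equal, or when the host ends with "." + domain.
// A leading "." on the Domain attribute is ignored, as browsers do.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Model of what the browser stores for Cookies.set(name, token, attrs) when
// the page at `settingHost` sets the cookie. Without a Domain attribute the
// cookie is "host-only" (RFC 6265 section 5.3 step 6) and belongs to the exact
// setting host. A Domain attribute that does not domain-match the setting host
// makes the browser ignore the cookie entirely, so a misconfigured value
// silently yields no cookie; this function returns null in that case.
function storeCookie(settingHost, domainAttr) {
  if (!domainAttr) {
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatches(settingHost, domainAttr)) {
    return null;
  }
  return { domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Would the stored cookie be attached to a request to `requestHost`?
// Host-only cookies go only to the exact host; others to every domain match.
function cookieSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// The two scenarios from the issue, as a single comparison helper.
function compareScenarios() {
  const withoutDomain = storeCookie("yourapp.com", undefined);
  const withDomain = storeCookie("yourapp.com", "yourapp.com");
  return {
    hostOnlyReachesApi: cookieSentTo(withoutDomain, "api.yourapp.com"),
    domainReachesApi: cookieSentTo(withDomain, "api.yourapp.com"),
    // A Domain attribute widens scope to every subdomain, not only api.
    domainReachesAnySub: cookieSentTo(withDomain, "staging.yourapp.com"),
    // but never to a lookalike host that merely ends with the same letters.
    domainReachesLookalike: cookieSentTo(withDomain, "evilyourapp.com"),
  };
}
```

The widened scope is the trade-off behind option 2 in the issue: once Domain is set, every host under it receives the JWT, so the configured value should be the narrowest domain that still includes the API subdomain.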

@lfleischmann lfleischmann added the enhancement New feature or request label Mar 27, 2023
@github-project-automation github-project-automation bot moved this to 🆕 New in Hanko Mar 28, 2023
@FlxMgdnz FlxMgdnz moved this from 🆕 New to 🔖 Ready in Hanko Mar 28, 2023
@github-actions

This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Jul 27, 2023
@github-actions

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-project-automation github-project-automation bot moved this from 🔖 Up next to ✅ Recently closed in Hanko Aug 10, 2023
@lfleischmann lfleischmann reopened this Aug 10, 2023

IgnisDa commented Sep 19, 2023

@lfleischmann Any updates on this?
