fix: Set JWT cookie domain for all subpaths and subdomains

The spawner_token cookie must be available for all user containers
running under subpaths (e.g., /e220dd278a12-template-dictionary/).

Added domain parameter to set_cookie() to make the JWT available
for all subdomains of BASE_DOMAIN.

This fixes the 401 'no token' error when accessing container APIs.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
XPS\Micro 2026-03-19 13:46:25 +01:00
parent 24afef32e4
commit ffc285358c

api.py

@ -38,6 +38,7 @@ def create_auth_response(access_token, user_data, expires_in):
# HttpOnly verhindert JavaScript-Zugriff
# Secure: nur über HTTPS
# SameSite: CSRF-Schutz
# Domain: Verfügbar für alle Subpfade und Subdomains
response.set_cookie(
'spawner_token',
access_token,
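Review bot: The added comment `# Domain: Verfügbar für alle Subpfade und Subdomains` attributes subpath coverage to the Domain attribute, but subpaths are governed by `path='/'`; Domain only widens the set of hosts that receive the cookie. Suggest rewording it to say the cookie is sent to BASE_DOMAIN and every subdomain of it, and that this is a deliberate widening of the token's scope, so the comment block keeps describing what each attribute really does.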
@ -45,7 +46,8 @@ def create_auth_response(access_token, user_data, expires_in):
httponly=True,
secure=True, # Nur über HTTPS
samesite='Lax', # CSRF-Schutz
path='/' # Für alle Pfade verfügbar
path='/', # Für alle Pfade verfügbar
domain=f".{Config.BASE_DOMAIN}" # Für alle Subpfade und Subdomains
)
return response
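Review bot: At `domain=f".{Config.BASE_DOMAIN}"` the JWT stops being a host-only cookie and is sent by the browser to every subdomain of BASE_DOMAIN. HttpOnly only blocks script access in the browser, so any service answering on a subdomain receives the token in its request headers. The commit message describes containers under subpaths, which the existing `path='/'` already covered on the same host, so please confirm that subdomain scope is actually needed for the 401, and if it is, consider issuing a separate, narrower token for the container APIs instead of sharing spawner_token. There is also no guard on Config.BASE_DOMAIN in this hunk: an empty value produces a Domain of "." and a value that includes a port will not match the request host, so validate it (or omit domain) before calling set_cookie(). The trailing comment on the new line also says "Subpfade", which is path scope, not domain scope.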