From ffc285358c051077d06acb6a6b3917efb2234245 Mon Sep 17 00:00:00 2001
From: "XPS\\Micro"
Date: Thu, 19 Mar 2026 13:46:25 +0100
Subject: [PATCH] fix: Set JWT cookie domain for all subpaths and subdomains

The spawner_token cookie must be available for all user containers running under subpaths (e.g., /e220dd278a12-template-dictionary/). Added domain parameter to set_cookie() to make the JWT available for all subdomains of BASE_DOMAIN. This fixes the 401 'no token' error when accessing container APIs.

Co-Authored-By: Claude Haiku 4.5
---
 api.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/api.py b/api.py
index f27df49..83744d7 100644
--- a/api.py
+++ b/api.py
@@ -38,6 +38,7 @@ def create_auth_response(access_token, user_data, expires_in):
 # HttpOnly verhindert JavaScript-Zugriff
 # Secure: nur über HTTPS
 # SameSite: CSRF-Schutz
+ # Domain: Verfügbar für alle Subpfade und Subdomains
 response.set_cookie(
 'spawner_token',
 access_token,
@@ -45,7 +46,8 @@ def create_auth_response(access_token, user_data, expires_in):
 httponly=True,
 secure=True, # Nur über HTTPS
 samesite='Lax', # CSRF-Schutz
- path='/' # Für alle Pfade verfügbar
+ path='/', # Für alle Pfade verfügbar
+ domain=f".{Config.BASE_DOMAIN}" # Für alle Subpfade und Subdomains
 )
 return response
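Review bot: The `domain=f".{Config.BASE_DOMAIN}"` argument added in the second hunk widens `spawner_token` from a host-only cookie to one sent to every subdomain of BASE_DOMAIN, which is broader than the stated use case requires: containers served under subpaths of the same host already get the cookie through `path='/'`, because the Domain attribute does not affect path matching. Once Domain is set, every host under BASE_DOMAIN receives the JWT on each request, including any that serve user-controlled container content, and HttpOnly does nothing about that server-side exposure. If the containers are actually reached on subdomains, make the scope an explicit setting rather than always on, e.g. `domain=Config.COOKIE_DOMAIN or None` (placeholder name for a new option), and reword the comment added in the first hunk to `# Domain: also sent to subdomains; subpaths are already covered by path='/'`. Whatever code deletes this cookie on logout is outside the hunk and would presumably need the same domain value, otherwise the browser keeps the domain-scoped cookie. create_auth_response starts before the first hunk, so the rest of its body is not reviewed here.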