From dcb573ed8a92a68b638530377886a7c7316970db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20Rodrigues?=
Date: Sat, 20 Jun 2026 16:43:33 +0100
Subject: [PATCH] fix(auth): set cookie Domain to .homelab.local for subdomain coverage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without the leading dot, the auth_token cookie was only sent to the exact host homelab.local — not to finance.homelab.local, auth.homelab.local, etc. — so the forward-auth check failed on any subdomain after login.

Co-Authored-By: Claude Sonnet 4.6
---
 apps/auth/services/gateway/main/handler.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/auth/services/gateway/main/handler.go b/apps/auth/services/gateway/main/handler.go
index e5cf087..e6214bc 100644
--- a/apps/auth/services/gateway/main/handler.go
+++ b/apps/auth/services/gateway/main/handler.go
@@ -300,7 +300,7 @@ func (h *Handler) LoginAPI(w http.ResponseWriter, r *http.Request) {
 Name: "auth_token",
 Value: token,
 Path: "/",
- Domain: "homelab.local",
+ Domain: ".homelab.local",
 HttpOnly: true,
 SameSite: http.SameSiteLaxMode,
 })
@@ -343,7 +343,7 @@ func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
 Name: "auth_token",
 Value: token,
 Path: "/",
- Domain: "homelab.local",
+ Domain: ".homelab.local",
 HttpOnly: true,
 SameSite: http.SameSiteLaxMode,
 })
@@ -364,7 +364,7 @@ func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
 Name: "auth_token",
 Value: "",
 Path: "/",
- Domain: "homelab.local",
+ Domain: ".homelab.local",
 MaxAge: -1,
 HttpOnly: true,
 SameSite: http.SameSiteLaxMode,
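Review bot: The `auth_token` cookie in LoginAPI (and the matching literals in the Login and Logout hunks) is scoped to every host under homelab.local, yet no `Secure` attribute is visible among its fields, so a browser would also attach it to plain-HTTP requests to any subdomain; if the gateway is served over TLS, add `Secure: true,` next to `HttpOnly: true,` in all three places. The leading dot itself probably changes nothing on the wire: net/http drops a leading dot from `Cookie.Domain` when it writes Set-Cookie, and RFC 6265 clients ignore one anyway, so `Domain: "homelab.local"` already covered subdomains and the forward-auth failure likely has another cause; comparing the Set-Cookie header before and after this commit would confirm. Each cookie literal opens above its hunk, so fields set before `Name` are not visible here. Since Logout only clears the cookie when Name, Domain and Path match what login set, building all three literals from one helper would keep them from drifting apart.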