fix: 添加 Cookie Domain 属性解决第三方 Cookie 拦截问题

ExquisiteCore · claude · ExquisiteCore · commit d032f4590c09 · 2026-02-05T17:35:20.000+08:00
浏览器（Chrome 等）默认阻止第三方 Cookie，导致跨子域的 refresh_token 无法存储。
通过设置 Domain=.exquisitecore.xyz，使 Cookie 成为同站 Cookie，
blog.exquisitecore.xyz 和 api.exquisitecore.xyz 可以共享。

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/backend/src/middleware/auth.rs b/backend/src/middleware/auth.rs
@@ -160,9 +160,9 @@ pub fn build_refresh_cookie(token: &str) -> String {
             token, max_age
         )
     } else {
-        // 生产环境：设置 Secure 和 SameSite=None（跨域需要）
+        // 生产环境：设置 Domain 使 Cookie 在主域下共享，避免被浏览器当作第三方 Cookie 拦截
         format!(
-            "refresh_token={}; HttpOnly; Secure; SameSite=None; Path=/api/auth; Max-Age={}",
+            "refresh_token={}; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age={}",
             token, max_age
         )
     }
@@ -176,7 +176,7 @@ pub fn build_clear_refresh_cookie() -> String {
     if is_dev {
         "refresh_token=; HttpOnly; SameSite=Lax; Path=/api/auth; Max-Age=0".to_string()
     } else {
-        "refresh_token=; HttpOnly; Secure; SameSite=None; Path=/api/auth; Max-Age=0".to_string()
+        "refresh_token=; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age=0".to_string()
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -160,9 +160,9 @@ pub fn build_refresh_cookie(token: &str) -> String {`
`160`	`160`	`token, max_age`
`161`	`161`	`)`
`162`	`162`	`} else {`
`163`		`- // 生产环境：设置 Secure 和 SameSite=None（跨域需要）`
	`163`	`+ // 生产环境：设置 Domain 使 Cookie 在主域下共享，避免被浏览器当作第三方 Cookie 拦截`
`164`	`164`	`format!(`
`165`		`- "refresh_token={}; HttpOnly; Secure; SameSite=None; Path=/api/auth; Max-Age={}",`
	`165`	`+ "refresh_token={}; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age={}",`
`166`	`166`	`token, max_age`
`167`	`167`	`)`
`168`	`168`	`}`
`@@ -176,7 +176,7 @@ pub fn build_clear_refresh_cookie() -> String {`
`176`	`176`	`if is_dev {`
`177`	`177`	`"refresh_token=; HttpOnly; SameSite=Lax; Path=/api/auth; Max-Age=0".to_string()`
`178`	`178`	`} else {`
`179`		`- "refresh_token=; HttpOnly; Secure; SameSite=None; Path=/api/auth; Max-Age=0".to_string()`
	`179`	`+ "refresh_token=; HttpOnly; Secure; SameSite=None; Domain=.exquisitecore.xyz; Path=/api/auth; Max-Age=0".to_string()`
`180`	`180`	`}`
`181`	`181`	`}`
`182`	`182`