domain-wise cookie

Author: drankou

src/app/api/auth/oauth/callback/ory/route.ts

@@ -95,7 +95,11 @@ export async function GET(request: NextRequest) {
 
   const destination = flow.returnTo ?? PROTECTED_URLS.DASHBOARD
   const response = finalize(NextResponse.redirect(new URL(destination, origin)))
-  response.cookies.set(E2B_SESSION_COOKIE, sealed, orySessionCookieOptions())
+  response.cookies.set(
+    E2B_SESSION_COOKIE,
+    sealed,
+    orySessionCookieOptions(request.nextUrl.host)
+  )
   return response
 }
 

src/app/api/auth/sign-out/route.ts

@@ -2,7 +2,7 @@ import 'server-only'
 
 import { type NextRequest, NextResponse } from 'next/server'
 import { signOut } from '@/core/server/auth'
-import { E2B_SESSION_COOKIE } from '@/core/server/auth/ory/session-cookie'
+import { orySessionCookieDeleteOptions } from '@/core/server/auth/ory/session-cookie'
 
 // Sign-out is a plain route handler. It reads the id_token from e2b_session to
 // build Hydra's RP-logout URL, then clears the cookie on the redirect it emits
@@ -14,6 +14,6 @@ export async function GET(request: NextRequest) {
   const response = NextResponse.redirect(
     new URL(redirectTo, request.nextUrl.origin)
   )
-  response.cookies.delete(E2B_SESSION_COOKIE)
+  response.cookies.delete(orySessionCookieDeleteOptions(request.nextUrl.host))
   return response
 }

src/core/server/auth/ory/session-cookie.ts

@@ -29,6 +29,13 @@ export type OrySessionCookieOptions = {
   path: '/'
   secure: boolean
   maxAge: number
+  domain?: string
+}
+
+export type OrySessionCookieDeleteOptions = {
+  name: typeof E2B_SESSION_COOKIE
+  path: '/'
+  domain?: string
 }
 
 // Cache the derived key per secret value so rotating E2B_SESSION_SECRET (and
@@ -78,7 +85,9 @@ export async function openOrySession(
   }
 }
 
-export function orySessionCookieOptions(): OrySessionCookieOptions {
+export function orySessionCookieOptions(
+  host?: string | null
+): OrySessionCookieOptions {
   return {
     httpOnly: true,
     sameSite: 'lax',
@@ -87,7 +96,39 @@ export function orySessionCookieOptions(): OrySessionCookieOptions {
     // and serve over HTTPS; local `next dev` is plain-HTTP loopback.
     secure: process.env.NODE_ENV === 'production',
     maxAge: SESSION_COOKIE_MAX_AGE_SECONDS,
+    domain: resolveSessionCookieDomain(host),
+  }
+}
+
+// Deleting a domain-scoped cookie requires the same domain attribute, so the
+// clear paths must pass these options rather than the bare cookie name.
+export function orySessionCookieDeleteOptions(
+  host?: string | null
+): OrySessionCookieDeleteOptions {
+  return {
+    name: E2B_SESSION_COOKIE,
+    path: '/',
+    domain: resolveSessionCookieDomain(host),
+  }
+}
+
+// Scope the cookie to the parent domain (e.g. `.e2b-staging.dev`) so it is
+// shared across every subdomain of the deployment environment instead of being
+// pinned to the exact host. Hosts that don't belong to NEXT_PUBLIC_E2B_DOMAIN
+// (localhost, Vercel preview URLs) get a host-only cookie — a `.dev` domain
+// attribute there would be rejected by the browser.
+export function resolveSessionCookieDomain(
+  host: string | null | undefined
+): string | undefined {
+  const base = process.env.NEXT_PUBLIC_E2B_DOMAIN
+  if (!base || !host) return undefined
+
+  const hostname = host.split(':')[0] ?? host
+  if (hostname === base || hostname.endsWith(`.${base}`)) {
+    return `.${base}`
   }
+
+  return undefined
 }
 
 function parseTokens(

src/core/server/auth/ory/session.ts

@@ -1,7 +1,7 @@
 import 'server-only'
 
 import { getServerSession } from '@ory/nextjs/app'
-import { cookies } from 'next/headers'
+import { cookies, headers } from 'next/headers'
 import { cache } from 'react'
 import { PROTECTED_URLS } from '@/configs/urls'
 import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
@@ -24,7 +24,11 @@ import { isKratosSessionFresh } from './freshness'
 import { fromKratosSessionIdentity, fromOryIdentity } from './identity'
 import { revokeKratosSessionsForIdentity } from './kratos-session'
 import { revokeOryOAuthSessionsForSubject } from './oauth-session'
-import { E2B_SESSION_COOKIE, openOrySession } from './session-cookie'
+import {
+  E2B_SESSION_COOKIE,
+  openOrySession,
+  orySessionCookieDeleteOptions,
+} from './session-cookie'
 import { completeOrySignOut } from './signout-flow'
 
 const ACCOUNT_SETTINGS_REAUTH_RETURN_TO = `${PROTECTED_URLS.ACCOUNT_SETTINGS}?reauth=1`
@@ -141,8 +145,8 @@ const readOrySessionTokens = cache(async () => {
 
 async function clearOrySessionCookie(): Promise<void> {
   try {
-    const cookieStore = await cookies()
-    cookieStore.delete(E2B_SESSION_COOKIE)
+    const [cookieStore, headerStore] = await Promise.all([cookies(), headers()])
+    cookieStore.delete(orySessionCookieDeleteOptions(headerStore.get('host')))
   } catch (error) {
     l.warn(
       {

src/core/server/proxy/runtime.ts

@@ -11,6 +11,7 @@ import { isKratosSessionActive } from '@/core/server/auth/ory/kratos-session-edg
 import {
   E2B_SESSION_COOKIE,
   openOrySession,
+  orySessionCookieDeleteOptions,
   orySessionCookieOptions,
   sealOrySession,
 } from '@/core/server/auth/ory/session-cookie'
@@ -119,7 +120,7 @@ async function refreshSessionCookie(
           response.cookies.set(
             E2B_SESSION_COOKIE,
             sealed,
-            orySessionCookieOptions()
+            orySessionCookieOptions(request.nextUrl.host)
           )
         }
         return response
@@ -135,7 +136,9 @@ async function refreshSessionCookie(
       hasToken: false,
       persist: (response) => {
         if (response instanceof NextResponse) {
-          response.cookies.delete(E2B_SESSION_COOKIE)
+          response.cookies.delete(
+            orySessionCookieDeleteOptions(request.nextUrl.host)
+          )
         }
         return response
       },

tests/integration/auth-ory-account-security.test.ts

@@ -20,11 +20,20 @@ vi.mock('next/headers', () => ({
       get: vi.fn(() => ({ value: 'sealed-cookie' })),
       delete: cookieDeleteMock,
     }),
+  headers: () =>
+    Promise.resolve({
+      get: vi.fn(() => 'app.e2b.dev'),
+    }),
 }))
 
 vi.mock('@/core/server/auth/ory/session-cookie', () => ({
   E2B_SESSION_COOKIE: 'e2b_session',
   openOrySession: openOrySessionMock,
+  orySessionCookieDeleteOptions: (host: string | null | undefined) => ({
+    name: 'e2b_session',
+    path: '/',
+    domain: host ? `.${host}` : undefined,
+  }),
 }))
 
 vi.mock('@/core/server/auth/ory/client', () => ({
@@ -163,7 +172,11 @@ describe('Ory account security (Kratos session + e2b_session)', () => {
 
     expect(revokeOAuthSessionsMock).toHaveBeenCalledWith('kratos-uuid')
     expect(revokeKratosSessionsMock).toHaveBeenCalledWith('kratos-uuid')
-    expect(cookieDeleteMock).toHaveBeenCalledWith('e2b_session')
+    expect(cookieDeleteMock).toHaveBeenCalledWith({
+      name: 'e2b_session',
+      path: '/',
+      domain: '.app.e2b.dev',
+    })
   })
 
   it('signs out via Hydra RP-logout using the id_token hint', async () => {

tests/integration/auth-ory-entrypoints.test.ts

@@ -23,6 +23,7 @@ vi.mock('@/core/server/auth/ory/session-cookie', () => ({
   openOrySession: openOrySessionMock,
   sealOrySession: sealOrySessionMock,
   orySessionCookieOptions: () => ({ httpOnly: true, path: '/' }),
+  orySessionCookieDeleteOptions: () => ({ name: 'e2b_session', path: '/' }),
 }))
 
 vi.mock('@/core/server/auth/ory/token-refresh', () => ({

tests/unit/session-cookie.test.ts

@@ -2,7 +2,9 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import {
   type OrySessionTokens,
   openOrySession,
+  orySessionCookieDeleteOptions,
   orySessionCookieOptions,
+  resolveSessionCookieDomain,
   sealOrySession,
 } from '@/core/server/auth/ory/session-cookie'
 
@@ -79,3 +81,56 @@ describe('e2b_session cookie', () => {
     expect(orySessionCookieOptions().secure).toBe(false)
   })
 })
+
+describe('e2b_session cookie domain', () => {
+  beforeEach(() => {
+    vi.stubEnv('NEXT_PUBLIC_E2B_DOMAIN', 'e2b-staging.dev')
+  })
+
+  afterEach(() => {
+    vi.unstubAllEnvs()
+  })
+
+  it('scopes a subdomain host to the parent domain', () => {
+    expect(resolveSessionCookieDomain('dashboard.e2b-staging.dev')).toBe(
+      '.e2b-staging.dev'
+    )
+  })
+
+  it('scopes the apex host to the parent domain', () => {
+    expect(resolveSessionCookieDomain('e2b-staging.dev')).toBe(
+      '.e2b-staging.dev'
+    )
+  })
+
+  it('ignores the port when matching', () => {
+    expect(resolveSessionCookieDomain('e2b-staging.dev:3000')).toBe(
+      '.e2b-staging.dev'
+    )
+  })
+
+  it('returns no domain for unrelated hosts (localhost, previews)', () => {
+    expect(resolveSessionCookieDomain('localhost')).toBeUndefined()
+    expect(resolveSessionCookieDomain('preview.vercel.app')).toBeUndefined()
+    // A suffix that is not a domain boundary must not match.
+    expect(resolveSessionCookieDomain('evil-e2b-staging.dev')).toBeUndefined()
+  })
+
+  it('returns no domain when the env is unset', () => {
+    vi.stubEnv('NEXT_PUBLIC_E2B_DOMAIN', '')
+    expect(
+      resolveSessionCookieDomain('dashboard.e2b-staging.dev')
+    ).toBeUndefined()
+  })
+
+  it('flows the resolved domain into set and delete options', () => {
+    expect(orySessionCookieOptions('app.e2b-staging.dev').domain).toBe(
+      '.e2b-staging.dev'
+    )
+    expect(orySessionCookieDeleteOptions('app.e2b-staging.dev')).toEqual({
+      name: 'e2b_session',
+      path: '/',
+      domain: '.e2b-staging.dev',
+    })
+  })
+})