make cookies cross-domain compatible

auth.py

@@ -59,6 +59,7 @@ def auth_required(func):
 				resp.set_cookie(
 					'userid',
 					user_id,
+					domain=config.server_domain,
 					max_age=30*24*60*60,
 					secure=True,
 					httponly=True)
@@ -66,6 +67,7 @@ def auth_required(func):
 				resp.set_cookie(
 					'session',
 					sid,
+					domain=config.server_domain,
 					max_age=30*24*60*60,
 					secure=True,
 					httponly=True)
@@ -95,6 +97,7 @@ async def register_begin(request):
 	}, exist_cred, user_verification='discouraged')
 
 	resp = web.Response(body=cbor.encode(registration_data))
+	# no need to set domain on cookie only used for registration
 	resp.set_cookie(
 		'state',
 		json.dumps(state),
@@ -139,13 +142,7 @@ async def register_complete(request):
 			user_id, nick, auth_data.credential_data)
 
 	resp = web.json_response({'ok': True})
-	resp.set_cookie(
-		'state',
-		'',
-		max_age=0,
-		secure=True,
-		httponly=True)
-		#samesite='strict')
+	resp.set_cookie('state', '', max_age=0)
 	return resp
 
 
@@ -206,24 +203,13 @@ async def authenticate_complete(request):
 	if not url:
 		url = request.app.router['index'].url_for()
 	resp = web.json_response({'ok': True, 'redirect': str(url)})
-	resp.set_cookie(
-		'state',
-		'',
-		max_age=0,
-		secure=True,
-		httponly=True)
-		#samesite='strict')
+	resp.set_cookie('state', '', max_age=0)
 
-	resp.set_cookie(
-		'redirect',
-		'',
-		max_age=0,
-		secure=True,
-		httponly=True)
-		#samesite='strict')
+	resp.set_cookie('redirect', '', domain=config.server_domain, max_age=0)
 	resp.set_cookie(
 		'userid',
 		user_id,
+		domain=config.server_domain,
 		max_age=30*24*60*60,
 		secure=True,
 		httponly=True)
@@ -240,6 +226,7 @@ async def authenticate_complete(request):
 	resp.set_cookie(
 		'session',
 		sid,
+		domain=config.server_domain,
 		max_age=30*24*60*60,
 		secure=True,
 		httponly=True)

buckler.py

@@ -112,6 +112,7 @@ async def login(request):
 		resp.set_cookie(
 			'userid',
 			user_info['id'],
+			domain=config.server_domain,
 			secure=True,
 			httponly=True)
 			#samesite='strict')
@@ -124,6 +125,7 @@ async def login(request):
 			resp.set_cookie(
 				'userid',
 				user_info['id'],
+				domain=config.server_domain,
 				secure=True,
 				httponly=True)
 				#samesite='strict')
@@ -133,10 +135,11 @@ async def login(request):
 		if not url:
 			url = request.app.router['index'].url_for()
 		resp = web.HTTPFound(location=url)
-		resp.set_cookie('redirect', '', max_age=0)
+		resp.set_cookie('redirect', '', domain=config.server_domain, max_age=0)
 		resp.set_cookie(
 			'userid',
 			user_info['id'],
+			domain=config.server_domain,
 			max_age=30*24*60*60,
 			secure=True,
 			httponly=True)
@@ -151,7 +154,9 @@ async def login(request):
 				sid,
 				ip_address)
 		resp.set_cookie(
-			'session',sid,
+			'session',
+			sid,
+			domain=config.server_domain,
 			max_age=30*24*60*60,
 			secure=True,
 			httponly=True)

buckler_aiohttp.py

@@ -24,8 +24,7 @@ async def buckler_session(request, handler):
 		'app_id': config.buckler['app_id'],
 		'app_key': config.buckler['app_key'],
 		'userid': user_id,
-		'session': user_sid
-	}
+		'session': user_sid }
 	async with aiohttp.ClientSession() as session:
 		async with session.get(url, params=params) as resp:
 			data = await resp.json()
@@ -34,6 +33,7 @@ async def buckler_session(request, handler):
 				resp.set_cookie(
 					'redirect',
 					request.url,
+					domain=config.server_domain,
 					secure=True,
 					httponly=True)
 					#samesite='strict')
@@ -55,6 +55,7 @@ async def buckler_session(request, handler):
 			resp.set_cookie(
 				'userid',
 				user_id,
+				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True)
@@ -62,6 +63,7 @@ async def buckler_session(request, handler):
 			resp.set_cookie(
 				'session',
 				user_sid,
+				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True)

buckler_flask.py

@@ -74,6 +74,7 @@ class BucklerSessionInterface(SessionInterface):
 			response.set_cookie(
 				'userid',
 				session.cookies['userid'],
+				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True,
@@ -81,6 +82,7 @@ class BucklerSessionInterface(SessionInterface):
 			response.set_cookie(
 				'session',
 				session.cookies['session'],
+				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True,
@@ -108,6 +110,7 @@ def require_auth():
 		resp.set_cookie(
 			'redirect',
 			request.url,
+			domain=config.server_domain,
 			secure=True,
 			httponly=True,
 			samesite='strict')

config.py.template

@@ -7,7 +7,7 @@ eg. https://example.com/buckler
 `db` specifies parameters for connecting to the PostgreSQL database.
 `email` specifies parameters for connecting to the SMTP server.
 """
-server_domain = 'https://steelbea.me'
+server_domain = 'steelbea.me'
 url_prefix = '/buckler'
 
 db = {