games: a news session that travels to the games box
preferred_username was being read from the ID token and thrown away after serving as a display-name fallback. It is the whole identity story: MAS imports it as the Matrix localpart, so it is also who the player is in the euro economy. Keep it in the session, and derive @user:server from it. The session cookie was host-only, so a sign-in on news never reached games. Widen it with an opt-in web.auth.cookie_domain — but only the session cookie: the OAuth round-trip cookie pairs with a redirect back to the host that started the login and stays where it was set. And because the redirect must return to that host, the redirect_uri is now derived per-request for hosts inside the cookie domain, with the configured URL as the fallback for anything else — a Host header we don't own is never echoed into a redirect.
This commit is contained in:
@@ -58,6 +58,12 @@ client_secret = "${PETE_OIDC_CLIENT_SECRET}"
|
||||
redirect_url = "https://news.parodia.dev/auth/callback"
|
||||
# HMAC key that signs the session cookie. Generate with: openssl rand -hex 32
|
||||
session_secret = "${PETE_SESSION_SECRET}"
|
||||
# Share the session across sibling hosts, so signing in on news.parodia.dev also
|
||||
# signs you in on games.parodia.dev. This widens the cookie to every host under
|
||||
# the domain, so leave it empty to keep the session host-only. Each host that
|
||||
# starts a login also needs its own redirect URI registered in Authentik
|
||||
# (<host>/auth/callback) — the login round-trip returns to the host it began on.
|
||||
cookie_domain = ""
|
||||
|
||||
# Optional Web Push digests. When enabled, signed-in users can opt in (from the
|
||||
# feed-settings panel) to a periodic "N new stories" notification, delivered via
|
||||
|
||||
Reference in New Issue
Block a user