games: a news session that travels to the games box
preferred_username was being read from the ID token and thrown away after serving as a display-name fallback. It is the whole identity story: MAS imports it as the Matrix localpart, so it is also who the player is in the euro economy. Keep it in the session, and derive @user:server from it. The session cookie was host-only, so a sign-in on news never reached games. Widen it with an opt-in web.auth.cookie_domain — but only the session cookie: the OAuth round-trip cookie pairs with a redirect back to the host that started the login and stays where it was set. And because the redirect must return to that host, the redirect_uri is now derived per-request for hosts inside the cookie domain, with the configured URL as the fallback for anything else — a Host header we don't own is never echoed into a redirect.
This commit is contained in:
@@ -118,6 +118,12 @@ type AuthConfig struct {
|
||||
ClientSecret string `toml:"client_secret"`
|
||||
RedirectURL string `toml:"redirect_url"` // e.g. https://news.parodia.dev/auth/callback
|
||||
SessionSecret string `toml:"session_secret"` // HMAC key for signing the session cookie
|
||||
// CookieDomain widens the session cookie beyond the host that set it, so a
|
||||
// sign-in on news.parodia.dev is also a sign-in on games.parodia.dev. Set it
|
||||
// to ".parodia.dev" to share the session across every parodia.dev host —
|
||||
// which is every host, including the landing site, so it is opt-in rather
|
||||
// than the default. Empty keeps the cookie host-only.
|
||||
CookieDomain string `toml:"cookie_domain"`
|
||||
}
|
||||
|
||||
type MatrixConfig struct {
|
||||
|
||||
Reference in New Issue
Block a user