fix: restore authorization cookie domain to company wide domain (#10791)

opencollective · Nov 12, 2024 · 0ddb2e5 · 0ddb2e5
1 parent eaf1fa9
commit 0ddb2e5
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/lib/auth.ts b/lib/auth.ts
@@ -20,13 +20,12 @@ export function logout() {
 export function setRestAuthorizationCookie() {
   const accessToken = getFromLocalStorage(LOCAL_STORAGE_KEYS.ACCESS_TOKEN);
   if (typeof document !== 'undefined' && accessToken) {
-    const domain = new URL(process.env.REST_URL || 'https://rest.opencollective.com').hostname;
     document.cookie =
       env === 'development' || env === 'e2e'
-        ? `authorization="Bearer ${accessToken}";path=/;SameSite=strict;max-age=120`
+        ? `authorization="Bearer ${accessToken}";path=/;SameSite=strict;max-age=1200`
         : // It is not possible to use HttpOnly when setting from JavaScript.
           // I'm enforcing SameSite and Domain in production to prevent CSRF.
-          `authorization="Bearer ${accessToken}";path=/;SameSite=strict;max-age=120;domain=${domain};secure`;
+          `authorization="Bearer ${accessToken}";path=/;SameSite=strict;max-age=1200;domain=opencollective.com;secure`;
   }
 }