nhost / hasura-auth

Authentication for Hasura.
https://nhost.io
MIT License

implement authentication across all subdomains #456

Closed xmlking closed 9 months ago

xmlking commented 9 months ago

Is it possible to implement authentication across all subdomains like this?

https://kanakkholwal.medium.com/how-to-implement-authentication-across-all-subdomains-using-next-auth-in-next-js-2ad8393c268d

dbarrosop commented 9 months ago

Please, would you mind summarizing your objective?

xmlking commented 9 months ago

Use case:

In some cases, companies want to host related web apps on multiple subdomains, e.g.:

- example.com <-- marketing site
- docs.example.com <-- docs site
- console.example.com <-- dashboard site
- billing.example.com <-- billing site

It makes sense that if an end user logs in to console.example.com, they should be able to seamlessly log in to the other sister sites under the same domain name, i.e., *.example.com.

Options

To accomplish this, we should be able to set session cookie at domain level.

I was using something like this with AuthJS to set up a cross-subdomain session cookie:

```js
// `envPub`, `cookieName` and `useSecureCookie` are defined elsewhere in the app.
// Strip the first label of the hostname: console.example.com -> example.com
export const domain = new URL(envPub.PUBLIC_BASE_URL).hostname.replace(/^[^.]+\./, '');

export const cookies = {
    sessionToken: {
        name: cookieName,
        options: {
            httpOnly: true,
            sameSite: 'lax',
            path: '/',
            // the leading dot scopes the cookie to every *.example.com subdomain
            domain: domain === 'localhost' ? domain : '.' + domain,
            secure: useSecureCookie // process.env.NODE_ENV === 'production'
        }
    }
};
```

I am planning to switch to hasura-auth and wonder how to do the same with hasura-auth.

dbarrosop commented 9 months ago

Closing as this is already supported.

In hasura-auth you will need to configure the client URL and allowed URLs (settings -> authentication). On the client side, use `redirectTo` based on the domain you are on during sign-up/sign-in operations. This assumes each subdomain has its own login page. Otherwise, if you have a single "login" domain, you don't need this (well, you will still need the client URL).

> To accomplish this, we should be able to set session cookie at domain level.

Assuming you are using our SDKs, you can handle the cookie behavior yourself by overriding the ClientStorage.

If you have doubts or questions, I'd suggest you open a GitHub discussion or reach out to us on Discord.
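One way to do what this comment describes, as an added example that is not hasura-auth's or Nhost's own code: a ClientStorage-style adapter that keeps the SDK's stored value in a cookie scoped to the parent domain. It assumes the SDK accepts a custom storage object with `getItem`/`setItem`/`removeItem` (verify the option names against the SDK docs), and unlike the regex in the question it leaves an apex domain or `localhost` unstripped so the cookie is never scoped to a bare TLD.

```javascript
// Added example, not part of hasura-auth or the Nhost SDK. Assumed: the SDK
// takes a custom storage object (getItem/setItem/removeItem) via its
// `clientStorage` option; verify the option names against the SDK docs.

// console.example.com -> example.com; an apex domain or localhost is returned
// unchanged so the cookie is never scoped to a bare TLD like ".com".
function parentDomain(hostname) {
  const parts = hostname.split('.');
  return parts.length <= 2 ? hostname : parts.slice(1).join('.');
}

// Build the document.cookie string. HttpOnly cannot be set from JavaScript,
// so scripts on every *.<domain> host can read this value: keep the scope minimal.
function buildCookie(name, value, { domain, secure, maxAge = 30 * 24 * 3600 }) {
  const attrs = [
    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
    'Path=/', 'SameSite=Lax', `Max-Age=${maxAge}`,
  ];
  if (domain !== 'localhost') attrs.push(`Domain=.${domain}`);
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Parse "a=1; b=2" into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[decodeURIComponent(part.slice(0, i).trim())] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// In-memory stand-in for document.cookie so the adapter also runs outside a browser.
function memoryJar() {
  const cookies = new Map();
  return {
    read: () => [...cookies].map(([k, v]) => `${k}=${v}`).join('; '),
    write: (setCookie) => {
      const [pair, ...attrs] = setCookie.split('; ');
      const [name, value] = pair.split('=');
      attrs.includes('Max-Age=0') ? cookies.delete(name) : cookies.set(name, value);
    },
  };
}

// Storage adapter; in a browser pass jar = { read: () => document.cookie, write: (s) => { document.cookie = s; } }.
function createCookieStorage({ hostname, secure = true, jar = memoryJar() }) {
  const domain = parentDomain(hostname);
  return {
    getItem: (key) => parseCookies(jar.read())[key] ?? null,
    setItem: (key, value) => jar.write(buildCookie(key, value, { domain, secure })),
    removeItem: (key) => jar.write(buildCookie(key, '', { domain, secure, maxAge: 0 })),
  };
}
```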