search for standard sites pub-search.waow.tech
search zig blog atproto

fix: host backend on api.pub-search.waow.tech (first-party cookies)

third-party cookies are dropped by Chrome/Safari on cross-eTLD+1 credentialed
fetches even with SameSite=None; Secure. move the backend hostname under the
same eTLD+1 as the frontend (waow.tech) — matches the plyr.fm / ken pattern.

- frontend (pub-search.waow.tech/subscriptions) and backend
(api.pub-search.waow.tech) share registrable domain waow.tech → same-site
for cookies
- cookie now SameSite=Lax (was None), which works for cross-subdomain
credentialed fetches within a single eTLD+1
- API_URL in site/subscriptions.html swapped to api.pub-search.waow.tech

next step: fly secrets OAUTH_CLIENT_ID + OAUTH_REDIRECT_URI already
staged to the new hostname; this deploy picks them up.

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
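
The same-site rule the commit message relies on, as an added example that is not part of the commit or the project's code. The suffix set is a constructed stand-in for the Public Suffix List, and `blocksThirdParty` is an assumed flag that models a browser dropping third-party cookies; all function names are hypothetical.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: a real
// implementation loads the full list instead of this four-entry set).
const SUFFIXES = new Set(['tech', 'dev', 'fly.dev', 'app']);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join('.'))) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// Schemeful same-site: same scheme and same registrable domain.
function isSameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const da = registrableDomain(ua.hostname);
  return da !== null && ua.protocol === ub.protocol &&
    da === registrableDomain(ub.hostname);
}

// Would a cookie set by apiUrl's host be attached to a credentialed fetch()
// from pageUrl to apiUrl? Top-level navigations are out of scope here.
function cookieSentOnFetch(cookie, pageUrl, apiUrl, blocksThirdParty) {
  if (cookie.secure && new URL(apiUrl).protocol !== 'https:') return false;
  if (isSameSite(pageUrl, apiUrl)) return true; // Lax, Strict and None all pass
  if (cookie.sameSite !== 'None' || !cookie.secure) return false;
  return !blocksThirdParty; // cross-site: only None+Secure, and only if allowed
}

// Hostnames from the commit, with the cookie attributes before and after it.
const PAGE = 'https://pub-search.waow.tech/subscriptions';
const OLD_API = 'https://leaflet-search-backend.fly.dev';
const NEW_API = 'https://api.pub-search.waow.tech';
const OLD_COOKIE = { sameSite: 'None', secure: true };
const NEW_COOKIE = { sameSite: 'Lax', secure: true };

function scenarios() {
  return {
    oldHostThirdPartyBlocked: cookieSentOnFetch(OLD_COOKIE, PAGE, OLD_API, true),
    oldHostThirdPartyAllowed: cookieSentOnFetch(OLD_COOKIE, PAGE, OLD_API, false),
    laxOnOldHost: cookieSentOnFetch(NEW_COOKIE, PAGE, OLD_API, false),
    laxOnNewHost: cookieSentOnFetch(NEW_COOKIE, PAGE, NEW_API, true),
  };
}
console.log(scenarios());
```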

+4 -4
+3 -3
backend/src/oauth.zig
··· 845 845 return; 846 846 }; 847 847 848 - // SameSite=None + Secure — the frontend is on a different origin than 848 + // SameSite=Lax + Secure — the frontend is on a different origin than 849 849 // the backend (pub-search.waow.tech vs leaflet-search-backend.fly.dev) 850 850 // so we need cross-site cookies. Secure is required alongside None. 851 851 var cookie_buf: [512]u8 = undefined; 852 852 const cookie = std.fmt.bufPrint( 853 853 &cookie_buf, 854 - "pubsearch_session={s}; HttpOnly; Secure; SameSite=None; Path=/; Max-Age=2592000", 854 + "pubsearch_session={s}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=2592000", 855 855 .{session_token}, 856 856 ) catch { 857 857 try sendError(request, .internal_server_error, "cookie error"); ··· 885 885 .status = .ok, 886 886 .extra_headers = &.{ 887 887 .{ .name = "content-type", .value = "application/json" }, 888 - .{ .name = "set-cookie", .value = "pubsearch_session=; HttpOnly; Secure; SameSite=None; Path=/; Max-Age=0" }, 888 + .{ .name = "set-cookie", .value = "pubsearch_session=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0" }, 889 889 }, 890 890 }); 891 891 }
+1 -1
site/subscriptions.html
··· 302 302 localStorage.getItem('pubsearch_api') || 303 303 ((location.hostname.endsWith('ngrok.app') || location.hostname.endsWith('ngrok-free.app')) 304 304 ? location.origin 305 - : 'https://leaflet-search-backend.fly.dev'); 305 + : 'https://api.pub-search.waow.tech'); 306 306 307 307 const themeToggle = document.getElementById('theme-toggle'); 308 308 themeToggle.onclick = () => {
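Review bot: the comment at new lines 848-850 of backend/src/oauth.zig was only half updated. It now opens with "SameSite=Lax + Secure" but still says the frontend is on a different origin (pub-search.waow.tech vs leaflet-search-backend.fly.dev), "so we need cross-site cookies", and "Secure is required alongside None". That contradicts the Lax value written on line 854 and names the hostname this commit moves away from. Suggest rewording it to say that the frontend and api.pub-search.waow.tech share the registrable domain waow.tech, so the fetch is same-site and Lax is sufficient.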
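Review bot: the clearing set-cookie on line 888 of backend/src/oauth.zig repeats by hand the attribute string used on line 854, with only the value and Max-Age differing. A browser replaces a stored cookie only when the name, Path and Domain match, so if one of the two strings is edited later without the other, logout stops clearing pubsearch_session. Suggest building both headers from one shared constant for the cookie name and attributes.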
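Review bot: in site/subscriptions.html the new default on line 305 is reached only when localStorage.getItem('pubsearch_api') on line 302 returns nothing. A browser that still holds a pubsearch_api value pointing at the old fly.dev host keeps fetching cross-site, where the SameSite=Lax cookie is not attached, and sign-in will appear broken for that user. Suggest ignoring a stored value equal to the old hostname, or documenting next to line 302 that the key is a developer override that has to be cleared.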