diff --git a/.gitignore b/.gitignore
index 016b59e..65b5ab2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@ pnpm-debug.log*
 
 # jetbrains setting folder
 .idea/
+/ai/
diff --git a/backend/fly.toml b/backend/fly.toml
index 07438fd..b8d919d 100644
--- a/backend/fly.toml
+++ b/backend/fly.toml
@@ -10,6 +10,10 @@ primary_region = "ams"
 GITEA_URL = "https://git.bookageek.ch"
 DATABASE_PATH = "/app/data/gallus_cms.db"
 GIT_WORKSPACE_DIR = "/app/data/workspace"
+ # Cross-site frontend and OAuth
+ FRONTEND_URL = "https://gallus-pub.ch"
+ CORS_ORIGIN = "https://gallus-pub.ch"
+ GITEA_REDIRECT_URI = "https://cms.gallus-pub.ch/api/auth/callback"
 
 [http_service]
 internal_port = 8080
diff --git a/backend/src/routes/auth.ts b/backend/src/routes/auth.ts
index 620681c..951d08e 100644
--- a/backend/src/routes/auth.ts
+++ b/backend/src/routes/auth.ts
@@ -122,11 +122,12 @@ const authRoute: FastifyPluginAsync = async (fastify) => {
 );
 
 // Also set token as HttpOnly cookie so subsequent API calls authenticate reliably
+ // Cross-site admin (gallus-pub.ch) -> backend (cms.gallus-pub.ch) requires SameSite=None & Secure in production
 reply.setCookie('token', token, {
 path: '/',
 httpOnly: true,
- sameSite: 'lax',
- secure: !!env.FRONTEND_URL && env.FRONTEND_URL.startsWith('https'),
+ sameSite: (env.NODE_ENV === 'production' ? 'none' : 'lax'),
+ secure: (env.NODE_ENV === 'production') || (!!env.FRONTEND_URL && env.FRONTEND_URL.startsWith('https')),
 maxAge: 60 * 60 * 24, // 24h
 });
 
diff --git a/src/pages/admin.astro b/src/pages/admin.astro
index fbceae0..8570387 100644
--- a/src/pages/admin.astro
+++ b/src/pages/admin.astro
@@ -36,7 +36,7 @@ const title = 'Admin';
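Review bot: The three new keys under the `# Cross-site frontend and OAuth` comment are not documented as coupled values: `FRONTEND_URL` and `CORS_ORIGIN` both name the admin UI origin and need to stay identical (auth.ts derives the cookie's `secure` flag from `FRONTEND_URL`, while `CORS_ORIGIN` presumably drives the origin allowed for credentialed requests), and `GITEA_REDIRECT_URI` has to match the redirect URI registered on the Gitea OAuth application exactly, or Gitea will presumably refuse the authorization request. A comment above the block, `# FRONTEND_URL and CORS_ORIGIN must be the origin the admin UI is served from; GITEA_REDIRECT_URI must equal the callback registered in the Gitea OAuth app`, would make the coupling explicit for the next deploy. The enclosing table header is outside the hunk.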
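Review bot: The switch to `sameSite: 'none'` on the new `sameSite:` line looks unnecessary and gives up the CSRF protection Lax provided: gallus-pub.ch and cms.gallus-pub.ch share the registrable domain gallus-pub.ch, so browsers treat requests between them as same-site (cross-origin is not cross-site for SameSite purposes), and a Lax cookie is already sent on credentialed fetches from the admin UI and on the top-level GET back from the OAuth callback. With None the `token` cookie rides along on POSTs issued from any third-party page, and nothing in this change adds an Origin check or CSRF token to compensate; CORS preflights do not cover form-encoded requests. Unless the admin UI is actually served from a different site than the comment says, I would keep `sameSite: 'lax'` and retain only the `secure` change, and if None is genuinely required pair it with a request-origin check (e.g. `@fastify/csrf-protection`, or rejecting state-changing requests whose `Origin` header is not `env.CORS_ORIGIN`). Minor: the parentheses around the ternary and around `(env.NODE_ENV === 'production')` are redundant, and hoisting `const isProd = env.NODE_ENV === 'production';` above the `setCookie` call would read cleaner. The enclosing route handler starts and ends outside the hunk.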