Cookie scope

Cinderblock's default deployment serves marketing and the authenticated app from two subdomains:

cinderblock.philiprehberger.com       # marketing + docs
app.cinderblock.philiprehberger.com   # authenticated app

Both hostnames resolve to the same Next.js process (run under PM2); the middleware reads the request's Host header (request.headers.host) and dispatches to the marketing or app surface accordingly. To share one session across both surfaces, the auth cookie is set with Domain=.cinderblock.philiprehberger.com, so the browser sends it to cinderblock.philiprehberger.com and to every host beneath it.

The trade-off

A cookie with Domain=.cinderblock.philiprehberger.com is sent to cinderblock.philiprehberger.com and to every host beneath it, and any of those hosts can also set or overwrite a cookie with that scope. Cinderblock controls both subdomains and hosts no arbitrary user content on either, so the blast radius is bounded to a script-injection bug on one of the two surfaces. But a fork that adds tenant-scoped subdomains (e.g. acme.app.cinderblock.philiprehberger.com) puts the session cookie within reach of every tenant host, and must EITHER:

  • Restrict tenant subdomains to first-party content only (no tenant-supplied scripts or HTML served from those hosts), OR
  • Split the cookie scope: leave the auth cookie host-only on app.cinderblock.philiprehberger.com (no Domain attribute, so it is never sent to the parent or to sibling hosts), and use a separate sign-in flow per host.

Configuration

The cookie domain reads from NEXT_PUBLIC_COOKIE_DOMAIN. Local dev leaves it unset, which makes the cookie host-only: the browser returns it only to the exact host that set it (localhost; the port is not part of cookie scope, so localhost:3000 and localhost:3001 share it). In production the value must cover the request host, otherwise the browser rejects the Set-Cookie and sign-in silently never sticks. Set it to:

NEXT_PUBLIC_COOKIE_DOMAIN=.cinderblock.philiprehberger.com

See /src/proxy.ts + /src/lib/supabase/server.ts for the wiring.
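The host dispatch and the cookie-domain decision above, as an added example. This is not Cinderblock's own code from /src/proxy.ts or /src/lib/supabase/server.ts; the function names, the APP_HOST/COOKIE_DOMAIN constants, the sample hosts and the cookie attributes (HttpOnly, Secure, SameSite=Lax) are assumptions made for illustration. It adds one check the text only implies: a configured Domain that does not cover the request host is turned into an exception instead of a Set-Cookie the browser drops silently.

```typescript
// Added example, not Cinderblock's own middleware: how a host-dispatching
// handler picks the surface for a request and which Domain attribute (if any)
// the session cookie gets. All names here are hypothetical.

type Surface = "marketing" | "app";

// Cookie scope is host-only and ignores the port (RFC 6265), so strip it
// before comparing: "localhost:3000" -> "localhost".
function hostnameOf(hostHeader: string): string {
  return hostHeader.split(":")[0].toLowerCase();
}

// Which surface serves this request. Anything that is not the app host is
// treated as marketing, mirroring a dispatch on the Host header.
function dispatchSurface(hostHeader: string, appHost: string): Surface {
  return hostnameOf(hostHeader) === hostnameOf(appHost) ? "app" : "marketing";
}

// Domain attribute for the session cookie, or undefined for a host-only cookie
// (the local-dev case, where NEXT_PUBLIC_COOKIE_DOMAIN is unset).
// A Domain that does not cover the request host is rejected by the browser and
// the Set-Cookie is dropped silently, so the mismatch becomes an exception here.
function cookieDomainFor(hostHeader: string, configured: string | undefined): string | undefined {
  if (!configured) return undefined;
  const host = hostnameOf(hostHeader);
  // Browsers ignore a leading dot in Domain; normalise so the comparison is exact.
  const domain = configured.replace(/^\./, "").toLowerCase();
  // Require a label boundary: "notcinderblock.philiprehberger.com" must not match.
  const covered = host === domain || host.endsWith("." + domain);
  if (!covered) {
    throw new Error(`cookie Domain=${domain} does not cover request host ${host}`);
  }
  return domain;
}

// Build the Set-Cookie header for the session. Secure assumes the production
// surfaces are served over HTTPS (an assumption, not stated on the page);
// HttpOnly keeps the value away from page scripts, which matters most for a
// parent-scoped cookie because every host under the parent could otherwise read it.
function sessionSetCookie(
  name: string,
  value: string,
  hostHeader: string,
  configuredDomain: string | undefined,
): string {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "HttpOnly", "Secure", "SameSite=Lax"];
  const domain = cookieDomainFor(hostHeader, configuredDomain);
  if (domain !== undefined) parts.push(`Domain=${domain}`);
  return parts.join("; ");
}

// Constructed requests: the two production surfaces and local dev.
const APP_HOST = "app.cinderblock.philiprehberger.com";
const COOKIE_DOMAIN = ".cinderblock.philiprehberger.com"; // NEXT_PUBLIC_COOKIE_DOMAIN in production

for (const host of ["cinderblock.philiprehberger.com", APP_HOST, "localhost:3000"]) {
  const configured = host.startsWith("localhost") ? undefined : COOKIE_DOMAIN;
  console.log(host, "->", dispatchSurface(host, APP_HOST), "|", sessionSetCookie("session", "opaque-token", host, configured));
}
```

The emitted Domain has the leading dot stripped; browsers treat Domain=.cinderblock.philiprehberger.com and Domain=cinderblock.philiprehberger.com identically. The "split the cookie scope" option from the trade-off section is the configuredDomain-undefined path: the cookie then carries no Domain attribute and is returned only to the host that set it.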