feat: Update session cookie domain handling using publicsuffix2 and psl libraries

frontend/package.json

@@ -44,6 +44,7 @@
 		"emoji-picker-element": "^1.26.0",
 		"gsap": "^3.12.7",
 		"marked": "^15.0.4",
+		"psl": "^1.15.0",
 		"qrcode": "^1.5.4",
 		"svelte-i18n": "^4.0.1",
 		"svelte-maplibre": "^0.9.8",

frontend/pnpm-lock.yaml

@@ -23,6 +23,9 @@ importers:
       marked:
         specifier: ^15.0.4
         version: 15.0.4
+      psl:
+        specifier: ^1.15.0
+        version: 1.15.0
       qrcode:
         specifier: ^1.5.4
         version: 1.5.4
@@ -1913,6 +1916,13 @@ packages:
   protocol-buffers-schema@3.6.0:
     resolution: {integrity: sha512-TdDRD+/QNdrCGCE7v8340QyuXd4kIWIgapsE2+n/SaGiSSbomYl4TjHlvIoCWRpE7wFt02EpB35VVA2ImcBVqw==}
 
+  psl@1.15.0:
+    resolution: {integrity: sha512-JZd3gMVBAVQkSs6HdNZo9Sdo0LNcQeMNP3CozBJb3JYC/QUYZTnKxP+f8oWRX4rHP5EurWxqAHTSwUCjlNKa1w==}
+
+  punycode@2.3.1:
+    resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
+    engines: {node: '>=6'}
+
   qrcode@1.5.4:
     resolution: {integrity: sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==}
     engines: {node: '>=10.13.0'}
@@ -4154,6 +4164,12 @@ snapshots:
 
   protocol-buffers-schema@3.6.0: {}
 
+  psl@1.15.0:
+    dependencies:
+      punycode: 2.3.1
+
+  punycode@2.3.1: {}
+
   qrcode@1.5.4:
     dependencies:
       dijkstrajs: 1.0.3

frontend/src/routes/login/+page.server.ts

@@ -1,5 +1,6 @@
 import { fail, redirect, type RequestEvent } from '@sveltejs/kit';
-
+// @ts-ignore
+import psl from 'psl';
 import type { Actions, PageServerLoad, RouteParams } from './$types';
 import { getRandomBackground, getRandomQuote } from '$lib';
 import { fetchCSRFToken } from '$lib/index.server';
@@ -105,7 +106,7 @@ export const actions: Actions = {
 	}
 };
 
-function handleSuccessfulLogin(event: RequestEvent, response: Response) {
+function handleSuccessfulLogin(event: RequestEvent<RouteParams, '/login'>, response: Response) {
 	const setCookieHeader = response.headers.get('Set-Cookie');
 	if (setCookieHeader) {
 		const sessionIdRegex = /sessionid=([^;]+).*?expires=([^;]+)/;
@@ -113,24 +114,22 @@ function handleSuccessfulLogin(event: RequestEvent, response: Response) {
 		if (match) {
 			const [, sessionId, expiryString] = match;
 
-			// Get the proper cookie domain
+			// Get the proper cookie domain using psl
 			const hostname = event.url.hostname;
-			const domainParts = hostname.split('.');
-			let cookieDomain: string | undefined = undefined;
+			let cookieDomain;
 
 			// Check if hostname is an IP address
 			const isIPAddress = /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
 
 			if (!isIPAddress) {
-				if (domainParts.length > 2) {
-					// For subdomains like app.mydomain.com -> .mydomain.com
-					cookieDomain = '.' + domainParts.slice(-2).join('.');
-				} else if (domainParts.length === 2) {
-					// For root domains like mydomain.com -> .mydomain.com
-					cookieDomain = '.' + hostname;
+				const parsed = psl.parse(hostname);
+
+				if (parsed && parsed.domain) {
+					// Use the parsed domain (e.g., mydomain.com)
+					cookieDomain = `.${parsed.domain}`;
 				}
 			}
-			// Do not set a domain for IP addresses or single-part hostnames
+			// Do not set a domain for IP addresses or invalid hostnames
 
 			console.log('Setting sessionid cookie with domain:', cookieDomain);