gitroomhq · Alexbeav · Dec 3, 2025 · Dec 3, 2025 · Copilot · Dec 3, 2025
diff --git a/apps/backend/src/services/auth/providers/oauth.provider.ts b/apps/backend/src/services/auth/providers/oauth.provider.ts
@@ -49,11 +49,13 @@ export class OauthProvider implements ProvidersInterface {
   }
 
   generateLink(): string {
+    const state = Math.random().toString(36).substring(2, 15);
     const params = new URLSearchParams({
       client_id: this.clientId,
       scope: 'openid profile email',
       response_type: 'code',
-      redirect_uri: `${this.frontendUrl}/settings`,
+      redirect_uri: `${this.frontendUrl}/auth?provider=GENERIC`,
+      state,
     });
 
     return `${this.authUrl}?${params.toString()}`;
@@ -71,7 +73,7 @@ export class OauthProvider implements ProvidersInterface {
         client_id: this.clientId,
         client_secret: this.clientSecret,
         code,
-        redirect_uri: `${this.frontendUrl}/settings`,
+        redirect_uri: `${this.frontendUrl}/auth?provider=GENERIC`,
       }),
     });
 

diff --git a/apps/frontend/src/components/auth/register.tsx b/apps/frontend/src/components/auth/register.tsx
@@ -5,7 +5,7 @@ import { useFetch } from '@gitroom/helpers/utils/custom.fetch';
 import Link from 'next/link';
 import { Button } from '@gitroom/react/form/button';
 import { Input } from '@gitroom/react/form/input';
-import { useCallback, useEffect, useMemo, useState } from 'react';
+import { useCallback, useEffect, useMemo, useState, useRef } from 'react';
 import { classValidatorResolver } from '@hookform/resolvers/class-validator';
 import { CreateOrgUserDto } from '@gitroom/nestjs-libraries/dtos/auth/create.org.user.dto';
 import { GithubProvider } from '@gitroom/frontend/components/auth/providers/github.provider';
@@ -39,28 +39,44 @@ type Inputs = {
 export function Register() {
   const getQuery = useSearchParams();
   const fetch = useFetch();
+  const router = useRouter();
   const [provider] = useState(getQuery?.get('provider')?.toUpperCase());
   const [code, setCode] = useState(getQuery?.get('code') || '');
   const [show, setShow] = useState(false);
+  // Prevent double-execution in React StrictMode
+  const loadingRef = useRef(false);
+
   useEffect(() => {
-    if (provider && code) {
+    if (provider && code && !loadingRef.current) {
+      loadingRef.current = true;
       load();
     }
   }, []);
-  }, []);
+  }, [load]);
-  }, []);
+  }, [load]);
+
   const load = useCallback(async () => {
-    const { token } = await (
+    const { token, login } = await (
       await fetch(`/auth/oauth/${provider?.toUpperCase() || 'LOCAL'}/exists`, {
         method: 'POST',
         body: JSON.stringify({
           code,
         }),
       })
     ).json();
+
+    // Handle existing user login - backend already set auth cookie
+    // Use window.location.href instead of router.push to do a full page reload
+    // This clears the OAuth code from the URL and ensures cookies are properly read
+    if (login) {
+      window.location.href = '/';
+      return;
+    }
+
     if (token) {
       setCode(token);
       setShow(true);
     }
-  }, [provider, code]);
+  }, [provider, code, router]);
-  }, [provider, code, router]);
+  }, [provider, code]);
-  }, [provider, code, router]);
+  }, [provider, code]);
+
   if (!code && !provider) {
     return <RegisterAfter token="" provider="LOCAL" />;
   }

diff --git a/libraries/helpers/src/subdomain/subdomain.management.ts b/libraries/helpers/src/subdomain/subdomain.management.ts
@@ -1,6 +1,32 @@
 import { parse } from 'tldts';
 
-export function getCookieUrlFromDomain(domain: string) {
+export function getCookieUrlFromDomain(domain: string): string | undefined {
   const url = parse(domain);
-  return url.domain! ? '.' + url.domain! : url.hostname!;
+
+  // If the domain is a public suffix (like synology.me, duckdns.org, ngrok.io, etc.),
+  // don't set an explicit cookie domain - let the browser use host-only cookies.
+  // This follows the same approach as Portainer and Sonarr/Radarr.
+  // Setting domain to .synology.me would be rejected by browsers as a "supercookie"
+  // because public suffixes are on the PSL (Public Suffix List).
+  //
+  // For postiz.alexbeav.synology.me:
+  //   - hostname = "postiz.alexbeav.synology.me"
+  //   - domain = "synology.me" (the registrable domain)
+  //   - publicSuffix = "me"
+  //   - isIcann = true (synology.me is on the ICANN section of PSL)
+  //
+  // Setting cookie domain to .synology.me would fail because browsers won't allow
+  // cookies that could affect all *.synology.me sites.
+  //
+  // By returning undefined, Express won't set a Domain attribute, and the browser
+  // will create a host-only cookie bound to the exact hostname.
+  if (url.isIcann && url.publicSuffix !== url.domain) {
+    // The domain's parent is on the public suffix list
-  if (url.isIcann && url.publicSuffix !== url.domain) {
-    // The domain's parent is on the public suffix list
+  if (url.isIcann && url.publicSuffix === url.domain) {
+    // The domain itself is on the public suffix list
-  if (url.isIcann && url.publicSuffix !== url.domain) {
-    // The domain's parent is on the public suffix list
+  if (url.isIcann && url.publicSuffix === url.domain) {
+    // The domain itself is on the public suffix list
+    // Return undefined to use host-only cookies (like Portainer does)
+    return undefined;
+  }
+
+  // For regular domains like postiz.example.com, return .example.com
+  // This allows cookie sharing across subdomains when using a private domain
+  return url.domain ? '.' + url.domain : undefined;
 }