aiolabs/webapp
8
0
Fork 0
Code Issues 65 Pull requests Projects Releases Packages Wiki Activity Actions

Shared auth across standalone app modules #28

New issue
Open
opened 2026-04-27 15:20:27 +00:00 by padreug · 0 comments
padreug commented 2026-04-27 15:20:27 +00:00
Owner
Copy link

Problem

Each standalone app (Castle, Sortir/Eventos) requires a separate login because they're on different subdomains with isolated localStorage. Users must authenticate on each app independently.

Moved from aiolabs/atio-home#1.

Current workaround

Standalone apps accept ?token=<access_token> in the URL. The main app can link to sortir.ariege.io?token=xxx to relay the session. Not production-grade (token in browser history/logs).

Approaches considered

1. Route-based modules (near-term, recommended)

Serve standalone apps as routes under the main app domain instead of separate subdomains:

  • app.ariege.io/sortir instead of sortir.ariege.io
  • app.ariege.io/castle instead of castle.ariege.io
  • app.ariege.io/eventos instead of eventos.atitlan.io

Pros: Same origin = same localStorage = shared auth. No backend changes. No CORS issues.
Cons: Need to ensure standalone app routes don't conflict with main app routes. PWA manifest/service worker scope needs configuration per path prefix. Build pipeline needs to output to subdirectories.

2. Cookie-based auth (Domain=.ariege.io)

LNbits sets HttpOnly cookie with Domain=.ariege.io on login. All subdomains share the session automatically.

Pros: Clean, standard web pattern. Works with existing subdomain setup.
Cons: Requires LNbits backend changes. CORS configuration needed. Different domains per deployment (ariege.io vs atitlan.io vs aiolabs.dev).

3. Nostr-based auth (long-term)

Since every user has a Nostr keypair, standalone apps could authenticate via NIP-98 (signed HTTP auth) or a challenge-response flow. The private key is stored in the main app; standalone apps request signing via postMessage or a shared worker.

Pros: Aligns with Nostr-native goal. No cookies/tokens needed. Works across any domain.
Cons: No established PWA pattern for this yet. Key storage/sharing across origins is the hard part.

Recommendation

Start with approach 1 (route-based) for near-term. It's the simplest and doesn't require backend changes. The standalone apps already build to separate dist directories — just need nginx to serve them under path prefixes on the main app domain.

Related

  • aiolabs/atio-home#1 (original issue, to be closed)
  • aiolabs/webapp#26 (adopt standalone UI patterns in AIO app — related, as the AIO app itself may eventually absorb these modules)
## Problem Each standalone app (Castle, Sortir/Eventos) requires a separate login because they're on different subdomains with isolated localStorage. Users must authenticate on each app independently. Moved from aiolabs/atio-home#1. ## Current workaround Standalone apps accept `?token=<access_token>` in the URL. The main app can link to `sortir.ariege.io?token=xxx` to relay the session. Not production-grade (token in browser history/logs). ## Approaches considered ### 1. Route-based modules (near-term, recommended) Serve standalone apps as routes under the main app domain instead of separate subdomains: - `app.ariege.io/sortir` instead of `sortir.ariege.io` - `app.ariege.io/castle` instead of `castle.ariege.io` - `app.ariege.io/eventos` instead of `eventos.atitlan.io` **Pros:** Same origin = same localStorage = shared auth. No backend changes. No CORS issues. **Cons:** Need to ensure standalone app routes don't conflict with main app routes. PWA manifest/service worker scope needs configuration per path prefix. Build pipeline needs to output to subdirectories. ### 2. Cookie-based auth (`Domain=.ariege.io`) LNbits sets `HttpOnly` cookie with `Domain=.ariege.io` on login. All subdomains share the session automatically. **Pros:** Clean, standard web pattern. Works with existing subdomain setup. **Cons:** Requires LNbits backend changes. CORS configuration needed. Different domains per deployment (ariege.io vs atitlan.io vs aiolabs.dev). ### 3. Nostr-based auth (long-term) Since every user has a Nostr keypair, standalone apps could authenticate via NIP-98 (signed HTTP auth) or a challenge-response flow. The private key is stored in the main app; standalone apps request signing via postMessage or a shared worker. **Pros:** Aligns with Nostr-native goal. No cookies/tokens needed. Works across any domain. **Cons:** No established PWA pattern for this yet. Key storage/sharing across origins is the hard part. ## Recommendation Start with approach 1 (route-based) for near-term. It's the simplest and doesn't require backend changes. The standalone apps already build to separate dist directories — just need nginx to serve them under path prefixes on the main app domain. ## Related - aiolabs/atio-home#1 (original issue, to be closed) - aiolabs/webapp#26 (adopt standalone UI patterns in AIO app — related, as the AIO app itself may eventually absorb these modules)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dev
No results found.
Labels
Clear labels   
app:activities
Standalone Sortir activities app

  
app:chat
Standalone chat app

  
app:events

   
app:forum

   
app:libra

   
app:market
Standalone marketplace app

  
app:restaurant

   
app:tasks

   
app:wallet
Standalone wallet app

  
app:webapp
Main webapp (all modules)

  
bug
Something is not working

  
enhancement
New feature or improvement

No labels
app:activities
app:chat
app:events
app:forum
app:libra
app:market
app:restaurant
app:tasks
app:wallet
app:webapp
bug
enhancement
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
aiolabs/webapp#28
No description provided.