# @teres/auth-gateway

A minimal Node session service that shares an auth token via cookie or API.

## Run

```sh
pnpm -F @teres/auth-gateway dev
```

Default port: `7000`. Configure via env:

- `PORT=7000`
- `ALLOWED_ORIGINS=http://localhost:5173,http://localhost:6006`
- `COOKIE_NAME=sid`
- `COOKIE_DOMAIN=` (optional)
- `COOKIE_SECURE=false` (set `true` when serving over HTTPS)
- `COOKIE_SAMESITE=lax` (`lax|strict|none`)
- `EXPOSE_TOKEN=true` (set `false` to hide the token in the GET response)

## Endpoints

- `GET /health` → `{ ok: true }`
- `POST /auth/session` → set token; accepts JSON `{ token }` or `Authorization: Bearer `
- `GET /auth/session` → read session; returns `{ exists, updatedAt, token? }`
- `DELETE /auth/session` → clear session and cookie

## Frontend usage

After login in the host app:

```ts
await fetch("http://localhost:7000/auth/session", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ token }),
  credentials: "include",
});
```

In the iframe app (ragflow), to read the token (if `EXPOSE_TOKEN=true`):

```ts
const res = await fetch("http://localhost:7000/auth/session", {
  credentials: "include",
});
const data = await res.json();
const token = data.token; // may be undefined if EXPOSE_TOKEN=false
```

Alternatively, keep `EXPOSE_TOKEN=false` and use a backend that reads the cookie server-side, or pass the token via your `iframe-bridge`/Penpal channel.
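
The cookie and origin settings above interact once the service leaves localhost. The following is an added example, not part of the @teres/auth-gateway code: a TypeScript check that audits a set of the README's env values for combinations that break or weaken the cookie flow. The finding names, the rules, and the assumption that `ALLOWED_ORIGINS` is enforced as a credentialed CORS allow-list are illustrative.

```typescript
// Added example, not project code. Keys come from the README's env list;
// the rules and finding names are assumptions made for illustration.
type GatewayEnv = { [key: string]: string | undefined };

// Matches a bare origin (scheme://host[:port]) with no path, query or wildcard.
const ORIGIN_RE = /^(https?):\/\/([a-z0-9.-]+)(:\d+)?$/i;
const LOCAL_HOSTS = ["localhost", "127.0.0.1"];

function auditGatewayEnv(env: GatewayEnv): string[] {
  const findings: string[] = [];
  const sameSite = (env.COOKIE_SAMESITE || "lax").toLowerCase();
  const secure = env.COOKIE_SECURE === "true";
  const exposeToken = env.EXPOSE_TOKEN !== "false"; // README default is true
  const origins = (env.ALLOWED_ORIGINS || "")
    .split(",")
    .map((o) => o.trim())
    .filter((o) => o.length > 0);

  if (["lax", "strict", "none"].indexOf(sameSite) === -1) findings.push("SAMESITE_INVALID");
  // Browsers reject SameSite=None cookies that lack the Secure attribute,
  // so a cross-site iframe would silently never receive the session cookie.
  if (sameSite === "none" && !secure) findings.push("SAMESITE_NONE_WITHOUT_SECURE");

  let remoteOrigin = false;
  for (const origin of origins) {
    const m = ORIGIN_RE.exec(origin);
    // "*" and malformed entries fail here: fetch with credentials: "include"
    // is refused by browsers when the CORS response uses a wildcard origin.
    if (!m) { findings.push("ORIGIN_NOT_EXACT:" + origin); continue; }
    const local = LOCAL_HOSTS.indexOf(m[2].toLowerCase()) !== -1;
    if (!local) remoteOrigin = true;
    if (m[1].toLowerCase() === "http" && !local) findings.push("ORIGIN_PLAINTEXT:" + origin);
  }
  // Without Secure, the session cookie can travel over plain HTTP.
  if (remoteOrigin && !secure) findings.push("COOKIE_NOT_SECURE");
  // With EXPOSE_TOKEN on, script running on any allowed origin can read the
  // token from GET /auth/session, so XSS on one origin leaks it.
  if (exposeToken && origins.length > 0) findings.push("TOKEN_READABLE_BY_SCRIPT");
  return findings;
}

// Constructed sample: a production-style config with several mistakes.
const sampleFindings = auditGatewayEnv({
  ALLOWED_ORIGINS: "https://app.example.com, http://docs.example.com, *",
  COOKIE_SECURE: "false",
  COOKIE_SAMESITE: "none",
  EXPOSE_TOKEN: "false",
});
console.log(sampleFindings);
```

Run against the README's development defaults, the audit reports only `TOKEN_READABLE_BY_SCRIPT`, which is the trade-off the `EXPOSE_TOKEN=false` alternative avoids.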