Setting cookie domain for multi-product (multi-domain) app

[kohenkatz]

I have a single Laravel application that serves API endpoints for multiple products. Each product also has a frontend SPA (using Vue) that users access. For example:

Product Name	Frontend Domain	Laravel API Domain
Foo	app.fooproduct.com	api.fooproduct.com
Bar	app.barproduct.com	api.barproduct.com
Baz	app.bazproduct.com	api.bazproduct.com

Basically the only difference between the products is the skin of the application.

I use Sanctum for authentication. This works fine for GET requests, because the browser properly stores the session cookie for the correct api.[PRODUCT].com domain.

The problem is that POST requests require access to the XSRF-TOKEN cookie. Because the Vue app is on a different subdomain, it cannot read the cookie from the Laravel subdomain.

If I configure Laravel's SESSION_DOMAIN environment variable to .fooproduct.com, that allows the application to work for the Foo product, but not for the Bar and Baz products.

I wrote a middleware that checks if the current domain is recognized as a product and overrides the cookie domain, but I think it is fragile, and it will prevent using Octane in the future because it modifies the CookieJar singleton.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Contracts\Config\Repository;
use Illuminate\Cookie\CookieJar;
use Illuminate\Support\Arr;
use Illuminate\Support\Str;

class ChooseProduct
{
    protected $config;
    protected $cookie;

    public function __construct(Repository $config, CookieJar $cookie)
    {
        $this->config = $config;
        $this->cookie = $cookie;
    }

    public function handle($request, Closure $next)
    {
        // Strips off the port, if present
        $requestDomain = strtok($request->server('HTTP_HOST'), ':');

        $theme = collect($this->config->get('products'))
            ->first(function ($theme) use ($requestDomain) {
                if (Str::endsWith($requestDomain, $theme['main_domain'])) {
                    return true;
                }
                if (Arr::has($theme, 'alt_domains') && Str::endsWith($requestDomain, $theme['alt_domains'])) {
                    return true;
                }

                return false;
            });

        if ($theme !== null) {
            $cookieConfig = $this->config->get('session');
            $this->cookie->setDefaultPathAndDomain($cookieConfig['path'], ".{$theme['main_domain']}", $cookieConfig['same_site']);
            $this->config->set('session.domain', ".{$theme['main_domain']}");
        }

        return $next($request);
    }
}

Other than setting up multiple copies of the Laravel app with different SESSION_DOMAIN values, is there a better/safer way to do what I'm trying to do?

---

Note: cross-posted to SO.