Fix navbar auth display and cross-domain login (#290)

bokelley · claude · web-flow · commit 9de5bfda574c · 2025-12-12T07:04:35.000-05:00
* Fix navbar auth display and cross-domain login issues - Add cache-control headers to /api/config to prevent browser caching of auth state, which was causing navbar to show login buttons after successful authentication - Redirect auth-requiring pages on adcontextprotocol.org to agenticadvertising.org since session cookies are domain-scoped to AAO - Make navbar identical across all sites with AAO branding and always show AdCP link - Redirect /auth/login on AdCP domain to AAO to ensure cookies persist across domains 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: add empty changeset for non-version-bump fix 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.changeset/good-ghosts-dream.md b/.changeset/good-ghosts-dream.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/server/public/nav.js b/server/public/nav.js
@@ -14,22 +14,14 @@
   // Determine if running locally
   const isLocal = window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1';
 
-  // adcontextprotocol.org is just a deep link to the AdCP page on AAO
-  // All sites show the full AAO nav with auth
-  const urlParams = new URLSearchParams(window.location.search);
-  const betaOverride = urlParams.get('beta');
-  const isBetaSite = betaOverride !== 'false';
-
-  // Determine base URLs based on site type and environment
+  // All sites use identical AAO-branded navigation
   // AAO content (members, insights, about) always lives on agenticadvertising.org
   // Docs always live on docs.adcontextprotocol.org
   const aaoBaseUrl = 'https://agenticadvertising.org';
-  const adcpBaseUrl = 'https://adcontextprotocol.org';
-  const homeBaseUrl = isBetaSite ? aaoBaseUrl : adcpBaseUrl;
   let docsUrl = 'https://docs.adcontextprotocol.org';
   let adagentsUrl = `${aaoBaseUrl}/adagents`;
   let membersUrl = `${aaoBaseUrl}/members`;
-  let homeUrl = homeBaseUrl;
+  let homeUrl = aaoBaseUrl;
   let apiBaseUrl = '';
 
   if (isLocal) {
@@ -127,10 +119,8 @@
     // AAO logo is white, needs invert on light background
     const logoNeedsInvert = true;
 
-    // Only show AdCP link on beta site (AAO) - on production (AdCP) the logo already goes to adcontextprotocol.org
-    const adcpLink = isBetaSite
-      ? '<a href="https://adcontextprotocol.org" class="navbar__link">AdCP</a>'
-      : '';
+    // AdCP link always shown
+    const adcpLink = '<a href="https://adcontextprotocol.org" class="navbar__link">AdCP</a>';
 
     return `
       <nav class="navbar">
diff --git a/server/src/http.ts b/server/src/http.ts
@@ -119,6 +119,13 @@ export class HTTPServer {
   }
 
 
+  // Helper to check if request is from adcontextprotocol.org (requires redirect to AAO for auth)
+  // Session cookies are scoped to agenticadvertising.org, so auth pages on AdCP must redirect
+  private isAdcpDomain(req: express.Request): boolean {
+    const hostname = req.hostname || '';
+    return hostname.includes('adcontextprotocol') && !hostname.includes('localhost');
+  }
+
   private setupRoutes(): void {
     // Authentication routes (only if configured)
     if (AUTH_ENABLED) {
@@ -129,9 +136,26 @@ export class HTTPServer {
     }
 
     // UI page routes (serve with environment variables injected)
-    this.app.get('/onboarding', (req, res) => res.redirect('/onboarding.html'));
-    this.app.get('/team', (req, res) => res.redirect('/team.html' + (req.url.includes('?') ? req.url.substring(req.url.indexOf('?')) : '')));
+    // Auth-requiring pages on adcontextprotocol.org redirect to agenticadvertising.org
+    // because session cookies are scoped to the AAO domain
+    this.app.get('/onboarding', (req, res) => {
+      if (this.isAdcpDomain(req)) {
+        return res.redirect(`https://agenticadvertising.org/onboarding`);
+      }
+      res.redirect('/onboarding.html');
+    });
+    this.app.get('/team', (req, res) => {
+      if (this.isAdcpDomain(req)) {
+        const queryString = req.url.includes('?') ? req.url.substring(req.url.indexOf('?')) : '';
+        return res.redirect(`https://agenticadvertising.org/team${queryString}`);
+      }
+      res.redirect('/team.html' + (req.url.includes('?') ? req.url.substring(req.url.indexOf('?')) : ''));
+    });
     this.app.get('/dashboard', async (req, res) => {
+      // Redirect to AAO for auth-requiring pages when on AdCP domain
+      if (this.isAdcpDomain(req)) {
+        return res.redirect('https://agenticadvertising.org/dashboard');
+      }
       try {
         const fs = await import('fs/promises');
         const dashboardPath = process.env.NODE_ENV === 'production'
@@ -157,6 +181,11 @@ export class HTTPServer {
 
     // Public config endpoint - returns feature flags and auth state for nav
     this.app.get("/api/config", optionalAuth, (req, res) => {
+      // Prevent caching - auth state changes on login/logout
+      res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+      res.setHeader('Pragma', 'no-cache');
+      res.setHeader('Expires', '0');
+
       // User is populated by optionalAuth middleware if authenticated
       let isAdmin = false;
       if (req.user) {
@@ -980,6 +1009,11 @@ export class HTTPServer {
 
     // Member Profile UI route - serve member-profile.html at /member-profile
     this.app.get("/member-profile", (req, res) => {
+      // Redirect to AAO for auth-requiring pages when on AdCP domain
+      if (this.isAdcpDomain(req)) {
+        const queryString = req.url.includes('?') ? req.url.substring(req.url.indexOf('?')) : '';
+        return res.redirect(`https://agenticadvertising.org/member-profile${queryString}`);
+      }
       const memberProfilePath = process.env.NODE_ENV === 'production'
         ? path.join(__dirname, "../server/public/member-profile.html")
         : path.join(__dirname, "../public/member-profile.html");
@@ -2455,8 +2489,23 @@ export class HTTPServer {
     const orgDb = new OrganizationDatabase();
 
     // GET /auth/login - Redirect to WorkOS for authentication
+    // On AdCP domain, redirect to AAO first to keep auth on a single domain
     this.app.get('/auth/login', authRateLimiter, (req, res) => {
       try {
+        // If on AdCP domain, redirect to AAO for login (keeps cookies on single domain)
+        if (this.isAdcpDomain(req)) {
+          const returnTo = req.query.return_to as string;
+          // Rewrite return_to to AAO domain if it's a relative URL
+          let aaoReturnTo = returnTo;
+          if (returnTo && returnTo.startsWith('/')) {
+            aaoReturnTo = `https://agenticadvertising.org${returnTo}`;
+          }
+          const redirectUrl = aaoReturnTo
+            ? `https://agenticadvertising.org/auth/login?return_to=${encodeURIComponent(aaoReturnTo)}`
+            : 'https://agenticadvertising.org/auth/login';
+          return res.redirect(redirectUrl);
+        }
+
         const returnTo = req.query.return_to as string;
         const state = returnTo ? JSON.stringify({ return_to: returnTo }) : undefined;
 
