Enable CHIPS - partitioned auth cookie for 3rd party use

src/components/authentication/session.interceptor.ts

@@ -97,7 +97,7 @@ export class SessionInterceptor implements NestInterceptor {
   }
 
   private getTokenFromCookie(req: IRequest | undefined): string | null {
-    return req?.cookies?.[this.config.sessionCookie.name] || null;
+    return req?.cookies?.[this.config.sessionCookie(req).name] || null;
   }
 
   getImpersonateeFromContext(

src/components/authentication/session.resolver.ts

@@ -72,7 +72,9 @@ export class SessionResolver {
     const userFromSession = session.anonymous ? undefined : session.userId;
 
     if (browser) {
-      const { name, expires, ...options } = this.config.sessionCookie;
+      const { name, expires, ...options } = this.config.sessionCookie(
+        context.request!,
+      );
       if (!context.response) {
         throw new ServerException(
           'Cannot use cookie session without a response object',

src/core/config/config.service.ts

@@ -17,7 +17,7 @@ import { ProgressReportStatus } from '../../components/progress-report/dto/progr
 import type { TransitionName as ProgressReportTransitionName } from '../../components/progress-report/workflow/transitions';
 import { DefaultTimezoneWrapper } from '../email/templates/formatted-date-time';
 import { FrontendUrlWrapper } from '../email/templates/frontend-url';
-import type { CookieOptions, CorsOptions } from '../http';
+import type { CookieOptions, CorsOptions, IRequest } from '../http';
 import { LogLevel } from '../logger/logger.interface';
 import { EnvironmentService } from './environment.service';
 import { determineRootUser } from './root-user.config';
@@ -248,10 +248,9 @@ export const makeConfig = (env: EnvironmentService) =>
       } satisfies CorsOptions;
     })();
 
-    sessionCookie = ((): Merge<
-      CookieOptions,
-      { name: string; expires?: DurationLike }
-    > => {
+    sessionCookie = (
+      req: IRequest,
+    ): Merge<CookieOptions, { name: string; expires?: DurationLike }> => {
       const name = env.string('SESSION_COOKIE_NAME').optional('cordsession');
 
       let domain = env.string('SESSION_COOKIE_DOMAIN').optional();
@@ -261,6 +260,10 @@ export const makeConfig = (env: EnvironmentService) =>
         domain = '.' + domain;
       }
 
+      const userAgent = req.headers['user-agent'];
+      const isSafari =
+        userAgent && /^((?!chrome|android).)*safari/i.test(userAgent);
+
       return {
         name,
         domain,
@@ -270,14 +273,17 @@ export const makeConfig = (env: EnvironmentService) =>
         httpOnly: true,
         // All paths, not just the current one
         path: '/',
-        ...(!isDev && {
+        ...(!(isSafari && isDev) && {
           // Require HTTPS (required for SameSite)
           secure: true,
           // Allow 3rd party (other domains)
           sameSite: 'none',
+          // Don't share cookie value between top level domains.
+          // Required for 3rd party use.
+          partitioned: true,
         }),
       };
-    })();
+    };
 
     xray = {
       daemonAddress: this.jest