cookies not passing into callback for oauth

[avnav0]

i am setting up google oauth using svelte for frontend with mysite.com and cloudflare workers for backend endpoints with something like mysite-luciaprod.myaccount.workers.dev

same as usual:
onSubmit() --> /initiate --> /callback

however cookies don't pass from /initiate to /callback

and i suspect it has to do with the fact that when i print out the headers on the request to /callback it shows host being mysite-luciaprod.myaccount.workers.dev.

i'm guessing host is supposed to be mysite.com?

these are the cookies i use:

		COOKIES_TO_USE = {
            'httpOnly': true, // must be true in production
            'secure': true, // `true` for production
            'sameSite': 'Strict',
            'path': '/', // It specifies the URL path for which the cookie is valid (typically the callback endpoint)
            'maxAge': 60 * 60,
        };

and the headers i set:

HEADERS_TO_USE = {
            'Content-Type': 'application/json',
            "Access-Control-Allow-Origin": "https://mysite.com, https://mysite-luciaprod.myproject.workers.dev",
            "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",

            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';", // Content Security Policy (CSP): Helps prevent cross-site scripting (XSS) and other code injection attacks by specifying which sources of content are considered valid. This header dictates what types of content are allowed to be executed and loaded in the browser.
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload", // Strict Transport Security (HSTS): Ensures that the browser only communicates with the server over HTTPS, preventing downgrade attacks and improving overall security.
            "X-Frame-Options": "DENY", // X-Frame-Options: Prevents your web page from being loaded within a frame on another website, guarding against clickjacking attacks.
            "X-Content-Type-Options": "nosniff", // X-Content-Type-Options: Prevents browsers from interpreting files as a different MIME type than declared, which can help mitigate MIME-sniffing attacks.
            "Referrer-Policy": "strict-origin-when-cross-origin" // Referrer-Policy: Controls how much information about the referring URL is included in the Referer header when making requests from one page to another.
        };

anyone have advice? because it won't pass the callback validation if the url state doesn't match the google_oauth_state per lucia docs...but google_oauth_state never makes it to /callback

[pilcrowonpaper]

Are you hosting /initiate and /callback in 2 different origins?

[avnav0]

thanks for the help and sorry about the confusion - i was not aware that sameSite needs to be Lax in order for google to return cookies to the callback.

i also made the following change "Access-Control-Allow-Origin": "https://nidnad.com, https://accounts.google.com", and it works