From d57b98fc789e0015c1f5005289acc08168a52b96 Mon Sep 17 00:00:00 2001
From: yushen <ldnvnbl@gmail.com>
Date: Tue, 31 Mar 2026 16:22:25 +0800
Subject: [PATCH] fix(api): add credentials include to fetch for cross-origin
 cookie storage

The API at multica-api.copilothub.ai sets CloudFront signed cookies
with Domain=.copilothub.ai, but fetch() defaults to credentials:
'same-origin'. Since the frontend (multica-app.copilothub.ai) and API
are cross-origin, the browser silently drops Set-Cookie headers without
credentials: 'include'.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 apps/web/shared/api/client.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/web/shared/api/client.ts b/apps/web/shared/api/client.ts
index 9b41a9bd..2419d7bc 100644
--- a/apps/web/shared/api/client.ts
+++ b/apps/web/shared/api/client.ts
@@ -107,6 +107,7 @@ export class ApiClient {
     const res = await fetch(`${this.baseUrl}${path}`, {
       ...init,
       headers,
+      credentials: "include",
     });
 
     if (!res.ok) {
@@ -527,6 +528,7 @@ export class ApiClient {
       method: "POST",
       headers: this.authHeaders(),
       body: formData,
+      credentials: "include",
     });
 
     if (!res.ok) {