fix(auth): refine cookie options for improved security and compatibility

- Updated cookie options to use the CookieOptions type from Express.
- Ensured the domain attribute is set correctly for cross-site cookies.
- Removed conditional domain setting to streamline cookie handling.

Author: tomast1337

apps/backend/src/auth/auth.service.ts

@@ -1,7 +1,7 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import axios from 'axios';
-import type { Request, Response } from 'express';
+import type { CookieOptions, Request, Response } from 'express';
 import ms from 'ms';
 
 import { CreateUser } from '@nbw/database';
@@ -190,7 +190,7 @@ export class AuthService {
 
   private async GenTokenRedirect(
     user_registered: UserDocument,
-    res: Response<any, Record<string, any>>,
+    res: Response<unknown, Record<string, unknown>>,
   ): Promise<void> {
     const token = await this.createJwtPayload({
       id: user_registered._id.toString(),
@@ -201,29 +201,13 @@ export class AuthService {
     const frontEndURL = this.FRONTEND_URL;
     const maxAge = ms(this.COOKIE_EXPIRES_IN) * 1000;
 
-    // Build cookie options with conditional domain
-    // Only include domain if it's set and not empty (avoids browser blocking invalid domains)
-    const cookieOptions: {
-      maxAge: number;
-      sameSite: 'none' | 'lax' | 'strict';
-      secure: boolean;
-      httpOnly: boolean;
-      path: string;
-      domain?: string;
-    } = {
+    const cookieOptions: CookieOptions = {
       maxAge: maxAge,
-      sameSite: 'none', // Required for cross-site cookies
-      secure: true, // Required when sameSite is 'none'
-      httpOnly: false, // Prevents JavaScript access (security best practice)
-      path: '/', // Make cookies available site-wide
+      domain: this.APP_DOMAIN,
+      sameSite: 'none',
+      path: '/',
     };
 
-    // Only set domain if APP_DOMAIN is provided and not empty
-    // This prevents browser from blocking cookies with invalid domain attributes
-    if (this.APP_DOMAIN && this.APP_DOMAIN.trim() !== '') {
-      cookieOptions.domain = this.APP_DOMAIN;
-    }
-
     res.cookie('token', token.access_token, cookieOptions);
     res.cookie('refresh_token', token.refresh_token, cookieOptions);