
fix: allow subdomain of acode.app #2179

Merged
deadlyjack merged 3 commits into main from ajit/fix-auth
Jun 10, 2026

Conversation

@deadlyjack

Member

No description provided.

@greptile-apps

greptile-apps Bot commented Jun 10, 2026

Contributor

Greptile Summary

This PR addresses two previously flagged issues with the cookie-based auth token flow in the Android WebView plugin: it switches to a domain-scoped cookie (Domain=.acode.app) so subdomains like dev.acode.app share the same token cookie, and it adds a one-time migration that clears the old host-scoped cookies left by the previous implementation.

  • Domain cookie adoption: setTokenCookie now sets Domain=.acode.app, and API_ORIGINS is trimmed to just https://acode.app since the domain attribute covers all subdomains automatically.
  • clearTokenCookie hardened: The deletion cookie-string now correctly carries Secure; HttpOnly; SameSite=None, fixing the prior issue where a mismatch could cause the old Chromium engine to silently ignore the Max-Age=0 eviction.
  • Migration path: A KEY_MIGRATED_V2 flag gates a one-time clearLegacyCookies() call that erases the old host-bound cookies for both acode.app and dev.acode.app on first run after upgrade.

Confidence Score: 5/5

This PR is safe to merge — the cookie migration and domain-scoped token logic are correct and directly address the two previously raised concerns.

The migration guard is properly gated by a persistent flag, runs before the new cookie is written, and clears host-bound legacy cookies with the correct matching attributes so Chromium's cookie store will accept the eviction. The new clearTokenCookie now carries the same Secure/HttpOnly/SameSite=None flags as the original set call, closing the silent-ignore risk. No new defects were introduced.

No files require special attention.

Important Files Changed

Filename: src/plugins/auth/src/android/Authenticator.java
Overview: Switches to domain-scoped cookie with .acode.app, hardens clearTokenCookie with matching security flags, and adds a guarded one-time migration to evict legacy host-scoped cookies; both previously flagged thread concerns are addressed.

Sequence Diagram

sequenceDiagram
    participant App as pluginInitialize
    participant Prefs as EncryptedPrefs
    participant CM as CookieManager

    App->>Prefs: getBoolean(KEY_MIGRATED_V2)
    alt Not yet migrated
        App->>CM: "clear host-bound token on acode.app (Max-Age=0)"
        App->>CM: "clear host-bound token on dev.acode.app (Max-Age=0)"
        App->>CM: flush
        App->>Prefs: setBoolean(KEY_MIGRATED_V2, true)
    end

    App->>Prefs: getString(KEY_TOKEN)
    alt Token exists
        App->>CM: "set Domain=.acode.app scoped token cookie"
        App->>CM: flush
        Note over CM: Cookie now covers all subdomains of acode.app
    end

    Note over App,CM: On logout
    App->>CM: "delete Domain=.acode.app token cookie (Max-Age=0, Secure)"
    App->>CM: flush

Reviews (3): Last reviewed commit: "fix: handle legacy auth"
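An added illustration of the cookie flow the summary above describes (set a Domain=.acode.app token cookie, delete it with matching attributes, and run a flag-gated one-time eviction of the old host-scoped cookies); this is example code written here, not the Authenticator.java from this PR, and the cookie name, preference key string, URLs and helper names are assumptions.

```java
import android.content.SharedPreferences;
import android.webkit.CookieManager;

/** Hypothetical helper; mirrors the flow in the PR summary, not the project's code. */
public final class TokenCookies {
    // Assumed values: the real constants are not on this page.
    static final String COOKIE_NAME = "token";
    static final String COOKIE_DOMAIN = ".acode.app";
    static final String SET_URL = "https://acode.app";
    static final String KEY_MIGRATED_V2 = "auth_cookie_migrated_v2";
    // Same attributes on the set and on the delete, so the WebView cookie store
    // treats the Max-Age=0 write as an eviction of the cookie it already holds
    // instead of silently dropping a mismatched (non-Secure) write.
    static final String ATTRS = "; Path=/; Secure; HttpOnly; SameSite=None";

    /** Domain-scoped cookie: sent to acode.app and every subdomain (e.g. dev.acode.app). */
    static String setCookieString(String token) {
        return COOKIE_NAME + "=" + token + "; Domain=" + COOKIE_DOMAIN + ATTRS;
    }

    /** Deletion carries the same Domain and security attributes as the set. */
    static String clearCookieString() {
        return COOKIE_NAME + "=; Domain=" + COOKIE_DOMAIN + "; Max-Age=0" + ATTRS;
    }

    /** No Domain attribute: matches the host-only cookies the old implementation wrote. */
    static String clearLegacyCookieString() {
        return COOKIE_NAME + "=; Max-Age=0" + ATTRS;
    }

    /** One-time migration, gated by a persistent flag; run before the new cookie is written. */
    static void clearLegacyCookiesOnce(SharedPreferences prefs, CookieManager cm) {
        if (prefs.getBoolean(KEY_MIGRATED_V2, false)) return;
        // Host-only cookies are keyed by the exact host, so each legacy host is cleared separately.
        cm.setCookie("https://acode.app", clearLegacyCookieString());
        cm.setCookie("https://dev.acode.app", clearLegacyCookieString());
        cm.flush();
        prefs.edit().putBoolean(KEY_MIGRATED_V2, true).apply();
    }

    static void setTokenCookie(CookieManager cm, String token) {
        cm.setCookie(SET_URL, setCookieString(token));
        cm.flush();
    }

    static void clearTokenCookie(CookieManager cm) {
        cm.setCookie(SET_URL, clearCookieString());
        cm.flush();
    }
}
```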

Comment thread src/plugins/auth/src/android/Authenticator.java Outdated
@deadlyjack

Member Author

@greptile_apps review again

Comment thread src/plugins/auth/src/android/Authenticator.java
@deadlyjack

Member Author

@greptile_apps review again

@deadlyjack deadlyjack merged commit c978401 into main Jun 10, 2026
10 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in The Code Board - Acode Jun 10, 2026
@deadlyjack deadlyjack deleted the ajit/fix-auth branch June 10, 2026 11:50