Resolved merge conflicts

public/lucidAuth.login.php

@@ -39,7 +39,8 @@
 				"Result"			=>	"Success",
 				"Location"			=>	$originalUri,
 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'],
-                "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], $_SERVER['HTTP_HOST']))
+                "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], [$_SERVER['HTTP_HOST']])),
+                "SecureToken"       =>  $result['token']
 			]);
 		} else {
 			switch ($result['reason']) {

public/lucidAuth.setXDomainCookie.php

@@ -18,14 +18,19 @@
         switch ($queryString['action']) {
             case 'login':
                 if (validateToken($queryString['token'])['status'] === "Success") {
-                    // This request appears valid; store a cookie
+                    // This request appears valid; try storing a cookie
                     $httpHost = $_SERVER['HTTP_HOST'];
+                    $httpOrigin = $_SERVER['HTTP_ORIGIN'];
+                    // Check if $_SERVER['HTTP_HOST'] and $_SERVER['HTTP_ORIGIN'] match any of the configured domains (either explicitly or as a subdomain)
+                    //   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
                     $cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) {
-                        // Check if $_SERVER['HTTP_HOST'] matches any of the configured domains (either explicitly or as a subdomain)
+                        return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
-                        //   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
-                    return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
                     }))[0];
-                    if ($cookieDomain && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
+                    $originDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpOrigin) {
+                        return (strlen($value) > strlen($httpOrigin)) ? false : (0 === substr_compare($httpOrigin, $value, -strlen($value)));
+                    }))[0];
+                    if (($cookieDomain && (is_null($httpOrigin) || $originDomain)) && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
+                        header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
                         header("HTTP/1.1 202 Accepted");
                         exit;
                     }

public/misc/script.iframe.js

@@ -0,0 +1,10 @@
+$(document).ready(function(){
+    $.post("lucidAuth.setXDomainCookie.php", {
+        do: "login",
+        ref: $('#ref').val()
+    })
+    .done(function(data,_status) {
+        if (data.Result === 'Success') {
+        }
+    });
+});

public/misc/script.index.js

@@ -32,27 +32,33 @@ $(document).ready(function(){
 					});
 					if (data.CrossDomainLogin) {
 console.log('CrossDomainLogin initiated');
-// For reference:
+// do ajax in parallel, show progress,
-//          [
+// redirect once all finished loading or timeout after $X ms
-//				"Result"			=>	"Success",
+// origin domain should be exempted from timeout
-//				"Location"			=>	$originalUri,
+//   (because origin domain can/will be different from current domain --due to traefik design).
-//				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'],
-//              "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], $_SERVER['HTTP_HOST']))
-//			]);
-
-                        var cookieDomains = json_decode(data.CookieDomains);
-                        console.log(data.CookieDomains);
-// let the client setup multiple iframes for all domains
-// psuedo-code: foreach (cookieDomains as domain) { $.get(domain, ref=[action,token])}
-
-    //   validate each request against JWT-tokens in database
-    //   load all iframes parallel, show user progress and redirect once all iframes have finished loading; or after treshold of X ms has been reached
-    //   origin domain should be exempted from the treshold (because origin domain can be different from current domain -due to traefik design).
 
+                        var cookieDomains = JSON.parse(data.CookieDomains);
+                        var XHR = [];
+                        cookieDomains.forEach(function(domain) {
+                            XHR.push($.get({
+                                url: "https://auth." + domain + "/lucidAuth.setXDomainCookie.php",
+                                crossDomain: true,
+                                data: {
+                                    ref: btoa(JSON.stringify({
+                                        action: 'login',
+                                        token: data.SecureToken
+                                    }))
+                                }
+                            }));
+                        });
+                        $.when.apply($, XHR).then(function(){
+                            $.each(arguments, function(_index, arg) {
+                                console.log(JSON.stringify(arg));
+                            });
+                        });
 					}
-
                     // Finished (either succesfully or through timeout) cross-domain logins
-					window.location.replace(data.Location);
+					//window.location.replace(data.Location);
 				}, 2250);
 			} else {
 				$('#btnlogin').css({