
feat: Use dynamic cookie names for refresh tokens

This change introduces a mechanism to generate unique cookie names for
refresh tokens based on the `X-App-Origin` header. This allows different
frontends to have their own distinct refresh tokens, preventing
conflicts and improving security.
Denis 2 maanden geleden
1 gewijzigde bestanden met toevoegingen van 22 en 7 verwijderingen
  1. 22 7
      app/Http/Controllers/AuthController.php

+ 22 - 7
app/Http/Controllers/AuthController.php

@@ -7,6 +7,7 @@
 use Illuminate\Http\JsonResponse;
 use App\Http\Resources\AuthResource;
 use App\Services\AuthService;
+use Request;
 
 class AuthController extends Controller
 {
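Review bot: The new `use Request;` imports the global `Request` name, which in a stock Laravel application is the `Illuminate\Support\Facades\Request` alias rather than the HTTP request class, so the `logout(Request $request)` parameter this commit adds further down would be resolved by the container as a facade object on which `->header()` is not an instance method. Unless this application registers its own global `Request` alias (not visible here), the import should be `use Illuminate\Http\Request;`, which is also the type `getCookieName` should declare instead of `mixed`. A quick request against `/logout` would confirm which class is actually injected.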
@@ -25,12 +26,14 @@ public function login(AuthRequest $request): JsonResponse
             return $this->errorResponse(message: __("auth.failed"), code: 401);
         }
 
+        $cookieName = $this->getCookieName($request);
+
         return $this->successResponse(
             payload: new AuthResource($result["payload"]),
             message: __("auth.logged_in"),
         )->withCookie(
             cookie(
-                "refresh_token",
+                $cookieName,
                 $result["refreshToken"],
                 config("sanctum.rt_expiration") * 60,
                 "/",
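Review bot: Giving each frontend its own cookie name does not isolate the refresh tokens from one another, because the cookie is still issued for path `"/"` and whatever domain follows this hunk, so a browser that holds several of these cookies sends all of them on every request and any client can select which one the server reads simply by choosing the `X-App-Origin` value. The change prevents two frontends on the same origin from overwriting each other's cookie, which is worth stating plainly instead of "improving security"; a comment such as `// Per-frontend name avoids cookie clobbering; it is not an isolation boundary.` above the `cookie(` call would keep the next maintainer from relying on it. The `login` body continues past the end of this hunk, including the cookie's domain, secure and httpOnly arguments, so those could not be reviewed here.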
@@ -43,23 +46,26 @@ public function login(AuthRequest $request): JsonResponse
         );
     }
 
-    public function logout(): JsonResponse
+    public function logout(Request $request): JsonResponse
     {
         $this->authService->logout();
 
+        $cookieName = $this->getCookieName($request);
+
         return $this->successResponse(
             message: __("auth.logout"),
-        )->withoutCookie("refresh_token");
+        )->withoutCookie($cookieName);
     }
 
     public function refresh(RefreshTokenRequest $request): JsonResponse
     {
-        $refresh_token = $request->cookie("refresh_token");
+        $cookieName = $this->getCookieName($request);
+        $refresh_token = $request->cookie($cookieName);
 
         if (is_null($refresh_token)) {
             return $this->errorResponse(
                 code: 403,
-            )->withoutCookie("refresh_token");
+            )->withoutCookie($cookieName);
         }
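Review bot: `logout` now clears only the cookie named by the `X-App-Origin` header on that particular request, so a logout sent without the header (or with a different value) removes `default_refresh_token` and leaves the frontend's real refresh-token cookie in the browser until it expires. Whether that lingering cookie is still usable depends on `$this->authService->logout()` revoking the token server-side, which is not visible in this hunk; if it does not, the forget should not depend on a client-chosen name, for example by also clearing `"default_refresh_token"` or iterating the known app-origin names. The same header dependency applies to the two `withoutCookie($cookieName)` calls in `refresh`, whose body runs past the end of this hunk.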
 
         $result = $this->authService->refresh(
@@ -70,14 +76,14 @@ public function refresh(RefreshTokenRequest $request): JsonResponse
             return $this->errorResponse(
                 message: __("auth.unauthorized"),
                 code: 403,
-            )->withoutCookie("refresh_token");
+            )->withoutCookie($cookieName);
         }
 
         return $this->successResponse(
             payload: new AuthResource($result["payload"]),
         )->withCookie(
             cookie(
-                "refresh_token",
+                $cookieName,
                 $result["refreshToken"],
                 config("sanctum.rt_expiration") * 60,
                 "/",
@@ -89,4 +95,13 @@ public function refresh(RefreshTokenRequest $request): JsonResponse
             ),
         );
     }
+
+    /**
+     * Resolves the dynamic cookie name based on the requesting application.
+     */
+    private function getCookieName(mixed $request): string
+    {
+        $appOrigin = $request->header("X-App-Origin", "default");
+        return "{$appOrigin}_refresh_token";
+    }
 }
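Review bot: `getCookieName` turns an arbitrary client-supplied header into a cookie name with no validation, so a request with `X-App-Origin: foo=bar; path=/` or an empty value makes the response's `Cookie` constructor reject the name (Symfony refuses names containing `=,; \t\r\n\013\014` or empty names), which surfaces as a 500 on `login`, `logout` and `refresh` instead of a clean 4xx, and any client can also pick another frontend's name at will. At minimum constrain the value before interpolating it, e.g. `if (!is_string($appOrigin) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $appOrigin)) { $appOrigin = "default"; }`; an allowlist of the known frontend identifiers kept in config would be stronger and would also document which origins are expected. The parameter should be typed `Illuminate\Http\Request` rather than `mixed` so the `header()` call is checked statically, and the docblock should say the name is client-chosen, e.g. `Derives the refresh-token cookie name from the X-App-Origin header; the value is client-controlled and must be validated before use.`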