test setup

tests/shared/website/WebsiteAuthManager.ts

@@ -32,13 +32,17 @@ export class WebsiteAuthManager {
     if (request) {
       const token = await WebsiteAuthManager.loginViaApi(request, apiBaseUrl, role);
 
-      // Critical: the website (localhost:3000) must receive `gp_session` so middleware can forward it.
-      // Playwright cookie format - either url OR domain+path
+      // Critical: the website must receive `gp_session` so middleware can forward it.
+      // Playwright runs in its own container and accesses website via PLAYWRIGHT_BASE_URL
+      // The cookie domain must match the hostname in the URL that Playwright uses
+      const url = new URL(baseURL);
+      const domain = url.hostname; // "website" in Docker, "localhost" locally
+      
       await context.addCookies([
         {
           name: 'gp_session',
           value: token,
-          domain: 'localhost',
+          domain: domain,
           path: '/',
           httpOnly: true,
           sameSite: 'Lax',
@@ -66,6 +70,8 @@ export class WebsiteAuthManager {
   ): Promise<string> {
     const credentials = WebsiteAuthManager.getCredentials(role);
 
+    // In Docker, the API is at http://api:3000, but the website needs to receive cookies
+    // that will be forwarded to the API. The cookie domain should match the website.
     const res = await request.post(`${apiBaseUrl}/auth/login`, {
       data: {
         email: credentials.email,