I have a Caddy server with a Sinatra app (app.domain.com) and a second app (example.app.domain.com), both behind reverse proxies under a single domain.
I want to authorize the user with Sinatra before they get access to the second app (example.app.domain.com). I'm using the forward_auth Caddy directive for this.
This is my Caddyfile:
app.domain.com {
    reverse_proxy localhost:4567
}

example.app.domain.com {
    forward_auth localhost:4567 {
        uri /forward_auth
    }
    reverse_proxy localhost:10000
}
From what I understand, Caddy forwards all headers to the forward_auth URL (app.domain.com/forward_auth), including the Cookie header, which contains rack.session.
I would expect Sinatra to pick up this cookie so that I have the session object available to use and can confirm authorization by comparing session data with the second app's Host URL (if the user has access to this tenant).
This is my Sinatra config:
require 'sinatra'
require 'securerandom'

enable :sessions
set :session_secret, ENV.fetch('SESSION_SECRET') { SecureRandom.hex(64) }
set :sessions, :domain => '.domain.com'

get '/forward_auth' do
  puts session.inspect
  puts request.cookies["rack.session"]
  # check if subdomain matches tenant (pseudocode)
  if session[:tenant_id] == request.host.split(".").first
    200
  else
    redirect "https://app.domain.com/login", 303
  end
end
It logs the session object, but without the data I added to the session when the user logged in, e.g. session[:tenant_id]. As you can see, the rack.session cookie is passed by Caddy.
{"session_id"=>"c93b908fc19b255ed596887e1d9652ce8f7fd40615202ce82ea96a1c57190037", "csrf"=>"zcD_ERexfoIBwM8AdhvctyTUM9QjT-ThKPDn9LQvhGQ=", "tracking"=>{"HTTP_USER_AGENT"=>"mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/114.0.0.0 safari/537.36"}}
/NCHAmGX/wOclP0Lfbl/ygXqi8uaxXf+OV9X3kY4uW4fFQ9ZLD/xOWoIi3+dxrq3d/n6r4hKs6Up6We2iQERtiakOMYVgJmCAOHJtVCN0d68RcsI3sYDbqLb+HK6JCEPlnc8fn1QAfDTserFhu4fa5RPLjhfOShZRTfeSo0Rommi2m0x5oZ1RIFfqVixZwLmy1jz4HMO4L2BGpb3h1D3tjvuAKfIYHgbVaO2sx/snzR8VkBnhlbteOTtyJopElYEMupW+Bulca/gWcVrkB/tZXHJMt5mHX2jCIEpWOXPHtObLSCPfVmvuGMl1BHSpfNkwBBqm4a8Q6wlVQtOSrho/bnvJzF6MllZr1gjHUg9IsuM6SJjL6xclldl/Banw+S2j2j2TgGdp7rEju2AKwTl02tGVsjvGVO5dA==--JbTLY/MyxPGdZzR3--0kkkD4OvOoVyjDsXC9Kcow==
I'm not sure what is missing here. Can I access session data directly? Should I parse the cookie string and decode it somehow? If yes, how would I do it? I couldn't find any clear info on how to decode with Rack::Session.
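The cookie value quoted above is an encrypted, authenticated blob, which is why it cannot be "parsed" without the session secret; the added example below (illustrative code, not rack-protection's, Sinatra's or the poster's implementation) seals and opens a session hash in the same three-part `data--iv--tag` layout with AES-256-GCM, and applies the tenant check the forward_auth route intends. The key derivation (first 32 bytes of the secret), JSON encoding and the `rack.session` auth-data binding are assumptions for the demo, not the library's actual scheme.

```ruby
# Added illustration, not rack-protection's or Sinatra's own code. Shows why a
# rack.session value in the  data--iv--tag  layout is unreadable and unforgeable
# without the shared session secret: the GCM tag check fails on a wrong secret or
# any modified byte. Key derivation, JSON coder and auth-data are assumptions.
require 'openssl'
require 'json'

CIPHER = 'aes-256-gcm'
DELIM  = '--'

def b64(s)
  [s].pack('m0')        # strict base64, no newlines (avoids the base64 gem)
end

def unb64(s)
  s.unpack1('m0')       # raises ArgumentError on malformed input
end

# Seal a session hash under the secret (assumption: first 32 bytes are the key).
def seal_session(session, secret)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = secret.b[0, 32]
  iv = cipher.random_iv
  cipher.auth_data = 'rack.session'   # binds the blob to this cookie name
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  [b64(ciphertext), b64(iv), b64(cipher.auth_tag)].join(DELIM)
end

# Open a sealed cookie. Returns nil instead of raising for a wrong secret, a
# truncated or malformed cookie, or a tampered byte (tag verification fails).
def open_session(cookie, secret)
  parts = cookie.to_s.split(DELIM)
  return nil unless parts.size == 3
  ciphertext, iv, tag = parts.map { |p| unb64(p) }
  return nil unless tag.bytesize == 16
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = secret.b[0, 32]
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = 'rack.session'
  JSON.parse(cipher.update(ciphertext) + cipher.final)
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, ArgumentError
  nil
end

# The forward_auth decision: the tenant stored in the session must equal the
# first label of the requested host (example.app.domain.com -> "example").
def tenant_authorized?(session, host)
  session.is_a?(Hash) && session['tenant_id'] == host.to_s.split('.').first
end
```

Run `tenant_authorized?(open_session(cookie, secret), request_host)` to see that a cookie opened with the wrong secret, or one altered in transit, yields nil and is refused rather than trusted.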