fix(proxy): accept the __Secure- prefixed session cookie in production
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m35s
Build & Push Docker Images / build-and-push (push) Successful in 13m38s

The auth gate read only `pn-crm.session_token`, but better-auth prefixes
the cookie `__Secure-pn-crm.session_token` whenever it issues secure
cookies (production/HTTPS). So in prod every authenticated request was
bounced to /login — sign-in returned 200 + Set-Cookie, but the gate
couldn't see the (prefixed) cookie on the next navigation. Worked in dev
(HTTP → no prefix). Check both names.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 03:13:22 +02:00
parent 102ee493f8
commit 23a5811342


@@ -209,7 +209,14 @@ export function proxy(request: NextRequest): NextResponse {
return applyCsp(NextResponse.next({ request: { headers: requestHeaders } }), nonce, pathname);
}
const sessionToken = request.cookies.get('pn-crm.session_token');
// better-auth prefixes the cookie with `__Secure-` whenever it issues
// secure cookies (production / HTTPS), so the name on the wire is
// `__Secure-pn-crm.session_token` in prod but bare `pn-crm.session_token`
// in dev. Check both, or every authenticated request in prod gets
// bounced to /login because the gate can't find the (prefixed) cookie.
const sessionToken =
request.cookies.get('pn-crm.session_token') ??
request.cookies.get('__Secure-pn-crm.session_token');
if (!sessionToken?.value) {
if (isApiRoute(pathname)) {
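Review bot: the fallback in the new `sessionToken` assignment accepts the bare `pn-crm.session_token` cookie in production as well, which gives up the property the `__Secure-` prefix exists to provide: a browser will only store a `__Secure-` cookie that was set from a secure origin, while the unprefixed name carries no such guarantee. Rather than checking both names everywhere, consider deriving the expected name from the same condition better-auth uses to decide on the prefix (secure cookies in production/HTTPS) and reading only that one, or at least try `__Secure-pn-crm.session_token` first and fall back to the bare name only outside production. Worth stating in the comment, too, that this gate is presence-only (`!sessionToken?.value`) and decides nothing about the token's validity, so the session must still be verified downstream.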