From 23a581134278ace80b8582b4cc4c2273c5a83660 Mon Sep 17 00:00:00 2001
From: Matt
Date: Wed, 3 Jun 2026 03:13:22 +0200
Subject: [PATCH] fix(proxy): accept the __Secure- prefixed session cookie in production
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The auth gate read only `pn-crm.session_token`, but better-auth prefixes the cookie `__Secure-pn-crm.session_token` whenever it issues secure cookies (production/HTTPS). So in prod every authenticated request was bounced to /login — sign-in returned 200 + Set-Cookie, but the gate couldn't see the (prefixed) cookie on the next navigation. Worked in dev (HTTP → no prefix). Check both names.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 src/proxy.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/proxy.ts b/src/proxy.ts
index c2e0ed68..b5dfd580 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -209,7 +209,14 @@ export function proxy(request: NextRequest): NextResponse {
 return applyCsp(NextResponse.next({ request: { headers: requestHeaders } }), nonce, pathname);
 }
- const sessionToken = request.cookies.get('pn-crm.session_token');
+ // better-auth prefixes the cookie with `__Secure-` whenever it issues
+ // secure cookies (production / HTTPS), so the name on the wire is
+ // `__Secure-pn-crm.session_token` in prod but bare `pn-crm.session_token`
+ // in dev. Check both, or every authenticated request in prod gets
+ // bounced to /login because the gate can't find the (prefixed) cookie.
+ const sessionToken =
+ request.cookies.get('pn-crm.session_token') ??
+ request.cookies.get('__Secure-pn-crm.session_token');
 if (!sessionToken?.value) {
 if (isApiRoute(pathname)) {
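Review bot: The lookup order in the new `const sessionToken` expression prefers the bare `pn-crm.session_token` over `__Secure-pn-crm.session_token`, so whenever both are present the bare cookie — which browsers do not bind to HTTPS the way the `__Secure-` prefix does — is the one that decides; the gate should try the prefixed name first: `request.cookies.get('__Secure-pn-crm.session_token') ?? request.cookies.get('pn-crm.session_token');`. Because the hunk only tests `sessionToken?.value` for presence, what this order governs is the redirect to /login rather than the session itself, so the impact is presumably limited to the gate — worth confirming against the place the session is actually validated. If that is the case, a one-line comment such as `// presence check only; the session is validated by the auth handler downstream` next to the `if (!sessionToken?.value)` would make the contract explicit for the next reader. The `proxy` function begins and ends outside the hunk.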