From 2e138a8364a69c23d9d86ecdb4077e919f801b35 Mon Sep 17 00:00:00 2001 From: Christopher Mayor Date: Mon, 27 Apr 2026 12:38:16 -0700 Subject: [PATCH] fix #12: extract session token before dot (Better Auth signed cookie) Better Auth cookie format is 'token.signature' but DB only stores the token portion. Split on '.' to extract the actual session token. --- src/app/api/compare/route.ts | 2 +- src/app/api/user/comparisons/route.ts | 2 +- src/app/api/user/stats/route.ts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/app/api/compare/route.ts b/src/app/api/compare/route.ts index c79a735..86fb5e9 100644 --- a/src/app/api/compare/route.ts +++ b/src/app/api/compare/route.ts @@ -30,7 +30,7 @@ export async function POST(request: Request) { .split(";") .map((c) => c.trim()) .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token=")); - const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim(); + const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim().split(".")[0]; if (!token) { return Response.json({ error: "Authentication required" }, { status: 401 }); diff --git a/src/app/api/user/comparisons/route.ts b/src/app/api/user/comparisons/route.ts index b9d46eb..855a1ee 100644 --- a/src/app/api/user/comparisons/route.ts +++ b/src/app/api/user/comparisons/route.ts @@ -11,7 +11,7 @@ export async function GET(request: Request) { .split(";") .map((c) => c.trim()) .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token=")); - const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim(); + const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim().split(".")[0]; if (!token) { return Response.json({ error: "Unauthorized" }, { status: 401 }); } diff --git a/src/app/api/user/stats/route.ts b/src/app/api/user/stats/route.ts index 7c1e6dd..284f132 100644 --- a/src/app/api/user/stats/route.ts +++ b/src/app/api/user/stats/route.ts 
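Review bot: The added `.split(".")[0]` in POST discards the signature half of the Better Auth cookie without ever checking it, so the route authenticates on the bare token and the cookie's signature provides no integrity protection here; the same line is added in `src/app/api/user/comparisons/route.ts` and `src/app/api/user/stats/route.ts`. Assuming the lookup outside the hunk matches on the token alone, a raw session token value (for example one exposed through a database read or a log line) would be accepted with any signature or none. Rather than parsing the cookie by hand, resolve the session through the library with the project's Better Auth instance, e.g. `const session = await auth.api.getSession({ headers: request.headers });` followed by `if (!session) return Response.json({ error: "Authentication required" }, { status: 401 });`, which verifies the signature and expiry. The function body continues outside the hunk, so whether the existing database lookup checks session expiry cannot be confirmed from here.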
@@ -11,7 +11,7 @@ export async function GET() {
 .split(";")
 .map((c) => c.trim())
 .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
- const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
+ const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim().split(".")[0];
 if (!token) {
 return Response.json({ error: "Unauthorized" }, { status: 401 });
 }
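Review bot: The token-extraction expression on the added line of GET is now copy-pasted across three route files, and this fix had to be applied identically in each; a single shared helper that takes the Cookie header and returns the session (or null) would stop the copies from drifting apart. The unchanged `.find(...)` above it accepts either `__Secure-better-auth.session_token=` or the unprefixed name and takes whichever appears first in the header, so an unprefixed cookie can shadow the `__Secure-` one; the helper is the natural place to prefer the prefixed cookie on HTTPS deployments. If the hand-rolled parse stays, add a comment on the line such as `// Better Auth cookie is "<token>.<signature>"; the signature is NOT verified here` so the next reader does not assume an integrity check. The start of the method chain and the rest of GET lie outside the hunk.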