From cfe50af1af96454b786afd6abb2f8a13bbafc299 Mon Sep 17 00:00:00 2001
From: Christopher Mayor
Date: Mon, 27 Apr 2026 12:53:04 -0700
Subject: [PATCH] fix #12: middleware __Secure- cookie prefix check

Middleware only checked for better-auth.session_token but HTTPS uses __Secure-better-auth.session_token, causing all protected routes to redirect to sign-in even when authenticated.
---
 src/middleware.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/middleware.ts b/src/middleware.ts
index 2bce440..a744032 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -7,7 +7,10 @@ function hasSessionCookie(headers: Headers): boolean {
 const cookieHeader = headers.get("cookie") ?? "";
 return cookieHeader
 .split(";")
- .some((c) => c.trim().startsWith("better-auth.session_token="));
+ .some((c) => {
+ const trimmed = c.trim();
+ return trimmed.startsWith("better-auth.session_token=") || trimmed.startsWith("__Secure-better-auth.session_token=");
+ });
 }

 export async function middleware(request: NextRequest) {
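Review bot: The new predicate in `hasSessionCookie` is still a presence test on the cookie name and never inspects the value, so it can decide where to redirect but cannot serve as the authorization check for protected routes. That limit should be stated at the function, for example `// Presence check only: the token is not verified here; every protected route and API handler must validate the session server-side.` Both names are also accepted regardless of scheme, so over HTTPS the unprefixed cookie, which lacks the browser's `__Secure-` guarantees, still satisfies the check. If that matters for this gate, accept only the prefixed name on HTTPS requests. The two hard-coded names will also drift if the auth configuration ever sets a custom cookie prefix. better-auth's `getSessionCookie` helper from `better-auth/cookies` may be a better source for the name, if the installed version provides it. The body of `middleware` continues outside the hunk, so whether it validates the session later cannot be seen from here.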