From d8eb0eef8eb9756f32eef1d92c6fa62d747a26ad Mon Sep 17 00:00:00 2001
From: Christopher Mayor
Date: Mon, 27 Apr 2026 12:35:25 -0700
Subject: [PATCH] fix #12: handle __Secure- cookie prefix in all auth bypass code

Better Auth sets cookies with __Secure- prefix when served over HTTPS. Updated cookie parsing in compare, user/comparisons, and user/stats routes to check for both __Secure-better-auth.session_token and better-auth.session_token.
---
 src/app/api/compare/route.ts | 7 ++++---
 src/app/api/user/comparisons/route.ts | 7 ++++---
 src/app/api/user/stats/route.ts | 7 ++++---
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/app/api/compare/route.ts b/src/app/api/compare/route.ts
index cb995df..c79a735 100644
--- a/src/app/api/compare/route.ts
+++ b/src/app/api/compare/route.ts
@@ -26,10 +26,11 @@ export async function POST(request: Request) {
 // Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
 // Manually parse session token from cookie and query sessions table directly
 const cookieHeader = request.headers.get("cookie") ?? "";
- const tokenMatch = cookieHeader
+ const cookieMatch = cookieHeader
 .split(";")
- .find((c) => c.trim().startsWith("better-auth.session_token="));
- const token = tokenMatch?.split("=")?.[1]?.trim();
+ .map((c) => c.trim())
+ .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
+ const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
 if (!token) {
 return Response.json({ error: "Authentication required" }, { status: 401 });
diff --git a/src/app/api/user/comparisons/route.ts b/src/app/api/user/comparisons/route.ts
index cb7b2d6..b9d46eb 100644
--- a/src/app/api/user/comparisons/route.ts
+++ b/src/app/api/user/comparisons/route.ts
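Review bot: When both `__Secure-better-auth.session_token` and `better-auth.session_token` are present in the header, the new `.find` returns whichever cookie the browser sent first rather than preferring the prefixed one, so an unprefixed cookie can shadow the `__Secure-` session. Look up the prefixed name first and only fall back to the plain one, e.g. `const cookies = cookieHeader.split(";").map((c) => c.trim());` followed by `const cookieMatch = cookies.find((c) => c.startsWith("__Secure-better-auth.session_token=")) ?? cookies.find((c) => c.startsWith("better-auth.session_token="));`, and since the prefix is only set over HTTPS, consider accepting the unprefixed name only in non-HTTPS (local) deployments. The `?.` after `.split("=")` on the new `token` line is redundant, as `split` never returns undefined. Because this path bypasses `auth.api.getSession()`, the signature and expiry checks that call would perform must be done in the sessions lookup that follows (outside this hunk), and it is worth confirming there that the raw `token` — possibly still percent-encoded or carrying a signature suffix, depending on how the library writes the cookie — is normalised before it is matched. The same ordering issue is in the user/comparisons and user/stats hunks; `POST` begins before and continues past this hunk.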
@@ -7,10 +7,11 @@ export async function GET(request: Request) {
 // Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
 const hdrs = await headers();
 const cookieHeader = hdrs.get("cookie") ?? "";
- const tokenMatch = cookieHeader
+ const cookieMatch = cookieHeader
 .split(";")
- .find((c) => c.trim().startsWith("better-auth.session_token="));
- const token = tokenMatch?.split("=")?.[1]?.trim();
+ .map((c) => c.trim())
+ .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
+ const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
 if (!token) {
 return Response.json({ error: "Unauthorized" }, { status: 401 });
 }
diff --git a/src/app/api/user/stats/route.ts b/src/app/api/user/stats/route.ts
index f5601e9..7c1e6dd 100644
--- a/src/app/api/user/stats/route.ts
+++ b/src/app/api/user/stats/route.ts
@@ -7,10 +7,11 @@ export async function GET() {
 // Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
 const hdrs = await headers();
 const cookieHeader = hdrs.get("cookie") ?? "";
- const tokenMatch = cookieHeader
+ const cookieMatch = cookieHeader
 .split(";")
- .find((c) => c.trim().startsWith("better-auth.session_token="));
- const token = tokenMatch?.split("=")?.[1]?.trim();
+ .map((c) => c.trim())
+ .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
+ const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
 if (!token) {
 return Response.json({ error: "Unauthorized" }, { status: 401 });
 }
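Review bot: The cookie-name change had to be applied by hand to three identical parsing blocks (compare, user/comparisons and this stats hunk), and the copies already differ in where the header comes from (`request.headers` in compare, `headers()` here), so the next adjustment to how the session token is read will again risk missing one route. Extract the token extraction into a single shared helper, e.g. `export function sessionTokenFromCookie(cookieHeader: string): string | undefined`, containing the `.split(";")`/`.map`/`.find`/`slice(1).join("=")` steps, and have each route pass in its own cookie header. That also gives one place to document the `__Secure-` handling and to add a unit test covering a header that contains both cookie names. Both `GET` functions start at the hunk header and continue past the hunk.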