fix #12: handle __Secure- cookie prefix in all auth bypass code

Better Auth sets cookies with __Secure- prefix when served over HTTPS.
Updated cookie parsing in compare, user/comparisons, and user/stats
routes to check for both __Secure-better-auth.session_token and
better-auth.session_token.
This commit is contained in:
Christopher Mayor
2026-04-27 12:35:25 -07:00
parent 371755c241
commit d8eb0eef8e
3 changed files with 12 additions and 9 deletions


@@ -26,10 +26,11 @@ export async function POST(request: Request) {
// Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
// Manually parse session token from cookie and query sessions table directly
const cookieHeader = request.headers.get("cookie") ?? "";
const tokenMatch = cookieHeader
const cookieMatch = cookieHeader
.split(";")
.find((c) => c.trim().startsWith("better-auth.session_token="));
const token = tokenMatch?.split("=")?.[1]?.trim();
.map((c) => c.trim())
.find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
if (!token) {
return Response.json({ error: "Authentication required" }, { status: 401 });
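Review bot: The new `.find` on the combined `||` predicate returns whichever session cookie appears first in the header, so on an HTTPS deployment a plain `better-auth.session_token` cookie that precedes the `__Secure-` one is the value that gets looked up — the `__Secure-` prefix exists precisely so the browser only honours a cookie set from a secure origin, and accepting the unprefixed name alongside it weakens that guarantee to header ordering. Prefer the prefixed cookie explicitly and fall back only when it is absent, e.g. `const cookieMatch = cookies.find((c) => c.startsWith("__Secure-better-auth.session_token=")) ?? cookies.find((c) => c.startsWith("better-auth.session_token="));` where `cookies` is the trimmed `split(";")` array; ideally the unprefixed fallback is limited to non-HTTPS/local development. The optional chaining in `?.split("=")?.slice(1)?.join("=")` is redundant after the first `?.` since `split` always returns an array; `cookieMatch?.split("=").slice(1).join("=").trim()` reads cleaner. The POST handler's body continues past the end of this hunk, so the sessions query that consumes `token` is not reviewed here.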


@@ -7,10 +7,11 @@ export async function GET(request: Request) {
// Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
const hdrs = await headers();
const cookieHeader = hdrs.get("cookie") ?? "";
const tokenMatch = cookieHeader
const cookieMatch = cookieHeader
.split(";")
.find((c) => c.trim().startsWith("better-auth.session_token="));
const token = tokenMatch?.split("=")?.[1]?.trim();
.map((c) => c.trim())
.find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
if (!token) {
return Response.json({ error: "Unauthorized" }, { status: 401 });
}
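Review bot: The extracted `token` is passed on raw, and the comment on the first line of the hunk says the sessions table is queried directly instead of going through `auth.api.getSession()`, which means any checks that call performed — session expiry, and verification of a signature appended to the cookie value, if Better Auth signs its session cookie as I believe it does — must now be reproduced by the direct query or they are silently lost; that query is outside this hunk, so please confirm it at least filters on the expiry column and handles the signed-cookie format. If the cookie value can be percent-encoded (the `slice(1).join("=")` change suggests `=` characters are expected in it), the lookup should use `decodeURIComponent(token)` or it will never match the stored value; I cannot confirm the stored format from here. A one-line comment above the `const token` line stating what the token is compared against would make the contract visible: `// Raw cookie value; must match sessions.token exactly (no signature stripping or decoding done here).`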


@@ -7,10 +7,11 @@ export async function GET() {
// Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
const hdrs = await headers();
const cookieHeader = hdrs.get("cookie") ?? "";
const tokenMatch = cookieHeader
const cookieMatch = cookieHeader
.split(";")
.find((c) => c.trim().startsWith("better-auth.session_token="));
const token = tokenMatch?.split("=")?.[1]?.trim();
.map((c) => c.trim())
.find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
if (!token) {
return Response.json({ error: "Unauthorized" }, { status: 401 });
}
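Review bot: This is the third verbatim copy of the same cookie-parsing expression in this commit (the `.split(";").map(...).find(...)` chain plus the `split("=").slice(1).join("=")` reassembly), so the next cookie-name or encoding fix will have to be applied in three places again; a small shared helper would also give the `__Secure-` variant explicit precedence over the unprefixed name instead of relying on header order. A helper along the lines of the excerpt below, imported by all three routes, would reduce each call site to `const token = sessionTokenFromCookieHeader(hdrs.get("cookie") ?? "");`. The `|| undefined` keeps the existing `if (!token)` check behaving as it does today for an empty value.

```typescript
// Prefixed name first: the __Secure- cookie can only be set from a secure origin.
const SESSION_COOKIE_NAMES = ["__Secure-better-auth.session_token", "better-auth.session_token"] as const;

/** Extracts the raw Better Auth session token from a Cookie header; undefined when no session cookie is present. */
function sessionTokenFromCookieHeader(cookieHeader: string): string | undefined {
  const pairs = cookieHeader.split(";").map((c) => c.trim());
  for (const name of SESSION_COOKIE_NAMES) {
    const hit = pairs.find((c) => c.startsWith(`${name}=`));
    // slice past "name=" so '=' characters inside the value are preserved
    if (hit) return hit.slice(name.length + 1).trim() || undefined;
  }
  return undefined;
}
```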