From 9f7e924ab05f23b4b6f247b2fb1e42a8e7305e62 Mon Sep 17 00:00:00 2001
From: Tomas Virgl <739690+tvi@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:03:52 -0700
Subject: [PATCH 1/2] fix(auth): scope OAuth session cookie via secure + AUTH_COOKIE_PREFIX

Set the Auth.js OAuth session cookie explicitly with the __Secure- prefix and an optional AUTH_COOKIE_PREFIX. Cookies are scoped by host+path+name (not port), so multiple local dashboards on different localhost ports would otherwise share the default session cookie and clobber each other.
---
 src/auth.ts | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/auth.ts b/src/auth.ts
index b09d53fb1..0c5d7c54a 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -8,11 +8,34 @@ import {
 
 const oryOAuth2Audience = process.env.ORY_OAUTH2_AUDIENCE
 
+const useSecureCookies = process.env.VERCEL_ENV === "production";
+// Standard Auth.js secure-cookie convention.
+const securePrefix = useSecureCookies ? '__Secure-' : ''
+// Cookies are scoped by host+path+name, NOT by port. Running two local
+// dashboards on different localhost ports makes them share the default
+// session cookie and clobber each other. AUTH_COOKIE_PREFIX lets each
+// instance use a distinct cookie name. Unset in prod/preview.
+const cookiePrefix = process.env.AUTH_COOKIE_PREFIX
+  ? `${process.env.AUTH_COOKIE_PREFIX}.`
+  : ''
+
 export const { handlers, auth, signIn, signOut } = NextAuth({
   // isolates from existing /api/auth/{callback,email-callback,verify-otp}
   basePath: '/api/auth/oauth',
   secret: process.env.AUTH_SECRET,
   session: { strategy: 'jwt' },
+  useSecureCookies,
+  cookies: {
+    sessionToken: {
+      name: `${securePrefix}${cookiePrefix}authjs.session-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+  },
   // route handler that logs the failure and redirects to /sign-in so users
   // never see Auth.js's built-in error page; see oauth-recover/route.ts.
   pages: {
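Review bot: `useSecureCookies` is true only when `VERCEL_ENV === "production"`, so preview deployments, which are also served over HTTPS, get a session cookie without the Secure flag or the `__Secure-` prefix; if that is not intended, gate on both environments, `const useSecureCookies = process.env.VERCEL_ENV === 'production' || process.env.VERCEL_ENV === 'preview'`, which still leaves local `next dev` on the unprefixed, non-secure cookie. Separately, `AUTH_COOKIE_PREFIX` is spliced into the cookie name without validation, so a value containing spaces, `;`, `=` or other separator characters yields an invalid Set-Cookie name that the serializer or the browser will reject rather than a clear error; a startup guard such as `if (process.env.AUTH_COOKIE_PREFIX && !/^[A-Za-z0-9_-]+$/.test(process.env.AUTH_COOKIE_PREFIX)) throw new Error('AUTH_COOKIE_PREFIX must be a plain cookie-name token')` makes the misconfiguration fail fast. The comment says the prefix is unset in prod/preview, but nothing enforces it, so the same guard could refuse a prefix when `useSecureCookies` is true to keep the production cookie name stable. The `NextAuth({ ... })` call continues past the end of the hunk.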
From fa6ae507418ad31fb99d62b6decc5a59f970dac1 Mon Sep 17 00:00:00 2001
From: tvi <739690+tvi@users.noreply.github.com>
Date: Tue, 9 Jun 2026 21:37:02 +0000
Subject: [PATCH 2/2] style: apply biome formatting

---
 src/auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/auth.ts b/src/auth.ts
index 0c5d7c54a..bdb846f87 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -8,7 +8,7 @@ import {
 
 const oryOAuth2Audience = process.env.ORY_OAUTH2_AUDIENCE
 
-const useSecureCookies = process.env.VERCEL_ENV === "production";
+const useSecureCookies = process.env.VERCEL_ENV === 'production'
 // Standard Auth.js secure-cookie convention.
 const securePrefix = useSecureCookies ? '__Secure-' : ''
 // Cookies are scoped by host+path+name, NOT by port. Running two local