client-login: hard reload to /contributor instead of setSession+router.push

The previous attempt at hydrating the Supabase browser client via
supabase.auth.setSession() was racing against the server-set cookie.
The server cookie was written with Path=/; SameSite=Lax (no Secure
flag — Next.js cookies().set defaults), but the browser supabase
client's setAll handler writes cookies with Secure; SameSite=None.
The two writes for the same cookie name produced inconsistent state.

Drop setSession + router.push entirely. Instead, do a hard
window.location.href = '/contributor' redirect after a successful
POST. The server renders /contributor with the freshly-set auth
cookie; the browser supabase client boots up reading it from
document.cookie on page load. No client-side hydration race.
This commit is contained in:
Ryan Salazar
2026-05-09 06:39:28 +00:00
parent 275f0c9627
commit 9e3b48c10d

View File

@@ -33,20 +33,14 @@ export default function ClientLoginPage() {
return;
}
// Hydrate Supabase client with the session from the API response so
// AuthContext picks it up immediately and the next render of
// /contributor sees an authenticated user (no flash of logged-out
// state, no race against cookie propagation).
if (data.session?.access_token && data.session?.refresh_token) {
await supabase.auth.setSession({
access_token: data.session.access_token,
refresh_token: data.session.refresh_token,
});
}
// Redirect to contributor dashboard (fresh session in AuthContext)
router.push('/contributor');
router.refresh();
// The wp-login API has already set the supabase session cookie via
// its NextResponse. Do a HARD reload to /contributor so the server
// re-renders with that cookie and the browser supabase client
// boots up reading it from document.cookie. Avoids the cookie-flag
// mismatch that happens if we try to setSession() client-side
// (browser client writes Secure;SameSite=None, server writes
// SameSite=Lax — they conflict).
window.location.href = '/contributor';
} catch (err: any) {
setError(err.message || 'An error occurred');
console.error('Login exception:', err);