From 9e3b48c10d8e31d151fca38c17341f31078ef894 Mon Sep 17 00:00:00 2001 From: Ryan Salazar Date: Sat, 9 May 2026 06:39:28 +0000 Subject: [PATCH] client-login: hard reload to /contributor instead of setSession+router.push MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous attempt at hydrating the Supabase browser client via supabase.auth.setSession() was racing against the server-set cookie. The server cookie was written with Path=/; SameSite=Lax (no Secure flag — Next.js cookies().set defaults), but the browser supabase client's setAll handler writes cookies with Secure; SameSite=None. The two writes for the same cookie name produced inconsistent state. Drop setSession + router.push entirely. Instead, do a hard window.location.href = '/contributor' redirect after a successful POST. The server renders /contributor with the freshly-set auth cookie; the browser supabase client boots up reading it from document.cookie on page load. No client-side hydration race. --- src/app/client-login/page.tsx | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/src/app/client-login/page.tsx b/src/app/client-login/page.tsx index d309f9e..4c4a63c 100644 --- a/src/app/client-login/page.tsx +++ b/src/app/client-login/page.tsx @@ -33,20 +33,14 @@ export default function ClientLoginPage() { return; } - // Hydrate Supabase client with the session from the API response so - // AuthContext picks it up immediately and the next render of - // /contributor sees an authenticated user (no flash of logged-out - // state, no race against cookie propagation). - if (data.session?.access_token && data.session?.refresh_token) { - await supabase.auth.setSession({ - access_token: data.session.access_token, - refresh_token: data.session.refresh_token, - }); - } - - // Redirect to contributor dashboard (fresh session in AuthContext) - router.push('/contributor'); - router.refresh(); + // The wp-login API has already set the supabase session cookie via + // its NextResponse. Do a HARD reload to /contributor so the server + // re-renders with that cookie and the browser supabase client + // boots up reading it from document.cookie. Avoids the cookie-flag + // mismatch that happens if we try to setSession() client-side + // (browser client writes Secure;SameSite=None, server writes + // SameSite=Lax — they conflict). + window.location.href = '/contributor'; } catch (err: any) { setError(err.message || 'An error occurred'); console.error('Login exception:', err);