Files
avbeat-com/src/lib
Ryan Salazar 89aaa7b36d supabase browser client: match server cookie attributes (SameSite=Lax, no Secure)
The browser-side createBrowserClient was writing cookies with
'Secure; SameSite=None' while the server-side createServerClient
writes the same cookie names with 'SameSite=Lax' (no Secure flag —
Next.js cookies().set() default).

When the wp-login API set the auth cookie via NextResponse, the browser
stored it with SameSite=Lax. Then the browser supabase client (via
AuthContext or any subsequent auth call) tried to re-write the cookie
via document.cookie with Secure;SameSite=None. Browsers can't reconcile
this — depending on Chrome/Safari/Firefox version, you get either:
  - duplicate cookies that confuse session detection
  - the JS write silently failing because Secure;SameSite=None has
    additional constraints
  - the existing Lax cookie getting clobbered with attributes that
    conflict with same-site navigation

Net effect: AuthContext on /contributor doesn't reliably see the
session even though the cookie exists, so /contributor's
'!loading && !user → router.push(/login)' check bounces the user
back to /client-login. Looks like login failed.

Fix: align the JS-side cookie attributes with the server-side defaults
(SameSite=Lax, no Secure). Both writes now produce the same cookie
shape, no conflict.
2026-05-09 09:52:56 +00:00
..