feat: Improve session handling and cookie management in API

- Enhanced the GET request handler to better manage session tokens from both request headers and Next.js cookie store. - Added detailed error handling for authentication failures and improved logging for debugging purposes. - Updated cookie management to provide clearer insights into session token presence and accessibility. - Ensured secure cookie handling is enforced in production environments.
2026-01-04 12:17:24 -05:00 · 2026-01-04 12:17:24 -05:00 · 9457f08580
commit 9457f08580
parent ea7da85d5e
2 changed files with 33 additions and 9 deletions
--- a/app/api/debug/session/route.ts
+++ b/app/api/debug/session/route.ts
@ -4,11 +4,9 @@ import { cookies } from "next/headers"
 export async function GET(request: Request) {
  try {
    const session = await auth()
    const cookieStore = await cookies()
    const cookieHeader = request.headers.get("cookie") || ""
-    // Parse cookies from header
+    // Parse cookies from header first
    const cookieMap: Record<string, string> = {}
    cookieHeader.split(";").forEach(cookie => {
      const [key, value] = cookie.trim().split("=")
@ -17,9 +15,26 @@ export async function GET(request: Request) {
      }
    })
-    const sessionToken = cookieStore.get("__Secure-authjs.session-token")?.value || 
+    // Try to get session token from cookies
-                         cookieMap["__Secure-authjs.session-token"] || 
+    const sessionTokenFromHeader = cookieMap["__Secure-authjs.session-token"] || "NOT FOUND"
-                         "NOT FOUND"
+    
    // Try to call auth() - this might fail or return null
    let session = null
    let authError = null
    try {
      session = await auth()
    } catch (err) {
      authError = err instanceof Error ? err.message : String(err)
    }
    // Try to get cookie from Next.js cookie store
    let sessionTokenFromStore = "NOT ACCESSIBLE"
    try {
      const cookieStore = await cookies()
      sessionTokenFromStore = cookieStore.get("__Secure-authjs.session-token")?.value || "NOT FOUND"
    } catch {
      // Cookie store might not be accessible in all contexts
    }
    return NextResponse.json({
      hasSession: !!session,
@ -27,11 +42,14 @@ export async function GET(request: Request) {
        user: session.user,
        expires: session.expires,
      } : null,
      authError,
      cookies: {
-        sessionTokenPresent: !!sessionToken && sessionToken !== "NOT FOUND",
+        sessionTokenInHeader: sessionTokenFromHeader !== "NOT FOUND",
-        sessionTokenPreview: sessionToken !== "NOT FOUND" ? `${sessionToken.substring(0, 20)}...` : "NOT FOUND",
+        sessionTokenInStore: sessionTokenFromStore !== "NOT FOUND" && sessionTokenFromStore !== "NOT ACCESSIBLE",
        sessionTokenPreview: sessionTokenFromHeader !== "NOT FOUND" ? `${sessionTokenFromHeader.substring(0, 30)}...` : "NOT FOUND",
        allCookieKeys: Object.keys(cookieMap),
        cookieHeaderLength: cookieHeader.length,
        cookieHeaderPreview: cookieHeader.substring(0, 200),
      },
      env: {
        hasSecret: !!process.env.NEXTAUTH_SECRET,
--- a/lib/auth.ts
+++ b/lib/auth.ts
@ -61,6 +61,12 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
        token.role = (user as { role: string }).role
        token.email = user.email
        token.name = user.name
        console.log("JWT callback: user added to token", { userId: user.id, email: user.email })
      } else {
        console.log("JWT callback: no user, token exists", { 
          hasToken: !!token,
          tokenKeys: token ? Object.keys(token) : []
        })
      }
      return token
    },
@ -112,7 +118,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
        httpOnly: true,
        sameSite: "lax",
        path: "/",
-        secure: process.env.NODE_ENV === "production",
+        secure: true, // Always secure in production (HTTPS required)
      },
    },
  },