@byline/host-tanstack-start 2.3.1 → 2.3.2

package/dist/auth/auth-context.js

@@ -20,7 +20,7 @@ async function getAdminRequestContext() {
     } catch  {}
     const refreshToken = readRefreshTokenCookie();
     if (!refreshToken) {
-        clearSessionCookies();
+        if (accessToken) clearSessionCookies();
         throw ERR_UNAUTHENTICATED({
             message: 'no admin session'
         });

package/package.json

@@ -3,7 +3,7 @@
   "private": false,
   "type": "module",
   "license": "MPL-2.0",
-  "version": "2.3.1",
+  "version": "2.3.2",
   "engines": {
     "node": ">=20.9.0"
   },
@@ -107,12 +107,12 @@
     "react-swipeable": "^7.0.2",
     "uuid": "^14.0.0",
     "zod": "^4.4.3",
-    "@byline/ai": "2.3.1",
-    "@byline/client": "2.3.1",
-    "@byline/core": "2.3.1",
-    "@byline/admin": "2.3.1",
-    "@byline/auth": "2.3.1",
-    "@byline/ui": "2.3.1"
+    "@byline/auth": "2.3.2",
+    "@byline/admin": "2.3.2",
+    "@byline/core": "2.3.2",
+    "@byline/client": "2.3.2",
+    "@byline/ai": "2.3.2",
+    "@byline/ui": "2.3.2"
   },
   "peerDependencies": {
     "@tanstack/react-router": "^1.167.0",

package/src/auth/auth-context.test.node.ts

@@ -137,7 +137,7 @@ describe('getAdminRequestContext', () => {
     expect(verifyAccessToken).toHaveBeenCalledWith('fresh-access')
   })
 
-  it('throws ERR_UNAUTHENTICATED and clears cookies when no session exists', async () => {
+  it('throws ERR_UNAUTHENTICATED without emitting Set-Cookie when no cookies are sent', async () => {
     cookiesReturn({})
 
     try {
@@ -147,7 +147,22 @@ describe('getAdminRequestContext', () => {
       expect(err).toBeInstanceOf(AuthError)
       expect((err as AuthError).code).toBe(AuthErrorCodes.UNAUTHENTICATED)
     }
-    // Cookie clear = setCookie with empty value and maxAge 0 for both names.
+    // Anonymous visitors must produce zero Set-Cookie headers so shared
+    // caches (Cloudflare) can cache public pages — a Set-Cookie on the
+    // response is a hard bypass signal for CDNs.
+    expect(setCookie).not.toHaveBeenCalled()
+  })
+
+  it('clears the stale access cookie when only an access token was sent', async () => {
+    cookiesReturn({ byline_access_token: 'stale' })
+    verifyAccessToken.mockRejectedValueOnce(new Error('expired'))
+
+    try {
+      await getAdminRequestContext()
+      expect.fail('expected ERR_UNAUTHENTICATED')
+    } catch (err) {
+      expect((err as AuthError).code).toBe(AuthErrorCodes.UNAUTHENTICATED)
+    }
     const clears = setCookie.mock.calls.filter((c) => c[2]?.maxAge === 0)
     const clearedNames = new Set(clears.map((c) => c[0]))
     expect(clearedNames.has('byline_access_token')).toBe(true)

package/src/auth/auth-context.ts

@@ -80,8 +80,13 @@ export async function getAdminRequestContext(): Promise<RequestContext> {
   // Refresh path: swap the refresh cookie for a fresh token pair.
   const refreshToken = readRefreshTokenCookie()
   if (!refreshToken) {
-    // No session at all — clear anything stale and reject.
-    clearSessionCookies()
+    // Only emit cookie clears when the browser actually sent a stale access
+    // cookie — otherwise the response carries no Set-Cookie at all, which
+    // lets shared caches (Cloudflare) cache public pages for anonymous
+    // visitors. Set-Cookie on the response is a hard bypass signal for CDNs.
+    if (accessToken) {
+      clearSessionCookies()
+    }
     throw ERR_UNAUTHENTICATED({ message: 'no admin session' })
   }