@checkstack/auth-backend 0.4.18 → 0.4.19

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @checkstack/auth-backend
 
+## 0.4.19
+
+### Patch Changes
+
+- 889dd8c: Fix session loss for LDAP and SAML authentication strategies
+
+  The auth bridge was joining multiple `Set-Cookie` headers into a single comma-separated string, which corrupted cookie attributes. This caused the `session_token` cookie to inherit the 5-minute `maxAge` from the `session_data` cache cookie instead of the intended 7-day expiry. After the cookie expired from the browser, `get-session` returned `null` and all API calls failed with 401.
+
+  Changed the `createSession` RPC contract to return `setCookies: string[]` (array) instead of `setCookie: string`, and updated LDAP/SAML consumers to use `Headers.append("Set-Cookie", ...)` to set each cookie as a separate header.
+
+- Updated dependencies [889dd8c]
+  - @checkstack/auth-common@0.6.2
+
 ## 0.4.18
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-backend",
-  "version": "0.4.18",
+  "version": "0.4.19",
   "type": "module",
   "main": "src/index.ts",
   "checkstack": {
@@ -15,9 +15,9 @@
   },
   "dependencies": {
     "@checkstack/auth-common": "0.6.1",
-    "@checkstack/backend-api": "0.11.1",
+    "@checkstack/backend-api": "0.12.0",
     "@checkstack/notification-common": "0.2.8",
-    "@checkstack/command-backend": "0.1.18",
+    "@checkstack/command-backend": "0.1.19",
     "better-auth": "^1.4.7",
     "drizzle-orm": "^0.45.0",
     "hono": "^4.12.14",

package/src/router.test.ts

@@ -359,11 +359,12 @@ describe("Auth Router", () => {
 
     const mockResponse = { sessionId: "session-123" };
     const mockHandler = mock(async (_req: Request) => {
+      const headers = new Headers();
+      headers.append("Set-Cookie", "better-auth.session_token=test-token; Path=/; HttpOnly; Max-Age=604800");
+      headers.append("Set-Cookie", "better-auth.session_data=test-data; Path=/; HttpOnly; Max-Age=300");
       return new Response(JSON.stringify(mockResponse), {
         status: 200,
-        headers: {
-          "Set-Cookie": "better-auth.session_token=test-token; Path=/; HttpOnly",
-        },
+        headers,
       });
     });
 
@@ -386,7 +387,9 @@ describe("Auth Router", () => {
     );
 
     expect(result.sessionId).toBe("session-123");
-    expect(result.setCookie).toContain("better-auth.session_token=test-token");
+    expect(result.setCookies).toBeArrayOfSize(2);
+    expect(result.setCookies[0]).toContain("better-auth.session_token=test-token");
+    expect(result.setCookies[1]).toContain("better-auth.session_data=test-data");
     expect(mockHandler).toHaveBeenCalled();
 
     // Verify the virtual request headers

package/src/router.ts

@@ -1106,14 +1106,12 @@ export const createAuthRouter = (
       });
     }
 
-    // Extract Set-Cookie. Use getSetCookie() if available (Bun/Node 20+), otherwise fallback to get()
-    // get() usually joins multiple cookies with a comma, which is often correct but sometimes brittle
-    const setCookie =
-      typeof res.headers.getSetCookie === "function"
-        ? res.headers.getSetCookie().join(", ")
-        : res.headers.get("set-cookie");
-
-    if (!setCookie) {
+    // Extract Set-Cookie headers as individual strings (one per cookie)
+    // Using getSetCookie() preserves each cookie separately — joining with commas
+    // corrupts cookie attributes that contain commas (e.g. Expires dates)
+    const setCookies = res.headers.getSetCookie();
+
+    if (setCookies.length === 0) {
       const headers: Record<string, string> = {};
       // eslint-disable-next-line unicorn/no-array-for-each
       res.headers.forEach((value, key) => {
@@ -1133,7 +1131,7 @@ export const createAuthRouter = (
 
     return {
       sessionId: body.sessionId,
-      setCookie,
+      setCookies,
     };
   });