@checkstack/auth-common 0.6.1 → 0.6.3

package/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @checkstack/auth-common
 
+## 0.6.3
+
+### Patch Changes
+
+- Updated dependencies [8d1ef12]
+  - @checkstack/common@0.7.0
+
+## 0.6.2
+
+### Patch Changes
+
+- 889dd8c: Fix session loss for LDAP and SAML authentication strategies
+
+  The auth bridge was joining multiple `Set-Cookie` headers into a single comma-separated string, which corrupted cookie attributes. This caused the `session_token` cookie to inherit the 5-minute `maxAge` from the `session_data` cache cookie instead of the intended 7-day expiry. After the cookie expired from the browser, `get-session` returned `null` and all API calls failed with 401.
+
+  Changed the `createSession` RPC contract to return `setCookies: string[]` (array) instead of `setCookie: string`, and updated LDAP/SAML consumers to use `Headers.append("Set-Cookie", ...)` to set each cookie as a separate header.
+
 ## 0.6.1
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-common",
-  "version": "0.6.1",
+  "version": "0.6.3",
   "type": "module",
   "exports": {
     ".": {
@@ -9,7 +9,7 @@
     }
   },
   "dependencies": {
-    "@checkstack/common": "0.6.4",
+    "@checkstack/common": "0.6.5",
     "@orpc/contract": "^1.13.14",
     "zod": "^4.0.0"
   },

package/src/rpc-contract.ts

@@ -356,7 +356,7 @@ export const authContract = {
     access: [],
   })
     .input(CreateSessionInputSchema)
-    .output(z.object({ sessionId: z.string(), setCookie: z.string() })),
+    .output(z.object({ sessionId: z.string(), setCookies: z.array(z.string()) })),
 
   getUserById: proc({
     operationType: "query",