From def921f115b20204328c0acae67c7b6f8f6edda9 Mon Sep 17 00:00:00 2001
From: Barcode Betty
Date: Sat, 4 Apr 2026 18:40:22 +0000
Subject: [PATCH] fix(api): read __Secure- prefixed session cookie in auth

Better-auth sets the session cookie with the __Secure- prefix on HTTPS deployments. The API was only reading the plain cookie name, causing all authenticated calls to return 401 in dev/UAT/prod environments.

Check __Secure-better-auth.session_token first, fall back to better-auth.session_token for HTTP local dev compatibility.

Co-Authored-By: Paperclip
---
 api/src/cartsnitch_api/auth/dependencies.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/api/src/cartsnitch_api/auth/dependencies.py b/api/src/cartsnitch_api/auth/dependencies.py
index 6fe1db4..91c438f 100644
--- a/api/src/cartsnitch_api/auth/dependencies.py
+++ b/api/src/cartsnitch_api/auth/dependencies.py
@@ -19,6 +19,8 @@ bearer_scheme = HTTPBearer(auto_error=False)
 
 # Better-Auth session cookie name
 SESSION_COOKIE_NAME = "better-auth.session_token"
+# Secure prefix used by better-auth on HTTPS deployments
+SECURE_SESSION_COOKIE_NAME = "__Secure-better-auth.session_token"
 
 
 async def _validate_session_token(token: str, db: AsyncSession) -> str:
@@ -65,8 +67,8 @@ async def get_current_user(
     """
     token: str | None = None
 
-    # 1. Check session cookie
-    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
+    # 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
+    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME)
     if cookie_token:
         token = cookie_token
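Review bot: The comment on the new `SECURE_SESSION_COOKIE_NAME` constant should state that `__Secure-` cookies can only be set by a browser over HTTPS and that the plain name is kept solely for HTTP local dev, because the unconditional `or` fallback in the second hunk (the body of `get_current_user` continues past this chunk) makes HTTPS deployments accept the non-prefixed cookie as well, which gives up the origin guarantee the prefix provides. I would reword it to `# __Secure- cookies are only settable over HTTPS; the plain name is accepted only for HTTP local dev` and gate the plain-name lookup on a non-HTTPS/dev setting instead of always falling back, for example `cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME)` followed by `if cookie_token is None and <ALLOW_INSECURE_COOKIE_SETTING>: cookie_token = request.cookies.get(SESSION_COOKIE_NAME)` (placeholder for whatever deployment flag the project already has). Whether such a setting exists in this codebase is not visible in this patch.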