From 01ee21536b2a804213896498f0a4363cac72da6a Mon Sep 17 00:00:00 2001
From: Jake Bromberg
Date: Sat, 21 Feb 2026 08:36:28 -0800
Subject: [PATCH 1/2] fix: default cookie sameSite to 'lax' instead of 'none'
sameSite: 'none' sends cookies on all cross-site requests, weakening CSRF protection. Defaulting to 'lax' while allowing env override.
Co-authored-by: Cursor
---
 shared/authentication/src/auth.definition.ts | 2 +-
 .../unit/authentication/cookie-config.test.ts | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 tests/unit/authentication/cookie-config.test.ts
diff --git a/shared/authentication/src/auth.definition.ts b/shared/authentication/src/auth.definition.ts
index 11f555c..591f558 100644
--- a/shared/authentication/src/auth.definition.ts
+++ b/shared/authentication/src/auth.definition.ts
@@ -87,7 +87,7 @@ export const auth: Auth = betterAuth({
 // Subdomain-friendly cookie setting (recommended over cross-site cookies)
 advanced: {
 defaultCookieAttributes: {
- sameSite: 'none',
+ sameSite: (process.env.COOKIE_SAME_SITE as 'lax' | 'strict' | 'none') || 'lax',
 secure: true,
 },
 },
diff --git a/tests/unit/authentication/cookie-config.test.ts b/tests/unit/authentication/cookie-config.test.ts
new file mode 100644
index 0000000..5c48e26
--- /dev/null
+++ b/tests/unit/authentication/cookie-config.test.ts
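Review bot: The `as 'lax' | 'strict' | 'none'` cast on the new `sameSite` line only satisfies the type checker; at runtime any non-empty `COOKIE_SAME_SITE` value (`Lax`, `None`, a typo) is handed to betterAuth unchecked, and setting the variable to `none` silently restores exactly the behaviour this commit removes. I would validate the value against an allowlist and fail at startup on anything else, so an environment mistake is loud rather than a weaker cookie; the resolver below keeps `'lax'` for an unset or empty variable, matching the `||` semantics of the current line. Browsers reject `SameSite=None` without `Secure`, so the `secure: true` that remains in the hunk should stay unconditional rather than become a second env switch. The `betterAuth({` call this object literal belongs to begins before the hunk and continues after it.

```typescript
const SAME_SITE_VALUES = ['lax', 'strict', 'none'] as const;
type SameSite = (typeof SAME_SITE_VALUES)[number];

/** Reads COOKIE_SAME_SITE; unset/empty → 'lax'; a value outside the allowlist aborts startup. */
function resolveCookieSameSite(raw = process.env.COOKIE_SAME_SITE): SameSite {
  if (!raw) return 'lax';
  if ((SAME_SITE_VALUES as readonly string[]).includes(raw)) return raw as SameSite;
  throw new Error(`COOKIE_SAME_SITE must be one of ${SAME_SITE_VALUES.join(', ')}; got "${raw}"`);
}

// … unchanged: the rest of the betterAuth({ … }) options …
      defaultCookieAttributes: {
        sameSite: resolveCookieSameSite(),
        secure: true,
      },
```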
@@ -0,0 +1,25 @@
+import * as fs from 'fs';
+import * as path from 'path';
+
+describe('auth.definition.ts cookie configuration', () => {
+ const authDefPath = path.resolve(
+ __dirname,
+ '../../../shared/authentication/src/auth.definition.ts'
+ );
+ let source: string;
+
+ beforeAll(() => {
+ source = fs.readFileSync(authDefPath, 'utf-8');
+ });
+
+ it('should not use sameSite: none (weakens CSRF protection)', () => {
+ const hardcodedNone = /sameSite:\s*['"]none['"]/;
+ expect(source).not.toMatch(hardcodedNone);
+
+ expect(source).toMatch(/sameSite:/);
+ });
+
+ it('should set secure: true on cookies', () => {
+ expect(source).toMatch(/secure:\s*true/);
+ });
+});
From 363dd988a8595a38333760b8b3108afe81665f94 Mon Sep 17 00:00:00 2001
From: Jake Bromberg
Date: Fri, 27 Feb 2026 09:47:17 -0800
Subject: [PATCH 2/2] style: format files with Prettier
---
 tests/unit/authentication/cookie-config.test.ts | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/tests/unit/authentication/cookie-config.test.ts b/tests/unit/authentication/cookie-config.test.ts
index 5c48e26..542e5b4 100644
--- a/tests/unit/authentication/cookie-config.test.ts
+++ b/tests/unit/authentication/cookie-config.test.ts
@@ -2,10 +2,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 describe('auth.definition.ts cookie configuration', () => {
- const authDefPath = path.resolve(
- __dirname,
- '../../../shared/authentication/src/auth.definition.ts'
- );
+ const authDefPath = path.resolve(__dirname, '../../../shared/authentication/src/auth.definition.ts');
 let source: string;
 beforeAll(() => {
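Review bot: The new test pins the source text of auth.definition.ts rather than the cookie attributes the module actually produces: `expect(source).not.toMatch(hardcodedNone)` stays green even when `COOKIE_SAME_SITE=none` is set in a deployment, which is the regression a test for this commit should catch, and `expect(source).toMatch(/secure:\s*true/)` is satisfied by that string anywhere in the file, including a comment. If the env lookup lived in a small exported helper, the test could assert behaviour instead, e.g. `expect(resolveCookieSameSite(undefined)).toBe('lax')` and `expect(() => resolveCookieSameSite('None')).toThrow()`; importing the whole auth module for that may be impractical if `betterAuth(...)` has start-up side effects, which I cannot tell from this hunk. Failing that, the regex checks should at least be scoped to the `defaultCookieAttributes: { … }` block (capture it first, then match inside the capture) so an unrelated `secure: true` or `sameSite:` elsewhere in the file cannot satisfy them.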