fix host cookie deleting (#1011)

<!--

Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md

-->


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Cookie deletion now respects the browser's secure context when domains
are specified, ensuring consistent removal across secure and non-secure
connections.
* Session refresh logic now removes redundant default cookies after
setting a custom refresh cookie, preventing duplicate cookies and
conflicts.

* **Tests**
* End-to-end tests updated to expect the default refresh cookie to be
absent and to read payloads from the custom cookie.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: BilalG1

apps/e2e/tests/js/cookies.test.ts

@@ -166,13 +166,10 @@ it("should set refresh token cookies for trusted parent domains", async ({ expec
   const customReady = await waitUntil(() => cookieStore.has(customCookieName), 10_000);
   expect(customReady).toBe(true);
 
-  expect(cookieStore.has(defaultCookieName)).toBe(true);
+  expect(cookieStore.has(defaultCookieName)).toBe(false);
   expect(cookieStore.has(customCookieName)).toBe(true);
 
-  const valuesEqual = await waitUntil(() => cookieStore.get(customCookieName) === cookieStore.get(defaultCookieName), 10_000);
-  expect(valuesEqual).toBe(true);
-
-  const defaultValue = cookieStore.get(defaultCookieName)!;
+  const defaultValue = cookieStore.get(customCookieName)!;
   const parsedValue = JSON.parse(decodeURIComponent(defaultValue));
   expect(typeof parsedValue.refresh_token).toBe("string");
   expect(parsedValue.refresh_token.length).toBeGreaterThan(10);

packages/template/src/lib/cookie.ts

@@ -204,9 +204,9 @@ function setCookieClientInternal(name: string, value: string, options: SetCookie
 
 function deleteCookieClientInternal(name: string, options: DeleteCookieOptions = {}) {
   if (options.domain !== undefined) {
-    Cookies.remove(name, { domain: options.domain });
+    Cookies.remove(name, { domain: options.domain, secure: determineSecureFromClientContext() });
   }
-  Cookies.remove(name);
+  Cookies.remove(name, { secure: determineSecureFromClientContext() });
 }
 
 export function setOrDeleteCookieClient(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions = {}) {

packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts

@@ -620,6 +620,8 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
       }
       const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
       await setCookie(domain.data, value);
+      const isSecure = await isSecureCookieContext();
+      await setOrDeleteCookie(this._getRefreshTokenDefaultCookieNameForSecure(isSecure), null);
     });
   }
   private async _getTrustedParentDomain(currentDomain: string): Promise<string | null> {