Stabilize auth session cookies per server mode

[juliusmarminge]

Summary

• Derive the session cookie name from server mode so desktop instances use a port-scoped cookie and web mode keeps the shared cookie name.
• Update auth policy and session credential handling to read the resolved cookie name from the active server config.
• Add logging for rejected authenticated session credentials to make auth failures easier to diagnose.
• Extend tests to cover the new desktop cookie naming behavior and the updated server response expectation.

Testing

• Not run (not requested).
• Existing and updated tests cover session cookie name resolution in auth policy and server seams.

---

Note

Medium Risk
Changes session cookie naming for desktop mode (now t3_session_<port>), which will invalidate existing desktop cookie sessions and could affect authentication flows if any consumers assume a fixed cookie name. Port selection logic now requires availability across multiple hosts, which may change which ports are chosen on some systems.

Overview
Desktop auth sessions are now port-scoped: resolveSessionCookieName returns t3_session for web mode but t3_session_<port> for desktop mode, and both ServerAuthPolicy and SessionCredentialService now derive the cookie name from ServerConfig.

Desktop backend/dev port selection is tightened to only accept a port if it can bind on all required hosts (e.g. loopback + wildcard/IPv6), with sequential host checks to avoid self-interference; tests are updated accordingly. The dev runner’s default server port base shifts from 3773 to 13773, and server/desktop tests are adjusted to match the new cookie/port expectations.

^{Reviewed by Cursor Bugbot for commit d8c3a5a. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Stabilize auth session cookies and port selection per server mode

• Session cookie name is now computed dynamically via resolveSessionCookieName in auth/utils.ts: t3_session for web mode and t3_session_<port> for desktop mode, preventing cookie collisions across desktop instances.
• Desktop and dev-runner port selection now requires the candidate port to be available on all relevant IPv4/IPv6 loopback and wildcard hosts, checked sequentially to avoid self-interference.
• The dev base server port changes from 3773 to 13773 in dev-runner.ts.
• Session verification failures now log a warning with the rejection reason before returning a 401.
• Behavioral Change: any code importing the fixed SESSION_COOKIE_NAME constant must now use resolveSessionCookieName; the default dev port shifts from 3773 to 13773.

^{Macroscope summarized d8c3a5a.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c87d5e3c-bf63-4eb6-9d3d-5c0b456c066a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch t3code/auth-session-stability

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR modifies authentication session cookie naming in the auth/ directory, making desktop mode cookies port-specific. Changes to authentication code paths are flagged for human review regardless of apparent simplicity, as they can affect session handling and user authentication state.

^{You can customize Macroscope's approvability policy. Learn more.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix prepared fixes for both issues found in the latest run.

• ✅ Fixed: Concurrent port probes on overlapping hosts cause self-interference
  • Replaced Promise.all concurrent host probes with a sequential for-of loop that short-circuits on the first unavailable host, preventing EADDRINUSE self-interference between overlapping addresses binding to the same port.
• ✅ Fixed: Test no longer exercises non-required port overflow edge case
  • Changed the test to use offset 51763 with requireServerPort=false and requireWebPort=true so that the server port (65536) exceeds MAX_PORT while the web port (57496) stays in range, correctly exercising the non-required port overflow edge case.

Or push these changes by commenting:

@cursor push ef7768e7e2

Preview (ef7768e7e2)

diff --git a/apps/desktop/src/backendPort.ts b/apps/desktop/src/backendPort.ts
--- a/apps/desktop/src/backendPort.ts
+++ b/apps/desktop/src/backendPort.ts
@@ -58,10 +58,14 @@
   // Keep desktop startup predictable across app restarts by probing upward from
   // the same preferred port instead of picking a fresh ephemeral port.
   for (let port = startPort; port <= maxPort; port += 1) {
-    const availability = await Promise.all(
-      hostsToCheck.map((candidateHost) => canListenOnHost(port, candidateHost)),
-    );
-    if (availability.every(Boolean)) {
+    let allAvailable = true;
+    for (const candidateHost of hostsToCheck) {
+      if (!(await canListenOnHost(port, candidateHost))) {
+        allAvailable = false;
+        break;
+      }
+    }
+    if (allAvailable) {
       return port;
     }
   }

diff --git a/scripts/dev-runner.test.ts b/scripts/dev-runner.test.ts
--- a/scripts/dev-runner.test.ts
+++ b/scripts/dev-runner.test.ts
@@ -246,13 +246,13 @@
     it.effect("allows offsets where only non-required ports exceed max", () =>
       Effect.gen(function* () {
         const offset = yield* findFirstAvailableOffset({
-          startOffset: 51_762,
-          requireServerPort: true,
-          requireWebPort: false,
+          startOffset: 51_763,
+          requireServerPort: false,
+          requireWebPort: true,
           checkPortAvailability: () => Effect.succeed(true),
         });
 
-        assert.equal(offset, 51_762);
+        assert.equal(offset, 51_763);
       }),
     );
   });

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 1213650. Configure here.}