fix(auth): use BASE_URL for redirects and handle __Secure- cookie prefix

[peppescg]

Summary

Kapture.2026-03-11.at.15.49.48.mp4

• route.ts: replace request.url with BASE_URL (BETTER_AUTH_URL) as the base for all
  redirects in the Route Handler. In production with output: standalone and HOSTNAME=0.0.0.0,
  request.url was built from the internal bind address (0.0.0.0:3000) instead of the external
  URL, producing unreachable redirects.

• utils.ts: isTokenNearExpiry() never found the cookie in production HTTPS because Better
  Auth prefixes cookies with __Secure- on secure connections. The function was matching against
  better-auth.account_data while the actual cookie was named
  __Secure-better-auth.account_data, so it always returned true → infinite redirect loop.

  The second bug was masked by the first: before the routing fix, the redirect to 0.0.0.0:3000
  failed immediately with a connection error. Once redirects pointed to the correct origin, the
  loop became visible as ERR_TOO_MANY_REDIRECTS.

[Copilot]

Pull request overview

This PR fixes production auth redirect behavior by ensuring redirects are built from the externally reachable BASE_URL (aka BETTER_AUTH_URL) and by correctly detecting Better Auth cookies that are __Secure- prefixed under HTTPS, preventing infinite refresh redirect loops.

Changes:

• Update isTokenNearExpiry() to normalize cookie names by stripping the __Secure- prefix when locating/chunking better-auth.account_data.
• Update the token refresh route handler to resolve and validate redirect targets against BASE_URL rather than request.url.
• Add/extend unit tests covering __Secure- cookies and redirect/base-url behavior in the token refresh route.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
src/lib/auth/utils.ts	Normalizes cookie names to support __Secure- prefixed Better Auth cookies and chunked cookie reads.
src/lib/auth/tests/utils.test.ts	Adds tests ensuring __Secure- cookies (including chunked) are read/concatenated correctly.
src/app/api/auth/token-refresh/route.ts	Builds redirect validation and redirect responses from BASE_URL to avoid internal bind-address redirects.
src/app/api/auth/token-refresh/route.test.ts	Adds route handler unit tests for BASE_URL-based redirects, open-redirect protection, and Set-Cookie forwarding.

[peppescg]

@claude succinct review

[claude]

Claude finished @peppescg's task in 54s —— View job

---

Code Review

Overall: Solid fix for two real production bugs. Code is clean, well-documented, and well-tested. A couple of minor issues worth addressing.

---

route.ts — Module-level URL parse (high priority)

// line 6
const BASE_ORIGIN = new URL(BASE_URL).origin;

If BETTER_AUTH_URL is unset or malformed in a deployment, this throws at module evaluation time, crashing the entire route before any request is handled. Copilot flagged this too. Consider moving it inside the handler with a clear error response, or pre-validate BASE_URL in constants.ts.

Fix this →

---

route.test.ts — Stale comment (low priority)

The comment describing BASE_URL defaulting to http://localhost:3000 because no BETTER_AUTH_URL is set is inaccurate — vitest.config.mts sets BETTER_AUTH_URL explicitly. Already flagged by Copilot with a suggested fix.

---

utils.ts — Cookie normalization ✅

The __Secure- stripping + chunked cookie re-assembly logic is correct. The numeric suffix sort (/\.(\d+)$/) works correctly on raw names (the __Secure- prefix doesn't interfere since the regex anchors at the end). The fallback to "0" on non-numeric suffixes is safe.

---

Open redirect protection ✅

The // prefix guard + origin comparison via new URL(..., BASE_URL).origin === BASE_ORIGIN is solid. javascript: URIs are correctly rejected because their .origin evaluates to "null".

---

Summary: The two bugs are correctly diagnosed and fixed. Only the module-level new URL() is a real risk worth addressing before merge.

[samuv]

I don't have much context, but looks good