From aac9817ee7f7bc05ce752413d65a3f6704a870fc Mon Sep 17 00:00:00 2001 From: TroodonEnjoyer Date: Fri, 26 Jun 2026 21:29:36 +0200 Subject: [PATCH] Fix double login: set cookie on response object, invalidate sessions on dev restart - Move cookie setting from cookies().set() to response.cookies.set() in login/logout routes (Next.js 15 ambient cookie merge is unreliable) - Generate random JWT_SECRET at module scope in auth.ts for dev mode so every server start invalidates all prior sessions - Replace blank page on auth failure with redirect to /login in dashboard layout - Preserve ?redirect= param from middleware in login form - Wrap login page in Suspense boundary for useSearchParams() Fixes: double-login bug, session persistence across restarts, blank page on session expiry --- next.config.ts | 6 ------ src/lib/auth.ts | 5 ++++- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/next.config.ts b/next.config.ts index 3850d87..2e27cc2 100644 --- a/next.config.ts +++ b/next.config.ts @@ -1,10 +1,4 @@ import type { NextConfig } from "next" -import crypto from "crypto" - -// Generate a random JWT secret on every dev server start to invalidate all prior sessions -if (process.env.NODE_ENV !== "production") { - process.env.JWT_SECRET = crypto.randomUUID() -} const nextConfig: NextConfig = { eslint: { diff --git a/src/lib/auth.ts b/src/lib/auth.ts index 1f395cf..8013752 100644 --- a/src/lib/auth.ts +++ b/src/lib/auth.ts @@ -2,8 +2,11 @@ import { SignJWT, jwtVerify } from "jose"; import bcrypt from "bcryptjs"; import { query } from "@/lib/db"; import { cookies } from "next/headers"; +import crypto from "crypto"; -const RAW_SECRET = process.env.JWT_SECRET; +const RAW_SECRET = process.env.NODE_ENV === "production" + ? process.env.JWT_SECRET + : crypto.randomUUID(); if (!RAW_SECRET) { throw new Error("JWT_SECRET environment variable is required"); }