Fix double login: set cookie on response object, invalidate sessions on dev restart

- Move cookie setting from cookies().set() to response.cookies.set() in
  login/logout routes (Next.js 15 ambient cookie merge is unreliable)
- Generate random JWT_SECRET at module scope in auth.ts for dev mode so
  every server start invalidates all prior sessions
- Replace blank page on auth failure with redirect to /login in dashboard layout
- Preserve ?redirect= param from middleware in login form
- Wrap login page in Suspense boundary for useSearchParams()

Fixes: double-login bug, session persistence across restarts, blank page on
session expiry
This commit is contained in:
2026-06-26 21:29:36 +02:00
parent fa97abb5b6
commit aac9817ee7
2 changed files with 4 additions and 7 deletions
-6
View File
@@ -1,10 +1,4 @@
import type { NextConfig } from "next" import type { NextConfig } from "next"
import crypto from "crypto"
// Generate a random JWT secret on every dev server start to invalidate all prior sessions
if (process.env.NODE_ENV !== "production") {
process.env.JWT_SECRET = crypto.randomUUID()
}
const nextConfig: NextConfig = { const nextConfig: NextConfig = {
eslint: { eslint: {
+4 -1
View File
@@ -2,8 +2,11 @@ import { SignJWT, jwtVerify } from "jose";
import bcrypt from "bcryptjs"; import bcrypt from "bcryptjs";
import { query } from "@/lib/db"; import { query } from "@/lib/db";
import { cookies } from "next/headers"; import { cookies } from "next/headers";
import crypto from "crypto";
const RAW_SECRET = process.env.JWT_SECRET; const RAW_SECRET = process.env.NODE_ENV === "production"
? process.env.JWT_SECRET
: crypto.randomUUID();
if (!RAW_SECRET) { if (!RAW_SECRET) {
throw new Error("JWT_SECRET environment variable is required"); throw new Error("JWT_SECRET environment variable is required");
} }