From 747ad8d7a8947425001253da4348ac29b83fc938 Mon Sep 17 00:00:00 2001
From: Markov
Date: Sun, 15 Feb 2026 19:23:40 +0100
Subject: [PATCH] fix: set auth cookie server-side for reliable SSR auth

---
 src/app/api/auth/login/route.ts | 12 ++++++++++++
 src/app/login/page.tsx | 8 +++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
index 2785c46..2d90bd2 100644
--- a/src/app/api/auth/login/route.ts
+++ b/src/app/api/auth/login/route.ts
@@ -1,3 +1,4 @@
+import { cookies } from "next/headers";
 import { NextRequest, NextResponse } from "next/server";
 import { createToken } from "@/lib/auth";
 
@@ -13,6 +14,17 @@ export async function POST(req: NextRequest) {
 name: username,
 provider: "local",
 });
+
+ // Set cookie server-side (reliable, httpOnly)
+ const jar = await cookies();
+ jar.set("tb_token", token, {
+ httpOnly: true,
+ secure: true,
+ sameSite: "lax",
+ maxAge: 7 * 24 * 3600,
+ path: "/",
+ });
+
 return NextResponse.json({ token, user: { name: username, provider: "local" } });
 }
 
diff --git a/src/app/login/page.tsx b/src/app/login/page.tsx
index 4265a4c..6690a1c 100644
--- a/src/app/login/page.tsx
+++ b/src/app/login/page.tsx
@@ -22,12 +22,10 @@ export default function LoginPage() {
 });
 const data = await res.json();
 if (res.ok && data.token) {
- // Store token
+ // Token stored in localStorage for API calls
 localStorage.setItem("tb_token", data.token);
- // Also set cookie for SSR middleware
- document.cookie = `tb_token=${data.token}; path=/; max-age=${7 * 24 * 3600}; samesite=lax`;
- router.push("/");
- router.refresh();
+ // Cookie set server-side via Set-Cookie header
+ window.location.href = "/";
 } else {
 setError(data.error || "Ошибка авторизации");
 }
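Review bot: The `httpOnly` flag on the new `tb_token` cookie gives little protection while the same token is still returned in the JSON body on the `return NextResponse.json({ token, ... })` line and then written to `localStorage` in `src/app/login/page.tsx`; any script running on the page can read it from there. If the API routes can authenticate from the cookie (not visible in this patch), return only the user, `return NextResponse.json({ user: { name: username, provider: "local" } });`, and in the login page drop `localStorage.setItem("tb_token", data.token)` and test `res.ok` alone. It is also worth confirming that `maxAge: 7 * 24 * 3600` matches the expiry `createToken` puts in the token, since that function is outside the hunk. The body of `POST` starts above the hunk.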
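Review bot: With the `document.cookie` write removed and the cookie now HttpOnly, browser script can no longer clear or overwrite `tb_token`, so a logout that only removes the `localStorage` entry would leave the SSR session valid for up to seven days. Logout is not part of this patch; if it is client-side today, it needs a server route that expires the cookie with the same `path: "/"`. The comment `// Token stored in localStorage for API calls` would be more useful if it recorded the trade-off, e.g. `// NOTE: this localStorage copy is script-readable; the httpOnly cookie is set by the login route`. The handler inside `LoginPage` starts and ends outside the hunk.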