fix: set auth cookie server-side for reliable SSR auth

src/app/api/auth/login/route.ts

@@ -1,3 +1,4 @@
+import { cookies } from "next/headers";
 import { NextRequest, NextResponse } from "next/server";
 import { createToken } from "@/lib/auth";
 
@@ -13,6 +14,17 @@ export async function POST(req: NextRequest) {
       name: username,
       provider: "local",
     });
+
+    // Set cookie server-side (reliable, httpOnly)
+    const jar = await cookies();
+    jar.set("tb_token", token, {
+      httpOnly: true,
+      secure: true,
+      sameSite: "lax",
+      maxAge: 7 * 24 * 3600,
+      path: "/",
+    });
+
     return NextResponse.json({ token, user: { name: username, provider: "local" } });
   }
 

src/app/login/page.tsx

@@ -22,12 +22,10 @@ export default function LoginPage() {
       });
       const data = await res.json();
       if (res.ok && data.token) {
-        // Store token
+        // Token stored in localStorage for API calls
         localStorage.setItem("tb_token", data.token);
-        // Also set cookie for SSR middleware
+        // Cookie set server-side via Set-Cookie header
-        document.cookie = `tb_token=${data.token}; path=/; max-age=${7 * 24 * 3600}; samesite=lax`;
+        window.location.href = "/";
-        router.push("/");
-        router.refresh();
       } else {
         setError(data.error || "Ошибка авторизации");
       }