Conversation


@ameer2468 ameer2468 commented Aug 25, 2025

This is needed for auth to work in local dev.

It was previously modified due to the belief that it affected Safari.

Summary by CodeRabbit

  • Bug Fixes
    • Improved session security by enforcing secure authentication cookies, ensuring they are only sent over HTTPS. This enhances account protection and reduces exposure on unsecured networks, with no changes to the sign-in or sign-out experience.


coderabbitai bot commented Aug 25, 2025

Walkthrough

The sessionToken cookie’s secure flag in packages/database/auth/auth-options.tsx was changed from conditional (based on NODE_ENV) to always true. No other logic, exports, or control flow were modified.

Changes

Cohort / File(s): Auth cookie config, packages/database/auth/auth-options.tsx
Summary of Changes: Set sessionToken cookie option secure: true unconditionally; removed environment-based conditional. No other alterations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I hop through code where cookies dwell,
A tiny flag now set to gel.
Secure by night, secure by day,
No ENV debates to block the way.
With whiskers twitching, merged and true—
A safer crumb for me (and you). 🐇🍪

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/database/auth/auth-options.tsx (1)

97-101: Do not log OTP codes or email identifiers on the production path

When RESEND_API_KEY is present, we’re in the real email-sending branch, but the code logs both the user email and the 6‑digit token. This is sensitive (PII + one-time secret) and will be stored in logs. Remove these logs or replace with a sanitized message.

Proposed diff:

-            console.log({ identifier, token });
             const { OTPEmail } = await import("../emails/otp-email");
             const email = OTPEmail({ code: token, email: identifier });
-            console.log({ email });
             await sendEmail({
               email: identifier,
               subject: `Your Cap Verification Code`,
               react: email,
             });
+            console.info("Verification email dispatched via provider");
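Review bot: the new `console.info("Verification email dispatched via provider")` on the last `+` line only runs if `sendEmail` resolves, so once the two `console.log` calls are removed a failed send leaves no record at all on the production path. Consider wrapping `await sendEmail({...})` in a try/catch that logs a sanitized failure message (provider error name or status, never `identifier` or `token`) so the branch keeps a diagnostic trail without leaking PII or the one-time code.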
🧹 Nitpick comments (3)
packages/database/auth/auth-options.tsx (3)

115-116: Harden the session cookie with the __Host- prefix

Since you have path: "/", no domain attribute, and now secure: true, you can safely adopt the __Host- prefix for stronger isolation (prevents cookie injection from subdomains).

Applying this is optional but recommended. Note: this will invalidate existing sessions once deployed.

Proposed diff:

-        name: `next-auth.session-token`,
+        name: `__Host-next-auth.session-token`,
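Review bot: renaming to `__Host-next-auth.session-token` is only valid if the cookie options outside this hunk really carry Secure, Path=/ and no Domain attribute; a browser rejects a `__Host-` cookie that violates any of these without any server-side error, which surfaces as a sign-in loop rather than a visible failure. Since only the `name` line is in the hunk, confirm those three attributes on the options block before applying, and note the session invalidation in the PR description so operators expect the forced re-login.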

33-34: Turn off NextAuth debug in production

debug: true in production can leak sensitive details into logs. Gate it by environment.

Proposed diff:

-    debug: true,
+    debug: process.env.NODE_ENV !== "production",
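Review bot: `process.env.NODE_ENV !== "production"` turns debug on for every other value, including `test`, a staging deployment with a custom NODE_ENV, and an unset variable; the safer default is opt-in, e.g. `debug: process.env.NODE_ENV === "development"`, so that a misconfigured environment fails closed (no verbose auth logs) rather than open.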

169-188: Wrap organization setup in a DB transaction to avoid partial state

The multi-step sequence (create organization, add member, update user) can leave partial records if any step fails. Use a transaction to guarantee atomicity.

Example (Drizzle):

// Run the three writes in one transaction: if any insert/update throws,
// Drizzle rolls back the whole block and no partial organization is left behind.
await db().transaction(async (tx) => {
  const organizationId = nanoId();
  // 1. Create the organization owned by the new user.
  await tx.insert(organizations).values({
    id: organizationId,
    name: "My Organization",
    ownerId: user.id,
  });
  // 2. Add the user as the owner member of that organization.
  await tx.insert(organizationMembers).values({
    id: nanoId(),
    userId: user.id,
    organizationId,
    role: "owner",
  });
  // 3. Point the user at the new organization as their active one.
  await tx.update(users)
    .set({ activeOrganizationId: organizationId })
    .where(eq(users.id, user.id));
});
📥 Commits

Reviewing files that changed from the base of the PR and between 055951f and de52df5.

📒 Files selected for processing (1)
  • packages/database/auth/auth-options.tsx (1 hunks)
🔇 Additional comments (2)
packages/database/auth/auth-options.tsx (2)

117-121: Secure=true with SameSite=None is correct

Setting the session cookie to Secure when SameSite is "none" aligns with current browser requirements and prevents rejection in Safari/Chrome. This should reduce "Set-Cookie blocked because it had the 'SameSite=None' attribute but was not set with the 'Secure' attribute" issues.


114-121: Confirm local development runs over HTTPS, otherwise auth will silently fail

With secure: true, browsers won't set or send the cookie over plain HTTP (including http://localhost). If any teammate still uses HTTP locally, they'll see sign-in loops. Please verify your dev setup terminates TLS (e.g., HTTPS-enabled dev domain, local reverse proxy, or Next.js dev server with HTTPS) and update the README accordingly.

Quick manual check:

  • In DevTools → Application → Cookies, confirm next-auth.session-token is created without a "Blocked" reason.
  • Inspect the Network "Set-Cookie" response header; it should not be flagged as "Secure-only over HTTPS".

I can draft a short doc snippet for local HTTPS setup if helpful.
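The cookie rules this review leans on (SameSite=None needs Secure, Secure cookies are dropped over plain HTTP, `__Host-` needs Secure plus Path=/ and no Domain) can be checked mechanically against a raw Set-Cookie header. The following is an added example, not code from the Cap repository or from CodeRabbit; `parseSetCookie` and `cookieProblems` are hypothetical names, and the sample headers are constructed.

```typescript
// Added example, not code from the Cap repository or from CodeRabbit: a small
// Set-Cookie lint for the attribute rules raised in this review. All names here
// are hypothetical.

interface ParsedCookie {
  name: string;
  value: string;
  attrs: Map<string, string>; // lowercased attribute name -> value ("" for flags)
}

function parseSetCookie(header: string): ParsedCookie {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1).trim();
  const attrs = new Map<string, string>();
  for (const part of rest) {
    const [k, ...v] = part.trim().split("=");
    if (k) attrs.set(k.toLowerCase(), v.join("=").trim());
  }
  return { name, value, attrs };
}

// Reasons a browser would silently drop this cookie when it arrives over `scheme`.
// An empty array means the cookie is accepted. (Some browsers exempt http://localhost
// from the Secure rule; treat that finding as a warning when testing locally.)
function cookieProblems(header: string, scheme: "http" | "https"): string[] {
  const c = parseSetCookie(header);
  const problems: string[] = [];
  const secure = c.attrs.has("secure");
  const sameSite = (c.attrs.get("samesite") ?? "").toLowerCase();

  // SameSite=None is only honoured together with Secure.
  if (sameSite === "none" && !secure) problems.push("SameSite=None without Secure");
  // A Secure cookie set by a plain-http response is not stored.
  if (secure && scheme !== "https") problems.push(`Secure cookie set over ${scheme}`);
  // __Host- prefix: must be Secure, Path=/, and carry no Domain attribute.
  if (c.name.startsWith("__Host-")) {
    if (!secure) problems.push("__Host- without Secure");
    if (c.attrs.get("path") !== "/") problems.push("__Host- without Path=/");
    if (c.attrs.has("domain")) problems.push("__Host- with Domain attribute");
  }
  // __Secure- prefix: must be Secure.
  if (c.name.startsWith("__Secure-") && !secure) problems.push("__Secure- without Secure");
  return problems;
}
```

Feeding the header captured from the Network tab into `cookieProblems` gives the same verdict the DevTools "Blocked" reason would, which makes the manual check above scriptable in an integration test.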

@ameer2468 ameer2468 merged commit 92ff731 into main Aug 25, 2025
15 checks passed
@ameer2468 ameer2468 deleted the secure-true branch August 25, 2025 13:30