chore(auth): instrument cookie boundary to debug magic link bounce#174

Merged: chanced58 merged 1 commit into main from admin-ts on Apr 28, 2026

chanced58 (Owner) commented Apr 28, 2026

Summary

  • Adds three temporary // TEMP DIAG log statements at the auth-cookie boundary to pinpoint why the session set by /auth/callback is not visible to middleware on the next request to /dashboard (users were getting bounced back to /login?redirectTo=%2Fdashboard).
  • Also surfaces the getUser error in middleware (previously dropped, masking real failures).
  • Investigation already turned up a separate, immediate root cause: the magic-link redirect URL has a doubled /auth/callback/auth/callback path because Render's NEXT_PUBLIC_APP_URL env var is currently set to https://www.diamondos.app/auth/callback instead of the bare origin. That is a config fix, not a code fix — the env var must be changed on Render and Supabase Site URL / redirect-URL allowlist must be aligned (see plan file). Once that's done, redeploying this branch keeps the diagnostic logs in place as a tripwire in case anything else is still off, and a follow-up PR will revert them.

Test plan

  • Update Render env var: NEXT_PUBLIC_APP_URL=https://www.diamondos.app (origin only, no path)
  • Update Supabase Site URL to https://www.diamondos.app and ensure redirect-URL allowlist contains https://www.diamondos.app/auth/callback and https://www.diamondos.app/auth/callback/hash
  • Redeploy this branch on Render
  • Request a fresh magic link in a clean private window at https://www.diamondos.app/login
  • Hover the link in the email — confirm it points to https://www.diamondos.app/auth/callback?token_hash=… (single /auth/callback, no doubling)
  • Click — land on /dashboard, no /login?redirectTo=… bounce
  • Render logs show [auth/callback] setAll, [auth/callback] returning redirect cookies: [...sb-* cookie names...], and [middleware] /dashboard sbCookies: [...] user: <uuid> error: null — confirming end-to-end cookie flow

Follow-up

  • Once the bounce is resolved end-to-end, open a follow-up PR to revert the three // TEMP DIAG log additions in apps/web/src/app/auth/callback/route.ts, apps/web/src/middleware.ts, and apps/web/src/app/api/auth/set-session/route.ts. (Keep the error destructure in middleware permanently — small win.)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added temporary diagnostic logging to authentication endpoints and middleware to assist with debugging session and auth flow issues.
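
The misconfiguration described in this PR (an app-URL variable that carries a path, so the callback path is appended twice) can be caught by a startup check. The following is an added example, not code from this repository: the function names, the string-concatenation redirect builder and the exact-match allowlist comparison are assumptions, and the sample values are the ones quoted above.

```javascript
// Added example: verify an app-URL env var is a bare origin before using it.
// Names here are hypothetical; values are the ones quoted in the PR text.

const CALLBACK_PATHS = ['/auth/callback', '/auth/callback/hash'];

// Returns a list of problems; an empty list means the value is a bare origin.
function checkAppUrl(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return [`not an absolute URL: ${JSON.stringify(value)}`];
  }
  const problems = [];
  if (url.protocol !== 'https:') problems.push(`scheme is ${url.protocol}, expected https:`);
  if (url.pathname !== '/') problems.push(`has a path (${url.pathname}); use ${url.origin}`);
  if (url.search || url.hash) problems.push('has a query string or fragment');
  if (url.username || url.password) problems.push('has embedded credentials');
  return problems;
}

// Assumed redirect builder: plain concatenation of base URL and callback path.
function buildRedirect(appUrl, path) {
  return appUrl.replace(/\/+$/, '') + path;
}

// Callback URLs the app would emit that are absent from the allowlist.
// Assumption: exact string match only; wildcard entries are not handled.
function missingFromAllowlist(appUrl, allowlist) {
  const allowed = new Set(allowlist);
  return CALLBACK_PATHS.map((p) => buildRedirect(appUrl, p)).filter((u) => !allowed.has(u));
}

// The two allowlist entries named in the test plan.
const ALLOWLIST = [
  'https://www.diamondos.app/auth/callback',
  'https://www.diamondos.app/auth/callback/hash',
];
```

Running `checkAppUrl(process.env.NEXT_PUBLIC_APP_URL)` at boot and refusing to start on a non-empty result turns the silent login bounce into an explicit configuration error.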

Adds temporary diagnostic logging at three points to pinpoint why the
session set by /auth/callback is not visible to middleware on the next
request to /dashboard:

- callback setAll: logs cookie names + lengths the SDK is writing
- callback return: logs cookies actually attached to the redirect response
- middleware: logs incoming sb-* cookies, getUser user id, and error
- set-session: logs setSession result + response cookies (hash-bridge path)

Each addition is marked `// TEMP DIAG` and will be reverted once the
bug is identified. Also surfaces the getUser error in middleware
(previously dropped).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
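
A sketch of the middleware log line described in the commit message above, written so that only cookie names and value lengths reach the logs, never the session token itself. This is an added example, not the code merged in this PR: the function names, the `diagnose` labels and the sample cookie header are constructed for illustration.

```javascript
// Added example: summarise sb-* cookies for a log line without their values.

// Parse a Cookie request header into [{ name, value }].
function parseCookieHeader(header) {
  return (header || '')
    .split(';')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Keep only sb-* cookies and reduce each one to "name(length)".
function summarizeSbCookies(cookies) {
  return cookies
    .filter((c) => c.name.startsWith('sb-'))
    .map((c) => `${c.name}(${c.value.length})`);
}

// Build the log line: user id and error message only, no token material.
function middlewareLogLine(pathname, cookieHeader, user, error) {
  const sb = summarizeSbCookies(parseCookieHeader(cookieHeader));
  return `[middleware] ${pathname} sbCookies: [${sb.join(', ')}] ` +
    `user: ${user ? user.id : null} error: ${error ? error.message : null}`;
}

// Separate the two failure cases the instrumentation is meant to tell apart.
function diagnose(cookieHeader, user) {
  if (user) return 'session-visible';
  const sb = summarizeSbCookies(parseCookieHeader(cookieHeader));
  return sb.length === 0 ? 'cookie-never-arrived' : 'cookie-arrived-but-rejected';
}

// Constructed sample: two session-cookie chunks plus an unrelated cookie.
const SAMPLE_COOKIE_HEADER =
  'theme=dark; sb-exampleref-auth-token.0=base64-AAAAAAAA; sb-exampleref-auth-token.1=BBBB';
```

An empty `sbCookies` list points at the cookie boundary (domain, path or redirect host mismatch), while a populated list with a `getUser` error points at the session contents.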

coderabbitai (bot) commented Apr 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a2307f21-11a1-491b-8096-8a79091f093a

📥 Commits

Reviewing files that changed from the base of the PR and between 2e17b87 and 4cb3adb.

📒 Files selected for processing (3)
  • apps/web/src/app/api/auth/set-session/route.ts
  • apps/web/src/app/auth/callback/route.ts
  • apps/web/src/middleware.ts

Walkthrough

The PR adds temporary diagnostic logging to three authentication-related files in the Next.js application's auth flow. Logging statements capture setSession results, cookies being set and received, request paths, and user authentication state without modifying any functional logic.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Auth Diagnostic Logging: apps/web/src/app/api/auth/set-session/route.ts, apps/web/src/app/auth/callback/route.ts, apps/web/src/middleware.ts | Adds temporary console logging throughout the authentication flow to capture setSession error states, cookie names and metadata, redirect targets, and user authentication details for debugging purposes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, hop through cookies we trace!
Logs now light up the auth space,
Debug messages from path to middleware flow,
No new features—just visibility to glow! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly describes the main intent of the PR: adding temporary diagnostic instrumentation at the auth-cookie boundary to debug a magic link bounce issue. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

chanced58 merged commit ddadc82 into main on Apr 28, 2026
1 check passed