From 4cb3adbce31b9cf2a8dc49292ffc774d8a397513 Mon Sep 17 00:00:00 2001
From: Chance Douglass
Date: Tue, 28 Apr 2026 09:53:14 -0600
Subject: [PATCH] chore(auth): instrument cookie boundary to debug magic link bounce
Adds temporary diagnostic logging at three points to pinpoint why the session set by /auth/callback is not visible to middleware on the next request to /dashboard:
- callback setAll: logs cookie names + lengths the SDK is writing
- callback return: logs cookies actually attached to the redirect response
- middleware: logs incoming sb-* cookies, getUser user id, and error
- set-session: logs setSession result + response cookies (hash-bridge path)
Each addition is marked `// TEMP DIAG` and will be reverted once the bug is identified. Also surfaces the getUser error in middleware (previously dropped).
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/web/src/app/api/auth/set-session/route.ts | 8 ++++++++
 apps/web/src/app/auth/callback/route.ts | 16 ++++++++++++++++
 apps/web/src/middleware.ts | 16 +++++++++++++++-
 3 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/apps/web/src/app/api/auth/set-session/route.ts b/apps/web/src/app/api/auth/set-session/route.ts
index e079bd7f..f625d349 100644
--- a/apps/web/src/app/api/auth/set-session/route.ts
+++ b/apps/web/src/app/api/auth/set-session/route.ts
@@ -69,6 +69,14 @@ export async function POST(request: NextRequest) {
 refresh_token: refreshToken,
 });

+ // TEMP DIAG: remove after magic-link bounce bug is resolved
+ console.log(
+ '[auth/set-session] setSession',
+ error ? `error: ${error.message}` : 'ok',
+ 'response cookies:',
+ response.cookies.getAll().map((c) => c.name),
+ );
+
 if (error) {
 console.error('[auth/set-session] setSession failed:', error.message);
 // Return a fresh NextResponse — not `response` — to avoid leaking any
diff --git a/apps/web/src/app/auth/callback/route.ts b/apps/web/src/app/auth/callback/route.ts
index 59842777..519911d2 100644
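Review bot: The diagnostic `console.log` added before `if (error)` in `set-session/route.ts` is unconditional, and the only thing scheduling its removal is the `// TEMP DIAG` comment; the same holds for the additions in `auth/callback/route.ts` and `middleware.ts`. In a route that handles the access and refresh tokens I would gate all of these behind one switch, for example `if (process.env.AUTH_DIAG === '1') console.log(...)` (`AUTH_DIAG` is a placeholder name), so a forgotten revert leaves nothing writing to production logs. Logging only cookie names here is the right scope, and extending the comment to `// TEMP DIAG: names only, never log c.value (session tokens)` would keep a later edit from widening it. On failure the error message is now printed twice, once here and once by the existing `console.error` directly below. POST's body starts and ends outside the hunk.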
--- a/apps/web/src/app/auth/callback/route.ts
+++ b/apps/web/src/app/auth/callback/route.ts
@@ -73,6 +73,15 @@ export async function GET(request: NextRequest) {
 setAll(
 cookiesToSet: { name: string; value: string; options: CookieOptions }[],
 ) {
+ // TEMP DIAG: remove after magic-link bounce bug is resolved
+ console.log(
+ '[auth/callback] setAll',
+ cookiesToSet.map((c) => ({
+ name: c.name,
+ len: c.value.length,
+ options: c.options,
+ })),
+ );
 cookiesToSet.forEach(({ name, value }) =>
 request.cookies.set(name, value),
 );
@@ -185,5 +194,12 @@ export async function GET(request: NextRequest) {
 }
 }

+ // TEMP DIAG: remove after magic-link bounce bug is resolved
+ console.log(
+ '[auth/callback] returning redirect',
+ redirectUrl.toString(),
+ 'cookies:',
+ response.cookies.getAll().map((c) => c.name),
+ );
 return response;
 }
diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 42a8663f..1a8ff501 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -29,7 +29,21 @@ export async function middleware(request: NextRequest) {
 );

 // Refresh session (do not remove this line)
- const { data: { user } } = await supabase.auth.getUser();
+ const { data: { user }, error } = await supabase.auth.getUser();
+
+ // TEMP DIAG: remove after magic-link bounce bug is resolved.
+ // Surfaces which sb-* cookies arrived and whether getUser rejected them.
+ const sbCookies = request.cookies
+ .getAll()
+ .filter((c) => c.name.startsWith('sb-'))
+ .map((c) => ({ name: c.name, len: c.value.length }));
+ console.log(
+ '[middleware]',
+ request.nextUrl.pathname,
+ 'sbCookies:', sbCookies,
+ 'user:', user?.id ?? null,
+ 'error:', error?.message ?? null,
+ );

 // Redirect unauthenticated users from protected routes to login
 const pathname = request.nextUrl.pathname;
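Review bot: In the second hunk of `auth/callback/route.ts`, `redirectUrl.toString()` writes the whole redirect target to the log, query string included. How `redirectUrl` is built is outside the hunk, so if it can carry parameters copied from the callback request (a return path, an error description), those land in log storage as well. Assuming it is a `URL` object, logging `redirectUrl.pathname` instead would still show where the user is being sent. GET's body starts and ends outside the hunk.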
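Review bot: The `error` now destructured from `getUser()` in `middleware.ts` is consumed only inside the TEMP DIAG block, so reverting the block as planned drops it again even though the description lists surfacing it as a separate change. I would keep one permanent line outside the block that fires only when session cookies were presented and rejected, e.g. `if (error && request.cookies.getAll().some((c) => c.name.startsWith('sb-'))) console.warn('[middleware] getUser rejected session cookies:', error.message);`. As written the block logs on every request the middleware matches, including the user id, and `getUser()` presumably returns an error for every anonymous visitor, so the `error:` field will be noisy. The function continues outside the hunk.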