Skip to content

Commit 6ebe13c

Browse files
NathanFlurryclaude
andcommitted
fix(foundry): use cookie-based OAuth state to prevent proxy retry auth failures
Switch storeStateStrategy from "database" to "cookie" so OAuth state is stored encrypted in a temporary cookie instead of a DB verification record. This makes the callback idempotent — proxy retries can't fail because the state travels with the request itself rather than being deleted after the first successful callback. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 8ddec68 commit 6ebe13c

1 file changed

Lines changed: 9 additions & 0 deletions

File tree

foundry/packages/backend/src/services/better-auth.ts

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -527,6 +527,15 @@ export function initBetterAuthService(actorClient: any, options: { apiUrl: strin
527527
secret: requireEnv("BETTER_AUTH_SECRET"),
528528
database: adapter,
529529
trustedOrigins: [stripTrailingSlash(options.appUrl), stripTrailingSlash(options.apiUrl)],
530+
account: {
531+
// Store OAuth state in an encrypted cookie instead of a DB verification record.
532+
// The production proxy chain (Cloudflare -> Fastly -> Railway) retries the OAuth
533+
// callback when it takes >10s, causing a duplicate request. With the "database"
534+
// strategy the first request deletes the verification record, so the retry fails
535+
// with "verification not found" -> ?error=please_restart_the_process.
536+
// Cookie strategy avoids this because the state lives in the request itself.
537+
storeStateStrategy: "cookie",
538+
},
530539
session: {
531540
cookieCache: {
532541
enabled: true,

0 commit comments

Comments
 (0)