From ad55af04ccc4801221a4c94cd006884f4b52b31a Mon Sep 17 00:00:00 2001
From: Dale Stubblefield
Date: Sun, 8 Mar 2026 22:00:51 -0500
Subject: [PATCH] fix: disable secure cookies for HTTP deployments

Fixes login failing silently on authenticated + private deployments served over plain HTTP (e.g. Tailscale, LAN). Users can sign up and sign in, but the session cookie is rejected by the browser so they are immediately redirected back to the login page. Better Auth defaults to __Secure- prefixed cookies with the Secure flag when NODE_ENV=production. Browsers silently reject Secure cookies on non-HTTPS origins. This detects when PAPERCLIP_PUBLIC_URL uses http:// and sets useSecureCookies: false so session cookies work without HTTPS.
---
 server/src/auth/better-auth.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server/src/auth/better-auth.ts b/server/src/auth/better-auth.ts
index 786d3a4b..d338eeb8 100644
--- a/server/src/auth/better-auth.ts
+++ b/server/src/auth/better-auth.ts
@@ -70,6 +70,9 @@ export function createBetterAuthInstance(db: Db, config: Config, trustedOrigins?
   const secret = process.env.BETTER_AUTH_SECRET ?? process.env.PAPERCLIP_AGENT_JWT_SECRET ?? "paperclip-dev-secret";
   const effectiveTrustedOrigins = trustedOrigins ?? deriveAuthTrustedOrigins(config);
 
+  const publicUrl = process.env.PAPERCLIP_PUBLIC_URL ?? baseUrl;
+  const isHttpOnly = publicUrl ? publicUrl.startsWith("http://") : false;
+
   const authConfig = {
     baseURL: baseUrl,
     secret,
@@ -88,6 +91,7 @@ export function createBetterAuthInstance(db: Db, config: Config, trustedOrigins?
       requireEmailVerification: false,
       disableSignUp: config.authDisableSignUp,
     },
+    ...(isHttpOnly ? { advanced: { useSecureCookies: false } } : {}),
   };
 
   if (!baseUrl) {
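Review bot: The name `isHttpOnly` in the first hunk reads as the cookie `HttpOnly` attribute, which is a different property in code that is configuring session cookies; a name such as `isPlainHttp` says what the flag actually means. The scheme test is also case-sensitive and does not trim, so a value like `HTTP://host` keeps Secure cookies on and login fails the same way the commit is fixing; `const isPlainHttp = (publicUrl ?? "").trim().toLowerCase().startsWith("http://");` covers that without throwing on malformed input the way `new URL()` would. A why-comment above the check would help the next reader: `// Browsers drop Secure cookies on plain-http origins (LAN/Tailscale deployments), so relax only when the public URL is explicitly http://`. The body of createBetterAuthInstance continues outside this hunk.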
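Review bot: The spread in the second hunk adds a whole `advanced` object, so if the `authConfig` literal already declares an `advanced` key in the part outside this hunk, whichever of the two is written later silently replaces the other rather than merging; if that is the case, fold `useSecureCookies` into the existing `advanced` block instead. This change also weakens the session cookie purely from configuration — an `http://` PAPERCLIP_PUBLIC_URL set in front of a TLS-terminating proxy would disable the Secure flag on a site that is actually served over HTTPS — so the downgrade should be visible to operators, e.g. `if (isHttpOnly) console.warn("PAPERCLIP_PUBLIC_URL is http://; session cookies will be issued without the Secure flag");` placed next to the check, using the module's own logger if it has one. The enclosing function continues past this hunk.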