From c8460038e865413a049c961e9f9b99c7e8097dec Mon Sep 17 00:00:00 2001
From: latenighthackathon
Date: Thu, 2 Apr 2026 23:39:25 -0500
Subject: [PATCH 1/2] fix[faustwp-core]: (#2313) add security flags to removeCookie()

removeCookie() expires the refresh token cookie with only the expires attribute, missing the path, sameSite, secure, and httpOnly flags that setCookie() uses when setting it. Without a matching path: '/', the browser may not delete the correct cookie on logout. Add the same security attributes used in setRefreshToken() so the browser correctly identifies and expires the target cookie.

Closes #2313
---
 packages/faustwp-core/src/server/auth/cookie.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/faustwp-core/src/server/auth/cookie.ts b/packages/faustwp-core/src/server/auth/cookie.ts
index 9047f2282..f1feeb533 100644
--- a/packages/faustwp-core/src/server/auth/cookie.ts
+++ b/packages/faustwp-core/src/server/auth/cookie.ts
@@ -70,6 +70,10 @@ export class Cookies {
 this.response?.setHeader(
 'Set-Cookie',
 cookie.serialize(key, '', {
+ path: '/',
+ sameSite: 'strict',
+ secure: true,
+ httpOnly: true,
 expires: new Date(0),
 }),
 );

From 8c2f67b78f864a3641ba3aaa2adacc5f3b68aa69 Mon Sep 17 00:00:00 2001
From: latenighthackathon
Date: Thu, 2 Apr 2026 23:45:15 -0500
Subject: [PATCH 2/2] chore: add changeset for cookie removal fix

---
 .changeset/cookie-removal-flags.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/cookie-removal-flags.md

diff --git a/.changeset/cookie-removal-flags.md b/.changeset/cookie-removal-flags.md
new file mode 100644
index 000000000..fc888eeab
--- /dev/null
+++ b/.changeset/cookie-removal-flags.md
@@ -0,0 +1,5 @@
+---
+"@faustwp/core": patch
+---
+
+fix[faustwp-core]: add path, sameSite, secure, and httpOnly flags to removeCookie() to match setCookie() attributes
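Review bot: The four attributes added inside `cookie.serialize(key, '', {...})` duplicate the set the commit message says `setCookie()`/`setRefreshToken()` use, so the two call sites can silently drift apart again — the exact failure this commit fixes. Consider defining the shared set once, e.g. `const REFRESH_TOKEN_COOKIE_OPTIONS = { path: '/', sameSite: 'strict', secure: true, httpOnly: true } as const;`, and spreading it here as `cookie.serialize(key, '', { ...REFRESH_TOKEN_COOKIE_OPTIONS, expires: new Date(0) })`. A why-comment would help too, since only name, domain and path identify the cookie being overwritten, while `secure: true` still matters because Chromium rejects a non-Secure Set-Cookie that would overwrite a Secure cookie: `// Attributes must match those used when the cookie was set, or the browser ignores the expiry.` If `setCookie()` also sets a `domain` attribute the deletion will still not match without it, and if `removeCookie` is used for cookies other than the refresh token the hard-coded `path: '/'` may be wrong for them — I cannot see either from this hunk, whose enclosing method signature lies outside it.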