From 7b53d20c8122ca5716f8cfbc8184d9f53a2981eb Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Thu, 5 Feb 2026 00:36:56 +0000
Subject: [PATCH] Fix PKCE code verifier authentication error
Add explicit cookie configuration for PKCE code verifier to resolve 'InvalidCheck: pkceCodeVerifier value could not be parsed' error. This fixes an issue where OAuth authentication would fail on first attempt due to NextAuth v5 not having explicit cookie settings for PKCE flow. The explicit configuration ensures cookies are properly stored and retrieved during the OAuth callback, preventing authentication failures.
- Add pkceCodeVerifier cookie configuration with proper security settings
- Use dynamic secure flag based on AUTH_URL protocol (HTTP vs HTTPS)
- Set appropriate cookie options (httpOnly, sameSite, path, maxAge)
- Handle undefined AUTH_URL during build time with optional chaining
Co-authored-by: Brendan Kellam
---
 packages/web/src/auth.ts | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/packages/web/src/auth.ts b/packages/web/src/auth.ts
index b1f9c720b..4a50d16ed 100644
--- a/packages/web/src/auth.ts
+++ b/packages/web/src/auth.ts
@@ -158,6 +158,18 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
 strategy: "jwt",
 },
 trustHost: true,
+ cookies: {
+ pkceCodeVerifier: {
+ name: "next-auth.pkce.code_verifier",
+ options: {
+ httpOnly: true,
+ sameSite: "lax",
+ path: "/",
+ secure: env.AUTH_URL?.startsWith("https://") ?? false,
+ maxAge: 60 * 15, // 15 minutes
+ },
+ },
+ },
 events: {
 createUser: onCreateUser,
 signIn: async ({ user, account }) => {
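Review bot: The `secure` flag on the new `pkceCodeVerifier` cookie falls back to `false` whenever `env.AUTH_URL` is unset, and with `trustHost: true` on the line just above, a deployment can presumably be served over HTTPS without that variable, in which case the verifier cookie is issued without `Secure`. Consider failing closed when the URL is unknown, for example `secure: env.AUTH_URL ? env.AUTH_URL.startsWith("https://") : process.env.NODE_ENV === "production",`, with a comment explaining why the flag is derived from the URL rather than left to the library. The fixed name `"next-auth.pkce.code_verifier"` also drops the `__Secure-` prefix that Auth.js puts on its default cookie names when secure cookies are in use; `name: (isHttps ? "__Secure-" : "") + "next-auth.pkce.code_verifier",` (with `isHttps` being the same HTTPS check) would keep the browser-enforced guarantee that the cookie cannot be set from a non-HTTPS origin. The enclosing `NextAuth({ ... })` call starts and ends outside the hunk, so whether `useSecureCookies` or other cookie overrides are set elsewhere is not visible here.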