
fix(auth): demo cookie cleanup in middleware #93

Merged
NicholaiVogel merged 1 commit into main from fix/demo-cookie-middleware
Feb 16, 2026

@NicholaiVogel
Contributor

Summary

  • Move demo cookie deletion from getCurrentUser() (Server Component, where cookies().delete() silently fails) to middleware where response cookies actually work
  • Real WorkOS sessions now actively delete stale demo cookies via Set-Cookie on the response
  • Fix auth priority: WorkOS session checked before demo cookie fallback in getCurrentUser()
  • /demo route clears compass-active-org so demo mode doesn't inherit a real user's workspace

Context

The demo cookie deletion in getCurrentUser() was a no-op from Server Component context -- cookies().delete() only works in Server Actions and Route Handlers. The cookie persisted for its full 24h lifetime, and middleware short-circuited auth checks even when a real WorkOS session existed.

Test plan

  • Log in with real credentials, switch orgs, navigate -- stays in selected org
  • Visit /demo -- lands in demo org (Meridian Group), not previous real org
  • Log in again after demo -- demo cookie cleared by middleware, lands in real workspace
  • Verify compass-demo cookie absent after real login via browser devtools

The demo cookie deletion in getCurrentUser() was a no-op from
Server Component context (cookies().delete() only works in
Server Actions and Route Handlers). The cookie persisted for
its full 24h lifetime, causing middleware to short-circuit auth
checks even when a real WorkOS session existed.

- Middleware: real session now takes priority over demo cookie,
  stale cookie actively deleted via Set-Cookie on response
- auth.ts: remove early demo-first check and dead deletion code,
  WorkOS session checked before demo fallback
- /demo route: clear compass-active-org so demo doesn't inherit
  a real user's workspace selection
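
The ordering this PR describes (real session first, stale demo cookie expired via Set-Cookie, /demo clearing compass-active-org), as an added example that is not the project's code: a framework-free model of the decision before and after the change. The session cookie name, the Path=/ attribute and the isValidSession callback are assumptions standing in for the WorkOS session check.

```javascript
// Added example: framework-free model of the cookie handling this PR describes.
// compass-demo and compass-active-org are from the PR; SESSION_COOKIE, Path=/
// and isValidSession() are assumptions standing in for the WorkOS session check.
const DEMO_COOKIE = "compass-demo";
const ACTIVE_ORG_COOKIE = "compass-active-org";
const SESSION_COOKIE = "session"; // hypothetical name

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Set-Cookie value that makes the browser drop a cookie. Path must match
// the Path the cookie was set with, or the browser keeps the original.
const expire = (name) => `${name}=; Path=/; Max-Age=0`;

// Old ordering: the demo cookie short-circuits before any session check.
function decideBefore(cookieHeader, isValidSession) {
  const jar = parseCookies(cookieHeader);
  if (jar.has(DEMO_COOKIE)) return { mode: "demo", setCookie: [] };
  const session = jar.get(SESSION_COOKIE);
  const real = session !== undefined && isValidSession(session);
  return { mode: real ? "real" : "anonymous", setCookie: [] };
}

// New ordering: a valid real session wins and the stale demo cookie is
// expired on the response; /demo drops the real workspace selection.
function decideAfter(path, cookieHeader, isValidSession) {
  const jar = parseCookies(cookieHeader);
  if (path === "/demo") {
    return { mode: "demo", setCookie: [expire(ACTIVE_ORG_COOKIE)] };
  }
  const session = jar.get(SESSION_COOKIE);
  if (session !== undefined && isValidSession(session)) {
    const setCookie = jar.has(DEMO_COOKIE) ? [expire(DEMO_COOKIE)] : [];
    return { mode: "real", setCookie };
  }
  return { mode: jar.has(DEMO_COOKIE) ? "demo" : "anonymous", setCookie: [] };
}

// Constructed request: real session plus a leftover demo cookie.
const stale = "session=abc; compass-demo=true; compass-active-org=org_1";
console.log(decideBefore(stale, (s) => s === "abc").mode, decideAfter("/", stale, (s) => s === "abc"));
```
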
@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Feb 16, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! | compass | 05f6cc1 | Feb 16 2026, 05:46 AM

@NicholaiVogel NicholaiVogel merged commit b1f6780 into main Feb 16, 2026
6 of 10 checks passed
@NicholaiVogel NicholaiVogel deleted the fix/demo-cookie-middleware branch February 16, 2026 05:45