High-Performance-Structures · NicholaiVogel · Feb 16, 2026 · Feb 16, 2026
diff --git a/src/app/demo/route.ts b/src/app/demo/route.ts
@@ -10,5 +10,8 @@ export async function GET() {
     path: "/",
     maxAge: 60 * 60 * 24, // 24 hours
   })
+  // clear stale org preference so demo doesn't inherit
+  // a real user's last-active workspace
+  cookieStore.delete("compass-active-org")
   redirect("/dashboard")
 }
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
@@ -53,15 +53,6 @@ export function toSidebarUser(user: AuthUser): SidebarUser {
 
 export async function getCurrentUser(): Promise<AuthUser | null> {
   try {
-    // check for demo session cookie first
-    try {
-      const cookieStore = await cookies()
-      const isDemoSession = cookieStore.get("compass-demo")?.value === "true"
-      if (isDemoSession) return DEMO_USER
-    } catch {
-      // cookies() may throw in non-request contexts
-    }
-
     // check if workos is configured
     const isWorkOSConfigured =
       process.env.WORKOS_API_KEY &&
@@ -115,15 +106,8 @@ export async function getCurrentUser(): Promise<AuthUser | null> {
       return null
     }
 
-    // real session exists -- clear stale demo cookie if present
-    try {
-      const cookieStore = await cookies()
-      if (cookieStore.get("compass-demo")) {
-        cookieStore.delete("compass-demo")
-      }
-    } catch {
-      // cookies() may throw in non-request contexts
-    }
+    // demo cookie cleanup handled by middleware (can't delete
+    // cookies from Server Components -- only actions/routes)
 
     const workosUser = session.user
 

diff --git a/src/middleware.ts b/src/middleware.ts
@@ -41,17 +41,28 @@ export default async function middleware(request: NextRequest) {
     return handleAuthkitHeaders(request, headers)
   }
 
-  // demo sessions bypass auth
-  const isDemoSession = request.cookies.get("compass-demo")?.value === "true"
-  if (isDemoSession) {
+  const hasDemoCookie =
+    request.cookies.get("compass-demo")?.value === "true"
+
+  // real session trumps demo cookie -- clear the stale cookie
+  if (session.user && hasDemoCookie) {
+    const response = handleAuthkitHeaders(request, headers)
+    response.cookies.delete("compass-demo")
+    return response
+  }
+
+  // demo sessions bypass auth (no real session present)
+  if (hasDemoCookie) {
     return handleAuthkitHeaders(request, headers)
   }
 
   // redirect unauthenticated users to our custom login page
   if (!session.user) {
     const loginUrl = new URL("/login", request.url)
     loginUrl.searchParams.set("from", pathname)
-    return handleAuthkitHeaders(request, headers, { redirect: loginUrl.toString() })
+    return handleAuthkitHeaders(request, headers, {
+      redirect: loginUrl.toString(),
+    })
   }
 
   // authenticated - continue with authkit headers