From 6ebe13cdddb2330ed23f6333881f0d1ac0bfe6e6 Mon Sep 17 00:00:00 2001
From: Nathan Flurry
Date: Mon, 16 Mar 2026 22:37:54 -0700
Subject: [PATCH] fix(foundry): use cookie-based OAuth state to prevent proxy retry auth failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Switch storeStateStrategy from "database" to "cookie" so OAuth state is stored encrypted in a temporary cookie instead of a DB verification record. This makes the callback idempotent — proxy retries can't fail because the state travels with the request itself rather than being deleted after the first successful callback.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 foundry/packages/backend/src/services/better-auth.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/foundry/packages/backend/src/services/better-auth.ts b/foundry/packages/backend/src/services/better-auth.ts
index 0db6b23..8986ae7 100644
--- a/foundry/packages/backend/src/services/better-auth.ts
+++ b/foundry/packages/backend/src/services/better-auth.ts
@@ -527,6 +527,15 @@ export function initBetterAuthService(actorClient: any, options: { apiUrl: strin
 secret: requireEnv("BETTER_AUTH_SECRET"),
 database: adapter,
 trustedOrigins: [stripTrailingSlash(options.appUrl), stripTrailingSlash(options.apiUrl)],
+ account: {
+ // Store OAuth state in an encrypted cookie instead of a DB verification record.
+ // The production proxy chain (Cloudflare -> Fastly -> Railway) retries the OAuth
+ // callback when it takes >10s, causing a duplicate request. With the "database"
+ // strategy the first request deletes the verification record, so the retry fails
+ // with "verification not found" -> ?error=please_restart_the_process.
+ // Cookie strategy avoids this because the state lives in the request itself.
+ storeStateStrategy: "cookie",
+ },
 session: {
 cookieCache: {
 enabled: true,
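Review bot: The comment above `storeStateStrategy: "cookie"` explains the availability fix but not the security trade-off: with the "database" strategy the state record was single-use, while a cookie-held state stays acceptable for as long as the cookie lives unless the library clears it after the first callback, which is not visible in this hunk. Replay protection for the callback then rests on the cookie's expiry and on the provider rejecting a reused authorization code, so the retried request may still fail at the token exchange, and RFC 6749 lets a provider revoke tokens issued from a code that is presented twice. I would record that next to the setting, e.g. `// Trade-off: state is no longer single-use server-side; replay is bounded by the state cookie's lifetime and the provider's one-time authorization code.`, and confirm in staging that the duplicate callback ends with a valid session rather than a different error path. The body of initBetterAuthService starts and ends outside the hunk, so any cookie attributes or expiry set elsewhere could not be checked here.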