fix: strip session token from bootstrap response body and add conditional secure cookie flag

- Remove sessionToken from the JSON response body of /api/auth/bootstrap
  to prevent XSS-based session theft. The token is still set as an
  httpOnly cookie, which is the intended transport for browser sessions.
- Add secure flag to the session cookie when auth policy is
  'remote-reachable', preventing cookie transmission over plaintext HTTP
  in non-loopback environments.
- Update server tests to extract session tokens from Set-Cookie headers
  instead of the response body.
- Update web client to no longer expect sessionToken in bootstrap response.

Author: cursoragent

apps/server/src/auth/http.ts

@@ -40,12 +40,14 @@ export const authBootstrapRouteLayer = HttpRouter.add(
     );
     const result = yield* serverAuth.exchangeBootstrapCredential(payload.credential);
 
-    return yield* HttpServerResponse.jsonUnsafe(result, { status: 200 }).pipe(
+    const { sessionToken: _token, ...responseBody } = result;
+    return yield* HttpServerResponse.jsonUnsafe(responseBody, { status: 200 }).pipe(
       HttpServerResponse.setCookie(descriptor.sessionCookieName, result.sessionToken, {
         expires: DateTime.toDate(result.expiresAt),
         httpOnly: true,
         path: "/",
         sameSite: "lax",
+        secure: descriptor.policy === "remote-reachable",
       }),
     );
   }).pipe(Effect.catchTag("AuthError", (error) => Effect.succeed(toUnauthorizedResponse(error)))),

apps/server/src/server.test.ts

@@ -492,6 +492,12 @@ const getHttpServerUrl = (pathname = "") =>
     return `http://127.0.0.1:${address.port}${pathname}`;
   });
 
+function parseSessionTokenFromSetCookie(setCookie: string | null): string | null {
+  if (!setCookie) return null;
+  const match = /t3_session=([^;]+)/.exec(setCookie);
+  return match?.[1] ?? null;
+}
+
 const bootstrapBrowserSession = (credential = defaultDesktopBootstrapToken) =>
   Effect.gen(function* () {
     const bootstrapUrl = yield* getHttpServerUrl("/api/auth/bootstrap");
@@ -509,13 +515,15 @@ const bootstrapBrowserSession = (credential = defaultDesktopBootstrapToken) =>
     const body = (yield* Effect.promise(() => response.json())) as {
       readonly authenticated: boolean;
       readonly sessionMethod: string;
-      readonly sessionToken: string;
       readonly expiresAt: string;
     };
+    const cookie = response.headers.get("set-cookie");
+    const sessionToken = parseSessionTokenFromSetCookie(cookie);
     return {
       response,
       body,
-      cookie: response.headers.get("set-cookie"),
+      cookie,
+      sessionToken,
     };
   });
 
@@ -525,18 +533,18 @@ const getAuthenticatedSessionToken = (credential = defaultDesktopBootstrapToken)
       return cachedDefaultSessionToken;
     }
 
-    const { response, body } = yield* bootstrapBrowserSession(credential);
-    if (!response.ok) {
+    const { response, sessionToken } = yield* bootstrapBrowserSession(credential);
+    if (!response.ok || !sessionToken) {
       return yield* Effect.fail(
         new Error(`Expected bootstrap session response to succeed, got ${response.status}`),
       );
     }
 
     if (credential === defaultDesktopBootstrapToken) {
-      cachedDefaultSessionToken = body.sessionToken;
+      cachedDefaultSessionToken = sessionToken;
     }
 
-    return body.sessionToken;
+    return sessionToken;
   });
 
 const getWsServerUrl = (
@@ -720,13 +728,15 @@ it.layer(NodeServices.layer)("server router seam", (it) => {
     Effect.gen(function* () {
       yield* buildAppUnderTest();
 
-      const { response: bootstrapResponse, body: bootstrapBody } = yield* bootstrapBrowserSession();
+      const { response: bootstrapResponse, sessionToken: bootstrapSessionToken } =
+        yield* bootstrapBrowserSession();
 
       assert.equal(bootstrapResponse.status, 200);
+      assert(bootstrapSessionToken, "Expected session token in Set-Cookie header");
 
       const wsUrl = appendSessionTokenToUrl(
         yield* getWsServerUrl("/ws", { authenticated: false }),
-        bootstrapBody.sessionToken,
+        bootstrapSessionToken,
       );
       const response = yield* Effect.scoped(
         withWsRpcClient(wsUrl, (client) => client[WS_METHODS.serverGetConfig]({})),

apps/web/src/authBootstrap.test.ts

@@ -65,7 +65,6 @@ describe("resolveInitialServerAuthGateState", () => {
         jsonResponse({
           authenticated: true,
           sessionMethod: "browser-session-cookie",
-          sessionToken: "session-token",
           expiresAt: "2026-04-05T00:00:00.000Z",
         }),
       );
@@ -207,7 +206,6 @@ describe("resolveInitialServerAuthGateState", () => {
         jsonResponse({
           authenticated: true,
           sessionMethod: "browser-session-cookie",
-          sessionToken: "session-token",
           expiresAt: "2026-04-05T00:00:00.000Z",
         }),
       );

apps/web/src/authBootstrap.ts

@@ -1,4 +1,4 @@
-import type { AuthBootstrapInput, AuthBootstrapResult, AuthSessionState } from "@t3tools/contracts";
+import type { AuthBootstrapInput, AuthSessionState } from "@t3tools/contracts";
 import { resolveServerHttpUrl } from "./lib/utils";
 
 export type ServerAuthGateState =
@@ -56,7 +56,7 @@ async function fetchSessionState(): Promise<AuthSessionState> {
   return (await response.json()) as AuthSessionState;
 }
 
-async function exchangeBootstrapCredential(credential: string): Promise<AuthBootstrapResult> {
+async function exchangeBootstrapCredential(credential: string): Promise<void> {
   const payload: AuthBootstrapInput = { credential };
   const response = await fetch(resolveServerHttpUrl({ pathname: "/api/auth/bootstrap" }), {
     body: JSON.stringify(payload),
@@ -71,8 +71,6 @@ async function exchangeBootstrapCredential(credential: string): Promise<AuthBoot
     const message = await response.text();
     throw new Error(message || `Failed to bootstrap auth session (${response.status}).`);
   }
-
-  return (await response.json()) as AuthBootstrapResult;
 }
 
 async function bootstrapServerAuth(): Promise<ServerAuthGateState> {

apps/web/test/authHttpHandlers.ts

@@ -2,7 +2,6 @@ import type { ServerAuthDescriptor } from "@t3tools/contracts";
 import { HttpResponse, http } from "msw";
 
 const TEST_SESSION_EXPIRES_AT = "2026-05-01T12:00:00.000Z";
-const TEST_SESSION_TOKEN = "browser-test-session-token";
 
 export function createAuthenticatedSessionHandlers(getAuthDescriptor: () => ServerAuthDescriptor) {
   return [
@@ -18,7 +17,6 @@ export function createAuthenticatedSessionHandlers(getAuthDescriptor: () => Serv
       HttpResponse.json({
         authenticated: true,
         sessionMethod: "browser-session-cookie",
-        sessionToken: TEST_SESSION_TOKEN,
         expiresAt: TEST_SESSION_EXPIRES_AT,
       }),
     ),