chore: update CHANGELOG.md to include improvements in authentication flow, addressing CSRF handling and cookie management for seamless sign-in and enhanced security

app/actions/auth.ts

@@ -91,6 +91,20 @@ export async function exchangeAuthCode(code: string, codeVerifier: string | null
       maxAge: 60 * 60 * 24 * 30 // 30 days
     })
 
+    // * Note: CSRF token should be set by Auth API login flow and available via cookie
+    // * If the Auth API returns a CSRF token in header, we forward it
+    const csrfToken = res.headers.get('X-CSRF-Token')
+    if (csrfToken) {
+      cookieStore.set('csrf_token', csrfToken, {
+        httpOnly: false, // * Must be readable by JS for CSRF protection
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'lax',
+        path: '/',
+        domain: cookieDomain,
+        maxAge: 60 * 60 * 24 * 30
+      })
+    }
+
     return {
       success: true,
       user: {

app/api/auth/refresh/route.ts

@@ -37,6 +37,9 @@ export async function POST() {
 
     const data = await res.json()
 
+    // * Get CSRF token from Auth API response header (for cookie rotation)
+    const csrfToken = res.headers.get('X-CSRF-Token')
+
     cookieStore.set('access_token', data.access_token, {
       httpOnly: true,
       secure: process.env.NODE_ENV === 'production',
@@ -55,6 +58,18 @@ export async function POST() {
       maxAge: 60 * 60 * 24 * 30
     })
 
+    // * Set/update CSRF token cookie (non-httpOnly, for JS access)
+    if (csrfToken) {
+      cookieStore.set('csrf_token', csrfToken, {
+        httpOnly: false, // * Must be readable by JS for CSRF protection
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'lax',
+        path: '/',
+        domain: cookieDomain,
+        maxAge: 60 * 60 * 24 * 30
+      })
+    }
+
     return NextResponse.json({ success: true, access_token: data.access_token })
   } catch (error) {
     return NextResponse.json({ error: 'Internal error' }, { status: 500 })