fix: update cookie handling to use access token instead of session identifier

PhuocHoan · PhuocHoan · commit 0750a541ad05 · 2025-12-20T17:42:57.000+07:00
diff --git a/apps/api/src/auth/auth.controller.ts b/apps/api/src/auth/auth.controller.ts
@@ -155,13 +155,11 @@ export class AuthController {
         profile,
       );
 
-      // Set HTTP-only cookie with an opaque session identifier instead of the raw access token.
-      // The session identifier should be mapped server-side to the actual access token.
-      res.cookie('access_token', result.sessionId, COOKIE_OPTIONS);
+      // Set HTTP-only cookie with the access token
+      res.cookie('access_token', result.access_token, COOKIE_OPTIONS);
 
       // Redirect to frontend callback page
-      // Session identifier in URL is kept for backward compatibility and as fallback
-      res.redirect(`${frontendUrl}/auth/callback?token=${result.sessionId}`);
+      res.redirect(`${frontendUrl}/auth/callback?token=${result.access_token}`);
     } catch (error) {
       if (
         error instanceof UnauthorizedException &&
