Fix mobile auth reliability: disable refetch-on-focus, enable session cache, fix CORS

prazgaitis · claude · prazgaitis · commit e3476ea7812c · 2026-02-13T09:19:46.000-06:00
- Disable refetchOnWindowFocus in Better Auth client to prevent mobile
  tab-switch visibility changes from clearing auth state mid-session
- Enable server-side session cookieCache (5 min TTL) to avoid DB lookups
  on every /get-session call, speeding up auth bootstrap on slow connections
- Add www variant to CORS allowedOrigins in http.ts to match trustedOrigins
  in auth.ts — prevents CORS failures when accessing via www subdomain
- Add console.error logging to silent catch blocks in getCurrentUser and
  getServerAuth so auth failures are visible in production logs

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/web/lib/auth.ts b/apps/web/lib/auth.ts
@@ -28,8 +28,8 @@ export const getCurrentUser = cache(async function getCurrentUser(): Promise<Doc
         {},
       );
     }
-  } catch {
-    // Auth query/mutation failed - user will remain null
+  } catch (error) {
+    console.error("[auth] getCurrentUser failed:", error);
   }
 
   return user;
diff --git a/apps/web/lib/better-auth/client.ts b/apps/web/lib/better-auth/client.ts
@@ -24,4 +24,10 @@ export const betterAuthClient = createAuthClient({
     credentials: "include",
   },
   plugins: [convexClient()],
+  sessionOptions: {
+    // Disable automatic refetch on tab focus — on mobile, switching apps or
+    // pulling down the notification shade triggers visibilitychange, causing
+    // unnecessary /get-session round-trips that temporarily clear auth state.
+    refetchOnWindowFocus: false,
+  },
 });
diff --git a/apps/web/lib/server-auth.ts b/apps/web/lib/server-auth.ts
@@ -108,8 +108,8 @@ export async function getServerAuth(): Promise<ServerAuthResult> {
         },
       };
     }
-  } catch {
-    // Query/mutation failed, fall through to unauthenticated response.
+  } catch (error) {
+    console.error("[server-auth] getServerAuth failed:", error);
   }
 
   return {
diff --git a/packages/backend/auth.ts b/packages/backend/auth.ts
@@ -39,6 +39,12 @@ export const createAuth = (ctx: GenericCtx<DataModel>) => {
     emailAndPassword: {
       enabled: true,
     },
+    session: {
+      cookieCache: {
+        enabled: true,
+        maxAge: 5 * 60, // 5 minutes — avoids DB lookup on every /get-session
+      },
+    },
     socialProviders: {
       google: {
         clientId: process.env.GOOGLE_CLIENT_ID!,
diff --git a/packages/backend/http.ts b/packages/backend/http.ts
@@ -35,6 +35,10 @@ authComponent.registerRoutes(http, createAuth, {
       "http://localhost:3000",
       "http://localhost:3001",
       process.env.SITE_URL || "",
+      // Also allow www variant (matches trustedOrigins in auth.ts)
+      ...(process.env.SITE_URL
+        ? [process.env.SITE_URL.replace("://", "://www.")]
+        : []),
     ].filter(Boolean),
   },
 });

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,8 @@ export const getCurrentUser = cache(async function getCurrentUser(): Promise<Doc`
`28`	`28`	`{},`
`29`	`29`	`);`
`30`	`30`	`}`
`31`		`- } catch {`
`32`		`- // Auth query/mutation failed - user will remain null`
	`31`	`+ } catch (error) {`
	`32`	`+ console.error("[auth] getCurrentUser failed:", error);`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`return user;`
Original file line number	Diff line number	Diff line change
`@@ -108,8 +108,8 @@ export async function getServerAuth(): Promise<ServerAuthResult> {`
`108`	`108`	`},`
`109`	`109`	`};`
`110`	`110`	`}`
`111`		`- } catch {`
`112`		`- // Query/mutation failed, fall through to unauthenticated response.`
	`111`	`+ } catch (error) {`
	`112`	`+ console.error("[server-auth] getServerAuth failed:", error);`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`return {`