updated auth routes to use sessions and "httpOnly" cookies

2026-02-08 18:33:01 +00:00 · 2026-01-09 05:33:36 +00:00
parent 89b38a4aa3
commit f90ddc2e4c
6 changed files with 104 additions and 30 deletions
--- a/packages/backend/src/routes/auth/me.ts
+++ b/packages/backend/src/routes/auth/me.ts
@@ -8,5 +8,10 @@ export default async function me(req: AuthedRequest) {
        return new Response("user not found", { status: 404 });
    }

-    return Response.json(user as UserRecord);
+    const { passwordHash: _, ...safeUser } = user;
+
+    return Response.json({
+        user: safeUser as Omit<UserRecord, "passwordHash">,
+        csrfToken: req.csrfToken,
+    });
 }