
fix(auth): check __Secure- prefixed cookie when reading session token#2426

Merged
mikib0 merged 1 commit into
developmentfrom
fix/auth-secure-cookie-prefix
May 15, 2026

Conversation

@mikib0
Collaborator

@mikib0 mikib0 commented May 15, 2026

Better Auth prefixes session cookies with __Secure- on HTTPS (remote dev/prod) but not on HTTP (local). getAccessToken was only looking up the unprefixed key, returning null for every remote request and causing a 401 on all authenticated endpoints.

Summary by CodeRabbit

  • Refactor
    • Optimized session token parsing logic to improve code efficiency while maintaining existing authentication behavior.


Better Auth prefixes session cookies with __Secure- on HTTPS (remote
dev/prod) but not on HTTP (local). getAccessToken was only looking up
the unprefixed key, returning null for every remote request and causing
a 401 on all authenticated endpoints.
@coderabbitai
Contributor

coderabbitai Bot commented May 15, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

The parseSessionToken function in the API client initialization was simplified by removing debug logging and the try/catch error handler around JSON.parse. The function now directly parses cookies and extracts the session token without local error handling.

Changes

Session Token Parsing

Layer: parseSessionToken refactor
File(s): apps/expo/lib/api/packrat.ts
Summary: parseSessionToken removes logging and error handling, now directly parsing the cookie JSON and returning the session token from either better-auth.session_token or __Secure-better-auth.session_token; JSON.parse failures are no longer caught locally.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: fixing auth by checking the __Secure- prefixed cookie when reading the session token, which directly addresses the HTTPS cookie prefixing issue in the PR.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


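The lookup this PR describes, written out as an added TypeScript example (this is not the project's code from apps/expo/lib/api/packrat.ts): it prefers the __Secure- prefixed cookie name that Better Auth uses over HTTPS, falls back to the plain name used over HTTP, and, unlike the merged refactor the walkthrough above describes, treats a JSON.parse failure as "no session" rather than letting the exception propagate into the API client. The stored-cookie JSON shape (cookie name mapped to either a string or an object carrying a value field), the helper names, and the sample values are assumptions constructed for this example.

```typescript
// Added example, not the project's own code. Cookie-store shape and samples are assumed.

const SESSION_COOKIE = "better-auth.session_token";
// Better Auth uses this prefixed name when the cookie is set over HTTPS.
const SECURE_SESSION_COOKIE = `__Secure-${SESSION_COOKIE}`;

// Assumed storage shape: cookie name -> raw value, or -> { value: ... }.
type StoredCookie = string | { value: string };
type CookieJar = Record<string, StoredCookie>;

// Extract the cookie value from either supported entry shape; null if absent or malformed.
function cookieValue(entry: StoredCookie | undefined): string | null {
  if (entry === undefined) return null;
  if (typeof entry === "string") return entry;
  if (entry !== null && typeof entry === "object" && typeof entry.value === "string") {
    return entry.value;
  }
  return null;
}

// Return the session token from the serialized cookie store, checking the
// __Secure- prefixed name first and the plain (HTTP, local dev) name second.
function parseSessionToken(cookieJson: string | null | undefined): string | null {
  if (!cookieJson) return null;
  let parsed: unknown;
  try {
    parsed = JSON.parse(cookieJson);
  } catch {
    // Corrupt or non-JSON storage must not crash the client; treat as signed out.
    return null;
  }
  if (parsed === null || typeof parsed !== "object") return null;
  const jar = parsed as CookieJar;
  return cookieValue(jar[SECURE_SESSION_COOKIE]) ?? cookieValue(jar[SESSION_COOKIE]);
}

// Constructed sample stores (not real tokens): one as an HTTPS deployment would
// write it, one as a local HTTP server would, one with both names present.
const REMOTE_STORE = JSON.stringify({ [SECURE_SESSION_COOKIE]: { value: "remote-token" } });
const LOCAL_STORE = JSON.stringify({ [SESSION_COOKIE]: "local-token" });
const MIXED_STORE = JSON.stringify({
  [SESSION_COOKIE]: "stale-local-token",
  [SECURE_SESSION_COOKIE]: "remote-token",
});

// Convenience wrapper mirroring the getAccessToken role named in the PR:
// returns an Authorization header map, or an empty map when signed out.
function authHeaders(cookieJson: string | null | undefined): Record<string, string> {
  const token = parseSessionToken(cookieJson);
  return token ? { Authorization: `Bearer ${token}` } : {};
}

console.log(parseSessionToken(REMOTE_STORE)); // remote-token
console.log(parseSessionToken(LOCAL_STORE));  // local-token
console.log(parseSessionToken("not json"));   // null
console.log(authHeaders(MIXED_STORE));        // { Authorization: 'Bearer remote-token' }
```

Checking the prefixed name first is deliberate: a browser only accepts a __Secure- prefixed cookie when it is set from a secure origin with the Secure attribute, so that entry carries the stronger guarantee about where it came from, while the plain-name fallback keeps local HTTP development working. Returning null on a parse failure keeps a corrupted store from turning into an unhandled exception in every request path, which is the trade-off the walkthrough notes the merged version no longer makes locally.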

@mikib0 mikib0 merged commit 1917ea7 into development May 15, 2026
6 of 9 checks passed
@mikib0 mikib0 deleted the fix/auth-secure-cookie-prefix branch May 15, 2026 11:40
@coderabbitai coderabbitai Bot mentioned this pull request May 15, 2026