fix: default cookie sameSite to 'lax' instead of 'none'

sameSite: 'none' sends cookies on all cross-site requests, weakening
CSRF protection. Defaulting to 'lax' while allowing env override.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: jakebromberg

shared/authentication/src/auth.definition.ts

@@ -87,7 +87,7 @@ export const auth: Auth = betterAuth({
   // Subdomain-friendly cookie setting (recommended over cross-site cookies)
   advanced: {
     defaultCookieAttributes: {
-      sameSite: 'none',
+      sameSite: (process.env.COOKIE_SAME_SITE as 'lax' | 'strict' | 'none') || 'lax',
       secure: true,
     },
   },

tests/unit/authentication/cookie-config.test.ts

@@ -0,0 +1,25 @@
+import * as fs from 'fs';
+import * as path from 'path';
+
+describe('auth.definition.ts cookie configuration', () => {
+  const authDefPath = path.resolve(
+    __dirname,
+    '../../../shared/authentication/src/auth.definition.ts'
+  );
+  let source: string;
+
+  beforeAll(() => {
+    source = fs.readFileSync(authDefPath, 'utf-8');
+  });
+
+  it('should not use sameSite: none (weakens CSRF protection)', () => {
+    const hardcodedNone = /sameSite:\s*['"]none['"]/;
+    expect(source).not.toMatch(hardcodedNone);
+
+    expect(source).toMatch(/sameSite:/);
+  });
+
+  it('should set secure: true on cookies', () => {
+    expect(source).toMatch(/secure:\s*true/);
+  });
+});