fix: lates

app/auth/login/route.ts

@@ -2,6 +2,9 @@ import { NextRequest, NextResponse } from "next/server";
 
 import {
   SESSION_COOKIE,
+  SESSION_COOKIE_SECURE_ENV,
+  getSessionCookieDomain,
+  getSessionTtlSeconds,
   UserRole,
   canAccessPath,
   authenticateUser,
@@ -58,7 +61,7 @@ function maskEmail(email: string) {
 }
 
 function shouldUseSecureCookies(request: NextRequest) {
-  const explicit = process.env.COOKIE_SECURE?.toLowerCase() ?? "";
+  const explicit = SESSION_COOKIE_SECURE_ENV;
   if (explicit === "true" || explicit === "1") {
     return true;
   }
@@ -193,6 +196,7 @@ export async function POST(request: NextRequest) {
     sameSite: "lax",
     secure: shouldUseSecureCookies(request),
     path: "/",
+    domain: getSessionCookieDomain(),
     maxAge: sessionMaxAgeSeconds
   });
   if (AUTH_DEBUG) {
@@ -200,6 +204,7 @@ export async function POST(request: NextRequest) {
       userId: session.userId,
       role: session.role,
       sessionExpiresAt: session.expiresAt,
+      sessionMaxAgeFromEnv: getSessionTtlSeconds(),
       maxAge: sessionMaxAgeSeconds,
       host: request.headers.get("host") || "unknown",
       protocol: request.nextUrl.protocol,

app/auth/logout/route.ts

@@ -4,7 +4,7 @@ import { getRequestAuditContext, writeAuditTrail } from "@/lib/audit";
 import { getSession, SESSION_COOKIE } from "@/lib/auth";
 import { getRequestBaseUrl } from "@/lib/request-url";
 
-export async function GET(request: NextRequest) {
+export async function POST(request: NextRequest) {
   const session = await getSession();
   const { ipAddress, userAgent } = await getRequestAuditContext();
 
@@ -25,3 +25,9 @@ export async function GET(request: NextRequest) {
   response.cookies.delete(SESSION_COOKIE);
   return response;
 }
+
+export async function GET(request: NextRequest) {
+  const baseUrl = getRequestBaseUrl(request);
+  const response = NextResponse.redirect(new URL("/login", baseUrl));
+  return response;
+}