NotII 2c48ecd2b4 Add product applicability controls to promotion forms
Introduces product selection and exclusion controls to both new and edit promotion forms, allowing promotions to target all, specific, or all-but-specific products. Adds a reusable ProductSelector component, updates promotion types to support new fields, and adjusts cookie max-age for authentication. Also adds two new business quotes.
2025-08-07 16:05:31 +01:00


import { NextRequest, NextResponse } from 'next/server';
// Next.js route segment config: force dynamic execution so this handler runs
// on every request and the cookie is set at runtime, never from a cached or
// statically generated response. Must stay a plain string literal.
export const dynamic = 'force-dynamic';
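/**
 * Stores a caller-supplied auth token in an HttpOnly `Authorization` cookie.
 *
 * Expects a JSON body of the form `{ "token": "<string>" }`.
 *
 * Responses:
 * - 200 `{ success: true }` with the cookie set (3 hour lifetime).
 * - 400 when the body is not valid JSON or `token` is missing, empty or not a string.
 * - 500 `{ error, details }` on any unexpected failure.
 *
 * The token value itself is never logged.
 *
 * NOTE(review): the token is stored as-is; nothing visible here verifies it or
 * checks where the request came from. SameSite governs when the browser sends
 * the cookie, not who may call this endpoint, so confirm that an Origin check
 * or token verification happens elsewhere (e.g. middleware).
 */
export async function POST(req: NextRequest) {
  try {
    // A malformed body is a client error, not a server fault: answer 400
    // instead of letting the parse exception fall through to the 500 path.
    let body: unknown;
    try {
      body = await req.json();
    } catch {
      console.error('Set-cookie API: Request body is not valid JSON');
      return NextResponse.json(
        { error: 'Invalid JSON body' },
        { status: 400 }
      );
    }

    // JSON `null`, arrays and primitives carry no usable `token` field.
    const token =
      typeof body === 'object' && body !== null
        ? (body as { token?: unknown }).token
        : undefined;

    // Only a non-empty string is a usable cookie value; objects or numbers
    // would otherwise be coerced into a meaningless cookie.
    if (typeof token !== 'string' || token.length === 0) {
      console.error('Set-cookie API: No token provided');
      return NextResponse.json(
        { error: 'No token provided' },
        { status: 400 }
      );
    }

    const response = NextResponse.json(
      { success: true },
      { status: 200 }
    );

    // Decide whether to drop the Secure flag for local development.
    // Compare the hostname exactly (port stripped): a substring match would
    // also accept hosts such as "localhost.example.com" and silently allow
    // the cookie over plain HTTP.
    // NOTE(review): the Host header is client-supplied and may be rewritten by
    // proxies; consider keying this off deployment configuration instead.
    const hostHeader = req.headers.get('host') ?? '';
    const hostname = hostHeader.trim().toLowerCase().replace(/:\d+$/, '');
    const isLocalhost = hostname === 'localhost' || hostname === '127.0.0.1';

    const cookieOptions = {
      // Not readable from page JavaScript.
      httpOnly: true,
      // Valid for 3 hours (value is in seconds).
      maxAge: 3 * 60 * 60,
      // Sent for every path on this origin.
      path: '/',
      // Never attached to cross-site requests.
      sameSite: 'strict' as const,
      // HTTPS-only everywhere except a local development host.
      secure: !isLocalhost
    };

    response.cookies.set('Authorization', token, cookieOptions);
    console.log('Set-cookie API: Cookie set successfully');
    return response;
  } catch (error) {
    console.error('Set-cookie API error:', error);
    // NOTE(review): `details` echoes the internal exception message to the
    // client; kept for compatibility with existing callers, but consider
    // returning a generic message and relying on the server log above.
    return NextResponse.json(
      {
        error: 'Failed to set cookie',
        details: error instanceof Error ? error.message : String(error)
      },
      { status: 500 }
    );
  }
}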