fix: set token cookie on login for OAuth authorize flow

Author: ralyodio

src/app/api/auth/login/route.ts

@@ -106,15 +106,25 @@ export async function POST(request: NextRequest) {
       );
     }
 
-    // Return success response
-    return NextResponse.json(
+    // Return success response with session cookie (needed for OAuth authorize flow)
+    const response = NextResponse.json(
       {
         success: true,
         merchant: result.merchant,
         token: result.token,
       },
       { status: 200 }
     );
+
+    response.cookies.set('token', result.token!, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      path: '/',
+      maxAge: 7 * 24 * 60 * 60, // 7 days
+    });
+
+    return response;
   } catch (error) {
     console.error('Login error:', error);
     return NextResponse.json(

src/app/api/auth/webauthn/login-verify/route.ts

@@ -132,7 +132,7 @@ export async function POST(request: NextRequest) {
     '24h'
   );
 
-  return NextResponse.json({
+  const response = NextResponse.json({
     success: true,
     token,
     merchant: {
@@ -141,4 +141,14 @@ export async function POST(request: NextRequest) {
       is_admin: merchant.is_admin,
     },
   });
+
+  response.cookies.set('token', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 7 * 24 * 60 * 60, // 7 days
+  });
+
+  return response;
 }