Authentication cookies are set even when onSuccess callback throws an error

[LShaViR]

Describe the bug
The current behavior updates authentication cookies before executing the onSuccess callback. If the onSuccess function throws an error, the callback route correctly returns an error, but the cookies are still set. This makes the authentication appear successful even though the success logic failed.

To Reproduce
Steps to reproduce the behavior:

1. Add an onSuccess function inside handleAuth (in app/callback/route.ts) (for next-authkit-example)
2. Inside onSuccess, throw an error.
3. Observe that the callback route returns an error, but the authentication cookie is still set.

Expected behavior
The callback route should throw an error (already happening), and the cookies should not be set when onSuccess fails.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Windows
• Browser: Chrome
• authkit-nextjs version: 2.1.0
• Next.js version: 15.2.3

Additional context
Potential solution: If the onSuccess function throws an error, cookies should not be set.

[LShaViR]

And if you approve i would love to pick this issue

[nicknisi]

Thanks for the report! I agree the current behavior feels like it can create an inconsistent state. If onSuccess throws, the error response is returned but the session cookie is already set. The user sees the error but is actually logged in. I can see that being problematic if there's a side effect that failed in onSuccess.

I'll take a look and review your PR. Thanks!