
fix[faustwp-core]: removeCookie() missing path, sameSite, secure, and httpOnly flags #2313

@latenighthackathon

Description

In packages/faustwp-core/src/server/auth/cookie.ts, the removeCookie() method expires a cookie with only the expires attribute set:

cookie.serialize(key, '', {
    expires: new Date(0),
})

However, setCookie() (called via setRefreshToken() in token.ts) sets the cookie with full security attributes:

{
    path: '/',
    sameSite: 'strict',
    secure: true,
    httpOnly: true,
}

Per RFC 6265, a Set-Cookie header without a matching path defaults to the current request path. If the removal request comes from a path other than /, the browser won't delete the original cookie set with path: '/'. The cookie persists after what the application considers a successful logout.

Additionally, without secure and httpOnly on the removal header, there is a brief window where a non-secure cookie with the same name could be injected over HTTP before the expiry takes effect.

Expected Behavior

removeCookie() should include the same path, sameSite, secure, and httpOnly flags used when the cookie was set, ensuring the browser correctly identifies and expires the target cookie.
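The following is an added example, not code from faustwp-core or from the issue author. It models the RFC 6265 section 5.1.4 default-path rule and a browser cookie store keyed by name and path, then compares the removal header as described above (expires only) with one that mirrors the flags used on set. The `serializeCookie` helper is an assumed stand-in for `cookie.serialize()`, and the cookie name and request paths (`rt`, `/api/token`, `/api/logout`) are constructed, not the project's real values.

```javascript
// Assumed minimal stand-in for cookie.serialize(); not the `cookie` npm package.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// RFC 6265 section 5.1.4: the default path of a Set-Cookie header that carries no
// Path attribute is the request path up to (not including) its rightmost '/'.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// Parse a Set-Cookie header the way a user agent would, filling in the default path.
function parseSetCookie(header, requestPath) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    path: defaultPath(requestPath), expires: undefined, secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'path': cookie.path = v; break;
      case 'expires': cookie.expires = new Date(v); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// A single-host cookie store: identity is (name, path), as in RFC 6265 section 5.3.
// A cookie whose Expires is in the past removes the entry with that identity only.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  receive(header, requestPath, now) {
    const c = parseSetCookie(header, requestPath);
    const key = `${c.name}|${c.path}`;
    if (c.expires !== undefined && c.expires <= now) { this.cookies.delete(key); return; }
    this.cookies.set(key, c);
  }
  get(name) { return [...this.cookies.values()].filter((c) => c.name === name); }
}

// Flags used when the cookie is set (mirrors the options quoted in the issue).
const COOKIE_OPTIONS = { path: '/', sameSite: 'strict', secure: true, httpOnly: true };
function setCookie(key, value) { return serializeCookie(key, value, COOKIE_OPTIONS); }

// Removal header as described in the issue: only Expires, so the path defaults
// to the directory of whatever request handles the logout.
function removeCookieBefore(key) { return serializeCookie(key, '', { expires: new Date(0) }); }

// Removal header that reuses the same attributes, so the (name, path) identity matches.
function removeCookieAfter(key) {
  return serializeCookie(key, '', { ...COOKIE_OPTIONS, expires: new Date(0) });
}

// Returns how many cookies named `rt` survive a set followed by a removal.
// Paths and cookie name are constructed for the example.
function cookiesLeftAfterLogout(remove) {
  const jar = new CookieJar();
  const now = new Date('2024-01-01T00:00:00Z'); // constructed clock
  jar.receive(setCookie('rt', 'refresh-token'), '/api/token', now);
  jar.receive(remove('rt'), '/api/logout', now);
  return jar.get('rt').length;
}

console.log('without path:', cookiesLeftAfterLogout(removeCookieBefore)); // 1
console.log('with matching flags:', cookiesLeftAfterLogout(removeCookieAfter)); // 0
```

The removal sent from `/api/logout` without a Path attribute is stored under path `/api`, which never matches the `/` entry created on set, so the refresh token outlives the logout; repeating the original attributes makes the two identities equal and the expired header deletes the right entry.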

Environment

  • @faustwp/core v3.4.0
  • canary branch
