fix[faustwp-core]: (#2313) add security flags to removeCookie()

[latenighthackathon]

Description

removeCookie() in packages/faustwp-core/src/server/auth/cookie.ts expires the refresh token cookie with only expires: new Date(0), missing the path, sameSite, secure, and httpOnly flags that setCookie() uses when setting it.

Per RFC 6265, a Set-Cookie header without a path attribute defaults to the current request path. If the logout request comes from a different path than /, the browser won't match and delete the original cookie — it persists after what the application considers a successful logout.

Before

cookie.serialize(key, '', {
    expires: new Date(0),
})

After

cookie.serialize(key, '', {
    path: '/',
    sameSite: 'strict',
    secure: true,
    httpOnly: true,
    expires: new Date(0),
})

These flags match the attributes used in setRefreshToken() (token.ts:51-58).

Related Issues

Closes #2313

Testing

Confirm the issue (before the fix)

1. Verify removeCookie() is missing security flags:

sed -n '67,76p' packages/faustwp-core/src/server/auth/cookie.ts
# Expected on canary: only "expires: new Date(0)" — no path, sameSite, secure, or httpOnly

2. Compare with setCookie() which has the correct flags:

grep -A 7 'this.cookies.setCookie' packages/faustwp-core/src/server/auth/token.ts
# Expected: path: '/', sameSite: 'strict', secure: true, httpOnly: true
# These are the flags that removeCookie() should also have

Confirm the fix

3. Verify removeCookie() now includes all security flags:

sed -n '67,80p' packages/faustwp-core/src/server/auth/cookie.ts
# Expected: path, sameSite, secure, httpOnly all present before expires

4. Verify flags match the setCookie() call in token.ts:

# Both should use: path: '/', sameSite: 'strict', secure: true, httpOnly: true
diff <(grep -A 4 "path:" packages/faustwp-core/src/server/auth/cookie.ts) \
     <(grep -A 4 "path:" packages/faustwp-core/src/server/auth/token.ts)
# Expected: identical flag values (only expires/maxAge will differ)

Run the test suite

JS tests — confirms no regressions:

npm install && npm run build && npm run test

[headless-platform-by-wp-engine]

Currently, we do not support the creation of preview deployments based on changes coming from forked repositories.
Learn more about preview environments in our documentation.

[changeset-bot]

🦋 Changeset detected

Latest commit: 8c2f67b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@faustwp/core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Fran-A-Dev]

LGTM, I don't think the original cookie is ever set with domain attribute anywhere else. This looks good.