Merge branch 'canary' into fix/returned-false-input-validation-clean

packages/better-auth/src/cookies/cookies.test.ts

@@ -1,5 +1,5 @@
 import type { BetterAuthOptions } from "@better-auth/core";
-import { describe, expect, it, vi } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import {
 	expireCookie,
 	getCookieCache,
@@ -98,6 +98,43 @@ describe("cookies", async () => {
 			},
 		);
 	});
+
+	describe("production environment", () => {
+		afterEach(() => {
+			vi.unstubAllEnvs();
+			vi.resetModules();
+		});
+
+		it("should use secure cookies when baseURL is not configured", async () => {
+			// Set NODE_ENV to production
+			vi.stubEnv("NODE_ENV", "production");
+
+			// Reset modules to reload with new NODE_ENV
+			vi.resetModules();
+
+			// Re-import modules after NODE_ENV change
+			const { getTestInstance: getTestInstanceReloaded } = await import(
+				"../test-utils/test-instance"
+			);
+
+			const { client, testUser } = await getTestInstanceReloaded({
+				baseURL: undefined,
+			});
+
+			await client.signIn.email(
+				{
+					email: testUser.email,
+					password: testUser.password,
+				},
+				{
+					onResponse(context) {
+						const setCookie = context.response.headers.get("set-cookie");
+						expect(setCookie).toContain("Secure");
+					},
+				},
+			);
+		});
+	});
 });
 
 describe("crossSubdomainCookies", () => {

packages/better-auth/src/cookies/index.ts

@@ -28,7 +28,7 @@ export function createCookieGetter(options: BetterAuthOptions) {
 	const secure =
 		options.advanced?.useSecureCookies !== undefined
 			? options.advanced?.useSecureCookies
-			: options.baseURL !== undefined
+			: options.baseURL
 				? options.baseURL.startsWith("https://")
 					? true
 					: false