From c253b446cb603c5ceef3c0d44c92c3e69ed040ee Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 10 Feb 2025 19:04:15 +0300
Subject: [PATCH] fix(auth): update cookie handling in anonymous and multi-session plugins
---
 .../better-auth/src/plugins/anonymous/index.ts | 18 ++++++++++--------
 .../src/plugins/multi-session/index.ts | 6 +++++-
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/packages/better-auth/src/plugins/anonymous/index.ts b/packages/better-auth/src/plugins/anonymous/index.ts
index 6506d12500..cca311f7ea 100644
--- a/packages/better-auth/src/plugins/anonymous/index.ts
+++ b/packages/better-auth/src/plugins/anonymous/index.ts
@@ -162,17 +162,19 @@ export const anonymous = (options?: AnonymousOptions) => {
 context.context.authCookies.sessionToken.name,
 );
 return (
- !!hasSessionToken &&
- (context.path.startsWith("/sign-in") ||
- context.path.startsWith("/sign-up") ||
- context.path.startsWith("/callback") ||
- context.path.startsWith("/oauth2/callback") ||
- context.path.startsWith("/magic-link/verify") ||
- context.path.startsWith("/email-otp/verify-email"))
+ context.path.startsWith("/sign-in") ||
+ context.path.startsWith("/sign-up") ||
+ context.path.startsWith("/callback") ||
+ context.path.startsWith("/oauth2/callback") ||
+ context.path.startsWith("/magic-link/verify") ||
+ context.path.startsWith("/email-otp/verify-email")
 );
 },
 handler: createAuthMiddleware(async (ctx) => {
- const headers = ctx.responseHeader;
+ const headers =
+ ctx.context.returned instanceof APIError
+ ? ctx.context.returned.headers
+ : ctx.responseHeader;
 const setCookie = headers.get("set-cookie");
 /**
 * We can consider the user is about to sign in or sign up
diff --git a/packages/better-auth/src/plugins/multi-session/index.ts b/packages/better-auth/src/plugins/multi-session/index.ts
index 03e3f36065..e40e3e0f6c 100644
--- a/packages/better-auth/src/plugins/multi-session/index.ts
+++ b/packages/better-auth/src/plugins/multi-session/index.ts
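Review bot: In the anonymous plugin's handler, `headers.get("set-cookie")` now reads `ctx.context.returned.headers` whenever the endpoint returned an `APIError`, and nothing in the hunk shows that every `APIError` carries a headers object; if that field can be absent, this after-hook would throw on the error path of every sign-in, sign-up and callback route. A guarded lookup such as `const setCookie = headers?.get("set-cookie");` keeps the hook a no-op in that case, and the same applies to the identical lines added in the multi-session hunk, where `matcher: () => true` runs them on every response. With `!!hasSessionToken &&` dropped from the matcher, the lookup that ends at `sessionToken.name, );` just above the `return` appears to be unused, and the handler becomes the only gate on whether a session cookie was actually issued before the rest of it runs. Both the matcher and the handler continue outside the hunk, so confirm that gate exists there and remove the dead lookup if it is no longer read.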
@@ -232,7 +232,11 @@ export const multiSession = (options?: MultiSessionConfig) => {
 {
 matcher: () => true,
 handler: createAuthMiddleware(async (ctx) => {
- const cookieString = ctx.responseHeader.get("set-cookie");
+ const headers =
+ ctx.context.returned instanceof APIError
+ ? ctx.context.returned.headers
+ : ctx.responseHeader;
+ const cookieString = headers.get("set-cookie");
 if (!cookieString) return;
 const setCookies = parseSetCookieHeader(cookieString);
 const sessionCookieConfig = ctx.context.authCookies.sessionToken;
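Review bot: The four-line choice between `ctx.context.returned.headers` and `ctx.responseHeader` is now duplicated verbatim here and in the anonymous plugin's handler, and both hooks derive session state from the resulting `set-cookie` value, so the rule for which headers carry the response cookies would be safer in one shared helper than in two copies that can drift apart. A call like `const headers = getResponseHeaders(ctx);` (helper name illustrative) in both places would do. A short comment on why an `APIError` is consulted at all would also help the next reader, for example `// endpoints may return an APIError that still carries Set-Cookie headers` if that is the intent; the hunk itself does not say. The handler body continues past the end of this hunk.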