CloudFront-hosted LocalStack app folds multiple Set-Cookie headers into one header, dropping trust-device cookie

[bgazzera]

Title: bug: CloudFront-hosted LocalStack app folds multiple Set-Cookie headers into one header, dropping trust-device cookie

Repository: localstack/localstack

Summary

When accessing an auth flow through a LocalStack CloudFront-style hosted app domain, the response from POST /api/auth/two-factor/verify-otp returns better-auth.session_token and better-auth.trust_device in a single comma-joined Set-Cookie header.

As a result, clients persist only better-auth.session_token and drop better-auth.trust_device. The same auth flow works correctly against the direct ELB endpoint, where the two cookies are returned as separate Set-Cookie headers and both persist.

This breaks trusted-device login behavior: after signing in with trustDevice: true and signing out, the next sign-in through the hosted app still requires OTP.

Environment

• OS: macOS
• LocalStack container: localstack/localstack-pro:latest
• Local image inspect: localstack/localstack-pro@sha256:da1ed4d300a62c41ca5c90b37ed87f5b03d942937cf6238ec942315150e7de3d
• Image created: 2026-03-18T21:12:43.93508707Z

Known related issues

• #12577 Issue with multiple cookies (array) in v2 Lambda proxy integration payload
• #12633 bug: Multiple cookie wrongly set in a single Set-Header when accessing via ELB

Expected behavior

The hosted CloudFront-style path should preserve separate Set-Cookie headers exactly like the direct ELB path. Both better-auth.session_token and better-auth.trust_device should persist.

Actual behavior

Hosted path returns a single folded header:

set-cookie: better-auth.session_token=...; Max-Age=604800; Path=/; HttpOnly; SameSite=Lax, better-auth.trust_device=...; Max-Age=2592000; Path=/; HttpOnly; SameSite=Lax

curl then stores only better-auth.session_token in the cookie jar for the hosted domain.

Control case

The same verify-otp call against the direct ELB auth URL returns:

set-cookie: better-auth.session_token=...; Max-Age=604800; Path=/; HttpOnly; SameSite=Lax
set-cookie: better-auth.trust_device=...; Max-Age=2592000; Path=/; HttpOnly; SameSite=Lax

curl stores both cookies for the ELB domain, and the next sign-in succeeds without a 2FA redirect.

Reproduction

Prerequisites

• A Better Auth app is exposed both via:
  • direct ELB domain: http://auth-api.elb.localhost.localstack.cloud:4566
  • CloudFront-style hosted app domain: http://6c2f926b.cloudfront.localhost.localstack.cloud:4566
• The hosted app proxies /api/auth/* to the same auth backend.
• A verified account exists with 2FA enabled.

1. Start sign-in through the hosted app domain.

curl -i -c /tmp/hosted-trust-cookies.txt \
  -H 'Content-Type: application/json' \
  -X POST 'http://6c2f926b.cloudfront.localhost.localstack.cloud:4566/api/auth/sign-in/email' \
  --data '{"email":"<verified-email>","password":"<password>"}'

Observed result:

HTTP/1.1 200 OK
set-cookie: better-auth.two_factor=...; Max-Age=600; Path=/; HttpOnly; SameSite=Lax

{"twoFactorRedirect":true}

2. Send the OTP for the pending challenge.

curl -i -b /tmp/hosted-trust-cookies.txt -c /tmp/hosted-trust-cookies.txt \
  -H 'Origin: http://6c2f926b.cloudfront.localhost.localstack.cloud:4566' \
  -H 'Content-Type: application/json' \
  -X POST 'http://6c2f926b.cloudfront.localhost.localstack.cloud:4566/api/auth/two-factor/send-otp' \
  --data '{}'

3. Verify the OTP with trustDevice: true.

curl -i -b /tmp/hosted-trust-cookies.txt -c /tmp/hosted-trust-cookies.txt \
  -H 'Origin: http://6c2f926b.cloudfront.localhost.localstack.cloud:4566' \
  -H 'Content-Type: application/json' \
  -X POST 'http://6c2f926b.cloudfront.localhost.localstack.cloud:4566/api/auth/two-factor/verify-otp' \
  --data '{"code":"<otp>","trustDevice":true}'

Observed hosted response:

HTTP/1.1 200 OK
set-cookie: better-auth.session_token=4LoAYZI77l8AYSHsNWCTiNvfBX4Ewq8M.0AGF0GJI5ZjrFS3DNXtEUHfkP4YmecGGR7vRS3ELn9A%3D; Max-Age=604800; Path=/; HttpOnly; SameSite=Lax, better-auth.trust_device=3Tb9FLqFRV0N3ljA5cnLqCiP9C9w5mPP8lL7ebt6Jgo!trust-device-fK_NjsyR3G8Wgpx5NE_GNd_-bwq-a4Yz.u0MWlKDVnAvoHvbbDKrxYAEQagXF7bP6tnNG9dxMlPw%3D; Max-Age=2592000; Path=/; HttpOnly; SameSite=Lax

Hosted cookie jar after verify:

#HttpOnly_6c2f926b.cloudfront.localhost.localstack.cloud FALSE / FALSE ... better-auth.session_token ...
#HttpOnly_6c2f926b.cloudfront.localhost.localstack.cloud FALSE / FALSE ... better-auth.two_factor ...

Note that better-auth.trust_device is missing.

4. Compare with the direct ELB path.

curl -i -b /tmp/direct-trust-cookies.txt -c /tmp/direct-trust-cookies.txt \
  -H 'Origin: https://6c2f926b.cloudfront.localhost.localstack.cloud' \
  -H 'Content-Type: application/json' \
  -X POST 'http://auth-api.elb.localhost.localstack.cloud:4566/api/auth/two-factor/verify-otp' \
  --data '{"code":"<otp>","trustDevice":true}'

Observed direct ELB response:

HTTP/1.1 200 OK
set-cookie: better-auth.session_token=...; Max-Age=604800; Path=/; HttpOnly; SameSite=Lax
set-cookie: better-auth.trust_device=...; Max-Age=2592000; Path=/; HttpOnly; SameSite=Lax

Direct ELB cookie jar after verify:

#HttpOnly_auth-api.elb.localhost.localstack.cloud FALSE / FALSE ... better-auth.session_token ...
#HttpOnly_auth-api.elb.localhost.localstack.cloud FALSE / FALSE ... better-auth.trust_device ...

5. Sign out and sign in again on the direct ELB path.

Observed direct sign-in result:

{"redirect":false,"token":"...","user":{...}}

This confirms the auth backend itself is behaving correctly and the cookie folding only happens on the hosted CloudFront-style path.

Why this looks like a LocalStack regression or separate code path

• The symptom matches previously fixed LocalStack issues #12577 and #12633.
• The direct ELB path now behaves correctly in the same environment.
• Only the hosted CloudFront-style app path still folds the cookies.