Fix session cookie propagation; desktop creates session via POST before opening portal

apps/desktop/src/main.tsx

@@ -430,14 +430,36 @@ function App() {
     }
   }
 
-  const openSystem = useCallback(() => {
+  const openSystem = useCallback(async () => {
     if (!token) return
     setIsLaunchingSystem(true)
+    try {
+      // Tenta criar a sessão via API (evita dependência de redirecionamento + cookies em 3xx)
+      const res = await fetch(`${apiBaseUrl}/api/machines/sessions`, {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ machineToken: token, rememberMe: true }),
+      })
+      if (!res.ok) {
+        // Fallback para o handshake por redirecionamento
         const persona = (config?.accessRole ?? accessRole) === "manager" ? "manager" : "collaborator"
         const redirectTarget = persona === "manager" ? "/dashboard" : "/portal"
         const url = `${resolvedAppUrl}/machines/handshake?token=${encodeURIComponent(token)}&redirect=${encodeURIComponent(redirectTarget)}`
         window.location.href = url
-  }, [token, config?.accessRole, accessRole, resolvedAppUrl])
+        return
+      }
+    } catch {
+      const persona = (config?.accessRole ?? accessRole) === "manager" ? "manager" : "collaborator"
+      const redirectTarget = persona === "manager" ? "/dashboard" : "/portal"
+      const url = `${resolvedAppUrl}/machines/handshake?token=${encodeURIComponent(token)}&redirect=${encodeURIComponent(redirectTarget)}`
+      window.location.href = url
+      return
+    }
+    const persona = (config?.accessRole ?? accessRole) === "manager" ? "manager" : "collaborator"
+    const redirectTarget = persona === "manager" ? "/dashboard" : "/portal"
+    window.location.href = `${resolvedAppUrl}${redirectTarget}`
+  }, [token, config?.accessRole, accessRole, resolvedAppUrl, apiBaseUrl])
 
   async function reprovision() {
     if (!store) return

src/app/api/machines/sessions/route.ts

@@ -43,9 +43,26 @@ export async function POST(request: Request) {
       { status: 200 }
     )
 
-    session.headers.forEach((value, key) => {
-      response.headers.set(key, value)
-    })
+    // Propaga cookies de sessão do Better Auth com segurança.
+    // Em alguns ambientes, múltiplos Set-Cookie são colapsados; tentamos cobrir ambos.
+    const headersAny = session.headers as unknown as { getSetCookie?: () => string[] }
+    const setCookies: string[] = []
+    try {
+      if (typeof headersAny?.getSetCookie === "function") {
+        setCookies.push(...(headersAny.getSetCookie() ?? []))
+      } else {
+        const single = session.headers.get("set-cookie")
+        if (single) setCookies.push(single)
+      }
+    } catch {
+      const single = session.headers.get("set-cookie")
+      if (single) setCookies.push(single)
+    }
+
+    for (const cookie of setCookies) {
+      // Usa append para não sobrescrever múltiplos cookies (authsession e assinatura, por exemplo)
+      response.headers.append("set-cookie", cookie)
+    }
 
     const machineCookiePayload = {
       machineId: session.machine.id,

src/app/machines/handshake/route.ts

@@ -50,13 +50,24 @@ export async function GET(request: NextRequest) {
     const session = await createMachineSession(token, true)
     const response = NextResponse.redirect(redirectUrl)
 
-    session.headers.forEach((value, key) => {
-      if (key.toLowerCase() === "set-cookie") {
-        response.headers.append("set-cookie", value)
+    // Propaga os cookies de sessão do Better Auth (podem vir múltiplos)
+    const headersAny = session.headers as unknown as { getSetCookie?: () => string[] }
+    let setCookies: string[] = []
+    try {
+      if (typeof headersAny?.getSetCookie === "function") {
+        setCookies = headersAny.getSetCookie() ?? []
       } else {
-        response.headers.set(key, value)
+        const single = session.headers.get("set-cookie")
+        if (single) setCookies = [single]
+      }
+    } catch {
+      const single = session.headers.get("set-cookie")
+      if (single) setCookies = [single]
+    }
+
+    for (const cookie of setCookies) {
+      response.headers.append("set-cookie", cookie)
     }
-    })
 
     const machineCookiePayload = {
       machineId: session.machine.id,