Hono + Better-auth + Lambda Cookies
I am wondering if anybody has set up an API on AWS Lambda using Hono secured with Better-auth. I have used Better-auth in the past for a Next.js project; I am now exploring how to use it with Hono and I would like to deploy it in a serverless environment to start (AWS Lambda). Does anyone have experience with cookie management in this context? Next.js used to just take care of it for me, but now I am having to return the cookies to the frontend (a React app), which get stored and sent with subsequent requests. However, when I try to do an auth.api.getSession() API call and pass the headers into it, I am getting null.
I will provide any code I have for this discussion. Going to be at work for the next few hours, so I appreciate the patience of anyone who joins in!
10 Replies
I am also wondering if I need to encrypt the cookie on the server, then send it to the React app. I am assuming yes, since that is most secure, and would love to see if anyone has implemented it!
Hey, I don't really have any experience in this area, but I'd like to see if I could maybe help.
Can you elaborate more on your having to return cookies to the front-end? I've always been under the assumption that BA handles cookie setting over request headers automatically
@Ping -
I definitely can! However, I am at work at the moment, just saw this on my phone. I can get back to you and update this thread around 4 pm PST. Thanks!
Sure, no rush! Just an FYI, I may not be around when you are, it's currently 4am for me.
@Ping - lol thanks for the heads up. Yes, no rush, going to be continuing to work on this in my free time so I will let you know what's up and share my findings!
Sounds good!
@Ping - So my problem is as follows:
1. I have a lambda function that uses Hono since there is a simple integration with the framework and I can specify different routes/middleware per route in my API. I am using the "/auth/login" route to log into my application ("duh"). This route uses the auth.api.signInEmail() function to sign into my app using better auth, which in turn creates a session in my backend (hosted by neon postgres db w/drizzle ORM). This function returns the following object while creating a session in the "session" table:
{
redirect: false,
token: '5imOHhOhIvERV3Dp1h1x1fbburDEbaut',
url: undefined,
user: {
id: 'bvDuazbLUB7S9AbA2tnZOcH0B78YMsBO',
email: '[email protected]',
name: 'Leo Cucinell',
image: null,
emailVerified: false,
createdAt: 2025-04-02T02:13:22.822Z,
updatedAt: 2025-04-02T02:13:22.822Z
}
}
I am assuming that I am supposed to encrypt the "token" item in the above object to add as a cookie in the response from my Hono/Lambda route. I am adding a link to my example repo below. This repo uses AWS CDK to deploy to AWS and outputs an API URL and API Key. If you are going to replicate this in your environment, you will need to set up the following:
1. a postgres database with DATABASE_URL in the .env file
2. a BETTER_AUTH_SECRET in .env
3. and a BETTER_AUTH_URL set to the API url that is returned when building the API the first time.
Github Repo: https://github.com/leocucinell/aws.better-auth-serverless-api
I think I am missing a key detail about what header || cookie I must return from the "auth/login" route. I have been scraping the documentation about this issue and haven't seen anything about building in a serverless env or how to handle cookies / what cookies need to be saved. I feel this lack of docs is because better-auth has been built mostly with Next.js and other full-stack frameworks in mind.
I think I missed the cross-domain cookies section of the better-auth documentation. so I am going to do a deep dive into that.
https://www.better-auth.com/docs/integrations/hono#cross-domain-cookies
I am still running into this issue after testing those though
I am thinking I am returning the wrong thing or I'm not adding the correct header to the response