Use cookieOptions for pointer cookie (#2005)

components/account.js

@@ -9,6 +9,7 @@ import { UserListRow } from '@/components/user-list'
 import Link from 'next/link'
 import AddIcon from '@/svgs/add-fill.svg'
 import { MultiAuthErrorBanner } from '@/components/banners'
+import { cookieOptions } from '@/lib/auth'
 
 const AccountContext = createContext()
 
@@ -16,10 +17,6 @@ const CHECK_ERRORS_INTERVAL_MS = 5_000
 
 const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
 
-const maybeSecureCookie = cookie => {
-  return window.location.protocol === 'https:' ? cookie + '; Secure' : cookie
-}
-
 export const AccountProvider = ({ children }) => {
   const [accounts, setAccounts] = useState([])
   const [meAnon, setMeAnon] = useState(true)
@@ -115,7 +112,8 @@ const AccountListRow = ({ account, ...props }) => {
     e.preventDefault()
 
     // update pointer cookie
-    document.cookie = maybeSecureCookie(`multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/`)
+    const options = cookieOptions({ httpOnly: false })
+    document.cookie = cookie.serialize('multi_auth.user-id', anonRow ? 'anonymous' : account.id, options)
 
     // update state
     if (anonRow) {

lib/auth.js

@@ -11,7 +11,7 @@ const userJwtRegexp = /^multi_auth\.\d+$/
 const HTTPS = process.env.NODE_ENV === 'production'
 const SESSION_COOKIE_NAME = HTTPS ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
 
-const cookieOptions = (args) => ({
+export const cookieOptions = (args) => ({
   path: '/',
   secure: process.env.NODE_ENV === 'production',
   // httpOnly cookies by default