fix: Re-write cookies after Environment resolves to apply correct partitioned attributes

Dev browser cookies are written at Step 0 before Environment is fetched,
so they initially use stale (non-partitioned) attributes. After Environment
resolves, refreshCookies() re-writes them with the correct attributes.

Also fixes non-partitioned cookie cleanup: when transitioning to partitioned,
the old non-partitioned cookies are now properly removed (plain remove without
partitioned attribute targets the non-partitioned version, since the browser
treats them as different cookies).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: brkalow

packages/clerk-js/src/core/auth/AuthCookieService.ts

@@ -75,6 +75,13 @@ export class AuthCookieService {
 
     eventBus.on(events.UserSignOut, () => this.handleSignOut());
 
+    // After Environment resolves, re-write dev browser cookies with correct
+    // partitioned attributes. Dev browser cookies are initially written before
+    // Environment is fetched, so they may have stale attributes.
+    eventBus.on(events.EnvironmentUpdate, () => {
+      this.devBrowser.refreshCookies();
+    });
+
     this.refreshTokenOnFocus();
     this.startPollingForToken();
 

packages/clerk-js/src/core/auth/cookies/devBrowser.ts

@@ -44,6 +44,15 @@ export const createDevBrowserCookie = (
     const expires = addYears(Date.now(), 1);
     const { sameSite, secure, partitioned } = getCookieAttributes(options);
 
+    // If setting Partitioned to true, remove the existing non-partitioned cookies.
+    // A partitioned and non-partitioned cookie with the same name are treated as
+    // different cookies by the browser, so we need to explicitly remove the old
+    // non-partitioned versions. Plain remove() (without attributes) targets them.
+    if (partitioned) {
+      suffixedDevBrowserCookie.remove();
+      devBrowserCookie.remove();
+    }
+
     suffixedDevBrowserCookie.set(jwt, { expires, sameSite, secure, partitioned });
     devBrowserCookie.set(jwt, { expires, sameSite, secure, partitioned });
   };

packages/clerk-js/src/core/auth/cookies/session.ts

@@ -45,10 +45,13 @@ export const createSessionCookie = (cookieSuffix: string, options: SessionCookie
     const expires = addYears(Date.now(), 1);
     const { sameSite, secure, partitioned } = getCookieAttributes(options);
 
-    // If setting Partitioned to true, remove the existing session cookies.
-    // This is to avoid conflicts with the same cookie name without Partitioned attribute.
+    // If setting Partitioned to true, remove the existing non-partitioned cookies.
+    // A partitioned and non-partitioned cookie with the same name are treated as
+    // different cookies by the browser, so we need to explicitly remove the old
+    // non-partitioned versions. Plain remove() (without attributes) targets them.
     if (partitioned) {
-      remove();
+      sessionCookie.remove();
+      suffixedSessionCookie.remove();
     }
 
     sessionCookie.set(token, { expires, sameSite, secure, partitioned });

packages/clerk-js/src/core/auth/devBrowser.ts

@@ -18,6 +18,8 @@ export interface DevBrowser {
   setDevBrowserJWT(jwt: string): void;
 
   removeDevBrowserJWT(): void;
+
+  refreshCookies(): void;
 }
 
 export type CreateDevBrowserOptions = {
@@ -106,11 +108,19 @@ export function createDevBrowser({
     setDevBrowserJWT(data?.id);
   }
 
+  function refreshCookies() {
+    const jwt = getDevBrowserJWT();
+    if (jwt) {
+      setDevBrowserJWT(jwt);
+    }
+  }
+
   return {
     clear,
     setup,
     getDevBrowserJWT,
     setDevBrowserJWT,
     removeDevBrowserJWT,
+    refreshCookies,
   };
 }