From 977028186303383510b8f97e81603d26edc72de8 Mon Sep 17 00:00:00 2001
From: Linus Flood
Date: Fri, 19 Sep 2025 13:05:20 +0000
Subject: [PATCH] Merged in fix/webview-auth-fix-2 (pull request #2834)
feat/webview: delete cookie instead of setting header in webview auth middleware
* feat/webview: delete cookie instead of setting header in webview auth middleware
---
 apps/scandic-web/middlewares/webView.ts | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/apps/scandic-web/middlewares/webView.ts b/apps/scandic-web/middlewares/webView.ts
index abee15790..2b4ebfb2f 100644
--- a/apps/scandic-web/middlewares/webView.ts
+++ b/apps/scandic-web/middlewares/webView.ts
@@ -51,20 +51,19 @@ export const middleware: NextMiddleware = async (request) => {
 // If user is redirected to /lang/webview/refresh/, the webview token is invalid and we remove the cookie
 if (refreshWebviews.includes(nextUrl.pathname)) {
- return NextResponse.rewrite(
+ const res = NextResponse.rewrite(
 new URL(
 `/${lang}/webview/refresh?${nextUrl.searchParams.toString()}`,
 nextUrl
 ),
 {
- headers: {
- "Set-Cookie": `webviewToken=0; Max-Age=0; Secure; HttpOnly; Path=/; SameSite=Strict;`,
- },
 request: {
 headers,
 },
 }
 )
+ res.cookies.delete("webviewToken")
+ return res
 }
 const authorizationToken = request.headers.get("X-Authorization")
 const webviewTokenCookie = request.cookies.get("webviewToken")
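Review bot: `res.cookies.delete("webviewToken")` in the `refreshWebviews` branch no longer states the cookie's attributes, so whether the browser actually drops the invalid token now depends on the framework's defaults matching how the cookie was set, and the setter is not visible in this hunk. A browser only replaces a cookie whose name, path and domain match; the removed header pinned `Path=/` together with `Secure; HttpOnly; SameSite=Strict`, and if the setter uses a `Domain` or a different path, the stale token would survive and keep being sent. Keeping the attributes explicit is one line, for example `res.cookies.set("webviewToken", "", { maxAge: 0, path: "/", secure: true, httpOnly: true, sameSite: "strict" })`, or at minimum a comment above the delete naming where the cookie is set and with which attributes. A middleware test asserting that the rewritten response carries an expiring `Set-Cookie` for `webviewToken` would pin this behaviour. The middleware body starts and continues outside the hunk.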