From c1c887d03c3f7da6b1d3df6563981f9324acfe22 Mon Sep 17 00:00:00 2001
From: Mauricio Siu <siumauricio@icloud.com>
Date: Sun, 7 Jun 2026 00:50:20 -0600
Subject: [PATCH] fix: update deriveCookieSecret to meet oauth2-proxy
 requirements

---
 packages/server/src/setup/forward-auth-setup.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/server/src/setup/forward-auth-setup.ts b/packages/server/src/setup/forward-auth-setup.ts
index 44ef3008c..cec525064 100644
--- a/packages/server/src/setup/forward-auth-setup.ts
+++ b/packages/server/src/setup/forward-auth-setup.ts
@@ -38,9 +38,12 @@ export const forwardAuthCallbackUrl = (
 ): string => `${https ? "https" : "http"}://${authDomain}/oauth2/callback`;
 
 export const deriveCookieSecret = (salt: string): string => {
+	// oauth2-proxy requires cookie_secret to be exactly 16, 24, or 32 bytes.
+	// Take the first 32 hex chars (= 16 bytes) to satisfy that constraint.
 	return createHmac("sha256", betterAuthSecret)
 		.update(`forward-auth:${salt}`)
-		.digest("base64");
+		.digest("hex")
+		.slice(0, 32);
 };
 
 export const buildForwardAuthEnv = (