Could you document the server-side cookie behavior of @aws-amplify/adapter-nextjs? #14026

Open
k1350 opened this issue Nov 20, 2024 · 1 comment
Labels: Auth, documentation, feature-request, Next.js

k1350 commented Nov 20, 2024

Is this related to a new or existing framework?

Next.js

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

When using @aws-amplify/adapter-nextjs, it is noted in the comment below that cookies set on the server-side will have a default value.
#12866 (comment)

In practice, when fetchAuthSession is executed within Next.js Server Actions and a token refresh occurs, cookies are set.

I think this behavior does not appear to be documented.
However, it is significant because it can cause issues in scenarios where CookieStorage is configured as shown below:

```tsx
'use client';

import { Amplify } from 'aws-amplify';
import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
import { CookieStorage } from 'aws-amplify/utils';
import { amplifyConfig } from '..';

Amplify.configure(amplifyConfig, { ssr: true });

// Cookie attributes used by the client-side token storage.
cognitoUserPoolsTokenProvider.setKeyValueStorage(
  new CookieStorage({
    domain: "example.com",
    secure: true,
    path: '/',
    sameSite: 'lax',
    expires: 30,
  }),
);

// Renders nothing; importing this component applies the configuration above.
export function ConfigureAmplifyClientSide() {
  return null;
}
```

If you configure CookieStorage as above, cookies with a mismatched domain field, set on the server-side, will not be deleted when performing a signout on the client-side.
As a result, stale cookies eventually trigger repeated tokenRefresh_failure events, leaving users unable to log in.

I have commented on the following issue to provide more details about this behavior:
#13940 (comment)

This behavior—where cookies set on the server-side have default values—cannot be overlooked.
I would like this behavior of @aws-amplify/adapter-nextjs to be documented explicitly.

Describe the solution you'd like

I would like this behavior of @aws-amplify/adapter-nextjs to be documented explicitly.

Describe alternatives you've considered

None

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
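
The stale-cookie scenario described in this issue, as an added example that is not part of the original thread or of Amplify's code: a simplified cookie jar in which a cookie is keyed on name, domain, host-only flag and path. It assumes the server-side write carries no Domain attribute; `app.example.com` and the cookie name are placeholders.

```javascript
// Simplified model of browser cookie storage, constructed for illustration.
// Without a Domain attribute a cookie is host-only: its domain is the host
// that set it. The host-only flag is part of the storage key in this model.
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // Apply one cookie write (Set-Cookie header or document.cookie) seen on `host`.
  set(host, { name, value, domain, path = '/', maxAge }) {
    const hostOnly = domain === undefined;
    const cookieDomain = hostOnly ? host : domain.replace(/^\./, '');
    // Ignore Domain attributes the host does not belong to.
    if (!hostOnly && host !== cookieDomain && !host.endsWith('.' + cookieDomain)) return;
    const key = [name, cookieDomain, hostOnly, path].join('|');
    if (maxAge !== undefined && maxAge <= 0) {
      this.store.delete(key); // expiry removes only the cookie with the same key
    } else {
      this.store.set(key, { name, value, domain: cookieDomain, hostOnly, path });
    }
  }

  // Cookies the browser would attach to a request for `host` (path matching omitted).
  sentTo(host) {
    return [...this.store.values()].filter((c) =>
      c.hostOnly ? c.domain === host : host === c.domain || host.endsWith('.' + c.domain));
  }
}

const HOST = 'app.example.com';      // hypothetical site host
const TOKEN = 'sample.refreshToken'; // placeholder cookie name

function signOutLeavesStaleCookie() {
  const jar = new CookieJar();
  // Client-side CookieStorage write with domain: 'example.com'.
  jar.set(HOST, { name: TOKEN, value: 'client', domain: 'example.com' });
  // Server-side refresh writes the same name with no Domain (assumed default).
  jar.set(HOST, { name: TOKEN, value: 'server' });
  // Client-side sign-out expires the cookie using the CookieStorage domain.
  jar.set(HOST, { name: TOKEN, value: '', domain: 'example.com', maxAge: 0 });
  return jar.sentTo(HOST);
}

function matchingDeleteClearsIt() {
  const jar = new CookieJar();
  jar.set(HOST, { name: TOKEN, value: 'server' });
  // Expiring with the attributes the server used (no Domain) hits the same key.
  jar.set(HOST, { name: TOKEN, value: '', maxAge: 0 });
  return jar.sentTo(HOST);
}
```

The first function returns the host-only cookie that survives sign-out; the second returns an empty list because the delete uses the same attributes as the write.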

HuiSF commented Nov 20, 2024

Thanks for the suggestion, @k1350. Currently, the documentation points out that the auth tokens may be sent back to the client from the server when calling the server-side fetchAuthSession(), but it doesn't clarify that the cookie attributes cannot be customized on the server-side given the current state. I will look into updating the documentation.

In addition, we have a plan to enable cookie attribute customization for the Next.js adapter on the server side in the near future. Please stay tuned. :)
