fix: auth cookies cross-origin, async params, CSRF/web-vitals errors

- Set SameSite=lax for auth & CSRF cookies in development (cross-port)
- Set refresh_token cookie path to / (was /auth, preventing cross-port send)
- Await params in Next.js 15 async server components (layout, listings, agents)
- Add CSRF token to web-vitals POST requests
- Fix: 401 Unauthorized on all authenticated API calls from web app
- Fix: CSRF token missing on POST requests from different port
- Fix: params.locale sync access warning in generateMetadata

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
Ho Ngoc Hai
2026-04-13 11:24:45 +07:00
parent a9fa214544
commit 1ebdc5f0b3
6 changed files with 38 additions and 17 deletions


@@ -19,10 +19,11 @@ const siteUrl = process.env['NEXT_PUBLIC_SITE_URL'] || 'https://goodgo.vn';
// ---------------------------------------------------------------------------
interface PageProps {
params: { locale: string; id: string };
params: Promise<{ locale: string; id: string }>;
}
export async function generateMetadata({ params }: PageProps): Promise<Metadata> {
export async function generateMetadata({ params: paramsPromise }: PageProps): Promise<Metadata> {
const params = await paramsPromise;
const agent = await fetchAgentProfile(params.id);
if (!agent) {
return { title: 'Không tìm thấy môi giới' };
@@ -82,7 +83,8 @@ export async function generateMetadata({ params }: PageProps): Promise<Metadata>
// Page (Server Component)
// ---------------------------------------------------------------------------
export default async function AgentProfilePage({ params }: PageProps) {
export default async function AgentProfilePage({ params: paramsPromise }: PageProps) {
const params = await paramsPromise;
const [agent, reviewsResult] = await Promise.all([
fetchAgentProfile(params.id),
fetchAgentReviews(params.id, 1, 10),
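Review bot: `params.id` comes straight from the URL segment and is passed unchanged to `fetchAgentProfile` and `fetchAgentReviews`, in both `generateMetadata` and `AgentProfilePage`, with no shape check visible in these hunks. If those helpers build the API path by interpolating the id (their bodies are not shown), a format check before the first fetch would keep malformed segments away from the backend; on mismatch it could return the existing not-found result. The same pattern appears with `fetchListingById(params.id)` in the listings page section. On style, the `params: paramsPromise` rename followed by `const params = await paramsPromise;` differs from the layout file, which uses `const { locale } = await params;`. Writing `const { id } = await params;` here would match it and avoid binding the unused `locale`. Both function bodies continue outside the hunks.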


@@ -26,10 +26,11 @@ function getLabel(list: readonly { value: string; label: string }[], value: stri
// ---------------------------------------------------------------------------
interface PageProps {
params: { locale: string; id: string };
params: Promise<{ locale: string; id: string }>;
}
export async function generateMetadata({ params }: PageProps): Promise<Metadata> {
export async function generateMetadata({ params: paramsPromise }: PageProps): Promise<Metadata> {
const params = await paramsPromise;
const listing = await fetchListingById(params.id);
if (!listing) {
return { title: 'Kh\u00f4ng t\u00ecm th\u1ea5y tin \u0111\u0103ng' };
@@ -92,7 +93,8 @@ export async function generateMetadata({ params }: PageProps): Promise<Metadata>
// Page (Server Component)
// ---------------------------------------------------------------------------
export default async function PublicListingDetailPage({ params }: PageProps) {
export default async function PublicListingDetailPage({ params: paramsPromise }: PageProps) {
const params = await paramsPromise;
const listing = await fetchListingById(params.id);
if (!listing) {


@@ -27,10 +27,11 @@ export const viewport: Viewport = {
};
export async function generateMetadata({
params: { locale },
params,
}: {
params: { locale: string };
params: Promise<{ locale: string }>;
}): Promise<Metadata> {
const { locale } = await params;
const t = await getTranslations({ locale, namespace: 'metadata' });
return {
@@ -92,11 +93,13 @@ export function generateStaticParams() {
export default async function LocaleLayout({
children,
params: { locale },
params,
}: {
children: React.ReactNode;
params: { locale: string };
params: Promise<{ locale: string }>;
}) {
const { locale } = await params;
// Validate locale
if (!routing.locales.includes(locale as Locale)) {
notFound();
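Review bot: `generateMetadata` passes the URL-supplied `locale` to `getTranslations` without the `routing.locales.includes(locale as Locale)` check that `LocaleLayout` applies, so an unsupported locale segment reaches the translation lookup unvalidated. I would repeat the guard right after the await in `generateMetadata`: `if (!routing.locales.includes(locale as Locale)) notFound();`. How `getTranslations` handles an unknown locale depends on the i18n request configuration, which is not shown here, so this may already fail safely. `LocaleLayout`'s body continues outside the hunk.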