Add debug logging and cookie domain configuration to auth flow

- Add comprehensive logging to login and callback endpoints for debugging - Configure cookie domain from environment variable for cross-subdomain support - Update cookie security settings based on NODE_ENV - Add Keycloak configuration validation with detailed error logging
2025-08-07 03:17:25 +02:00 · 2025-08-07 03:17:25 +02:00 · 858b252a7e
parent d8420b8f9e
commit 858b252a7e
3 changed files with 54 additions and 12 deletions
--- a/server/api/auth/callback.get.ts
+++ b/server/api/auth/callback.get.ts
@ -1,6 +1,14 @@
 export default defineEventHandler(async (event) => {
+  console.log('🔄 Callback endpoint called at:', new Date().toISOString());
+  
  const query = getQuery(event);
  const { code, state } = query;
+  
+  console.log('📝 Callback query params:', { 
+    hasCode: !!code, 
+    hasState: !!state,
+    state: state ? 'present' : 'missing'
+  });

  if (!code || !state) {
    throw createError({
--- a/server/api/auth/login.get.ts
+++ b/server/api/auth/login.get.ts
@ -1,17 +1,47 @@
 import { randomBytes } from 'crypto';

 export default defineEventHandler(async (event) => {
-  const keycloak = createKeycloakClient();
-  const state = randomBytes(32).toString('hex');
+  console.log('🔐 Login endpoint called at:', new Date().toISOString());
  
-  // Store state in session for verification
-  setCookie(event, 'oauth-state', state, {
-    httpOnly: true,
-    secure: true,
-    maxAge: 600, // 10 minutes
-  });
+  try {
+    const config = useRuntimeConfig();
+    console.log('🔧 Keycloak config:', {
+      issuer: config.keycloak?.issuer || 'NOT SET',
+      clientId: config.keycloak?.clientId || 'NOT SET',
+      callbackUrl: config.keycloak?.callbackUrl || 'NOT SET',
+      hasSecret: !!config.keycloak?.clientSecret
+    });

-  const authUrl = keycloak.getAuthUrl(state);
-  
-  return sendRedirect(event, authUrl);
+    if (!config.keycloak?.issuer || !config.keycloak?.clientId || !config.keycloak?.clientSecret) {
+      console.error('❌ Missing Keycloak configuration');
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'Keycloak configuration is incomplete'
+      });
+    }
+
+    const keycloak = createKeycloakClient();
+    const state = randomBytes(32).toString('hex');
+    
+    // Get cookie domain from environment
+    const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
+    console.log('🍪 Cookie domain:', cookieDomain);
+    
+    // Store state in session for verification
+    setCookie(event, 'oauth-state', state, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      domain: cookieDomain,
+      maxAge: 600, // 10 minutes
+    });
+
+    const authUrl = keycloak.getAuthUrl(state);
+    console.log('🔗 Redirecting to Keycloak:', authUrl);
+    
+    return sendRedirect(event, authUrl);
+  } catch (error) {
+    console.error('❌ Login error:', error);
+    throw error;
+  }
 });
--- a/server/utils/session.ts
+++ b/server/utils/session.ts
@ -31,10 +31,14 @@ export class SessionManager {
    const data = JSON.stringify(sessionData);
    const encrypted = this.encrypt(data);
    
+    const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
+    console.log('🍪 Creating session cookie with domain:', cookieDomain);
+    
    return serialize(this.cookieName, encrypted, {
      httpOnly: true,
-      secure: true,
+      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
+      domain: cookieDomain,
      maxAge: 60 * 60 * 24 * 7, // 7 days
      path: '/',
    });