Add debug logging and cookie domain configuration to auth flow

- Add comprehensive logging to login and callback endpoints for debugging
- Configure cookie domain from environment variable for cross-subdomain support
- Update cookie security settings based on NODE_ENV
- Add Keycloak configuration validation with detailed error logging

server/api/auth/callback.get.ts

@@ -1,6 +1,14 @@
 export default defineEventHandler(async (event) => {
+  console.log('🔄 Callback endpoint called at:', new Date().toISOString());
+  
   const query = getQuery(event);
   const { code, state } = query;
+  
+  console.log('📝 Callback query params:', { 
+    hasCode: !!code, 
+    hasState: !!state,
+    state: state ? 'present' : 'missing'
+  });
 
   if (!code || !state) {
     throw createError({

server/api/auth/login.get.ts

@@ -1,17 +1,47 @@
 import { randomBytes } from 'crypto';
 
 export default defineEventHandler(async (event) => {
-  const keycloak = createKeycloakClient();
+  console.log('🔐 Login endpoint called at:', new Date().toISOString());
-  const state = randomBytes(32).toString('hex');
   
-  // Store state in session for verification
+  try {
-  setCookie(event, 'oauth-state', state, {
+    const config = useRuntimeConfig();
-    httpOnly: true,
+    console.log('🔧 Keycloak config:', {
-    secure: true,
+      issuer: config.keycloak?.issuer || 'NOT SET',
-    maxAge: 600, // 10 minutes
+      clientId: config.keycloak?.clientId || 'NOT SET',
-  });
+      callbackUrl: config.keycloak?.callbackUrl || 'NOT SET',
+      hasSecret: !!config.keycloak?.clientSecret
+    });
 
-  const authUrl = keycloak.getAuthUrl(state);
+    if (!config.keycloak?.issuer || !config.keycloak?.clientId || !config.keycloak?.clientSecret) {
-  
+      console.error('❌ Missing Keycloak configuration');
-  return sendRedirect(event, authUrl);
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'Keycloak configuration is incomplete'
+      });
+    }
+
+    const keycloak = createKeycloakClient();
+    const state = randomBytes(32).toString('hex');
+    
+    // Get cookie domain from environment
+    const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
+    console.log('🍪 Cookie domain:', cookieDomain);
+    
+    // Store state in session for verification
+    setCookie(event, 'oauth-state', state, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      domain: cookieDomain,
+      maxAge: 600, // 10 minutes
+    });
+
+    const authUrl = keycloak.getAuthUrl(state);
+    console.log('🔗 Redirecting to Keycloak:', authUrl);
+    
+    return sendRedirect(event, authUrl);
+  } catch (error) {
+    console.error('❌ Login error:', error);
+    throw error;
+  }
 });

server/utils/session.ts

@@ -31,10 +31,14 @@ export class SessionManager {
     const data = JSON.stringify(sessionData);
     const encrypted = this.encrypt(data);
     
+    const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
+    console.log('🍪 Creating session cookie with domain:', cookieDomain);
+    
     return serialize(this.cookieName, encrypted, {
       httpOnly: true,
-      secure: true,
+      secure: process.env.NODE_ENV === 'production',
       sameSite: 'lax',
+      domain: cookieDomain,
       maxAge: 60 * 60 * 24 * 7, // 7 days
       path: '/',
     });