fix: resolve login redirect failures by removing cookie domain and implementing session data encryption

LOGIN_FIX_SUMMARY.md

@@ -235,9 +235,10 @@ NUXT_PUBLIC_DOMAIN=monacousa.org
 
 1. `nuxt.config.ts` - PWA service worker configuration
 2. `pages/login.vue` - Login page refactor
-3. `server/api/auth/direct-login.post.ts` - Cookie domain fix
-4. `nginx-portal.conf` - Proxy timeout configuration
-5. `debug-login.js` - Debug script (new file)
-6. `LOGIN_FIX_SUMMARY.md` - This documentation (new file)
+3. `server/api/auth/direct-login.post.ts` - Cookie domain fix and direct encryption
+4. `server/utils/session.ts` - Removed cookie domain from session manager
+5. `nginx-portal.conf` - Proxy timeout configuration
+6. `debug-login.js` - Debug script (new file)
+7. `LOGIN_FIX_SUMMARY.md` - This documentation (new file)
 
 The fixes address the core issues causing login redirect failures and should provide a stable authentication experience.

server/api/auth/direct-login.post.ts

@@ -236,17 +236,14 @@ export default defineEventHandler(async (event) => {
     const sessionManager = createSessionManager();
     const maxAge = !!rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
     
-    // Don't set a domain for the cookie - let it default to the current domain
+    // Create the encrypted session data
+    const sessionData_json = JSON.stringify(sessionData);
+    const encrypted = sessionManager.encrypt(sessionData_json);
+    
     console.log(`🍪 Setting session cookie (Remember Me: ${!!rememberMe}) without explicit domain`);
     
-    // Create the session cookie string using the session manager
-    const sessionCookieString = sessionManager.createSession(sessionData, !!rememberMe);
-    
-    // Parse the cookie string to get just the value
-    const cookieValue = sessionCookieString.split('=')[1].split(';')[0];
-    
-    // Use Nuxt's setCookie helper with the encrypted value
-    setCookie(event, 'monacousa-session', cookieValue, {
+    // Use Nuxt's setCookie helper directly with the encrypted value
+    setCookie(event, 'monacousa-session', encrypted, {
       httpOnly: true,
       secure: process.env.NODE_ENV === 'production',
       sameSite: 'lax',

server/utils/session.ts

@@ -10,7 +10,7 @@ export class SessionManager {
     this.encryptionKey = Buffer.from(encryptionKey, 'hex');
   }
 
-  private encrypt(data: string): string {
+  encrypt(data: string): string {
     const iv = randomBytes(16);
     const cipher = createCipheriv('aes-256-cbc', this.encryptionKey, iv);
     let encrypted = cipher.update(data, 'utf8', 'hex');
@@ -31,16 +31,14 @@ export class SessionManager {
     const data = JSON.stringify(sessionData);
     const encrypted = this.encrypt(data);
     
-    const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
     const maxAge = rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
     
-    console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) with domain:`, cookieDomain);
+    console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) without explicit domain`);
     
     return serialize(this.cookieName, encrypted, {
       httpOnly: true,
       secure: process.env.NODE_ENV === 'production',
       sameSite: 'lax',
-      domain: cookieDomain,
       maxAge,
       path: '/',
     });