From cbaedeb0a88e6f6f75d07a0e2d9b5f3211dee300 Mon Sep 17 00:00:00 2001
From: Matt
Date: Thu, 7 Aug 2025 13:01:39 +0200
Subject: [PATCH] fix: resolve login redirect failures by removing cookie domain and implementing session data encryption

---
 LOGIN_FIX_SUMMARY.md | 9 +++++----
 server/api/auth/direct-login.post.ts | 15 ++++++---------
 server/utils/session.ts | 6 ++----
 3 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/LOGIN_FIX_SUMMARY.md b/LOGIN_FIX_SUMMARY.md
index 8a5daf1..bf099ae 100644
--- a/LOGIN_FIX_SUMMARY.md
+++ b/LOGIN_FIX_SUMMARY.md
@@ -235,9 +235,10 @@ NUXT_PUBLIC_DOMAIN=monacousa.org
 1. `nuxt.config.ts` - PWA service worker configuration
 2. `pages/login.vue` - Login page refactor
-3. `server/api/auth/direct-login.post.ts` - Cookie domain fix
-4. `nginx-portal.conf` - Proxy timeout configuration
-5. `debug-login.js` - Debug script (new file)
-6. `LOGIN_FIX_SUMMARY.md` - This documentation (new file)
+3. `server/api/auth/direct-login.post.ts` - Cookie domain fix and direct encryption
+4. `server/utils/session.ts` - Removed cookie domain from session manager
+5. `nginx-portal.conf` - Proxy timeout configuration
+6. `debug-login.js` - Debug script (new file)
+7. `LOGIN_FIX_SUMMARY.md` - This documentation (new file)
 
 The fixes address the core issues causing login redirect failures and should provide a stable authentication experience.
 
diff --git a/server/api/auth/direct-login.post.ts b/server/api/auth/direct-login.post.ts
index 974b435..f7d33ed 100644
--- a/server/api/auth/direct-login.post.ts
+++ b/server/api/auth/direct-login.post.ts
@@ -236,17 +236,14 @@ export default defineEventHandler(async (event) => {
 const sessionManager = createSessionManager();
 const maxAge = !!rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
 
- // Don't set a domain for the cookie - let it default to the current domain
+ // Create the encrypted session data
+ const sessionData_json = JSON.stringify(sessionData);
+ const encrypted = sessionManager.encrypt(sessionData_json);
+
 console.log(`🍪 Setting session cookie (Remember Me: ${!!rememberMe}) without explicit domain`);
 
- // Create the session cookie string using the session manager
- const sessionCookieString = sessionManager.createSession(sessionData, !!rememberMe);
-
- // Parse the cookie string to get just the value
- const cookieValue = sessionCookieString.split('=')[1].split(';')[0];
-
- // Use Nuxt's setCookie helper with the encrypted value
- setCookie(event, 'monacousa-session', cookieValue, {
+ // Use Nuxt's setCookie helper directly with the encrypted value
+ setCookie(event, 'monacousa-session', encrypted, {
 httpOnly: true,
 secure: process.env.NODE_ENV === 'production',
 sameSite: 'lax',
diff --git a/server/utils/session.ts b/server/utils/session.ts
index 714c2f9..441c345 100644
--- a/server/utils/session.ts
+++ b/server/utils/session.ts
@@ -10,7 +10,7 @@ export class SessionManager {
 this.encryptionKey = Buffer.from(encryptionKey, 'hex');
 }
 
- private encrypt(data: string): string {
+ encrypt(data: string): string {
 const iv = randomBytes(16);
 const cipher = createCipheriv('aes-256-cbc', this.encryptionKey, iv);
 let encrypted = cipher.update(data, 'utf8', 'hex');
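Review bot: The handler now re-implements what `SessionManager.createSession` does — stringify, encrypt, and the same `httpOnly`/`secure`/`sameSite`/`maxAge` options — so the cookie name and attributes live in two places, and the name is hardcoded here as `'monacousa-session'` while the manager uses `this.cookieName`; if either is changed without the other, the read path will not find the cookie. Consider a single path instead: give the manager a method that returns only the encrypted value, e.g. `createSessionValue(sessionData) { return this.encrypt(JSON.stringify(sessionData)); }`, have `createSession` call it, and let the handler use the manager's cookie name so the options are defined once. The same duplication is visible from the other side in the `createSession` hunk at `@@ -31,16` in session.ts. On style, `sessionData_json` is snake_case in an otherwise camelCase file; `sessionJson` would match. The enclosing `defineEventHandler` body starts and ends outside this hunk.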
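Review bot: Making `encrypt` public exposes a bare AES-256-CBC primitive as API: CBC provides confidentiality only, and a cookie value presented by the browser is untrusted input, so unless `decrypt` verifies a MAC (not in this hunk) a modified ciphertext is not rejected by the cipher itself and reaches the JSON parsing stage. Prefer an authenticated mode, e.g. `createCipheriv('aes-256-gcm', this.encryptionKey, iv)` with `cipher.getAuthTag()` stored alongside the ciphertext and checked via `setAuthTag` on decrypt, or keep `encrypt` private and expose a higher-level method that returns the cookie value so callers never handle raw ciphertext. Now that the method is exported API it also needs a TSDoc stating that `data` is the UTF-8 JSON payload and describing the returned hex encoding; the rest of the method body, including what is returned, is outside this hunk.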
@@ -31,16 +31,14 @@ export class SessionManager {
 const data = JSON.stringify(sessionData);
 const encrypted = this.encrypt(data);
 
- const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
 const maxAge = rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
 
- console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) with domain:`, cookieDomain);
+ console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) without explicit domain`);
 
 return serialize(this.cookieName, encrypted, {
 httpOnly: true,
 secure: process.env.NODE_ENV === 'production',
 sameSite: 'lax',
- domain: cookieDomain,
 maxAge,
 path: '/',
 });
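Review bot: Dropping the `domain` attribute changes the cookie's identity, not just its scope: a `monacousa-session` cookie previously set with `Domain=<old COOKIE_DOMAIN value>` is a different cookie from the new host-only one, so browsers that still hold the old one (up to 30 days per `maxAge`) will send both values in the `Cookie` header and the read path may pick the stale one — plausibly the same redirect failure this commit targets. Consider a transitional cleanup for one release that expires the domain-scoped cookie in the login handler (same name, `domain` set to the old value, `maxAge: 0`), and confirm the cookie parser on the read side does not silently take the first match. Since `COOKIE_DOMAIN` is no longer read anywhere in this patch, the deployment notes should mark it as ignored, and `createSession` is no longer called from `direct-login.post.ts` after this change, so it is either dead code or has other callers — worth checking. The `createSession` signature is above the hunk.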