matt/monacousa-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve login redirect failures by removing cookie domain and implementing session data encryption
All checks were successful
Build And Push Image / docker (push) Successful in 3m9s
Details

Browse Source
This commit is contained in:
Matt
2025-08-07 13:01:39 +02:00
parent 2c545dcaaa
commit cbaedeb0a8
3 changed files with 13 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
server/api/auth/direct-login.post.ts
View File

@@ -236,17 +236,14 @@ export default defineEventHandler(async (event) => {
const sessionManager = createSessionManager();
const maxAge = !!rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
// Don't set a domain for the cookie - let it default to the current domain
// Create the encrypted session data
const sessionData_json = JSON.stringify(sessionData);
const encrypted = sessionManager.encrypt(sessionData_json);
console.log(`🍪 Setting session cookie (Remember Me: ${!!rememberMe}) without explicit domain`);
// Create the session cookie string using the session manager
const sessionCookieString = sessionManager.createSession(sessionData, !!rememberMe);
// Parse the cookie string to get just the value
const cookieValue = sessionCookieString.split('=')[1].split(';')[0];
// Use Nuxt's setCookie helper with the encrypted value
setCookie(event, 'monacousa-session', cookieValue, {
// Use Nuxt's setCookie helper directly with the encrypted value
setCookie(event, 'monacousa-session', encrypted, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',

6
server/utils/session.ts
View File

@@ -10,7 +10,7 @@ export class SessionManager {
this.encryptionKey = Buffer.from(encryptionKey, 'hex');
}
private encrypt(data: string): string {
encrypt(data: string): string {
const iv = randomBytes(16);
const cipher = createCipheriv('aes-256-cbc', this.encryptionKey, iv);
let encrypted = cipher.update(data, 'utf8', 'hex');
@@ -31,16 +31,14 @@ export class SessionManager {
const data = JSON.stringify(sessionData);
const encrypted = this.encrypt(data);
const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
const maxAge = rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) with domain:`, cookieDomain);
console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) without explicit domain`);
return serialize(this.cookieName, encrypted, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
domain: cookieDomain,
maxAge,
path: '/',
});