fix: resolve login redirect failures by removing cookie domain and implementing session data encryption

2025-08-07 13:01:39 +02:00 · 2025-08-07 13:01:39 +02:00 · cbaedeb0a8
parent 2c545dcaaa
commit cbaedeb0a8
3 changed files with 13 additions and 17 deletions
--- a/LOGIN_FIX_SUMMARY.md
+++ b/LOGIN_FIX_SUMMARY.md
@ -235,9 +235,10 @@ NUXT_PUBLIC_DOMAIN=monacousa.org
 1. `nuxt.config.ts` - PWA service worker configuration
 2. `pages/login.vue` - Login page refactor
-3. `server/api/auth/direct-login.post.ts` - Cookie domain fix
+3. `server/api/auth/direct-login.post.ts` - Cookie domain fix and direct encryption
-4. `nginx-portal.conf` - Proxy timeout configuration
+4. `server/utils/session.ts` - Removed cookie domain from session manager
-5. `debug-login.js` - Debug script (new file)
+5. `nginx-portal.conf` - Proxy timeout configuration
-6. `LOGIN_FIX_SUMMARY.md` - This documentation (new file)
+6. `debug-login.js` - Debug script (new file)
 7. `LOGIN_FIX_SUMMARY.md` - This documentation (new file)
 The fixes address the core issues causing login redirect failures and should provide a stable authentication experience.
--- a/server/api/auth/direct-login.post.ts
+++ b/server/api/auth/direct-login.post.ts
@ -236,17 +236,14 @@ export default defineEventHandler(async (event) => {
    const sessionManager = createSessionManager();
    const maxAge = !!rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
-    // Don't set a domain for the cookie - let it default to the current domain
+    // Create the encrypted session data
    const sessionData_json = JSON.stringify(sessionData);
    const encrypted = sessionManager.encrypt(sessionData_json);
    console.log(`🍪 Setting session cookie (Remember Me: ${!!rememberMe}) without explicit domain`);
-    // Create the session cookie string using the session manager
+    // Use Nuxt's setCookie helper directly with the encrypted value
-    const sessionCookieString = sessionManager.createSession(sessionData, !!rememberMe);
+    setCookie(event, 'monacousa-session', encrypted, {
    // Parse the cookie string to get just the value
    const cookieValue = sessionCookieString.split('=')[1].split(';')[0];
    // Use Nuxt's setCookie helper with the encrypted value
    setCookie(event, 'monacousa-session', cookieValue, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
--- a/server/utils/session.ts
+++ b/server/utils/session.ts
@ -10,7 +10,7 @@ export class SessionManager {
    this.encryptionKey = Buffer.from(encryptionKey, 'hex');
  }
-  private encrypt(data: string): string {
+  encrypt(data: string): string {
    const iv = randomBytes(16);
    const cipher = createCipheriv('aes-256-cbc', this.encryptionKey, iv);
    let encrypted = cipher.update(data, 'utf8', 'hex');
@ -31,16 +31,14 @@ export class SessionManager {
    const data = JSON.stringify(sessionData);
    const encrypted = this.encrypt(data);
    const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
    const maxAge = rememberMe ? 60 * 60 * 24 * 30 : 60 * 60 * 24 * 7; // 30 days vs 7 days
-    console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) with domain:`, cookieDomain);
+    console.log(`🍪 Creating session cookie (Remember Me: ${rememberMe}) without explicit domain`);
    return serialize(this.cookieName, encrypted, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
      domain: cookieDomain,
      maxAge,
      path: '/',
    });