FEAT: Implement Keycloak client with circuit breaker and retry logic for improved authentication resilience
This commit is contained in:
@@ -1,65 +1,66 @@
|
||||
import { keycloakClient } from '~/server/utils/keycloak-client'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const startTime = Date.now()
|
||||
const query = getQuery(event)
|
||||
const { code, state, error } = query
|
||||
|
||||
console.log('[KEYCLOAK] Callback received:', { code: !!code, state, error })
|
||||
console.log('[KEYCLOAK] Callback received:', {
|
||||
code: !!code,
|
||||
state,
|
||||
error,
|
||||
requestId: event.node.req.headers['x-request-id'] || 'unknown'
|
||||
})
|
||||
|
||||
if (error) {
|
||||
console.error('[KEYCLOAK] OAuth error:', error)
|
||||
const errorMsg = `Authentication failed: ${error}`
|
||||
console.error('[KEYCLOAK] OAuth error:', errorMsg)
|
||||
|
||||
// Add timing info for debugging
|
||||
const duration = Date.now() - startTime
|
||||
console.error(`[KEYCLOAK] Failed after ${duration}ms`)
|
||||
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: `Authentication failed: ${error}`
|
||||
statusMessage: errorMsg
|
||||
})
|
||||
}
|
||||
|
||||
if (!code) {
|
||||
console.error('[KEYCLOAK] No authorization code received')
|
||||
const errorMsg = 'No authorization code received'
|
||||
console.error('[KEYCLOAK] ' + errorMsg)
|
||||
|
||||
const duration = Date.now() - startTime
|
||||
console.error(`[KEYCLOAK] Failed after ${duration}ms`)
|
||||
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: 'No authorization code received'
|
||||
statusMessage: errorMsg
|
||||
})
|
||||
}
|
||||
|
||||
try {
|
||||
// Validate environment variables
|
||||
const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET
|
||||
if (!clientSecret) {
|
||||
console.error('[KEYCLOAK] KEYCLOAK_CLIENT_SECRET not configured')
|
||||
throw createError({
|
||||
statusCode: 500,
|
||||
statusMessage: 'Authentication service misconfigured'
|
||||
})
|
||||
}
|
||||
|
||||
// Exchange authorization code for tokens
|
||||
const tokenResponse = await $fetch('https://auth.portnimara.dev/realms/client-portal/protocol/openid-connect/token', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
grant_type: 'authorization_code',
|
||||
client_id: 'client-portal',
|
||||
client_secret: clientSecret,
|
||||
code: code as string,
|
||||
redirect_uri: 'https://client.portnimara.dev/api/auth/keycloak/callback'
|
||||
}).toString()
|
||||
}) as any
|
||||
|
||||
console.log('[KEYCLOAK] Token exchange successful:', {
|
||||
console.log('[KEYCLOAK] Starting token exchange...')
|
||||
const redirectUri = 'https://client.portnimara.dev/api/auth/keycloak/callback'
|
||||
|
||||
// Use the new Keycloak client with retry logic and circuit breaker
|
||||
const tokenResponse = await keycloakClient.exchangeCodeForTokens(code as string, redirectUri)
|
||||
|
||||
const tokenExchangeDuration = Date.now() - startTime
|
||||
console.log(`[KEYCLOAK] Token exchange successful in ${tokenExchangeDuration}ms:`, {
|
||||
hasAccessToken: !!tokenResponse.access_token,
|
||||
hasRefreshToken: !!tokenResponse.refresh_token,
|
||||
expiresIn: tokenResponse.expires_in
|
||||
})
|
||||
|
||||
// Get user info
|
||||
const userInfo = await $fetch('https://auth.portnimara.dev/realms/client-portal/protocol/openid-connect/userinfo', {
|
||||
headers: {
|
||||
'Authorization': `Bearer ${tokenResponse.access_token}`
|
||||
}
|
||||
}) as any
|
||||
|
||||
console.log('[KEYCLOAK] User info retrieved:', {
|
||||
// Get user info with retry logic
|
||||
console.log('[KEYCLOAK] Fetching user info...')
|
||||
const userInfoStartTime = Date.now()
|
||||
|
||||
const userInfo = await keycloakClient.getUserInfo(tokenResponse.access_token)
|
||||
|
||||
const userInfoDuration = Date.now() - userInfoStartTime
|
||||
console.log(`[KEYCLOAK] User info retrieved in ${userInfoDuration}ms:`, {
|
||||
sub: userInfo.sub,
|
||||
email: userInfo.email,
|
||||
username: userInfo.preferred_username,
|
||||
@@ -95,21 +96,39 @@ export default defineEventHandler(async (event) => {
|
||||
path: '/'
|
||||
})
|
||||
|
||||
console.log('[KEYCLOAK] Session cookie set successfully')
|
||||
console.log('[KEYCLOAK] Redirecting to dashboard...')
|
||||
const totalDuration = Date.now() - startTime
|
||||
console.log(`[KEYCLOAK] Authentication completed successfully in ${totalDuration}ms`)
|
||||
console.log('[KEYCLOAK] Session cookie set, redirecting to dashboard...')
|
||||
|
||||
// Redirect to dashboard
|
||||
await sendRedirect(event, '/dashboard')
|
||||
|
||||
} catch (error: any) {
|
||||
console.error('[KEYCLOAK] Token exchange failed:', error)
|
||||
console.error('[KEYCLOAK] Error details:', {
|
||||
const duration = Date.now() - startTime
|
||||
console.error(`[KEYCLOAK] Authentication failed after ${duration}ms:`, {
|
||||
message: error.message,
|
||||
status: error.status,
|
||||
statusMessage: error.statusMessage,
|
||||
data: error.data
|
||||
})
|
||||
|
||||
// Redirect to login with error
|
||||
await sendRedirect(event, '/login?error=auth_failed')
|
||||
// Log circuit breaker status for debugging
|
||||
const circuitStatus = keycloakClient.getCircuitBreakerStatus()
|
||||
if (circuitStatus.isOpen) {
|
||||
console.error('[KEYCLOAK] Circuit breaker is OPEN:', circuitStatus)
|
||||
}
|
||||
|
||||
// Provide more specific error messages
|
||||
let errorParam = 'auth_failed'
|
||||
if (error.status === 503) {
|
||||
errorParam = 'service_unavailable'
|
||||
} else if (error.status >= 500) {
|
||||
errorParam = 'server_error'
|
||||
} else if (error.status === 401 || error.status === 403) {
|
||||
errorParam = 'access_denied'
|
||||
}
|
||||
|
||||
// Redirect to login with specific error
|
||||
await sendRedirect(event, `/login?error=${errorParam}`)
|
||||
}
|
||||
})
|
||||
|
||||
@@ -1,4 +1,7 @@
|
||||
import { keycloakClient } from '~/server/utils/keycloak-client'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const startTime = Date.now()
|
||||
console.log('[REFRESH] Processing token refresh request')
|
||||
|
||||
try {
|
||||
@@ -43,21 +46,12 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
}
|
||||
|
||||
// Use refresh token to get new access token
|
||||
const tokenResponse = await $fetch('https://auth.portnimara.dev/realms/client-portal/protocol/openid-connect/token', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
grant_type: 'refresh_token',
|
||||
client_id: 'client-portal',
|
||||
client_secret: clientSecret,
|
||||
refresh_token: sessionData.refreshToken
|
||||
}).toString()
|
||||
}) as any
|
||||
// Use refresh token to get new access token with retry logic
|
||||
console.log('[REFRESH] Using Keycloak client for token refresh...')
|
||||
const tokenResponse = await keycloakClient.refreshAccessToken(sessionData.refreshToken)
|
||||
|
||||
console.log('[REFRESH] Token refresh successful:', {
|
||||
const refreshDuration = Date.now() - startTime
|
||||
console.log(`[REFRESH] Token refresh successful in ${refreshDuration}ms:`, {
|
||||
hasAccessToken: !!tokenResponse.access_token,
|
||||
hasRefreshToken: !!tokenResponse.refresh_token,
|
||||
expiresIn: tokenResponse.expires_in
|
||||
|
||||
Reference in New Issue
Block a user