fix: improve auth handling and logging
@@ -15,28 +15,46 @@ export async function GET(
|
|||||||
let redirectTo: string
|
let redirectTo: string
|
||||||
|
|
||||||
const returnUrl = request.headers.get("x-returnurl")
|
const returnUrl = request.headers.get("x-returnurl")
|
||||||
const isMFA = request.headers.get("x-mfa-login")
|
const isSeamless = request.headers.get("x-login-source") === "seamless"
|
||||||
|
const isMFA = request.headers.get("x-login-source") === "mfa"
|
||||||
// This is to support seamless login when using magic link login
|
const isSeamlessMagicLink =
|
||||||
const isMagicLinkUpdateLogin = !!request.headers.get("x-magic-link")
|
request.headers.get("x-login-source") === "seamless-magiclink"
|
||||||
|
|
||||||
if (!env.PUBLIC_URL) {
|
if (!env.PUBLIC_URL) {
|
||||||
throw internalServerError("No value for env.PUBLIC_URL")
|
throw internalServerError("No value for env.PUBLIC_URL")
|
||||||
}
|
}
|
||||||
|
|
||||||
if (returnUrl) {
|
console.log(
|
||||||
// Seamless login request from Current web
|
`[login] source: ${request.headers.get("x-login-source") || "normal"}`
|
||||||
redirectTo = returnUrl
|
)
|
||||||
|
|
||||||
|
const redirectToCookieValue = request.cookies.get("redirectTo")?.value // Cookie gets set by authRequired middleware
|
||||||
|
const redirectToSearchParamValue =
|
||||||
|
request.nextUrl.searchParams.get("redirectTo")
|
||||||
|
const redirectToFallback = "/"
|
||||||
|
console.log(`[login] redirectTo cookie value: ${redirectToCookieValue}`)
|
||||||
|
console.log(
|
||||||
|
`[login] redirectTo search param value: ${redirectToSearchParamValue}`
|
||||||
|
)
|
||||||
|
|
||||||
|
if (isSeamless) {
|
||||||
|
if (returnUrl) {
|
||||||
|
redirectTo = returnUrl
|
||||||
|
} else {
|
||||||
|
console.log(
|
||||||
|
`[login] missing returnUrl, using fallback: ${redirectToFallback}`
|
||||||
|
)
|
||||||
|
redirectTo = redirectToFallback
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
// Normal login request from New web
|
|
||||||
redirectTo =
|
redirectTo =
|
||||||
request.cookies.get("redirectTo")?.value || // Cookie gets set by authRequired middleware
|
redirectToCookieValue || redirectToSearchParamValue || redirectToFallback
|
||||||
request.nextUrl.searchParams.get("redirectTo") ||
|
|
||||||
"/"
|
|
||||||
|
|
||||||
// Make relative URL to absolute URL
|
// Make relative URL to absolute URL
|
||||||
if (redirectTo.startsWith("/")) {
|
if (redirectTo.startsWith("/")) {
|
||||||
|
console.log(`[login] make redirectTo absolute, from ${redirectTo}`)
|
||||||
redirectTo = new URL(redirectTo, env.PUBLIC_URL).href
|
redirectTo = new URL(redirectTo, env.PUBLIC_URL).href
|
||||||
|
console.log(`[login] make redirectTo absolute, to ${redirectTo}`)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Clean up cookie from authRequired middleware
|
// Clean up cookie from authRequired middleware
|
||||||
@@ -70,7 +88,11 @@ export async function GET(
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
const redirectUrl = new URL(redirectUrlValue)
|
const redirectUrl = new URL(redirectUrlValue)
|
||||||
|
console.log(`[login] creating redirect to seamless login: ${redirectUrl}`)
|
||||||
redirectUrl.searchParams.set("returnurl", redirectTo)
|
redirectUrl.searchParams.set("returnurl", redirectTo)
|
||||||
|
console.log(
|
||||||
|
`[login] returnurl for seamless login: ${redirectUrl.searchParams.get("returnurl")}`
|
||||||
|
)
|
||||||
redirectTo = redirectUrl.toString()
|
redirectTo = redirectUrl.toString()
|
||||||
|
|
||||||
/** Set cookie with redirect Url to appropriately redirect user when using magic link login */
|
/** Set cookie with redirect Url to appropriately redirect user when using magic link login */
|
||||||
@@ -94,10 +116,8 @@ export async function GET(
|
|||||||
* automatically redirecting to it inside of `signIn`.
|
* automatically redirecting to it inside of `signIn`.
|
||||||
* https://github.com/nextauthjs/next-auth/blob/3c035ec/packages/next-auth/src/lib/actions.ts#L76
|
* https://github.com/nextauthjs/next-auth/blob/3c035ec/packages/next-auth/src/lib/actions.ts#L76
|
||||||
*/
|
*/
|
||||||
console.log({ login_NEXTAUTH_URL: process.env.NEXTAUTH_URL })
|
console.log(`[login] final redirectUrl: ${redirectTo}`)
|
||||||
console.log({ login_env: process.env })
|
console.log({ login_env: process.env })
|
||||||
|
|
||||||
console.log({ login_redirectTo: redirectTo })
|
|
||||||
const params = {
|
const params = {
|
||||||
ui_locales: context.params.lang,
|
ui_locales: context.params.lang,
|
||||||
scope: ["openid", "profile"].join(" "),
|
scope: ["openid", "profile"].join(" "),
|
||||||
@@ -117,6 +137,7 @@ export async function GET(
|
|||||||
// This is new param set for differentiate between the Magic link login of New web and current web
|
// This is new param set for differentiate between the Magic link login of New web and current web
|
||||||
version: "2",
|
version: "2",
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isMFA) {
|
if (isMFA) {
|
||||||
// Append profile_update scope for MFA
|
// Append profile_update scope for MFA
|
||||||
params.scope = params.scope + " profile_udpate"
|
params.scope = params.scope + " profile_udpate"
|
||||||
@@ -126,9 +147,10 @@ export async function GET(
|
|||||||
*/
|
*/
|
||||||
params.acr_values =
|
params.acr_values =
|
||||||
"urn:se:curity:authentication:otp-authenticator:OTP-Authenticator_web"
|
"urn:se:curity:authentication:otp-authenticator:OTP-Authenticator_web"
|
||||||
} else if (isMagicLinkUpdateLogin) {
|
} else if (isSeamlessMagicLink) {
|
||||||
params.acr_values = "abc"
|
params.acr_values = "abc"
|
||||||
}
|
}
|
||||||
|
|
||||||
const redirectUrl = await signIn(
|
const redirectUrl = await signIn(
|
||||||
"curity",
|
"curity",
|
||||||
{
|
{
|
||||||
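Review bot: `console.log({ login_env: process.env })` survives this change next to the new `[login] final redirectUrl` line, so every login request writes the whole process environment to the log, which likely includes the auth secret and the identity provider's client credentials. Remove that line, or log only a named, non-secret value. Separately, `redirectToCookieValue`, `redirectToSearchParamValue` and `returnUrl` reach `redirectTo` unchecked: only values starting with `/` are resolved against `env.PUBLIC_URL`, so an absolute URL passes through as is and a `//host` value resolves to another origin. For the cookie and query-string branch, something like `if (new URL(redirectTo, env.PUBLIC_URL).origin !== new URL(env.PUBLIC_URL).origin) redirectTo = redirectToFallback` would pin it to this site; the header-derived `returnUrl` would need an allowlist of expected origins. GET's body starts and ends outside these hunks, so a later check may exist that is not visible here.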
|
|||||||
@@ -67,8 +67,8 @@ export const middleware = auth(async (request) => {
|
|||||||
|
|
||||||
if (isLoggedIn && isMFAPath && isMFAInvalid()) {
|
if (isLoggedIn && isMFAPath && isMFAInvalid()) {
|
||||||
const headers = new Headers(request.headers)
|
const headers = new Headers(request.headers)
|
||||||
headers.set("x-mfa-login", "true")
|
|
||||||
headers.set("x-returnurl", nextUrlClone.href)
|
headers.set("x-returnurl", nextUrlClone.href)
|
||||||
|
headers.set("x-login-source", "mfa")
|
||||||
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
||||||
request: {
|
request: {
|
||||||
headers,
|
headers,
|
||||||
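Review bot: `x-login-source` is set on a copy of the client's own headers (`new Headers(request.headers)`), and the login route now relies on that header alone to choose the seamless, MFA and magic-link paths. The branch shown here overwrites it, but if any path lets a request reach `/${lang}/login` without one of these rewrites, a value sent by the client would be honoured together with its `x-returnurl`. Removing both from incoming requests before any branching, e.g. `headers.delete("x-login-source")` and `headers.delete("x-returnurl")` on the forwarded request, keeps them middleware-only. The same applies to the two `NextMiddleware` hunks that set `"seamless"` and `"seamless-magiclink"`. The middleware bodies continue outside the hunks, so this may already be handled elsewhere.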
|
|||||||
@@ -19,6 +19,7 @@ export const middleware: NextMiddleware = (request) => {
|
|||||||
|
|
||||||
const headers = new Headers(request.headers)
|
const headers = new Headers(request.headers)
|
||||||
headers.set("x-returnurl", returnUrl)
|
headers.set("x-returnurl", returnUrl)
|
||||||
|
headers.set("x-login-source", "seamless")
|
||||||
|
|
||||||
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
||||||
request: {
|
request: {
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ export const middleware: NextMiddleware = (request) => {
|
|||||||
|
|
||||||
const headers = new Headers(request.headers)
|
const headers = new Headers(request.headers)
|
||||||
headers.set("x-returnurl", returnUrl)
|
headers.set("x-returnurl", returnUrl)
|
||||||
headers.set("x-magic-link", "1")
|
headers.set("x-login-source", "seamless-magiclink")
|
||||||
|
|
||||||
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
||||||
request: {
|
request: {
|
||||||
|
|||||||