scandic/web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: improve auth handling and logging

Browse Source
This commit is contained in:
Michael Zetterberg
2024-08-22 13:39:06 +02:00
parent 71d93864dd
commit a33a69fb58
15 changed files with 174 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/[lang]/(live)/(protected)/layout.tsx
View File

@@ -20,13 +20,17 @@ export default async function ProtectedLayout({
h.get("x-url") ?? h.get("x-pathname") ?? overview[getLang()]
)
const redirectURL = `/${getLang()}/login?redirectTo=${redirectTo}`
if (!session) {
redirect(`/${getLang()}/login?redirectTo=${redirectTo}`)
console.log(`[layout:protected] no session, redirecting to: ${redirectURL}`)
redirect(redirectURL)
}
const user = await serverClient().user.get()
if (!user || "error" in user) {
redirect(`/${getLang()}/login?redirectTo=${redirectTo}`)
console.log(`[layout:protected] no user, redirecting to: ${redirectURL}`)
redirect(redirectURL)
}
return children

63
app/[lang]/(live)/(protected)/logout/route.ts
View File

@@ -1,5 +1,3 @@
import { createActionURL } from "@auth/core"
import { headers as nextHeaders } from "next/headers"
import { NextRequest, NextResponse } from "next/server"
import { AuthError } from "next-auth"
@@ -16,11 +14,35 @@ export async function GET(
let redirectTo: string = ""
const returnUrl = request.headers.get("x-returnurl")
const isSeamless = request.headers.get("x-logout-source") === "seamless"
if (returnUrl) {
// Seamless logout request from Current web
redirectTo = returnUrl
console.log(
`[logout] source: ${request.headers.get("x-logout-source") || "normal"}`
)
const redirectToSearchParamValue =
request.nextUrl.searchParams.get("redirectTo")
const redirectToFallback = "/"
if (isSeamless) {
if (returnUrl) {
redirectTo = returnUrl
} else {
console.log(
`[login] missing returnUrl, using fallback: ${redirectToFallback}`
)
redirectTo = redirectToFallback
}
} else {
redirectTo = redirectToSearchParamValue || redirectToFallback
// Make relative URL to absolute URL
if (redirectTo.startsWith("/")) {
console.log(`[logout] make redirectTo absolute, from ${redirectTo}`)
redirectTo = new URL(redirectTo, env.PUBLIC_URL).href
console.log(`[logout] make redirectTo absolute, to ${redirectTo}`)
}
try {
// Initiate the seamless logout flow
let redirectUrlValue
@@ -45,6 +67,9 @@ export async function GET(
break
}
const redirectUrl = new URL(redirectUrlValue)
console.log(
`[logout] creating redirect to seamless logout: ${redirectUrl}`
)
redirectTo = redirectUrl.toString()
} catch (e) {
console.error(
@@ -55,37 +80,25 @@ export async function GET(
}
try {
redirectTo = `${env.CURITY_ISSUER_USER}/authn/authenticate/logout?redirect_uri=${encodeURIComponent(redirectTo)}`
console.log(`[logout] final redirectUrl: ${redirectTo}`)
console.log({ logout_env: process.env })
/**
* Passing `redirect: false` to `signOut` will return a result object
* instead of automatically redirecting inside of `signOut`.
* https://github.com/nextauthjs/next-auth/blob/3c035ec/packages/next-auth/src/lib/actions.ts#L104
*/
console.log({ logout_NEXTAUTH_URL: process.env.NEXTAUTH_URL })
console.log({ logout_env: process.env })
const headers = new Headers(nextHeaders())
const signOutURL = createActionURL(
"signout",
// @ts-expect-error `x-forwarded-proto` is not nullable, next.js sets it by default
headers.get("x-forwarded-proto"),
headers,
process.env
)
console.log({ logout_signOutURL: signOutURL })
// Redirect to Curity logout
const curityLogoutUrl = `${env.CURITY_ISSUER_USER}/authn/authenticate/logout?redirect_uri=${encodeURIComponent(redirectTo)}`
console.log({ logout_redirectTo: curityLogoutUrl })
const redirectUrlObj = await signOut({
redirectTo: curityLogoutUrl,
redirectTo,
redirect: false,
})
if (redirectUrlObj) {
console.log(`[logout] redirecting to: ${redirectUrlObj.redirect}`)
return NextResponse.redirect(redirectUrlObj.redirect)
} else {
console.error(`[logout] missing redirectUrlObj reponse from signOut()`)
}
} catch (error) {
if (error instanceof AuthError) {

32
app/[lang]/(live)/(public)/login/route.ts
View File

@@ -11,6 +11,10 @@ export async function GET(
request: NextRequest,
context: { params: { lang: Lang } }
) {
if (!env.PUBLIC_URL) {
throw internalServerError("No value for env.PUBLIC_URL")
}
let redirectHeaders: Headers | undefined = undefined
let redirectTo: string
@@ -20,10 +24,6 @@ export async function GET(
const isSeamlessMagicLink =
request.headers.get("x-login-source") === "seamless-magiclink"
if (!env.PUBLIC_URL) {
throw internalServerError("No value for env.PUBLIC_URL")
}
console.log(
`[login] source: ${request.headers.get("x-login-source") || "normal"}`
)
@@ -32,6 +32,7 @@ export async function GET(
const redirectToSearchParamValue =
request.nextUrl.searchParams.get("redirectTo")
const redirectToFallback = "/"
console.log(`[login] redirectTo cookie value: ${redirectToCookieValue}`)
console.log(
`[login] redirectTo search param value: ${redirectToSearchParamValue}`
@@ -104,20 +105,16 @@ export async function GET(
)
} catch (e) {
console.error(
"Unable to create URL for seamless login, proceeding without it."
"[login] unable to create URL for seamless login, proceeding without it.",
e
)
console.error(e)
}
}
try {
/**
* Passing `redirect: false` to `signIn` will return the URL instead of
* automatically redirecting to it inside of `signIn`.
* https://github.com/nextauthjs/next-auth/blob/3c035ec/packages/next-auth/src/lib/actions.ts#L76
*/
console.log(`[login] final redirectUrl: ${redirectTo}`)
console.log({ login_env: process.env })
/** Record<string, any> is next-auth typings */
const params: Record<string, any> = {
ui_locales: context.params.lang,
@@ -152,6 +149,11 @@ export async function GET(
params.acr_values = "abc"
}
params.scope = params.scope.join(" ")
/**
* Passing `redirect: false` to `signIn` will return the URL instead of
* automatically redirecting to it inside of `signIn`.
* https://github.com/nextauthjs/next-auth/blob/3c035ec/packages/next-auth/src/lib/actions.ts#L76
*/
const redirectUrl = await signIn(
"curity",
{
@@ -162,9 +164,13 @@ export async function GET(
)
if (redirectUrl) {
return NextResponse.redirect(redirectUrl, {
const redirectOpts = {
headers: redirectHeaders,
})
}
console.log(`[login] redirecting to: ${redirectUrl}`, redirectOpts)
return NextResponse.redirect(redirectUrl, redirectOpts)
} else {
console.error(`[login] missing redirectUrl reponse from signIn()`)
}
} catch (error) {
if (error instanceof AuthError) {

50
app/[lang]/(live)/(public)/verifymagiclink/route.ts
View File

@@ -12,39 +12,54 @@ export async function GET(
request: NextRequest,
context: { params: { lang: Lang } }
) {
let redirectTo: string
// Set redirect url from the magicLinkRedirect Cookie which is set when intiating login
redirectTo =
request.cookies.get("magicLinkRedirectTo")?.value ||
"/" + context.params.lang
if (!env.PUBLIC_URL) {
throw internalServerError("No value for env.PUBLIC_URL")
}
const loginKey = request.nextUrl.searchParams.get("loginKey")
if (!loginKey) {
console.log(
`[verifymagiclink] missing required loginKey, aborting bad request`
)
return badRequest()
}
let redirectTo: string
console.log(`[verifymagiclink] verifying callback`)
const redirectToCookieValue = request.cookies.get(
"magicLinkRedirectTo"
)?.value // Set redirect url from the magicLinkRedirect Cookie which is set when intiating login
const redirectToFallback = "/"
console.log(
`[verifymagiclink] magicLinkRedirectTo cookie value: ${redirectToCookieValue}`
)
redirectTo = redirectToCookieValue || redirectToFallback
// Make relative URL to absolute URL
if (redirectTo.startsWith("/")) {
console.log(
`[verifymagiclink] make redirectTo absolute, from ${redirectTo}`
)
redirectTo = new URL(redirectTo, env.PUBLIC_URL).href
console.log(`[verifymagiclink] make redirectTo absolute, to ${redirectTo}`)
}
// Update Seamless login url as Magic link login has a different authenticator in Curity
redirectTo = redirectTo.replace("updatelogin", "updateloginemail")
const loginKey = request.nextUrl.searchParams.get("loginKey")
if (!loginKey) {
return badRequest()
}
try {
console.log(`[verifymagiclink] final redirectUrl: ${redirectTo}`)
/**
* Passing `redirect: false` to `signIn` will return the URL instead of
* automatically redirecting to it inside of `signIn`.
* https://github.com/nextauthjs/next-auth/blob/3c035ec/packages/next-auth/src/lib/actions.ts#L76
*/
console.log({ login_redirectTo: redirectTo })
let redirectUrl = await signIn(
const redirectUrl = await signIn(
"curity",
{
redirectTo,
@@ -61,7 +76,12 @@ export async function GET(
)
if (redirectUrl) {
console.log(`[verifymagiclink] redirecting to: ${redirectUrl}`)
return NextResponse.redirect(redirectUrl)
} else {
console.error(
`[verifymagiclink] missing redirectUrl reponse from signIn()`
)
}
} catch (error) {
if (error instanceof AuthError) {

14
app/[lang]/webview/[contentType]/[uid]/page.tsx
View File

@@ -21,6 +21,7 @@ export default async function ContentTypePage({
const user = await serverClient().user.get()
if (!user) {
console.log(`[webview:page] unable to load user`)
return <p>Error: No user could be loaded</p>
}
@@ -31,9 +32,16 @@ export default async function ContentTypePage({
case "token_expired":
const h = headers()
const returnURL = `/${getLang()}/webview${h.get("x-pathname")!}`
redirect(
`/${getLang()}/webview/refresh?returnUrl=${encodeURIComponent(returnURL)}`
)
const redirectURL = `/${getLang()}/webview/refresh?returnUrl=${encodeURIComponent(returnURL)}`
console.log(`[webview:page] user error, redirecting to: ${redirectURL}`)
redirect(redirectURL)
case "notfound":
return <p>Error: user not found</p>
case "unknown":
return <p>Unknown error occurred loading user</p>
default:
const u: never = user
console.log(`[webview:page] unhandled user loading error`)
}
}