ilia/mirror_match
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mirror_match/lib/auth.ts
ilia df865dca41
All checks were successful
CI / skip-ci-check (push) Successful in 1m25s
Details
CI / lint-and-type-check (push) Successful in 1m50s
Details
CI / test (push) Successful in 1m54s
Details
CI / build (push) Successful in 1m54s
Details
CI / secret-scanning (push) Successful in 1m26s
Details
CI / dependency-scan (push) Successful in 1m31s
Details
CI / sast-scan (push) Successful in 2m34s
Details
CI / workflow-summary (push) Successful in 1m23s
Details
This MR fixes critical authentication issues that prevented login on localhost and improves the developer experience with consolidated rebuild scripts and a working help modal keyboard shortcut. (#5) 
# Fix authentication issues and improve developer experience

## Summary

This MR fixes critical authentication issues that prevented login on localhost and improves the developer experience with consolidated rebuild scripts and a working help modal keyboard shortcut.

## Problems Fixed

### 1. Authentication Issues
- **UntrustedHost Error**: NextAuth v5 was rejecting localhost requests with "UntrustedHost: Host must be trusted" error
- **Cookie Prefix Errors**: Cookies were being set with `__Host-` and `__Secure-` prefixes on HTTP (localhost), causing browser rejection
- **MissingCSRF Error**: CSRF token cookies were not being set correctly due to cookie configuration issues

### 2. Help Modal Keyboard Shortcut
- **Shift+? not working**: The help modal keyboard shortcut was not detecting the question mark key correctly

### 3. Developer Experience
- **Multiple rebuild scripts**: Had several overlapping rebuild scripts that were confusing
- **Unused code**: Removed unused `useSecureCookies` variable and misleading comments

## Changes Made

### Authentication Fixes (`lib/auth.ts`)
- Set `trustHost: true` to fix UntrustedHost error (required for NextAuth v5)
- Added explicit cookie configuration for HTTP (localhost) to prevent prefix errors:
  - Cookies use `secure: false` for HTTP
  - Cookie names without prefixes for HTTP
  - Let Auth.js defaults handle HTTPS (with prefixes and Secure flag)
- Removed unused `useSecureCookies` variable
- Simplified debug logging

### Help Modal Fix (`components/HelpModal.tsx`)
- Fixed keyboard shortcut detection to properly handle Shift+? (Shift+/)
- Updated help text to show correct shortcut (Shift+? instead of Ctrl+?)

### Developer Scripts
- **Consolidated rebuild scripts**: Merged `CLEAN_REBUILD.sh`, `FIX_AND_RESTART.sh`, and `start-server.sh` into single `rebuild.sh`
- **Added REBUILD.md**: Documentation for rebuild process
- Removed redundant script files

### Code Cleanup
- Removed unused `useSecureCookies` variable from `lib/auth.ts`
- Removed misleading comment from `app/api/auth/[...nextauth]/route.ts`
- Cleaned up verbose debug logging

## Technical Details

### Cookie Configuration
The fix works by explicitly configuring cookies for HTTP environments:
- **HTTP (localhost)**: Cookies without prefixes, `secure: false`
- **HTTPS (production)**: Let Auth.js defaults handle (prefixes + Secure flag)

This prevents NextAuth v5 from auto-detecting HTTPS from proxy headers and incorrectly adding cookie prefixes.

### Keyboard Shortcut
The question mark key requires Shift+/ on most keyboards. The fix now properly detects:
- `event.shiftKey && event.key === "/"`
- `event.key === "?"` (fallback)
- `event.code === "Slash" && event.shiftKey` (additional fallback)

## Testing

-  Login works on localhost (http://localhost:3000)
-  No cookie prefix errors in browser console
-  No UntrustedHost errors in server logs
-  Help modal opens/closes with Shift+?
-  Rebuild script works in both dev and prod modes

## Files Changed

### Modified
- `lib/auth.ts` - Authentication configuration fixes
- `components/HelpModal.tsx` - Keyboard shortcut fix
- `app/api/auth/[...nextauth]/route.ts` - Removed misleading comment

### Added
- `rebuild.sh` - Consolidated rebuild script
- `REBUILD.md` - Rebuild documentation

## Migration Notes

No database migrations or environment variable changes required. The fix works with existing configuration.

## Related Issues

Fixes authentication issues preventing local development and testing.

Reviewed-on: #5
2026-01-05 19:42:46 -05:00

166 lines
5.0 KiB
TypeScript
Raw Blame History

import NextAuth from "next-auth"
import Credentials from "next-auth/providers/credentials"
import { prisma } from "./prisma"
import bcrypt from "bcryptjs"
import { logger } from "./logger"
// Lazy check for NEXTAUTH_SECRET - only validate when actually needed
// This prevents build-time errors when the secret isn't available
function getNextAuthSecret(): string {
const secret = process.env.NEXTAUTH_SECRET
if (!secret) {
// Always throw at runtime - this is a critical configuration error
throw new Error("NEXTAUTH_SECRET is not set. Define it to enable authentication.")
}
return secret
}
// Determine if we should use secure cookies based on AUTH_URL/NEXTAUTH_URL
// Auth.js v5 derives this from the origin it detects, so we need to be explicit
const authUrl = process.env.AUTH_URL || process.env.NEXTAUTH_URL || "http://localhost:3000"
const isHttp = authUrl.startsWith("http://")
export const { handlers, auth, signIn, signOut } = NextAuth({
// trustHost must be true for NextAuth v5 to work, even on localhost
trustHost: true,
debug: process.env.NODE_ENV !== "production",
basePath: "/api/auth",
providers: [
Credentials({
name: "Credentials",
credentials: {
email: { label: "Email", type: "email" },
password: { label: "Password", type: "password" }
},
async authorize(credentials) {
try {
if (!credentials?.email || !credentials?.password) {
return null
}
const email = credentials.email as string
const password = credentials.password as string
const user = await prisma.user.findUnique({
where: { email }
})
if (!user || !user.passwordHash) {
return null
}
const isValid = await bcrypt.compare(password, user.passwordHash)
if (!isValid) {
return null
}
return {
id: user.id,
email: user.email,
name: user.name,
role: user.role,
}
} catch (err) {
logger.error("Auth authorize error", err instanceof Error ? err : new Error(String(err)))
return null
}
}
})
],
callbacks: {
async jwt({ token, user }) {
if (user) {
token.id = user.id
token.role = (user as { role: string }).role
token.email = user.email
token.name = user.name
// DEBUG level: only logs in development or when LOG_LEVEL=DEBUG
logger.debug("JWT callback: user added to token", {
userId: user.id,
email: user.email
})
} else {
// DEBUG level: token refresh (normal operation, only log in debug mode)
logger.debug("JWT callback: token refresh", {
hasToken: !!token,
tokenId: token?.id,
tokenEmail: token?.email,
})
}
return token
},
async session({ session, token }) {
// Always ensure session.user exists when token exists
if (token && (token.id || token.email)) {
session.user = {
...session.user,
id: token.id as string,
email: (token.email as string) || session.user?.email || "",
name: (token.name as string) || session.user?.name || "",
role: token.role as string,
}
// DEBUG level: session creation is normal operation, only log in debug mode
logger.debug("Session callback: session created", {
userId: token.id,
email: token.email,
userRole: token.role,
})
} else {
// WARN level: token missing/invalid is a warning condition
logger.warn("Session callback: token missing or invalid", {
hasToken: !!token,
hasSession: !!session,
tokenId: token?.id,
tokenEmail: token?.email
})
// Return session even if token is invalid - NextAuth will handle validation
}
// Explicitly return session to ensure it's returned
return session
}
},
pages: {
signIn: "/login",
},
session: {
strategy: "jwt",
maxAge: 30 * 24 * 60 * 60, // 30 days
},
// Explicitly configure cookies for HTTP (localhost)
// For HTTPS, let Auth.js defaults handle it (prefixes + Secure)
cookies: isHttp
? {
// localhost / pure HTTP: no prefixes, no Secure
sessionToken: {
name: "authjs.session-token",
options: {
httpOnly: true,
sameSite: "lax",
path: "/",
secure: false,
},
},
csrfToken: {
name: "authjs.csrf-token",
options: {
httpOnly: true,
sameSite: "lax",
path: "/",
secure: false,
},
},
callbackUrl: {
name: "authjs.callback-url",
options: {
httpOnly: true,
sameSite: "lax",
path: "/",
secure: false,
},
},
}
: undefined, // Let Auth.js defaults handle HTTPS envs (prefixes + Secure)
secret: getNextAuthSecret(),
})
Reference in New Issue View Git Blame Copy Permalink