// server/api/auth/keycloak-callback.ts - EXTENDED SESSION FIX import { createUserSession } from '~/server/utils/sessionStore'; // Add this at the top of the file (after imports) const SESSION_DURATION = 1 * 60 * 60; // 1 hour in seconds (3600 seconds) // Or use one of these alternatives: // const SESSION_DURATION = 24 * 60 * 60; // 1 day // const SESSION_DURATION = 30 * 24 * 60 * 60; // 30 days // const SESSION_DURATION = 12 * 60 * 60; // 12 hours // const SESSION_DURATION = 7 * 24 * 60 * 60; // 7 days export default defineEventHandler(async (event) => { try { const config = useRuntimeConfig(); const query = getQuery(event); const code = query.code as string; const state = query.state as string; const error = query.error as string; const storedState = getCookie(event, 'oauth_state'); if (error) { console.error('❌ OAuth error from Keycloak:', error); const errorDescription = query.error_description as string; console.error('❌ Error description:', errorDescription); const errorMsg = encodeURIComponent(`Keycloak error: ${error} - ${errorDescription || 'Please try again'}`); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } if (!state || state !== storedState) { console.error('❌ Invalid state parameter - possible CSRF attack'); console.error(' Expected:', storedState); console.error(' Received:', state); const errorMsg = encodeURIComponent('Security validation failed. Please try logging in again.'); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } deleteCookie(event, 'oauth_state'); if (!code) { console.error('❌ Authorization code not provided'); const errorMsg = encodeURIComponent('No authorization code received from Keycloak.'); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } // Validate Keycloak configuration if (!config.keycloakIssuer) { console.error('❌ KEYCLOAK_ISSUER is not configured'); const errorMsg = encodeURIComponent('Keycloak server is not configured. Please contact administrator.'); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } if (!config.keycloakClientId || !config.keycloakClientSecret) { console.error('❌ Keycloak client credentials are not configured'); const errorMsg = encodeURIComponent('Keycloak client credentials are missing. Please contact administrator.'); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } const tokenUrl = `${config.keycloakIssuer}/protocol/openid-connect/token`; const redirectUri = `${config.public.authUrl}/api/auth/keycloak-callback`; const tokenPayload = new URLSearchParams({ grant_type: 'authorization_code', client_id: config.keycloakClientId, client_secret: config.keycloakClientSecret, code, redirect_uri: redirectUri, }); let tokenResponse; try { // Create abort controller for timeout (compatible with all Node.js versions) const controller = new AbortController(); const timeoutId = setTimeout(() => controller.abort(), 30000); // 30 second timeout tokenResponse = await fetch(tokenUrl, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: tokenPayload, signal: controller.signal, }); clearTimeout(timeoutId); } catch (fetchError: any) { console.error('❌ Fetch error details:'); console.error(' - Error type:', fetchError.name); console.error(' - Error message:', fetchError.message); console.error(' - Token URL attempted:', tokenUrl); // Provide more specific error messages let errorMsg = 'Failed to connect to authentication server.'; if (fetchError.name === 'AbortError' || fetchError.message.includes('timeout')) { errorMsg = 'Authentication server timeout. Please try again.'; } else if (fetchError.message.includes('ENOTFOUND') || fetchError.message.includes('getaddrinfo')) { errorMsg = 'Cannot reach authentication server. Please check network connection.'; } else if (fetchError.message.includes('ECONNREFUSED')) { errorMsg = 'Authentication server refused connection. Server may be down.'; } else if (fetchError.message.includes('certificate') || fetchError.message.includes('SSL')) { errorMsg = 'SSL certificate error. Please contact administrator.'; } const encodedError = encodeURIComponent(errorMsg); return sendRedirect(event, `/auth/login?error=${encodedError}`); } if (!tokenResponse.ok) { const errorText = await tokenResponse.text(); console.error('❌ Token exchange failed:', errorText); const errorMsg = encodeURIComponent(`Token exchange failed: ${tokenResponse.status} - Please check Keycloak configuration`); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } const tokens = await tokenResponse.json(); let idTokenPayload; let accessTokenPayload; let refreshTokenPayload; try { idTokenPayload = JSON.parse( Buffer.from(tokens.id_token.split('.')[1], 'base64').toString() ); accessTokenPayload = JSON.parse( Buffer.from(tokens.access_token.split('.')[1], 'base64').toString() ); refreshTokenPayload = JSON.parse( Buffer.from(tokens.refresh_token.split('.')[1], 'base64').toString() ); } catch (decodeError) { console.error('❌ Failed to decode token:', decodeError); const errorMsg = encodeURIComponent('Invalid token format'); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } const clientRoles = accessTokenPayload.resource_access?.[config.keycloakClientId]?.roles || []; const nowInSeconds = Math.floor(Date.now() / 1000); const refreshTokenExpiresInSeconds = Math.max( refreshTokenPayload.exp - nowInSeconds, 0 ); const sessionDurationSeconds = refreshTokenExpiresInSeconds || SESSION_DURATION; const sessionData = { user: { auth_provider: 'keycloak', email: idTokenPayload.email, name: idTokenPayload.name || idTokenPayload.preferred_username, role: clientRoles, user_id: idTokenPayload.sub, username: idTokenPayload.preferred_username, }, accessToken: tokens.access_token, refreshToken: tokens.refresh_token, // idToken: tokens.id_token, expiresAt: (nowInSeconds + sessionDurationSeconds) * 1000, }; // Determine if we should use secure cookies // For localhost, always use secure: false const isSecure = process.env.NODE_ENV === 'production' && event.node.req.headers['x-forwarded-proto'] === 'https'; // Set cookie with proper settings for localhost // For localhost HTTP, we need secure: false and sameSite: 'lax' // IMPORTANT: Ensure domain is not set for localhost (allows cookie to work) const cookieOptions: any = { httpOnly: true, secure: isSecure, sameSite: 'lax' as const, maxAge: sessionDurationSeconds, path: '/', // Explicitly don't set domain for localhost - this is important! // Setting domain to 'localhost' can cause cookies to not work }; // For localhost, don't set domain (allows cookie to work on localhost) // Only set domain in production if needed if (process.env.NODE_ENV === 'production' && !event.node.req.headers.host?.includes('localhost')) { // Optionally set domain in production // cookieOptions.domain = '.yourdomain.com'; } // Store session in server-side store and use session ID in cookie // This avoids cookie size limits (4KB) const sessionId = createUserSession(sessionData); // Store only the session ID in the cookie (much smaller) setCookie(event, 'user_session', sessionId, cookieOptions); return sendRedirect(event, '/apps/dashboard?authenticated=true', 302); } catch (error: any) { console.error('❌ === CALLBACK ERROR ==='); console.error('❌ Error message:', error.message); console.error('❌ Error stack:', error.stack); console.error('❌ =================='); const errorMsg = encodeURIComponent(`Authentication failed: ${error.message}`); return sendRedirect(event, `/auth/login?error=${errorMsg}`); } });