From 244c8b6fb5fbcd366b8f19f2fa6aa0ac7e749b57 Mon Sep 17 00:00:00 2001
From: Michael Freno
Date: Wed, 7 Jan 2026 18:53:41 -0500
Subject: [PATCH] callback change

---
 src/routes/api/auth/callback/github.ts | 36 ++--------------
 src/routes/api/auth/callback/google.ts | 36 ++--------------
 src/routes/api/auth/email-login-callback.ts | 48 +++------------------
 src/server/api/routers/auth.ts | 16 +++----
 src/server/session-config.ts | 2 +-
 5 files changed, 21 insertions(+), 117 deletions(-)

diff --git a/src/routes/api/auth/callback/github.ts b/src/routes/api/auth/callback/github.ts
index c3a5ced..557e243 100644
--- a/src/routes/api/auth/callback/github.ts
+++ b/src/routes/api/auth/callback/github.ts
@@ -1,7 +1,6 @@
 import type { APIEvent } from "@solidjs/start/server";
 import { appRouter } from "~/server/api/root";
 import { createTRPCContext } from "~/server/api/utils";
-import { getResponseHeaders } from "vinxi/http";
 
 export async function GET(event: APIEvent) {
 const url = new URL(event.request.url);
@@ -46,41 +45,12 @@ export async function GET(event: APIEvent) {
 result.redirectTo
 );
 
- // Get the response headers that were set by the session (includes Set-Cookie)
- const responseHeaders = getResponseHeaders(event.nativeEvent);
- console.log(
- "[GitHub OAuth Callback] Response headers from event:",
- Object.keys(responseHeaders)
- );
-
- // Create redirect response with the session cookie
+ // Vinxi's updateSession already set the cookie headers automatically
+ // Just redirect - the cookies are already in the response
 const redirectUrl = result.redirectTo || "/account";
- const headers = new Headers({
- Location: redirectUrl
- });
-
- // Copy Set-Cookie headers from the session response
- if (responseHeaders["set-cookie"]) {
- const cookies = Array.isArray(responseHeaders["set-cookie"])
- ? responseHeaders["set-cookie"]
- : [responseHeaders["set-cookie"]];
-
- console.log("[GitHub OAuth Callback] Found cookies:", cookies.length);
- cookies.forEach((cookie) => {
- headers.append("Set-Cookie", cookie);
- console.log(
- "[GitHub OAuth Callback] Adding cookie:",
- cookie.substring(0, 50) + "..."
- );
- });
- } else {
- console.error("[GitHub OAuth Callback] NO SET-COOKIE HEADER FOUND!");
- console.error("[GitHub OAuth Callback] All headers:", responseHeaders);
- }
-
 return new Response(null, {
 status: 302,
- headers
+ headers: { Location: redirectUrl }
 });
 } else {
 console.error(
diff --git a/src/routes/api/auth/callback/google.ts b/src/routes/api/auth/callback/google.ts
index b0417d7..96811da 100644
--- a/src/routes/api/auth/callback/google.ts
+++ b/src/routes/api/auth/callback/google.ts
@@ -1,7 +1,6 @@
 import type { APIEvent } from "@solidjs/start/server";
 import { appRouter } from "~/server/api/root";
 import { createTRPCContext } from "~/server/api/utils";
-import { getResponseHeaders } from "vinxi/http";
 
 export async function GET(event: APIEvent) {
 const url = new URL(event.request.url);
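Review bot: The rewritten redirect on the new side returns a freshly constructed `Response` whose only header is `Location`, while the comment above it asserts the session cookie is "already in the response"; that holds only if the framework merges headers set on `event.nativeEvent` into a Response returned from the handler, which this hunk does not show and which the deleted copying code existed to work around. Please confirm that behaviour against the framework version in use, and note that the diagnostic for a missing Set-Cookie went away with the copying, so a failed cookie write would now surface only as a user landing on `/account` without a session. I would make the assumption explicit in the comment: `// relies on the framework merging headers set on event.nativeEvent into this Response — confirm on framework upgrades`. The same change and the same question apply to the google.ts and email-login-callback.ts hunks at the same position in this patch. GET's body starts and ends outside the hunk.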
@@ -46,41 +45,12 @@ export async function GET(event: APIEvent) {
 result.redirectTo
 );
 
- // Get the response headers that were set by the session (includes Set-Cookie)
- const responseHeaders = getResponseHeaders(event.nativeEvent);
- console.log(
- "[Google OAuth Callback] Response headers from event:",
- Object.keys(responseHeaders)
- );
-
- // Create redirect response with the session cookie
+ // Vinxi's updateSession already set the cookie headers automatically
+ // Just redirect - the cookies are already in the response
 const redirectUrl = result.redirectTo || "/account";
- const headers = new Headers({
- Location: redirectUrl
- });
-
- // Copy Set-Cookie headers from the session response
- if (responseHeaders["set-cookie"]) {
- const cookies = Array.isArray(responseHeaders["set-cookie"])
- ? responseHeaders["set-cookie"]
- : [responseHeaders["set-cookie"]];
-
- console.log("[Google OAuth Callback] Found cookies:", cookies.length);
- cookies.forEach((cookie) => {
- headers.append("Set-Cookie", cookie);
- console.log(
- "[Google OAuth Callback] Adding cookie:",
- cookie.substring(0, 50) + "..."
- );
- });
- } else {
- console.error("[Google OAuth Callback] NO SET-COOKIE HEADER FOUND!");
- console.error("[Google OAuth Callback] All headers:", responseHeaders);
- }
-
 return new Response(null, {
 status: 302,
- headers
+ headers: { Location: redirectUrl }
 });
 } else {
 console.error(
diff --git a/src/routes/api/auth/email-login-callback.ts b/src/routes/api/auth/email-login-callback.ts
index 3bf8500..70f10ce 100644
--- a/src/routes/api/auth/email-login-callback.ts
+++ b/src/routes/api/auth/email-login-callback.ts
@@ -1,24 +1,18 @@
 import type { APIEvent } from "@solidjs/start/server";
 import { appRouter } from "~/server/api/root";
 import { createTRPCContext } from "~/server/api/utils";
-import { getResponseHeaders } from "vinxi/http";
 
 export async function GET(event: APIEvent) {
 const url = new URL(event.request.url);
 const email = url.searchParams.get("email");
 const token = url.searchParams.get("token");
- const rememberMeParam = url.searchParams.get("rememberMe");
 
 console.log("[Email Login Callback] Request received:", {
 email,
 hasToken: !!token,
- tokenLength: token?.length,
- rememberMeParam
+ tokenLength: token?.length
 });
 
- // Parse rememberMe parameter
- const rememberMe = rememberMeParam === "true";
-
 if (!email || !token) {
 console.error("[Email Login Callback] Missing required parameters:", {
 hasEmail: !!email,
@@ -37,11 +31,10 @@ export async function GET(event: APIEvent) {
 const caller = appRouter.createCaller(ctx);
 
 console.log("[Email Login Callback] Calling emailLogin procedure...");
- // Call the email login handler
+ // Call the email login handler - rememberMe will be read from JWT payload
 const result = await caller.auth.emailLogin({
 email,
- token,
- rememberMe
+ token
 });
 
 console.log("[Email Login Callback] Login result:", result);
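Review bot: `email` passed to `caller.auth.emailLogin` in the second hunk still comes from the query string, even though the link's token is a signed JWT that carries an `email` claim (see the SignJWT call in auth.ts later in this patch), so unless emailLogin already compares the query value with the verified payload, the URL parameter is an unauthenticated input that can disagree with the token. I would make the verified payload's email the authority inside emailLogin and document that at the call site: `// email is informational only; emailLogin takes the address from the verified JWT payload`. Separately, the request log in the first hunk prints the raw address; logging only its presence, as is already done for the token, keeps personal data out of the logs. GET's body continues outside both hunks.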
@@ -52,41 +45,12 @@ export async function GET(event: APIEvent) {
 result.redirectTo
 );
 
- // Get the response headers that were set by the session (includes Set-Cookie)
- const responseHeaders = getResponseHeaders(event.nativeEvent);
- console.log(
- "[Email Login Callback] Response headers from event:",
- Object.keys(responseHeaders)
- );
-
- // Create redirect response with the session cookie
+ // Vinxi's updateSession already set the cookie headers automatically
+ // Just redirect - the cookies are already in the response
 const redirectUrl = result.redirectTo || "/account";
- const headers = new Headers({
- Location: redirectUrl
- });
-
- // Copy Set-Cookie headers from the session response
- if (responseHeaders["set-cookie"]) {
- const cookies = Array.isArray(responseHeaders["set-cookie"])
- ? responseHeaders["set-cookie"]
- : [responseHeaders["set-cookie"]];
-
- console.log("[Email Login Callback] Found cookies:", cookies.length);
- cookies.forEach((cookie) => {
- headers.append("Set-Cookie", cookie);
- console.log(
- "[Email Login Callback] Adding cookie:",
- cookie.substring(0, 50) + "..."
- );
- });
- } else {
- console.error("[Email Login Callback] NO SET-COOKIE HEADER FOUND!");
- console.error("[Email Login Callback] All headers:", responseHeaders);
- }
-
 return new Response(null, {
 status: 302,
- headers
+ headers: { Location: redirectUrl }
 });
 } else {
 console.error(
diff --git a/src/server/api/routers/auth.ts b/src/server/api/routers/auth.ts
index 4c3210b..dd5a54f 100644
--- a/src/server/api/routers/auth.ts
+++ b/src/server/api/routers/auth.ts
@@ -660,8 +660,8 @@ export const authRouter = createTRPCRouter({
 });
 }
 
- // Use rememberMe from JWT payload (source of truth)
- const rememberMe = (payload.rememberMe as boolean) || false;
+ // Use rememberMe from JWT payload (source of truth), default to false
+ const rememberMe = (payload.rememberMe as boolean) ?? false;
 console.log("[Email Login] Using rememberMe from JWT:", rememberMe);
 
 const conn = ConnectionFactory();
@@ -829,7 +829,7 @@ export const authRouter = createTRPCRouter({
 const userId = (res.rows[0] as unknown as User).id;
 const isAdmin = userId === env.ADMIN_ID;
 
- // Use rememberMe from JWT if not provided in input
+ // Use rememberMe from JWT if not provided in input, default to false
 const shouldRemember =
 rememberMe ?? (payload.rememberMe as boolean) ?? false;
 
@@ -1008,7 +1008,7 @@ export const authRouter = createTRPCRouter({
 getH3Event(ctx),
 userId,
 isAdmin,
- false, // Registration defaults to non-remember
+ true, // Always use persistent sessions
 clientIP,
 userAgent
 );
@@ -1177,7 +1177,7 @@ export const authRouter = createTRPCRouter({
 getH3Event(ctx),
 user.id,
 isAdmin,
- rememberMe || false,
+ rememberMe ?? false, // Default to session cookie (expires on browser close)
 clientIP,
 userAgent
 );
@@ -1190,7 +1190,7 @@ export const authRouter = createTRPCRouter({
 await logAuditEvent({
 userId: user.id,
 eventType: "auth.login.success",
- eventData: { method: "password", rememberMe: rememberMe || false },
+ eventData: { method: "password", rememberMe: rememberMe ?? false },
 ipAddress: clientIP,
 userAgent,
 success: true
@@ -1266,7 +1266,7 @@ export const authRouter = createTRPCRouter({
 const secret = new TextEncoder().encode(env.JWT_SECRET_KEY);
 const token = await new SignJWT({
 email,
- rememberMe: rememberMe ?? false,
+ rememberMe: rememberMe ?? false, // Default to session cookie (expires on browser close)
 code: loginCode
 })
 .setProtectedHeader({ alg: "HS256" })
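Review bot: `(payload.rememberMe as boolean) ?? false` on the new side of the @@ -660 hunk is a type assertion followed by a nullish default, so a claim that is present but not a boolean (a string, a number) passes through untouched and is then evaluated for truthiness downstream; a runtime check is both safer and shorter: `const rememberMe = payload.rememberMe === true;`. The same shape appears in the @@ -829 hunk, where `rememberMe ?? (payload.rememberMe as boolean) ?? false` can become `rememberMe ?? (payload.rememberMe === true)`. In practice the server signs a boolean (see the SignJWT hunk at @@ -1266), so this is hardening rather than a live bug, and I am assuming `payload` is the output of signature verification — the procedure bodies begin and end outside the hunks.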
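Review bot: The registration path in the @@ -1008 hunk now passes `true, // Always use persistent sessions` while the password-login hunk at @@ -1177 defaults to a non-persistent session with `rememberMe ?? false` and the audit event at @@ -1190 records the user's choice; newly registered users therefore receive a long-lived cookie they never opted into, and nothing in the audit trail says so. Unless registration deliberately offers no remember-me choice, I would pass the same `rememberMe ?? false` here so both entry points share one default, or at least replace the comment with the reason registration differs. The call these arguments belong to starts before the hunk, so I cannot see whether a `rememberMe` input is available at that point.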
@@ -1274,7 +1274,7 @@ export const authRouter = createTRPCRouter({
 .sign(secret);
 
 const domain = env.VITE_DOMAIN || "https://freno.me";
- const loginUrl = `${domain}/api/auth/email-login-callback?email=${email}&token=${token}&rememberMe=${rememberMe}`;
+ const loginUrl = `${domain}/api/auth/email-login-callback?email=${email}&token=${token}`;
 
 const htmlContent = generateLoginLinkEmail({
 email,
diff --git a/src/server/session-config.ts b/src/server/session-config.ts
index 7d4d058..8938183 100644
--- a/src/server/session-config.ts
+++ b/src/server/session-config.ts
@@ -31,7 +31,7 @@ export const sessionConfig: SessionConfig = {
 cookie: {
 httpOnly: true,
 secure: env.NODE_ENV === "production",
- sameSite: "strict",
+ sameSite: "lax", // Allow cookies on top-level navigation (OAuth/email redirects) for WebKit compatibility
 path: "/"
 }
 };
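Review bot: The new `loginUrl` interpolates `email` into the query string without encoding, so an address containing `+` (valid in the local part) reaches the callback as a space once `url.searchParams.get("email")` decodes it, and an `&` or `#` would truncate the parameter; encode both values: ``const loginUrl = `${domain}/api/auth/email-login-callback?email=${encodeURIComponent(email)}&token=${encodeURIComponent(token)}`;``. The compact JWT is base64url with dot separators and is URL-safe as is, but encoding it too costs nothing and keeps the line uniform. The enclosing procedure begins and ends outside the hunk.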
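Review bot: Relaxing `sameSite` from `strict` to `lax` in session-config.ts means the session cookie now accompanies every cross-site top-level GET navigation, so any GET route that changes state on the strength of that cookie becomes reachable from a link or redirect on another origin; the three auth callbacks in this patch are GET handlers, so the OAuth ones should keep binding each request to a server-issued `state` value and the email callback should rely on the signed token rather than the cookie. The comment attributes the change to WebKit compatibility, but `strict` cookies are withheld on cross-site navigations in every browser, so if the callbacks depend on a cookie set before the redirect out (an OAuth state cookie, for example) the stated reason is incomplete; I would write `sameSite: "lax", // "strict" is withheld on the cross-site navigation back from the OAuth provider / email link, which the callbacks need` and drop the browser-specific attribution unless it reflects a confirmed bug. `lax` is the usual choice for this flow; the follow-up is to confirm no state-changing GET depends on the cookie alone.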