fix(auth): stabilize cookie domain handling behind proxy and add auth debug logs

2026-04-21 17:36:32 +07:00
parent c84ce90fcf
commit 311551c31a
2 changed files with 173 additions and 7 deletions
--- a/app/auth/login/route.ts
+++ b/app/auth/login/route.ts
@ -38,6 +38,39 @@ function resolveNumber(raw: string | undefined, fallback: number) {
  return value;
 }

+const AUTH_DEBUG = process.env.AUTH_DEBUG === "true" || process.env.AUTH_DEBUG === "1";
+
+function maskEmail(email: string) {
+  if (!email) {
+    return "";
+  }
+
+  const [name, domain] = email.split("@");
+  if (!domain) {
+    return "*****";
+  }
+
+  if (name.length <= 2) {
+    return `${name[0]}***@${domain}`;
+  }
+
+  return `${name.slice(0, 2)}***@${domain}`;
+}
+
+function shouldUseSecureCookies(request: NextRequest) {
+  const explicit = process.env.COOKIE_SECURE?.toLowerCase() ?? "";
+  if (explicit === "true" || explicit === "1") {
+    return true;
+  }
+
+  if (explicit === "false" || explicit === "0") {
+    return false;
+  }
+
+  const forwardedProto = request.headers.get("x-forwarded-proto");
+  return request.nextUrl.protocol === "https:" || (forwardedProto?.split(",")[0]?.toLowerCase() === "https");
+}
+
 export async function POST(request: NextRequest) {
  const { ipAddress, userAgent } = await getRequestAuditContext();
  const baseUrl = getRequestBaseUrl(request);
@ -66,6 +99,15 @@ export async function POST(request: NextRequest) {
  const next = getSafePath(typeof rawNext === "string" ? rawNext : null);
  const email = typeof rawEmail === "string" ? rawEmail.trim() : "";
  const password = typeof rawPassword === "string" ? rawPassword : "";
+  if (AUTH_DEBUG) {
+    console.warn("[AUTH] login_attempt", {
+      email: maskEmail(email),
+      hasPassword: password.length > 0,
+      next,
+      ipAddress,
+      userAgent
+    });
+  }

  if (!email || !password) {
    const loginUrl = new URL("/login", baseUrl);
@ -107,6 +149,14 @@ export async function POST(request: NextRequest) {
      loginUrl.searchParams.set("next", next);
    }

+    if (AUTH_DEBUG) {
+      console.warn("[AUTH] login_failed", {
+        email: maskEmail(email),
+        ipAddress,
+        userAgent
+      });
+    }
+
    return NextResponse.redirect(loginUrl);
  }

@ -133,14 +183,42 @@ export async function POST(request: NextRequest) {
    destination && canAccessPath(session.role as UserRole, destination)
      ? destination
      : getDefaultPathForRole(session.role as UserRole);
+  const sessionMaxAgeSeconds = Math.max(
+    60,
+    Math.floor(session.expiresAt - Math.floor(Date.now() / 1000))
+  );
  const response = NextResponse.redirect(new URL(safeDestination, baseUrl));
  response.cookies.set(SESSION_COOKIE, await serializeSession(session), {
    httpOnly: true,
    sameSite: "lax",
-    secure: process.env.NODE_ENV === "production",
+    secure: shouldUseSecureCookies(request),
    path: "/",
-    maxAge: Math.max(1, Math.floor(session.expiresAt - Date.now() / 1000))
+    maxAge: sessionMaxAgeSeconds
  });
+  if (AUTH_DEBUG) {
+    console.warn("[AUTH] session_cookie_issued", {
+      userId: session.userId,
+      role: session.role,
+      sessionExpiresAt: session.expiresAt,
+      maxAge: sessionMaxAgeSeconds,
+      host: request.headers.get("host") || "unknown",
+      protocol: request.nextUrl.protocol,
+      forwardedProto: request.headers.get("x-forwarded-proto") || "unknown",
+      secureCookies: shouldUseSecureCookies(request)
+    });
+    console.warn("[AUTH] login_success_redirect", {
+      userId: session.userId,
+      destination: safeDestination,
+      setCookie: response.headers.get("set-cookie")
+    });
+  }
+
+  response.headers.set("X-Auth-Session", "issued");
+  response.headers.set("X-Auth-Session-User", session.userId);
+  response.headers.set("X-Auth-Session-Role", session.role);
+  response.headers.set("X-Auth-Session-Base-Url", baseUrl.toString());
+  response.headers.set("X-Auth-Session-Max-Age", String(sessionMaxAgeSeconds));
+  response.headers.set("X-Auth-Session-Secure", String(shouldUseSecureCookies(request)));

  return response;
 }
--- a/middleware.ts
+++ b/middleware.ts
@ -4,14 +4,55 @@ import { canAccessPath, getDefaultPathForRole, parseSessionCookie, SESSION_COOKI
 import { DEFAULT_LOCALE, isLocale, LOCALE_COOKIE } from "@/lib/i18n";
 import { getRequestBaseUrl } from "@/lib/request-url";

+const AUTH_DEBUG = process.env.AUTH_DEBUG === "true" || process.env.AUTH_DEBUG === "1";
+
 const publicPaths = ["/login", "/forgot-password", "/reset-password", "/unauthorized", "/invite", "/auth"];

 function isPublicPath(pathname: string) {
  return publicPaths.some((path) => pathname === path || pathname.startsWith(`${path}/`));
 }

+function shouldUseSecureCookies(request: NextRequest) {
+  const explicit = process.env.COOKIE_SECURE?.toLowerCase() ?? "";
+  if (explicit === "true" || explicit === "1") {
+    return true;
+  }
+
+  if (explicit === "false" || explicit === "0") {
+    return false;
+  }
+
+  const forwardedProto = request.headers.get("x-forwarded-proto");
+  return request.nextUrl.protocol === "https:" || (forwardedProto?.split(",")[0]?.toLowerCase() === "https");
+}
+
+function debugAuth(message: string, details: Record<string, unknown> = {}) {
+  if (!AUTH_DEBUG) {
+    return;
+  }
+
+  console.warn(`[AUTH] ${message}`, details);
+}
+
+function setDebugHeaders(response: NextResponse, headers: Record<string, string>) {
+  if (!AUTH_DEBUG) {
+    return;
+  }
+
+  Object.entries(headers).forEach(([key, value]) => {
+    response.headers.set(key, value);
+  });
+}
+
 async function decodeSessionCookie(value: string) {
-  return (await parseSessionCookie(value)) as null | { role: UserRole };
+  const parsed = (await parseSessionCookie(value)) as null | { role: UserRole };
+  if (!parsed) {
+    debugAuth("invalid_session_cookie", {
+      cookieLength: value.length,
+      cookiePreview: `${value.slice(0, 28)}...${value.slice(-14)}`
+    });
+  }
+  return parsed;
 }

 export async function middleware(request: NextRequest) {
@ -33,19 +74,37 @@ export async function middleware(request: NextRequest) {
    response.cookies.set(LOCALE_COOKIE, detected, {
      path: "/",
      maxAge: 365 * 24 * 60 * 60,
-      secure: process.env.NODE_ENV === "production",
+      secure: shouldUseSecureCookies(request),
      sameSite: "lax"
    });
  } else if (!isLocale(localeCookie)) {
    response.cookies.set(LOCALE_COOKIE, DEFAULT_LOCALE, {
      path: "/",
      maxAge: 365 * 24 * 60 * 60,
-      secure: process.env.NODE_ENV === "production",
+      secure: shouldUseSecureCookies(request),
      sameSite: "lax"
    });
  }

  if (!session && !isPublicPath(pathname) && pathname !== "/") {
+    const clientIp =
+      request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ||
+      request.headers.get("x-real-ip") ||
+      "unknown";
+
+    debugAuth("missing_or_invalid_session", {
+      pathname,
+      method: request.method,
+      ip: clientIp,
+      userAgent: request.headers.get("user-agent") || "unknown",
+      hasSessionCookie: Boolean(sessionCookie),
+      sessionCookieLength: sessionCookie?.length || 0,
+      host: request.headers.get("host") || "unknown",
+      protocol: request.nextUrl.protocol,
+      forwardedProto: request.headers.get("x-forwarded-proto") || "unknown",
+      secureCookies: shouldUseSecureCookies(request)
+    });
+
    const loginUrl = new URL("/login", baseUrl);
    loginUrl.searchParams.set("next", pathname);
    return NextResponse.redirect(loginUrl);
@ -56,13 +115,42 @@ export async function middleware(request: NextRequest) {
    const hasSafeNext = typeof requested === "string" && requested.startsWith("/") && !requested.startsWith("//");
    const nextPath = hasSafeNext ? requested : null;
    const destination = nextPath && canAccessPath(session.role, nextPath) ? nextPath : getDefaultPathForRole(session.role);
-    return NextResponse.redirect(new URL(destination, baseUrl));
+    const redirectResponse = NextResponse.redirect(new URL(destination, baseUrl));
+    setDebugHeaders(redirectResponse, {
+      "X-Auth-Session": "valid",
+      "X-Auth-Session-Has-Cookie": String(Boolean(sessionCookie)),
+      "X-Auth-Session-Role": session.role,
+      "X-Auth-Path": pathname,
+      "X-Auth-Base-Url": baseUrl.toString()
+    });
+    return redirectResponse;
  }

  if (session && !isPublicPath(pathname) && !canAccessPath(session.role, pathname)) {
-    return NextResponse.redirect(new URL("/unauthorized", baseUrl));
+    debugAuth("role_forbidden", {
+      pathname,
+      role: session.role
+    });
+    const forbiddenResponse = NextResponse.redirect(new URL("/unauthorized", baseUrl));
+    setDebugHeaders(forbiddenResponse, {
+      "X-Auth-Session": "forbidden",
+      "X-Auth-Session-Has-Cookie": String(Boolean(sessionCookie)),
+      "X-Auth-Session-Role": session.role,
+      "X-Auth-Path": pathname,
+      "X-Auth-Base-Url": baseUrl.toString()
+    });
+    return forbiddenResponse;
  }

+  setDebugHeaders(response, {
+    "X-Auth-Session": session ? "valid" : "missing",
+    "X-Auth-Session-Has-Cookie": String(Boolean(sessionCookie)),
+    "X-Auth-Session-Valid-Role": session?.role || "n/a",
+    "X-Auth-Path": pathname,
+    "X-Auth-Base-Url": baseUrl.toString(),
+    "X-Auth-Host": request.headers.get("host") || "unknown"
+  });
+
  return response;
 }