middleware fix wip
48
MIDDLEWARE_FIX_SUMMARY.md
Normal file
@@ -0,0 +1,48 @@
# Middleware Authentication Fix Summary
## Problem
6 out of 12 e2e tests failing due to middleware not properly protecting routes.
## Root Cause Analysis
### Issue 1: Cookie Loss in Redirect Chain
When navigating to `/sponsor`, the page component does a server-side `redirect('/sponsor/dashboard')` which loses cookies in the redirect chain. This causes the second request to `/sponsor/dashboard` to have no cookies.
**Evidence:**
```
/sponsor - cookie header length: 50 ✓
/sponsor/dashboard - cookie header length: 0 ✗
```
**Fix:** Handle `/sponsor` → `/sponsor/dashboard` redirect in middleware to preserve cookies.
### Issue 2: Auth Page Redirect Loop
When an authenticated user with insufficient permissions is redirected to `/auth/login?returnTo=/sponsor/dashboard`, the middleware immediately redirects them away from the login page because they're authenticated. This creates a conflict.
**Fix:** Allow authenticated users to access login pages if they have a `returnTo` parameter (indicating they were sent there due to insufficient permissions).
### Issue 3: SessionGateway Cookie Handling
The `SessionGateway.getSession()` method was checking `if (cookieHeader)` which evaluates to `false` for empty strings, causing it to fall through to server component context even when called from middleware with an empty cookie header.
**Fix:** Check `if (cookieHeader !== undefined)` instead.
## Changes Made
1. **apps/website/lib/gateways/SessionGateway.ts**
- Fixed cookie header check to use `!== undefined` instead of truthy check
2. **apps/website/middleware.ts**
- Added redirect from `/sponsor` to `/sponsor/dashboard` in middleware
- Added check for `returnTo` parameter in auth page logic
- Added comprehensive logging
3. **apps/website/app/sponsor/dashboard/page.tsx**
- Added `export const dynamic = 'force-dynamic'` (reverted - doesn't work with client components)
## Test Results
Still failing - need to investigate further.
## Next Steps
1. Check if cookies are being set with correct domain
2. Verify Playwright cookie handling in Docker environment
3. Consider if the test expectations are correct
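Review bot: the Issue 2 fix ("Allow authenticated users to access login pages if they have a `returnTo` parameter", also listed under Changes Made item 2) keys the exception on the mere presence of a query parameter that any client can add, so before the middleware honours `returnTo` it should validate that the value is a same-origin relative path (a single leading `/`, not `//`, not a scheme such as `https:`) and the post-login redirect should use the same validated value; otherwise the parameter becomes an open redirect and the "insufficient permissions" signal is spoofable. A cleaner alternative to sending an already-authenticated user back to `/auth/login` at all is a dedicated 403 / "no access" page, which removes the redirect-loop conflict the summary describes. For Issue 3, the `if (cookieHeader !== undefined)` change means an empty cookie header from middleware is now treated as "no session" rather than falling through to the server-component context; please confirm in a test that this path fails closed (unauthenticated) instead of picking up a session from elsewhere. Under Changes Made item 2, "Added comprehensive logging" should log only what the Evidence block shows (cookie header length, path), never the cookie or session token values themselves, since middleware logs often end up in shared log pipelines. Finally, the Test Results section states the fixes are still failing, so consider keeping this file out of the default branch (or naming it as WIP, as the commit message does) so the repository does not carry a "fix summary" for behaviour that has not been verified.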