middleware fix wip

2026-01-04 01:45:14 +01:00
parent 99092e2759
commit b8eb8fb005
7 changed files with 170 additions and 15 deletions
--- a/apps/website/app/auth/login/page.tsx
+++ b/apps/website/app/auth/login/page.tsx
@@ -35,13 +35,27 @@ export default function LoginPage() {
  
  const [showPassword, setShowPassword] = useState(false);
  const [showErrorDetails, setShowErrorDetails] = useState(false);
+  const [hasInsufficientPermissions, setHasInsufficientPermissions] = useState(false);

  // Check if user is already authenticated
  useEffect(() => {
    if (session) {
-      router.replace(returnTo);
+      // If there's a returnTo parameter (user was redirected here from a protected route),
+      // they might not have permission. Don't auto-redirect them back.
+      const returnToParam = searchParams.get('returnTo');
+      console.log('[LOGIN] returnToParam:', returnToParam);
+      console.log('[LOGIN] returnTo:', returnTo);
+      const hasReturnTo = returnToParam !== null;
+      if (hasReturnTo) {
+        console.log('[LOGIN] Has returnTo, setting insufficient permissions');
+        setHasInsufficientPermissions(true);
+      } else {
+        // No returnTo means they navigated here directly while authenticated
+        console.log('[LOGIN] No returnTo, redirecting to dashboard');
+        router.replace('/dashboard');
+      }
    }
-  }, [session, router, returnTo]);
+  }, [session, router, returnTo, searchParams]);

  // Use enhanced form hook
  const {
@@ -244,6 +258,28 @@ export default function LoginPage() {
                </label>
              </div>

+              {/* Insufficient Permissions Message */}
+              <AnimatePresence>
+                {hasInsufficientPermissions && (
+                  <motion.div
+                    initial={{ opacity: 0, y: -10 }}
+                    animate={{ opacity: 1, y: 0 }}
+                    exit={{ opacity: 0, y: -10 }}
+                    className="p-4 rounded-lg bg-warning-amber/10 border border-warning-amber/30"
+                  >
+                    <div className="flex items-start gap-3">
+                      <AlertCircle className="w-5 h-5 text-warning-amber flex-shrink-0 mt-0.5" />
+                      <div className="text-sm text-gray-300">
+                        <strong className="text-warning-amber">Insufficient Permissions</strong>
+                        <p className="mt-1">
+                          You don't have permission to access that page. Please log in with an account that has the required role.
+                        </p>
+                      </div>
+                    </div>
+                  </motion.div>
+                )}
+              </AnimatePresence>
+
              {/* Enhanced Error Display */}
              <AnimatePresence>
                {formState.submitError && (
--- a/apps/website/app/sponsor/dashboard/page.tsx
+++ b/apps/website/app/sponsor/dashboard/page.tsx
@@ -1,5 +1,7 @@
 'use client';

+export const dynamic = 'force-dynamic';
+
 import { useEffect, useState } from 'react';
 import { useQuery } from '@tanstack/react-query';
 import { motion, useReducedMotion, AnimatePresence } from 'framer-motion';
--- a/apps/website/app/sponsor/page.tsx
+++ b/apps/website/app/sponsor/page.tsx
@@ -3,6 +3,7 @@ import { redirect } from 'next/navigation';
 export const dynamic = 'force-dynamic';

 export default function SponsorPage() {
-  // Server-side redirect to sponsor dashboard
+  // Redirect to dashboard - this will be handled by middleware for auth
+  // Using permanent redirect to avoid cookie loss
  redirect('/sponsor/dashboard');
 }
--- a/apps/website/lib/gateways/SessionGateway.ts
+++ b/apps/website/lib/gateways/SessionGateway.ts
@@ -5,29 +5,48 @@
 * Designed for 'use server' contexts.
 */

-import { cookies } from 'next/headers';
+import type { NextRequest } from 'next/server';
 import type { AuthSessionDTO } from '../types/generated/AuthSessionDTO';

 /**
 * SessionGateway class for server-side session management
 *
- * Uses Next.js server cookies and fetches session from API
- * Returns null on any error or non-2xx response (no throws)
+ * Supports both middleware and server component contexts
 */
 export class SessionGateway {
  /**
-   * Get current authentication session
+   * Get current authentication session from cookies
   *
+   * @param cookieHeader - Raw cookie header string (for middleware)
   * @returns Promise<AuthSessionDTO | null> - Session object or null if not authenticated/error
   */
-  async getSession(): Promise<AuthSessionDTO | null> {
+  async getSession(cookieHeader?: string): Promise<AuthSessionDTO | null> {
    try {
-      // Get cookies from the current request
-      const cookieStore = await cookies();
-      const cookieString = cookieStore.toString();
+      let cookieString: string;
+
+      // Handle middleware context (cookieHeader provided) vs server component context
+      if (cookieHeader !== undefined) {
+        // Middleware context - use provided cookie header
+        cookieString = cookieHeader;
+        console.log(`[SESSION] Using provided cookie header, length:`, cookieString.length);
+      } else {
+        // Server component context - get cookies from next/headers
+        try {
+          const { cookies } = await import('next/headers');
+          const cookieStore = await cookies();
+          cookieString = cookieStore.toString();
+          console.log(`[SESSION] Using server component cookies, length:`, cookieString.length);
+        } catch (error) {
+          console.log(`[SESSION] Could not access cookies in server component context:`, error);
+          return null;
+        }
+      }
+
+      console.log(`[SESSION] Cookie string:`, cookieString.substring(0, 200) + (cookieString.length > 200 ? '...' : ''));

      // If no cookies, return null immediately
      if (!cookieString) {
+        console.log(`[SESSION] No cookies found, returning null`);
        return null;
      }

@@ -37,10 +56,10 @@ export class SessionGateway {
      // The API is always at http://api:3000 in the Docker network
      const baseUrl = process.env.API_BASE_URL || 'http://localhost:3101';
      const apiUrl = `${baseUrl}/auth/session`;
+      
+      console.log(`[SESSION] Fetching session from:`, apiUrl);

      // Fetch session from API with cookies forwarded
-      // In server-side fetch, we need to pass cookies explicitly
-      // credentials: 'include' doesn't work in server-side fetch
      const response = await fetch(apiUrl, {
        headers: {
          cookie: cookieString,
@@ -48,17 +67,33 @@ export class SessionGateway {
        cache: 'no-store',
      });

+      console.log(`[SESSION] Response status:`, response.status);
+      console.log(`[SESSION] Response ok:`, response.ok);
+
      // Return null for non-2xx responses
      if (!response.ok) {
+        console.log(`[SESSION] Non-2xx response, returning null`);
        return null;
      }

      // Parse and return session data
      const session = await response.json();
+      console.log(`[SESSION] Session parsed successfully`);
      return session as AuthSessionDTO;
    } catch (error) {
+      console.log(`[SESSION] Error occurred:`, error);
      // Return null on any error (network, parsing, etc.)
      return null;
    }
  }
+
+  /**
+   * Get session from NextRequest (for middleware use)
+   */
+  async getSessionFromRequest(request: NextRequest): Promise<AuthSessionDTO | null> {
+    const cookieHeader = request.headers.get('cookie') || '';
+    console.log(`[SESSION] NextRequest cookie header length:`, cookieHeader.length);
+    console.log(`[SESSION] NextRequest cookie header:`, cookieHeader.substring(0, 200) + (cookieHeader.length > 200 ? '...' : ''));
+    return this.getSession(cookieHeader);
+  }
 }
--- a/apps/website/middleware.ts
+++ b/apps/website/middleware.ts
@@ -16,18 +16,41 @@ import { routes, routeMatchers } from '@/lib/routing/RouteConfig';
 export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  
+  // Debug logging
+  console.log(`[MIDDLEWARE] Processing request for path: ${pathname}`);
+  
+  // Handle /sponsor root redirect to /sponsor/dashboard in middleware to preserve cookies
+  if (pathname === '/sponsor') {
+    console.log(`[MIDDLEWARE] Redirecting /sponsor to /sponsor/dashboard`);
+    return NextResponse.redirect(new URL('/sponsor/dashboard', request.url));
+  }
+  
  // Set x-pathname header for layout-level protection
  const response = NextResponse.next();
  response.headers.set('x-pathname', pathname);

  // Get session first (needed for all auth-related decisions)
  const sessionGateway = new SessionGateway();
-  const session = await sessionGateway.getSession();
+  const session = await sessionGateway.getSessionFromRequest(request);
+  
+  console.log(`[MIDDLEWARE] Session retrieved:`, session ? 'Session found' : 'No session');
+  if (session) {
+    console.log(`[MIDDLEWARE] User role:`, session.user?.role);
+  }

  // Auth pages (login, signup, etc.) - handle before public check
  if (routeMatchers.isInGroup(pathname, 'auth')) {
    if (session) {
-      // User is authenticated, redirect away from auth page
+      // Check if user was redirected here due to insufficient permissions
+      const returnTo = request.nextUrl.searchParams.get('returnTo');
+      if (returnTo) {
+        // User has a session but insufficient permissions for the returnTo route
+        // Allow them to see the login page (they may need to switch accounts)
+        console.log(`[MIDDLEWARE] Authenticated user at login with returnTo, allowing access`);
+        return response;
+      }
+      
+      // User is authenticated and navigated to auth page directly, redirect away
      const role = session.user?.role || 'driver';
      const redirectPath = getHomePathForRole(role);
      
@@ -46,12 +69,14 @@ export async function middleware(request: NextRequest) {

  // Public routes (no auth required, but not auth pages)
  if (routeMatchers.isPublic(pathname)) {
+    console.log(`[MIDDLEWARE] Route is public, allowing access`);
    return response;
  }

  // Protected routes (require authentication)
  if (!session) {
    // No session, redirect to login
+    console.log(`[MIDDLEWARE] No session, redirecting to login`);
    // Preserve locale if present in the path
    const localeMatch = pathname.match(/^\/([a-z]{2})\//);
    const locale = localeMatch ? localeMatch[1] : null;
@@ -64,16 +89,20 @@ export async function middleware(request: NextRequest) {
      redirectUrl.pathname = `/${locale}${redirectUrl.pathname}`;
    }
    
+    console.log(`[MIDDLEWARE] Redirecting to:`, redirectUrl.toString());
    return NextResponse.redirect(redirectUrl);
  }

  // Role-based access control
  const requiredRoles = routeMatchers.requiresRole(pathname);
+  console.log(`[MIDDLEWARE] Required roles for ${pathname}:`, requiredRoles);
  if (requiredRoles) {
    const userRole = session.user?.role;
+    console.log(`[MIDDLEWARE] User role:`, userRole);
    
    if (!userRole || !requiredRoles.includes(userRole)) {
      // User doesn't have required role or no role at all, redirect to login
+      console.log(`[MIDDLEWARE] User doesn't have required role, redirecting to login`);
      // Preserve locale if present in the path
      const localeMatch = pathname.match(/^\/([a-z]{2})\//);
      const locale = localeMatch ? localeMatch[1] : null;
@@ -85,11 +114,13 @@ export async function middleware(request: NextRequest) {
        redirectUrl.pathname = `/${locale}${redirectUrl.pathname}`;
      }
      
+      console.log(`[MIDDLEWARE] Redirecting to:`, redirectUrl.toString());
      return NextResponse.redirect(redirectUrl);
    }
  }

  // All checks passed, allow access
+  console.log(`[MIDDLEWARE] All checks passed, allowing access`);
  return response;
 }