fix(auth): restore BetterAuth OIDC flow across api/web/compose
This commit is contained in:
@@ -14,6 +14,41 @@ const REQUIRED_OIDC_ENV_VARS = [
|
||||
"OIDC_REDIRECT_URI",
|
||||
] as const;
|
||||
|
||||
/**
|
||||
* Resolve BetterAuth base URL from explicit auth URL or API URL.
|
||||
* BetterAuth uses this to generate absolute callback/error URLs.
|
||||
*/
|
||||
export function getBetterAuthBaseUrl(): string | undefined {
|
||||
const configured = process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_API_URL;
|
||||
|
||||
if (!configured || configured.trim() === "") {
|
||||
if (process.env.NODE_ENV === "production") {
|
||||
throw new Error(
|
||||
"Missing BetterAuth base URL in production. Set BETTER_AUTH_URL (preferred) or NEXT_PUBLIC_API_URL."
|
||||
);
|
||||
}
|
||||
return undefined;
|
||||
}
|
||||
|
||||
let parsed: URL;
|
||||
try {
|
||||
parsed = new URL(configured);
|
||||
} catch (urlError: unknown) {
|
||||
const detail = urlError instanceof Error ? urlError.message : String(urlError);
|
||||
throw new Error(
|
||||
`BetterAuth base URL must be a valid URL. Current value: "${configured}". Parse error: ${detail}.`
|
||||
);
|
||||
}
|
||||
|
||||
if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
|
||||
throw new Error(
|
||||
`BetterAuth base URL must use https in production. Current value: "${configured}".`
|
||||
);
|
||||
}
|
||||
|
||||
return parsed.origin;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if OIDC authentication is enabled via environment variable
|
||||
*/
|
||||
@@ -59,17 +94,17 @@ export function validateOidcConfig(): void {
|
||||
);
|
||||
}
|
||||
|
||||
// Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/callback path
|
||||
// Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/oauth2/callback path
|
||||
validateRedirectUri();
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates the OIDC_REDIRECT_URI environment variable.
|
||||
* - Must be a parseable URL
|
||||
* - Path must start with /auth/callback
|
||||
* - Path must start with /auth/oauth2/callback
|
||||
* - Warns (but does not throw) if using localhost in production
|
||||
*
|
||||
* @throws Error if URL is invalid or path does not start with /auth/callback
|
||||
* @throws Error if URL is invalid or path does not start with /auth/oauth2/callback
|
||||
*/
|
||||
function validateRedirectUri(): void {
|
||||
const redirectUri = process.env.OIDC_REDIRECT_URI;
|
||||
@@ -86,14 +121,14 @@ function validateRedirectUri(): void {
|
||||
throw new Error(
|
||||
`OIDC_REDIRECT_URI must be a valid URL. Current value: "${redirectUri}". ` +
|
||||
`Parse error: ${detail}. ` +
|
||||
`Example: "https://app.example.com/auth/callback/authentik".`
|
||||
`Example: "https://api.example.com/auth/oauth2/callback/authentik".`
|
||||
);
|
||||
}
|
||||
|
||||
if (!parsed.pathname.startsWith("/auth/callback")) {
|
||||
if (!parsed.pathname.startsWith("/auth/oauth2/callback")) {
|
||||
throw new Error(
|
||||
`OIDC_REDIRECT_URI path must start with "/auth/callback". Current path: "${parsed.pathname}". ` +
|
||||
`Example: "https://app.example.com/auth/callback/authentik".`
|
||||
`OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback". Current path: "${parsed.pathname}". ` +
|
||||
`Example: "https://api.example.com/auth/oauth2/callback/authentik".`
|
||||
);
|
||||
}
|
||||
|
||||
@@ -120,6 +155,7 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
|
||||
const clientId = process.env.OIDC_CLIENT_ID;
|
||||
const clientSecret = process.env.OIDC_CLIENT_SECRET;
|
||||
const issuer = process.env.OIDC_ISSUER;
|
||||
const redirectUri = process.env.OIDC_REDIRECT_URI;
|
||||
|
||||
if (!clientId) {
|
||||
throw new Error("OIDC_CLIENT_ID is required when OIDC is enabled but was not set.");
|
||||
@@ -130,6 +166,9 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
|
||||
if (!issuer) {
|
||||
throw new Error("OIDC_ISSUER is required when OIDC is enabled but was not set.");
|
||||
}
|
||||
if (!redirectUri) {
|
||||
throw new Error("OIDC_REDIRECT_URI is required when OIDC is enabled but was not set.");
|
||||
}
|
||||
|
||||
return [
|
||||
genericOAuth({
|
||||
@@ -139,6 +178,7 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
|
||||
clientId,
|
||||
clientSecret,
|
||||
discoveryUrl: `${issuer}.well-known/openid-configuration`,
|
||||
redirectURI: redirectUri,
|
||||
pkce: true,
|
||||
scopes: ["openid", "profile", "email"],
|
||||
},
|
||||
@@ -203,7 +243,10 @@ export function createAuth(prisma: PrismaClient) {
|
||||
// Validate OIDC configuration at startup - fail fast if misconfigured
|
||||
validateOidcConfig();
|
||||
|
||||
const baseURL = getBetterAuthBaseUrl();
|
||||
|
||||
return betterAuth({
|
||||
baseURL,
|
||||
basePath: "/auth",
|
||||
database: prismaAdapter(prisma, {
|
||||
provider: "postgresql",
|
||||
|
||||
Reference in New Issue
Block a user