2026-02-01 19:18:48 +00:00
4 changed files with 23 additions and 6 deletions
--- a/.env.example
+++ b/.env.example
@@ -50,7 +50,10 @@ KNOWLEDGE_CACHE_TTL=300
 OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id-here
 OIDC_CLIENT_SECRET=your-client-secret-here
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
+# Redirect URI must match what's configured in Authentik
+# Development: http://localhost:3001/auth/callback/authentik
+# Production: https://api.mosaicstack.dev/auth/callback/authentik
+OIDC_REDIRECT_URI=http://localhost:3001/auth/callback/authentik

 # Authentik PostgreSQL Database
 AUTHENTIK_POSTGRES_USER=authentik
--- a/apps/api/src/auth/auth.config.ts
+++ b/apps/api/src/auth/auth.config.ts
@@ -1,5 +1,6 @@
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
+import { genericOAuth } from "better-auth/plugins";
 import type { PrismaClient } from "@prisma/client";

 export function createAuth(prisma: PrismaClient) {
@@ -10,13 +11,28 @@ export function createAuth(prisma: PrismaClient) {
    emailAndPassword: {
      enabled: true, // Enable for now, can be disabled later
    },
+    plugins: [
+      genericOAuth({
+        config: [
+          {
+            providerId: "authentik",
+            clientId: process.env.OIDC_CLIENT_ID ?? "",
+            clientSecret: process.env.OIDC_CLIENT_SECRET ?? "",
+            discoveryUrl: `${process.env.OIDC_ISSUER ?? ""}.well-known/openid-configuration`,
+            scopes: ["openid", "profile", "email"],
+          },
+        ],
+      }),
+    ],
    session: {
      expiresIn: 60 * 60 * 24, // 24 hours
      updateAge: 60 * 60 * 24, // 24 hours
    },
    trustedOrigins: [
      process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
-      "http://localhost:3001", // API origin
+      "http://localhost:3001", // API origin (dev)
+      "https://app.mosaicstack.dev", // Production web
+      "https://api.mosaicstack.dev", // Production API
    ],
  });
 }
--- a/apps/web/src/components/auth/LoginButton.test.tsx
+++ b/apps/web/src/components/auth/LoginButton.test.tsx
@@ -32,9 +32,7 @@ describe("LoginButton", (): void => {
    const button = screen.getByRole("button", { name: /sign in/i });
    await user.click(button);

-    expect(mockLocation.assign).toHaveBeenCalledWith(
-      "http://localhost:3001/auth/callback/authentik"
-    );
+    expect(mockLocation.assign).toHaveBeenCalledWith("http://localhost:3001/auth/signin/authentik");
  });

  it("should have proper styling", (): void => {
--- a/apps/web/src/components/auth/LoginButton.tsx
+++ b/apps/web/src/components/auth/LoginButton.tsx
@@ -8,7 +8,7 @@ export function LoginButton(): React.JSX.Element {
  const handleLogin = (): void => {
    // Redirect to the backend OIDC authentication endpoint
    // BetterAuth will handle the OIDC flow and redirect back to the callback
-    window.location.assign(`${API_URL}/auth/callback/authentik`);
+    window.location.assign(`${API_URL}/auth/signin/authentik`);
  };

  return (