ugh

2025-03-23 23:53:45 +00:00
parent edc220bc5d
commit 3413e3b1e8
8 changed files with 122 additions and 88 deletions
--- a/app/api/auth/check/route.ts
+++ b/app/api/auth/check/route.ts
@@ -11,9 +11,13 @@ export async function GET(req: NextRequest) {
    // If not in headers, check cookies
    if (!token) {
      token = req.cookies.get('Authorization')?.value;
-      console.log('Auth check: Token from cookies');
+      console.log('Auth check: Token from cookies:', token ? `${token.substring(0, 10)}...` : 'none');
+      
+      // Debug: List all cookies
+      const cookiesList = req.cookies.getAll();
+      console.log('Auth check: All cookies:', JSON.stringify(cookiesList.map(c => c.name)));
    } else {
-      console.log('Auth check: Token from headers');
+      console.log('Auth check: Token from headers:', token.substring(0, 10) + '...');
    }
    
    if (!token) {
--- a/app/api/auth/set-cookie/route.ts
+++ b/app/api/auth/set-cookie/route.ts
@@ -0,0 +1,59 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+// Force dynamic execution to ensure cookies are set at runtime
+export const dynamic = 'force-dynamic';
+
+export async function POST(req: NextRequest) {
+  try {
+    // Parse the request body to get the auth token
+    const body = await req.json();
+    const { token } = body;
+
+    if (!token) {
+      console.error('Set-cookie API: No token provided');
+      return NextResponse.json(
+        { error: 'No token provided' },
+        { status: 400 }
+      );
+    }
+
+    // Create a response object
+    const response = NextResponse.json(
+      { success: true },
+      { status: 200 }
+    );
+
+    // Set the token in an HTTP-only cookie that will be sent with requests
+    // The secure flag is conditionally set based on the environment
+    const isLocalhost = req.headers.get('host')?.includes('localhost') || 
+                        req.headers.get('host')?.includes('127.0.0.1');
+    
+    const cookieOptions = {
+      // HttpOnly for security - prevents JavaScript access
+      httpOnly: true,
+      // Valid for 7 days (same as the JWT)
+      maxAge: 7 * 24 * 60 * 60,
+      // Only send in requests to our domain
+      path: '/',
+      // Strict same-site policy to prevent CSRF
+      sameSite: 'strict' as const,
+      // Secure only in production environments
+      secure: !isLocalhost
+    };
+
+    // Set the cookie with the options
+    response.cookies.set('Authorization', token, cookieOptions);
+
+    console.log('Set-cookie API: Cookie set successfully');
+    return response;
+  } catch (error) {
+    console.error('Set-cookie API error:', error);
+    return NextResponse.json(
+      { 
+        error: 'Failed to set cookie', 
+        details: error instanceof Error ? error.message : String(error)
+      },
+      { status: 500 }
+    );
+  }
+}