Testing Authentik SSO Issues

2025-12-10 13:36:45 +03:00 · 2025-09-07 19:09:00 +05:30
parent c4b353aae8
commit c2f6e73054
6 changed files with 169 additions and 42 deletions
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -19,42 +19,71 @@ export const auth = betterAuth({

  // Base URL configuration - use the primary URL (Better Auth only supports single baseURL)
  baseURL: (() => {
-    const url = process.env.BETTER_AUTH_URL || "http://localhost:4321";
+    const url = process.env.BETTER_AUTH_URL;
+    const defaultUrl = "http://localhost:4321";
+    
+    // Check if URL is provided and not empty
+    if (!url || typeof url !== 'string' || url.trim() === '') {
+      console.info('BETTER_AUTH_URL not set, using default:', defaultUrl);
+      return defaultUrl;
+    }
+    
    try {
-      // Validate URL format
-      new URL(url);
-      return url;
-    } catch {
-      console.warn(`Invalid BETTER_AUTH_URL: ${url}, falling back to localhost`);
-      return "http://localhost:4321";
+      // Validate URL format and ensure it's a proper origin
+      const validatedUrl = new URL(url.trim());
+      const cleanUrl = validatedUrl.origin; // Use origin to ensure no trailing paths
+      console.info('Using BETTER_AUTH_URL:', cleanUrl);
+      return cleanUrl;
+    } catch (e) {
+      console.error(`Invalid BETTER_AUTH_URL format: "${url}"`);
+      console.error('Error:', e);
+      console.info('Falling back to default:', defaultUrl);
+      return defaultUrl;
    }
  })(),
  basePath: "/api/auth", // Specify the base path for auth endpoints
  
  // Trusted origins - this is how we support multiple access URLs
  trustedOrigins: (() => {
-    const origins = [
+    const origins: string[] = [
      "http://localhost:4321",
      "http://localhost:8080", // Keycloak
    ];
    
    // Add the primary URL from BETTER_AUTH_URL
-    const primaryUrl = process.env.BETTER_AUTH_URL || "http://localhost:4321";
-    try {
-      new URL(primaryUrl);
-      origins.push(primaryUrl);
-    } catch {
-      // Skip if invalid
+    const primaryUrl = process.env.BETTER_AUTH_URL;
+    if (primaryUrl && typeof primaryUrl === 'string' && primaryUrl.trim() !== '') {
+      try {
+        const validatedUrl = new URL(primaryUrl.trim());
+        origins.push(validatedUrl.origin);
+      } catch {
+        // Skip if invalid
+      }
    }
    
    // Add additional trusted origins from environment
    // This is where users can specify multiple access URLs
    if (process.env.BETTER_AUTH_TRUSTED_ORIGINS) {
-      origins.push(...process.env.BETTER_AUTH_TRUSTED_ORIGINS.split(',').map(o => o.trim()));
+      const additionalOrigins = process.env.BETTER_AUTH_TRUSTED_ORIGINS
+        .split(',')
+        .map(o => o.trim())
+        .filter(o => o !== '');
+      
+      // Validate each additional origin
+      for (const origin of additionalOrigins) {
+        try {
+          const validatedUrl = new URL(origin);
+          origins.push(validatedUrl.origin);
+        } catch {
+          console.warn(`Invalid trusted origin: ${origin}, skipping`);
+        }
+      }
    }
    
-    // Remove duplicates and return
-    return [...new Set(origins.filter(Boolean))];
+    // Remove duplicates and empty strings, then return
+    const uniqueOrigins = [...new Set(origins.filter(Boolean))];
+    console.info('Trusted origins:', uniqueOrigins);
+    return uniqueOrigins;
  })(),

  // Authentication methods