frontend/src/auth/auth.ts

import NextAuth from "next-auth"
import KeycloakProvider from "next-auth/providers/keycloak"

declare module "next-auth" {
  interface Session {
    user: {
      id: string
      name?: string | null
      email?: string | null
      image?: string | null
      clubs?: Record<string, string>
      isAdmin?: boolean
    }
    accessToken?: string
  }
  
  interface JWT {
    clubs?: Record<string, string>
    accessToken?: string
    isAdmin?: boolean
  }
}

// In Docker, the Next.js server reaches Keycloak via internal hostname
// (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
// URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
const issuerPublic = process.env.KEYCLOAK_ISSUER!
const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
const oidcPublic = `${issuerPublic}/protocol/openid-connect`
const oidcInternal = `${issuerInternal}/protocol/openid-connect`

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    KeycloakProvider({
      clientId: process.env.KEYCLOAK_CLIENT_ID!,
      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET!,
      issuer: issuerPublic,
      authorization: {
        url: `${oidcPublic}/auth`,
        params: { scope: "openid email profile" },
      },
      token: `${oidcInternal}/token`,
      userinfo: `${oidcInternal}/userinfo`,
    })
  ],
  callbacks: {
    async jwt({ token, account }) {
      if (account && account.access_token) {
        // Add clubs claim from Keycloak access token
        token.clubs = (account as any).clubs as Record<string, string> || {}
        token.accessToken = account.access_token as string
        
        try {
          const payload = JSON.parse(Buffer.from((token.accessToken as string).split('.')[1], 'base64').toString());
          const roles = payload.realm_access?.roles || [];
          token.isAdmin = roles.includes('admin');
        } catch (e) {
          token.isAdmin = false;
        }
      }
      return token
    },
    async session({ session, token }) {
      // Expose clubs to client
      if (session.user) {
        session.user.clubs = (token as any).clubs as Record<string, string> | undefined
        session.user.isAdmin = (token as any).isAdmin as boolean | undefined
      }
      session.accessToken = (token as any).accessToken as string | undefined
      return session
    }
  }
})
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`import NextAuth from "next-auth"`
			`import KeycloakProvider from "next-auth/providers/keycloak"`

			`declare module "next-auth" {`
			`interface Session {`
			`user: {`
			`id: string`
			`name?: string \| null`
			`email?: string \| null`
			`image?: string \| null`
			`clubs?: Record<string, string>`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`isAdmin?: boolean`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
			`accessToken?: string`
			`}`

			`interface JWT {`
			`clubs?: Record<string, string>`
			`accessToken?: string`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`isAdmin?: boolean`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
			`}`

fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing 2026-03-09 14:21:03 +01:00			`// In Docker, the Next.js server reaches Keycloak via internal hostname`
			`// (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint`
			`// URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.`
			`const issuerPublic = process.env.KEYCLOAK_ISSUER!`
			`const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL \|\| issuerPublic`
			const oidcPublic = `${issuerPublic}/protocol/openid-connect`
			const oidcInternal = `${issuerInternal}/protocol/openid-connect`

feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`export const { handlers, signIn, signOut, auth } = NextAuth({`
			`providers: [`
			`KeycloakProvider({`
			`clientId: process.env.KEYCLOAK_CLIENT_ID!,`
			`clientSecret: process.env.KEYCLOAK_CLIENT_SECRET!,`
fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing 2026-03-09 14:21:03 +01:00			`issuer: issuerPublic,`
			`authorization: {`
			url: `${oidcPublic}/auth`,
			`params: { scope: "openid email profile" },`
			`},`
			token: `${oidcInternal}/token`,
			userinfo: `${oidcInternal}/userinfo`,
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`})`
			`],`
			`callbacks: {`
			`async jwt({ token, account }) {`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`if (account && account.access_token) {`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`// Add clubs claim from Keycloak access token`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`token.clubs = (account as any).clubs as Record<string, string> \|\| {}`
			`token.accessToken = account.access_token as string`

			`try {`
			`const payload = JSON.parse(Buffer.from((token.accessToken as string).split('.')[1], 'base64').toString());`
			`const roles = payload.realm_access?.roles \|\| [];`
			`token.isAdmin = roles.includes('admin');`
			`} catch (e) {`
			`token.isAdmin = false;`
			`}`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
			`return token`
			`},`
			`async session({ session, token }) {`
			`// Expose clubs to client`
			`if (session.user) {`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`session.user.clubs = (token as any).clubs as Record<string, string> \| undefined`
			`session.user.isAdmin = (token as any).isAdmin as boolean \| undefined`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`session.accessToken = (token as any).accessToken as string \| undefined`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`return session`
			`}`
			`}`
			`})`