frontend/src/auth/auth.ts

import NextAuth from "next-auth"
import KeycloakProvider from "next-auth/providers/keycloak"

declare module "next-auth" {
  interface Session {
    user: {
      id: string
      name?: string | null
      email?: string | null
      image?: string | null
      clubs?: Record<string, string>
      isAdmin?: boolean
    }
    accessToken?: string
  }
  
  interface JWT {
    clubs?: Record<string, string>
    accessToken?: string
    isAdmin?: boolean
  }
}

// In Docker, the Next.js server reaches Keycloak via internal hostname
// (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
// URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'
const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
const oidcPublic = `${issuerPublic}/protocol/openid-connect`
const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    KeycloakProvider({
      clientId: process.env.KEYCLOAK_CLIENT_ID || 'workclub-app',
      issuer: issuerPublic,
      authorization: {
        url: `${oidcPublic}/auth`,
        params: { scope: "openid email profile" },
      },
      token: `${oidcInternal}/token`,
      userinfo: `${oidcInternal}/userinfo`,
      jwks_endpoint: `${oidcInternal}/certs`,
    })
  ],
  trustHost: true,
  cookies: {
    pkceCodeVerifier: {
      name: "authjs.pkce.code_verifier",
      options: {
        httpOnly: true,
        sameSite: "lax",
        path: "/",
        secure: false,
      },
    },
    state: {
      name: "authjs.state",
      options: {
        httpOnly: true,
        sameSite: "lax",
        path: "/",
        secure: false,
      },
    },
  },
  debug: true,
  callbacks: {
    async jwt({ token, account }) {
      if (account && account.access_token) {
        // Add clubs claim from Keycloak access token
        token.clubs = (account as { clubs?: Record<string, string> }).clubs || {}
        token.accessToken = account.access_token
      }

      // Always check admin status from the access token if available
      if (token.accessToken) {
        try {
          const payload = JSON.parse(Buffer.from((token.accessToken as string).split('.')[1], 'base64').toString());
          const roles = (payload.realm_access?.roles as string[]) || [];
          token.isAdmin = roles.includes('admin');
          console.log('[Auth Debug] Checking admin status:', { roles, isAdmin: token.isAdmin });
        } catch (e) {
          console.error('[Auth Debug] Failed to check admin status:', e);
          token.isAdmin = false;
        }
      } else {
        console.log('[Auth Debug] No access token available');
      }
      return token
    },
    async session({ session, token }) {
      // Expose clubs to client
      if (session.user) {
        session.user.clubs = token.clubs as Record<string, string> | undefined
        session.user.isAdmin = token.isAdmin as boolean | undefined
      }
      session.accessToken = token.accessToken as string | undefined
      return session
    }
  }
})
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`import NextAuth from "next-auth"`
			`import KeycloakProvider from "next-auth/providers/keycloak"`

			`declare module "next-auth" {`
			`interface Session {`
			`user: {`
			`id: string`
			`name?: string \| null`
			`email?: string \| null`
			`image?: string \| null`
			`clubs?: Record<string, string>`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`isAdmin?: boolean`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
			`accessToken?: string`
			`}`

			`interface JWT {`
			`clubs?: Record<string, string>`
			`accessToken?: string`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`isAdmin?: boolean`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
			`}`

fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing 2026-03-09 14:21:03 +01:00			`// In Docker, the Next.js server reaches Keycloak via internal hostname`
			`// (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint`
			`// URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.`
Remove localhost:3000 from Keycloak redirect URIs and web origins 2026-03-20 22:39:15 +01:00			`const issuerPublic = process.env.KEYCLOAK_ISSUER \|\| 'http://localhost:30808/realms/workclub'`
fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing 2026-03-09 14:21:03 +01:00			`const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL \|\| issuerPublic`
			const oidcPublic = `${issuerPublic}/protocol/openid-connect`
feat: Configure Keycloak to use internal port 8081, explicitly define OIDC endpoints in NextAuth, and update API service Keycloak authority. 2026-03-18 14:47:57 +01:00			const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing 2026-03-09 14:21:03 +01:00
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`export const { handlers, signIn, signOut, auth } = NextAuth({`
			`providers: [`
			`KeycloakProvider({`
fix: Add fallback values for Keycloak environment variables to fix Docker build 2026-03-20 12:11:22 +01:00			`clientId: process.env.KEYCLOAK_CLIENT_ID \|\| 'workclub-app',`
fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing 2026-03-09 14:21:03 +01:00			`issuer: issuerPublic,`
feat: Configure Keycloak to use internal port 8081, explicitly define OIDC endpoints in NextAuth, and update API service Keycloak authority. 2026-03-18 14:47:57 +01:00			`authorization: {`
			url: `${oidcPublic}/auth`,
			`params: { scope: "openid email profile" },`
			`},`
			token: `${oidcInternal}/token`,
			userinfo: `${oidcInternal}/userinfo`,
			jwks_endpoint: `${oidcInternal}/certs`,
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`})`
			`],`
feat: Configure Keycloak to use internal port 8081, explicitly define OIDC endpoints in NextAuth, and update API service Keycloak authority. 2026-03-18 14:47:57 +01:00			`trustHost: true,`
feat: Enrich DTOs and UI to display member names instead of UUIDs for task assignees, creators, and shift signups. 2026-03-18 14:15:33 +01:00			`cookies: {`
			`pkceCodeVerifier: {`
			`name: "authjs.pkce.code_verifier",`
			`options: {`
			`httpOnly: true,`
			`sameSite: "lax",`
			`path: "/",`
			`secure: false,`
			`},`
			`},`
			`state: {`
			`name: "authjs.state",`
			`options: {`
			`httpOnly: true,`
			`sameSite: "lax",`
			`path: "/",`
			`secure: false,`
			`},`
			`},`
			`},`
			`debug: true,`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`callbacks: {`
			`async jwt({ token, account }) {`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`if (account && account.access_token) {`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`// Add clubs claim from Keycloak access token`
fix: resolve frontend lint errors and cleanup types 2026-03-18 09:15:02 +01:00			`token.clubs = (account as { clubs?: Record<string, string> }).clubs \|\| {}`
			`token.accessToken = account.access_token`
Fix: Always check admin status from access token in JWT callback 2026-03-21 13:11:01 +01:00			`}`

			`// Always check admin status from the access token if available`
			`if (token.accessToken) {`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`try {`
			`const payload = JSON.parse(Buffer.from((token.accessToken as string).split('.')[1], 'base64').toString());`
fix: resolve frontend lint errors and cleanup types 2026-03-18 09:15:02 +01:00			`const roles = (payload.realm_access?.roles as string[]) \|\| [];`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`token.isAdmin = roles.includes('admin');`
Add debug logging for admin status detection 2026-03-21 13:32:53 +01:00			`console.log('[Auth Debug] Checking admin status:', { roles, isAdmin: token.isAdmin });`
			`} catch (e) {`
			`console.error('[Auth Debug] Failed to check admin status:', e);`
feat: restrict admin access to club operations and rollout test environment 2026-03-18 09:08:45 +01:00			`token.isAdmin = false;`
			`}`
Add debug logging for admin status detection 2026-03-21 13:32:53 +01:00			`} else {`
			`console.log('[Auth Debug] No access token available');`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
			`return token`
			`},`
			`async session({ session, token }) {`
			`// Expose clubs to client`
			`if (session.user) {`
fix: resolve frontend lint errors and cleanup types 2026-03-18 09:15:02 +01:00			`session.user.clubs = token.clubs as Record<string, string> \| undefined`
			`session.user.isAdmin = token.isAdmin as boolean \| undefined`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`}`
fix: resolve frontend lint errors and cleanup types 2026-03-18 09:15:02 +01:00			`session.accessToken = token.accessToken as string \| undefined`
feat(frontend-auth): add NextAuth.js v5 Keycloak integration (partial - Task 10) 2026-03-03 18:52:44 +01:00			`return session`
			`}`
			`}`
			`})`