fix(auth): restore keycloak sign-in for NodePort access

Trust external host for Auth.js, provide missing frontend auth env/secrets, and submit a proper CSRF-backed sign-in POST so browser login reaches Keycloak reliably.
2026-03-13 06:52:18 +01:00
parent d4f09295be
commit 9cb80e4517
3 changed files with 58 additions and 3 deletions
--- a/frontend/src/app/login/page.tsx
+++ b/frontend/src/app/login/page.tsx
@@ -1,7 +1,7 @@
 'use client';

 import { useEffect, Suspense } from 'react';
-import { signIn, signOut, useSession } from 'next-auth/react';
+import { signOut, useSession } from 'next-auth/react';
 import { useRouter, useSearchParams } from 'next/navigation';
 import { Card, CardHeader, CardTitle, CardContent, CardFooter } from '@/components/ui/card';
 import { Button } from '@/components/ui/button';
@@ -18,8 +18,33 @@ function LoginContent() {
    }
  }, [status, router]);

-  const handleSignIn = () => {
-    signIn('keycloak', { callbackUrl: '/dashboard' });
+  const handleSignIn = async () => {
+    const csrfResponse = await fetch('/api/auth/csrf');
+    const csrfPayload = await csrfResponse.json() as { csrfToken?: string };
+
+    if (!csrfPayload.csrfToken) {
+      window.location.href = '/api/auth/signin?callbackUrl=%2Fdashboard';
+      return;
+    }
+
+    const form = document.createElement('form');
+    form.method = 'POST';
+    form.action = '/api/auth/signin/keycloak';
+
+    const csrfInput = document.createElement('input');
+    csrfInput.type = 'hidden';
+    csrfInput.name = 'csrfToken';
+    csrfInput.value = csrfPayload.csrfToken;
+    form.appendChild(csrfInput);
+
+    const callbackInput = document.createElement('input');
+    callbackInput.type = 'hidden';
+    callbackInput.name = 'callbackUrl';
+    callbackInput.value = `${window.location.origin}/dashboard`;
+    form.appendChild(callbackInput);
+
+    document.body.appendChild(form);
+    form.submit();
  };

  const handleSwitchAccount = () => {