Fix OAuth session and proxy configuration

- Add trust proxy setting for reverse proxy support
- Save session before redirect to ensure state persistence
- Fixes state mismatch and rate limiter errors

Author: mattburchett

backend/src/routes/auth.ts

@@ -12,9 +12,16 @@ router.get('/login', authRateLimiter, (req: Request, res: Response) => {
     req.session.codeVerifier = codeVerifier;
     req.session.state = state;
 
-    logger.info('Redirecting to Keycloak for authentication');
+    // Save session before redirect to ensure state is persisted
+    req.session.save((err) => {
+      if (err) {
+        logger.error('Failed to save session', { error: err });
+        return res.status(500).json({ error: 'Failed to initiate login' });
+      }
 
-    res.redirect(url);
+      logger.info('Redirecting to Keycloak for authentication');
+      res.redirect(url);
+    });
   } catch (error) {
     logger.error('Error in login route', { error });
     res.status(500).json({ error: 'Failed to initiate login' });

backend/src/server.ts

@@ -71,6 +71,9 @@ async function startServer() {
     const sessionStore = await createSessionStore();
     const sessionMiddleware = createSessionMiddleware(sessionStore);
 
+    // Trust proxy - required when behind reverse proxy (Traefik/nginx)
+    app.set('trust proxy', true);
+
     app.use(helmetMiddleware);
     app.use(corsMiddleware);
     app.use(compressionMiddleware);