fix: auth configuration

Author: peppescg

dev-auth/oidc-provider.mjs

@@ -22,7 +22,7 @@ const configuration = {
       redirect_uris: [
         // Better Auth genericOAuth uses /oauth2/callback/:providerId
         "http://localhost:3000/api/auth/oauth2/callback/oidc",
-        "http://localhost:3001/api/auth/oauth2/callback/oidc",
+        "http://localhost:3000/api/auth/oauth2/callback/oidc",
         "http://localhost:3002/api/auth/oauth2/callback/oidc",
         "http://localhost:3003/api/auth/oauth2/callback/oidc",
       ],

src/app/login/page.tsx

@@ -2,12 +2,16 @@
 
 import { authClient } from "@/lib/auth-client";
 
+const OIDC_PROVIDER_ID = process.env.NEXT_PUBLIC_OIDC_PROVIDER_ID || "oidc";
+const OIDC_PROVIDER_NAME =
+  process.env.NEXT_PUBLIC_OIDC_PROVIDER_NAME || "OIDC Provider";
+
 export default function LoginPage() {
   const handleOIDCLogin = async () => {
     try {
       console.log("Initiating OIDC sign-in...");
       const { data, error } = await authClient.signIn.oauth2({
-        providerId: "oidc",
+        providerId: OIDC_PROVIDER_ID,
         callbackURL: "/dashboard",
       });
 
@@ -43,7 +47,7 @@ export default function LoginPage() {
           onClick={handleOIDCLogin}
           className="rounded-full bg-black px-8 py-3 text-white transition-colors hover:bg-zinc-800 dark:bg-white dark:text-black dark:hover:bg-zinc-200"
         >
-          Sign In with OIDC
+          Sign In with {OIDC_PROVIDER_NAME}
         </button>
       </main>
     </div>

src/lib/auth.ts

@@ -1,84 +1,43 @@
 import { betterAuth } from "better-auth";
 import { genericOAuth } from "better-auth/plugins";
 
-// Read from environment variables to support any OIDC provider
-const OIDC_ISSUER = process.env.OIDC_ISSUER_URL || "";
-const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID || "";
-const OIDC_CLIENT_SECRET = process.env.OIDC_CLIENT_SECRET || "";
-const BETTER_AUTH_SECRET =
-  process.env.BETTER_AUTH_SECRET || "build-time-placeholder";
-const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL || "http://localhost:3000";
+const OIDC_PROVIDER_ID = process.env.OIDC_PROVIDER_ID || "oidc";
+const OIDC_ISSUER = process.env.OIDC_ISSUER || "";
+const BASE_URL = process.env.BETTER_AUTH_URL || "http://localhost:3000";
 
-// Validate required environment variables (warnings only during build)
-const isBuild = process.env.NEXT_PHASE === "phase-production-build";
-
-if (!process.env.BETTER_AUTH_SECRET) {
-  const message =
-    "[Better Auth] BETTER_AUTH_SECRET is required. Set it in .env.local to a strong, random value.";
-  if (isBuild) {
-    console.warn(message);
-  } else {
-    throw new Error(message);
-  }
-}
-
-if (!OIDC_ISSUER || !OIDC_CLIENT_ID || !OIDC_CLIENT_SECRET) {
-  const message =
-    "[Better Auth] OIDC configuration is incomplete. Set OIDC_ISSUER_URL, OIDC_CLIENT_ID, and OIDC_CLIENT_SECRET in .env.local";
-  if (isBuild) {
-    console.warn(message);
-  } else {
-    throw new Error(message);
-  }
-}
-
-console.log("[Better Auth] OIDC Configuration:", {
-  issuer: OIDC_ISSUER,
-  clientId: OIDC_CLIENT_ID,
-  baseURL: BETTER_AUTH_URL,
-  discoveryUrl: `${OIDC_ISSUER}/.well-known/openid-configuration`,
-  callbackURL: `${BETTER_AUTH_URL}/api/auth/oauth2/callback/oidc`,
-});
-
-// Configure trusted origins - defaults to localhost ports for development
-// Set TRUSTED_ORIGINS environment variable for production (comma-separated list)
 const trustedOrigins = process.env.TRUSTED_ORIGINS
-  ? process.env.TRUSTED_ORIGINS.split(",").map((origin) => origin.trim())
-  : [
-      "http://localhost:3000",
-      "http://localhost:3001",
-      "http://localhost:3002",
-      "http://localhost:3003",
-    ];
+  ? process.env.TRUSTED_ORIGINS.split(",").map((s) => s.trim())
+  : [BASE_URL, "http://localhost:3002", "http://localhost:3003"];
 
-// Always include BETTER_AUTH_URL if not already present
-if (BETTER_AUTH_URL && !trustedOrigins.includes(BETTER_AUTH_URL)) {
-  trustedOrigins.push(BETTER_AUTH_URL);
+if (!trustedOrigins.includes(BASE_URL)) {
+  trustedOrigins.push(BASE_URL);
 }
 
 export const auth = betterAuth({
-  secret: BETTER_AUTH_SECRET,
-  baseURL: BETTER_AUTH_URL,
+  secret: process.env.BETTER_AUTH_SECRET || "build-time-placeholder",
+  baseURL: BASE_URL,
   trustedOrigins,
-  // No database configuration - running in stateless mode
   session: {
-    expiresIn: 60 * 60 * 24 * 7, // 7 days
+    expiresIn: 60 * 60 * 24 * 7,
     cookieCache: {
       enabled: true,
-      maxAge: 30 * 24 * 60 * 60, // 30 days cache duration
-      strategy: "jwe", // Use encrypted tokens for better security
-      refreshCache: true, // Enable stateless refresh
+      maxAge: 5 * 60,
     },
   },
   plugins: [
     genericOAuth({
       config: [
         {
-          providerId: "oidc",
+          providerId: OIDC_PROVIDER_ID,
           discoveryUrl: `${OIDC_ISSUER}/.well-known/openid-configuration`,
-          clientId: OIDC_CLIENT_ID,
-          clientSecret: OIDC_CLIENT_SECRET,
+          authorizationUrl: `${OIDC_ISSUER}/v1/authorize`,
+          tokenUrl: `${OIDC_ISSUER}/v1/token`,
+          userInfoUrl: `${OIDC_ISSUER}/v1/userinfo`,
+          redirectURI: `${BASE_URL}/api/auth/oauth2/callback/${OIDC_PROVIDER_ID}`,
+          clientId: process.env.OIDC_CLIENT_ID || "",
+          clientSecret: process.env.OIDC_CLIENT_SECRET || "",
           scopes: ["openid", "email", "profile"],
+          pkce: false,
         },
       ],
     }),