lionsdev/btpxpress-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Authentification fonctionnelle via security.lions.dev

Browse Source
This commit is contained in:
DahoudG
2025-11-01 14:16:20 +00:00
parent a5adb84a62
commit 1d68878601
20 changed files with 387 additions and 1067 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
app/api/auth/login/route.ts
View File

@@ -1,29 +0,0 @@
import { NextRequest, NextResponse } from 'next/server';
const KEYCLOAK_URL = process.env.NEXT_PUBLIC_KEYCLOAK_URL || 'https://security.lions.dev';
const KEYCLOAK_REALM = process.env.NEXT_PUBLIC_KEYCLOAK_REALM || 'btpxpress';
const CLIENT_ID = process.env.NEXT_PUBLIC_KEYCLOAK_CLIENT_ID || 'btpxpress-frontend';
const REDIRECT_URI = process.env.NEXT_PUBLIC_APP_URL
? `${process.env.NEXT_PUBLIC_APP_URL}/auth/callback`
: 'https://btpxpress.lions.dev/auth/callback';
export async function GET(request: NextRequest) {
console.log('🔐 Login API called');
// Générer un state aléatoire pour CSRF protection
const state = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
// Construire l'URL d'autorisation Keycloak
const authUrl = new URL(`${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth`);
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('state', state);
console.log('✅ Redirecting to Keycloak:', authUrl.toString());
// Rediriger vers Keycloak pour l'authentification
return NextResponse.redirect(authUrl.toString());
}

48
app/api/auth/logout/route.ts
View File

@@ -1,48 +0,0 @@
import { NextRequest, NextResponse } from 'next/server';
import { cookies } from 'next/headers';
const KEYCLOAK_URL = process.env.NEXT_PUBLIC_KEYCLOAK_URL || 'https://security.lions.dev';
const KEYCLOAK_REALM = process.env.NEXT_PUBLIC_KEYCLOAK_REALM || 'btpxpress';
const CLIENT_ID = process.env.NEXT_PUBLIC_KEYCLOAK_CLIENT_ID || 'btpxpress-frontend';
const POST_LOGOUT_REDIRECT_URI = process.env.NEXT_PUBLIC_APP_URL || 'https://btpxpress.lions.dev';
export async function GET(request: NextRequest) {
console.log('🚪 Logout API called');
const cookieStore = await cookies();
// Récupérer l'id_token avant de supprimer les cookies
const idToken = cookieStore.get('id_token')?.value;
// Supprimer tous les cookies d'authentification
cookieStore.delete('access_token');
cookieStore.delete('refresh_token');
cookieStore.delete('id_token');
cookieStore.delete('token_expires_at');
console.log('✅ Authentication cookies deleted');
// Si on a un id_token, on fait un logout Keycloak
if (idToken) {
const logoutUrl = new URL(
`${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout`
);
logoutUrl.searchParams.set('client_id', CLIENT_ID);
logoutUrl.searchParams.set('post_logout_redirect_uri', POST_LOGOUT_REDIRECT_URI);
logoutUrl.searchParams.set('id_token_hint', idToken);
console.log('✅ Redirecting to Keycloak logout');
return NextResponse.redirect(logoutUrl.toString());
}
// Sinon, rediriger directement vers la page d'accueil
console.log('✅ Redirecting to home page');
return NextResponse.redirect(POST_LOGOUT_REDIRECT_URI);
}
export async function POST(request: NextRequest) {
// Même logique pour POST
return GET(request);
}

138
app/api/auth/token/route.ts
View File

@@ -1,138 +0,0 @@
import { NextRequest, NextResponse } from 'next/server';
import { cookies } from 'next/headers';
const KEYCLOAK_URL = process.env.NEXT_PUBLIC_KEYCLOAK_URL || 'https://security.lions.dev';
const KEYCLOAK_REALM = process.env.NEXT_PUBLIC_KEYCLOAK_REALM || 'btpxpress';
const CLIENT_ID = process.env.NEXT_PUBLIC_KEYCLOAK_CLIENT_ID || 'btpxpress-frontend';
const REDIRECT_URI = process.env.NEXT_PUBLIC_APP_URL
? `${process.env.NEXT_PUBLIC_APP_URL}/auth/callback`
: 'https://btpxpress.lions.dev/auth/callback';
const TOKEN_ENDPOINT = `${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token`;
export async function POST(request: NextRequest) {
console.log('🔐 Token exchange API called');
try {
const body = await request.json();
const { code, state } = body;
if (!code) {
console.error('❌ No authorization code provided');
return NextResponse.json(
{ error: 'Code d\'autorisation manquant' },
{ status: 400 }
);
}
console.log('✅ Exchanging code with Keycloak...');
console.log('📍 Token endpoint:', TOKEN_ENDPOINT);
console.log('📍 Client ID:', CLIENT_ID);
console.log('📍 Redirect URI:', REDIRECT_URI);
// Préparer les paramètres pour l'échange de code
const params = new URLSearchParams({
grant_type: 'authorization_code',
client_id: CLIENT_ID,
code: code,
redirect_uri: REDIRECT_URI,
});
// Échanger le code contre des tokens
const tokenResponse = await fetch(TOKEN_ENDPOINT, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
body: params.toString(),
});
if (!tokenResponse.ok) {
const errorText = await tokenResponse.text();
console.error('❌ Keycloak token exchange failed:', tokenResponse.status, errorText);
let errorData;
try {
errorData = JSON.parse(errorText);
} catch {
errorData = { error: 'Token exchange failed', details: errorText };
}
return NextResponse.json(
{
error: errorData.error || 'Échec de l\'échange de token',
error_description: errorData.error_description || 'Erreur lors de la communication avec Keycloak',
details: errorData
},
{ status: tokenResponse.status }
);
}
const tokens = await tokenResponse.json();
console.log('✅ Tokens received from Keycloak');
// Stocker les tokens dans des cookies HttpOnly sécurisés
const cookieStore = await cookies();
const isProduction = process.env.NODE_ENV === 'production';
// Access token (durée: expires_in secondes)
cookieStore.set('access_token', tokens.access_token, {
httpOnly: true,
secure: isProduction,
sameSite: 'lax',
maxAge: tokens.expires_in || 300, // Par défaut 5 minutes
path: '/',
});
// Refresh token (durée plus longue)
if (tokens.refresh_token) {
cookieStore.set('refresh_token', tokens.refresh_token, {
httpOnly: true,
secure: isProduction,
sameSite: 'lax',
maxAge: tokens.refresh_expires_in || 1800, // Par défaut 30 minutes
path: '/',
});
}
// ID token
if (tokens.id_token) {
cookieStore.set('id_token', tokens.id_token, {
httpOnly: true,
secure: isProduction,
sameSite: 'lax',
maxAge: tokens.expires_in || 300,
path: '/',
});
}
// Stocker aussi le temps d'expiration
cookieStore.set('token_expires_at', String(Date.now() + (tokens.expires_in * 1000)), {
httpOnly: true,
secure: isProduction,
sameSite: 'lax',
maxAge: tokens.expires_in || 300,
path: '/',
});
console.log('✅ Tokens stored in HttpOnly cookies');
// Retourner une réponse de succès (sans les tokens)
return NextResponse.json({
success: true,
message: 'Authentification réussie',
expires_in: tokens.expires_in,
});
} catch (error) {
console.error('❌ Error in token exchange API:', error);
return NextResponse.json(
{
error: 'Erreur serveur',
message: error instanceof Error ? error.message : 'Erreur inconnue'
},
{ status: 500 }
);
}
}

82
app/api/auth/userinfo/route.ts
View File

@@ -1,82 +0,0 @@
import { NextRequest, NextResponse } from 'next/server';
import { cookies } from 'next/headers';
const KEYCLOAK_URL = process.env.NEXT_PUBLIC_KEYCLOAK_URL || 'https://security.lions.dev';
const KEYCLOAK_REALM = process.env.NEXT_PUBLIC_KEYCLOAK_REALM || 'btpxpress';
const USERINFO_ENDPOINT = `${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo`;
export async function GET(request: NextRequest) {
console.log('👤 Userinfo API called');
try {
const cookieStore = await cookies();
const accessToken = cookieStore.get('access_token')?.value;
if (!accessToken) {
console.error('❌ No access token found');
return NextResponse.json(
{ error: 'Non authentifié', authenticated: false },
{ status: 401 }
);
}
console.log('✅ Access token found, fetching user info from Keycloak');
// Récupérer les informations utilisateur depuis Keycloak
const userinfoResponse = await fetch(USERINFO_ENDPOINT, {
method: 'GET',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json',
},
});
if (!userinfoResponse.ok) {
const errorText = await userinfoResponse.text();
console.error('❌ Keycloak userinfo failed:', userinfoResponse.status, errorText);
// Si le token est invalide ou expiré
if (userinfoResponse.status === 401) {
// Supprimer les cookies invalides
cookieStore.delete('access_token');
cookieStore.delete('refresh_token');
cookieStore.delete('id_token');
cookieStore.delete('token_expires_at');
return NextResponse.json(
{ error: 'Token expiré ou invalide', authenticated: false },
{ status: 401 }
);
}
return NextResponse.json(
{
error: 'Erreur lors de la récupération des informations utilisateur',
authenticated: false
},
{ status: userinfoResponse.status }
);
}
const userinfo = await userinfoResponse.json();
console.log('✅ User info retrieved:', userinfo.preferred_username || userinfo.sub);
return NextResponse.json({
authenticated: true,
user: userinfo,
});
} catch (error) {
console.error('❌ Error in userinfo API:', error);
return NextResponse.json(
{
error: 'Erreur serveur',
authenticated: false,
message: error instanceof Error ? error.message : 'Erreur inconnue'
},
{ status: 500 }
);
}
}