diff --git a/app/api/auth/[...nextauth]/route.ts b/app/api/auth/[...nextauth]/route.ts
index 1c48ac75..641eb7ad 100644
--- a/app/api/auth/[...nextauth]/route.ts
+++ b/app/api/auth/[...nextauth]/route.ts
@@ -35,7 +35,6 @@ declare module "next-auth" {
 role: string[];
 };
 accessToken: string;
- nextcloudToken: string;
 }
 interface JWT {
@@ -47,7 +46,6 @@ declare module "next-auth" {
 username: string;
 first_name: string;
 last_name: string;
- nextcloudToken: string;
 error?: string;
 }
 }
@@ -149,18 +147,37 @@ export const authOptions: NextAuthOptions = {
 });
 if (account && profile) {
- const decodedToken = jwtDecode(account.access_token!);
- return {
- ...token,
- accessToken: account.access_token,
- refreshToken: account.refresh_token,
- accessTokenExpires: account.expires_at! * 1000,
- role: decodedToken.realm_access?.roles || [],
- username: profile.preferred_username || '',
- first_name: profile.given_name || '',
- last_name: profile.family_name || '',
- nextcloudToken: account.access_token // Use the same token for NextCloud
- };
+ const keycloakProfile = profile as KeycloakProfile;
+ console.log('JWT callback profile:', { rawRoles: keycloakProfile.roles, realmAccess: keycloakProfile.realm_access, profile: keycloakProfile });
+
+ // Get roles from realm_access
+ const roles = keycloakProfile.realm_access?.roles || [];
+ console.log('JWT callback raw roles:', roles);
+
+ // Clean up roles by removing ROLE_ prefix and converting to lowercase
+ const cleanRoles = roles.map((role: string) => role.replace(/^ROLE_/, '').toLowerCase() );
+
+ console.log('JWT callback cleaned roles:', cleanRoles);
+
+ token.accessToken = account.access_token ?? '';
+ token.refreshToken = account.refresh_token ?? '';
+ token.accessTokenExpires = account.expires_at ?? 0;
+ token.sub = keycloakProfile.sub;
+ token.role = cleanRoles;
+ token.username = keycloakProfile.preferred_username ?? '';
+ token.first_name = keycloakProfile.given_name ?? '';
+ token.last_name = keycloakProfile.family_name ?? '';
+
+ console.log('JWT callback final token:', { tokenRoles: token.role, token });
 } else if (token.accessToken) {
 // Decode the token to get roles
 try {
@@ -184,7 +201,7 @@ export const authOptions: NextAuthOptions = {
 }
 }
- if (Date.now() < token.accessTokenExpires) {
+ if (Date.now() < (token.accessTokenExpires as number) * 1000) {
 return token;
 }
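Review bot: `console.log('JWT callback final token:', { tokenRoles: token.role, token })` at the end of the `account && profile` branch writes the whole JWT to the server log, including the `token.accessToken` and `token.refreshToken` assigned a few lines above; a refresh token in log output is a long-lived credential, and the earlier `console.log('JWT callback profile:', …)` with `profile: keycloakProfile` dumps the full ID-token claims (names, username) as well. Log only non-secret fields, e.g. `console.log('JWT callback final token:', { sub: token.sub, roles: token.role, expires: token.accessTokenExpires });`, drop the `profile: keycloakProfile` entry, or gate both behind a debug flag. Separately, the role normalisation `role.replace(/^ROLE_/, '').toLowerCase()` runs only in this branch; the `else if (token.accessToken)` branch that re-derives roles from the token continues past the end of the hunk, and if it does not apply the same mapping, authorization checks will see different role strings on first login than after a refresh. The enclosing `jwt` callback starts and ends outside the hunk.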
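Review bot: `if (Date.now() < (token.accessTokenExpires as number) * 1000)` now treats `token.accessTokenExpires` as seconds, which matches the new `token.accessTokenExpires = account.expires_at ?? 0` in the login branch, but any other writer of that field — the refresh path taken when this check fails lies outside the hunk — must store seconds too, since a millisecond value multiplied by 1000 is never less than `Date.now()` and an expired access token would then be kept indefinitely. The `as number` cast suggests the `JWT` augmentation at the top of this file does not declare the field; if it is not already there, adding `accessTokenExpires: number;` to that interface lets the compiler check the unit change and removes the assertion. The surrounding callback starts and ends outside the hunk.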
@@ -217,7 +234,6 @@ export const authOptions: NextAuthOptions = {
 role: userRoles,
 };
 session.accessToken = token.accessToken;
- session.nextcloudToken = token.nextcloudToken;
 console.log('Session callback final session:', { userRoles: session.user.role,
diff --git a/lib/nextcloud-utils.ts b/lib/nextcloud-utils.ts
index 4883ee07..efe9c98e 100644
--- a/lib/nextcloud-utils.ts
+++ b/lib/nextcloud-utils.ts
@@ -1,9 +1,8 @@
 import { getServerSession } from 'next-auth';
 import { NextCloudService } from './nextcloud';
-import { authOptions } from '@/app/api/auth/[...nextauth]/route';
 export async function getNextCloudService() {
- const session = await getServerSession(authOptions);
+ const session = await getServerSession();
 if (!session?.user?.email) {
 throw new Error('Not authenticated');
 }
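Review bot: `const session = await getServerSession();` in `lib/nextcloud-utils.ts` drops `authOptions`, so the `session` callback in route.ts that copies `token.accessToken` and the role list onto the session no longer shapes the session returned here; the rest of `getNextCloudService` runs past the end of the hunk and presumably needs `session.accessToken` to reach NextCloud, and with next-auth's default session shape that field will be undefined, so the call fails after the `email` check rather than at it. If the import was removed to break an import cycle between this file and the route module, move `authOptions` into its own module and import it from both, keeping `getServerSession(authOptions)`. The function body continues outside the hunk.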