| import { NextResponse } from "next/server"; |
| import { cookies } from "next/headers"; |
| import { |
| buildOidcAuthorizationUrl, |
| createOidcNonce, |
| createOidcState, |
| createPkcePair, |
| fetchOidcDiscovery, |
| getOidcRuntimeConfig, |
| getPublicOrigin, |
| } from "@/lib/auth/oidc"; |
| import { shouldUseSecureCookie } from "@/lib/auth/dashboardSession"; |
|
|
| export async function GET(request) { |
| try { |
| const config = await getOidcRuntimeConfig(); |
| if (!config) { |
| return NextResponse.redirect(new URL("/login?error=oidc_not_configured", getPublicOrigin(request))); |
| } |
|
|
| const discovery = await fetchOidcDiscovery(config.issuerUrl); |
| const state = createOidcState(); |
| const nonce = createOidcNonce(); |
| const { verifier, challenge } = createPkcePair(); |
| const redirectUri = `${getPublicOrigin(request)}/api/auth/oidc/callback`; |
| const authUrl = buildOidcAuthorizationUrl({ |
| authorizationEndpoint: discovery.authorization_endpoint, |
| clientId: config.clientId, |
| redirectUri, |
| scopes: config.scopes, |
| state, |
| nonce, |
| codeChallenge: challenge, |
| }); |
|
|
| const cookieStore = await cookies(); |
| const baseOptions = { |
| httpOnly: true, |
| secure: shouldUseSecureCookie(request), |
| sameSite: "lax", |
| path: "/", |
| maxAge: 10 * 60, |
| }; |
| cookieStore.set("oidc_state", state, baseOptions); |
| cookieStore.set("oidc_nonce", nonce, baseOptions); |
| cookieStore.set("oidc_code_verifier", verifier, baseOptions); |
|
|
| return NextResponse.redirect(authUrl); |
| } catch (error) { |
| return NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(error.message || "oidc_start_failed")}`, getPublicOrigin(request))); |
| } |
| } |
|
|