From 3d576f064270b2458e9e943729bb1947ad817154 Mon Sep 17 00:00:00 2001
From: Till Tomczak <till.tmk@gmail.com>
Date: Tue, 1 Apr 2025 14:10:48 +0200
Subject: [PATCH] =?UTF-8?q?Verbessere=20OAuth-Unterst=C3=BCtzung=20f=C3=BC?=
 =?UTF-8?q?r=20m040tbaraspi001.de040.corpintra.net?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Füge dynamische Erkennung und Konfiguration von Hostnamen hinzu
- Erweitere Caddy-Konfiguration für m040tbaraspi001.de040.corpintra.net
- Konfiguriere OAuth mit expliziter NEXT_PUBLIC_OAUTH_CALLBACK_URL
- Passe Deployment-Skripte für Unternehmens-Hostname an
- Füge verbesserte Logging und Validierung für OAuth-Callbacks hinzu
- Füge ALLOWED_CALLBACK_HOSTS für Hostname-Validierung hinzu

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .../docker/caddy/Caddyfile                    | 31 ++++++++++++++-
 .../reservation-platform/setup-backend-url.sh | 17 ++++++++-
 .../src/app/auth/login/callback/route.ts      | 14 +++++--
 .../src/server/auth/oauth.ts                  | 33 ++++++++++++++--
 .../src/utils/api-config.ts                   | 38 +++++++++++++++++--
 raspi-frontend-deploy.sh                      | 23 +++++++++--
 6 files changed, 139 insertions(+), 17 deletions(-)

diff --git a/packages/reservation-platform/docker/caddy/Caddyfile b/packages/reservation-platform/docker/caddy/Caddyfile
index beacec7..8534b94 100644
--- a/packages/reservation-platform/docker/caddy/Caddyfile
+++ b/packages/reservation-platform/docker/caddy/Caddyfile
@@ -2,7 +2,36 @@
     debug
 }
 
-m040tbaraspi001.de040.corpintra.net, m040tbaraspi001.de040.corpinter.net {
+# Hauptdomain für die Anwendung
+m040tbaraspi001.de040.corpintra.net, m040tbaraspi001, localhost {
     reverse_proxy myp-rp:3000
     tls internal
+
+    # Erlaube HTTP -> HTTPS Redirects für OAuth
+    @oauth path /auth/login/callback*
+    handle @oauth {
+        header Cache-Control "no-cache"
+        reverse_proxy myp-rp:3000
+    }
+    
+    # Allgemeine Header für Sicherheit und Caching
+    header {
+        # Sicherheitsheader
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        
+        # Cache-Control für statische Assets
+        @static {
+            path *.js *.css *.png *.jpg *.svg *.ico *.woff *.woff2
+        }
+        header @static Cache-Control "public, max-age=86400"
+        
+        # Keine Caches für dynamische Inhalte
+        @dynamic {
+            not path *.js *.css *.png *.jpg *.svg *.ico *.woff *.woff2
+        }
+        header @dynamic Cache-Control "no-store, no-cache, must-revalidate"
+    }
 }
\ No newline at end of file
diff --git a/packages/reservation-platform/setup-backend-url.sh b/packages/reservation-platform/setup-backend-url.sh
index 8c877d0..96eb5b6 100755
--- a/packages/reservation-platform/setup-backend-url.sh
+++ b/packages/reservation-platform/setup-backend-url.sh
@@ -33,6 +33,18 @@ else
   log "Verwende Standard-Backend-URL: ${BACKEND_URL}"
 fi
 
+# Bestimme den Hostnamen für OAuth
+HOSTNAME=$(hostname)
+if [[ "$HOSTNAME" == *"m040tbaraspi001"* ]] || [[ "$HOSTNAME" == *"corpintra"* ]]; then
+  FRONTEND_HOSTNAME="m040tbaraspi001.de040.corpintra.net"
+  OAUTH_URL="http://m040tbaraspi001.de040.corpintra.net/auth/login/callback"
+  log "Erkannt: Unternehmens-Hostname: $FRONTEND_HOSTNAME"
+else
+  FRONTEND_HOSTNAME="$HOSTNAME"
+  OAUTH_URL="http://$HOSTNAME:3000/auth/login/callback"
+  log "Lokaler Hostname: $FRONTEND_HOSTNAME"
+fi
+
 # Erstelle .env.local Datei mit Backend-URL
 log "${YELLOW}Erstelle .env.local Datei...${NC}"
 cat > "$ENV_FILE" << EOL
@@ -40,7 +52,10 @@ cat > "$ENV_FILE" << EOL
 NEXT_PUBLIC_API_URL=${BACKEND_URL}
 
 # Frontend-URL für OAuth Callback
-NEXT_PUBLIC_FRONTEND_URL=http://$(hostname):3000
+NEXT_PUBLIC_FRONTEND_URL=http://${FRONTEND_HOSTNAME}
+
+# Explizite OAuth Callback URL für GitHub
+NEXT_PUBLIC_OAUTH_CALLBACK_URL=${OAUTH_URL}
 
 # OAuth Konfiguration (falls nötig)
 OAUTH_CLIENT_ID=client_id
diff --git a/packages/reservation-platform/src/app/auth/login/callback/route.ts b/packages/reservation-platform/src/app/auth/login/callback/route.ts
index c9f93d0..e8416e2 100644
--- a/packages/reservation-platform/src/app/auth/login/callback/route.ts
+++ b/packages/reservation-platform/src/app/auth/login/callback/route.ts
@@ -1,6 +1,6 @@
 import { lucia } from "@/server/auth";
-import { type GitHubUserResult, github } from "@/server/auth/oauth";
-import { OAUTH_CALLBACK_URL } from "@/utils/api-config";
+import { type GitHubUserResult, github, isValidCallbackHost } from "@/server/auth/oauth";
+import { ALLOWED_CALLBACK_HOSTS, OAUTH_CALLBACK_URL } from "@/utils/api-config";
 import { db } from "@/server/db";
 import { users } from "@/server/db/schema";
 import { OAuth2RequestError } from "arctic";
@@ -22,11 +22,17 @@ export async function GET(request: Request): Promise<Response> {
 	const code = url.searchParams.get("code");
 	const state = url.searchParams.get("state");
 	const storedState = cookies().get("github_oauth_state")?.value ?? null;
+	
+	// Log für Debugging
+	console.log("OAuth Callback erhalten:", url.toString());
+	console.log("Callback URL Validierung:", isValidCallbackHost(url.toString()));
+	console.log("Erlaubte Hosts:", ALLOWED_CALLBACK_HOSTS);
+	
 	if (!code || !state || !storedState || state !== storedState) {
 		return new Response(
 			JSON.stringify({
-				status_text: "Something is wrong",
-				data: { code, state, storedState },
+				status_text: "Ungültiger OAuth-Callback",
+				data: { code, state, storedState, url: url.toString() },
 			}),
 			{
 				status: 400,
diff --git a/packages/reservation-platform/src/server/auth/oauth.ts b/packages/reservation-platform/src/server/auth/oauth.ts
index 8aec7cd..d878203 100644
--- a/packages/reservation-platform/src/server/auth/oauth.ts
+++ b/packages/reservation-platform/src/server/auth/oauth.ts
@@ -1,10 +1,23 @@
 import { GitHub } from "arctic";
-import { FRONTEND_URL, OAUTH_CALLBACK_URL } from "@/utils/api-config";
+import { ALLOWED_CALLBACK_HOSTS, FRONTEND_URL, OAUTH_CALLBACK_URL } from "@/utils/api-config";
 
-// Bestimme die Callback-URL basierend auf der Frontend-URL
+// Helper-Funktion, um die passende Callback-URL zu bestimmen
 const getCallbackUrl = () => {
-  console.log("Frontend URL:", FRONTEND_URL);
-  console.log("Verwende OAuth Callback URL:", OAUTH_CALLBACK_URL);
+  // Wenn eine spezifische OAuth-Callback-URL definiert ist, verwende diese
+  if (process.env.NEXT_PUBLIC_OAUTH_CALLBACK_URL) {
+    console.log("Verwende konfigurierte OAuth Callback URL:", process.env.NEXT_PUBLIC_OAUTH_CALLBACK_URL);
+    return process.env.NEXT_PUBLIC_OAUTH_CALLBACK_URL;
+  }
+  
+  // Für spezifischen Unternehmens-Hostname
+  if (FRONTEND_URL.includes('corpintra.net') || FRONTEND_URL.includes('m040tbaraspi001')) {
+    const url = `http://m040tbaraspi001.de040.corpintra.net/auth/login/callback`;
+    console.log("Verwende Unternehmens-Hostname für OAuth Callback:", url);
+    return url;
+  }
+  
+  // Fallback für lokale Entwicklung
+  console.log("Verwende Standard OAuth Callback URL:", OAUTH_CALLBACK_URL);
   return OAUTH_CALLBACK_URL;
 };
 
@@ -18,6 +31,18 @@ export const github = new GitHub(
   }
 );
 
+// Hilfsfunktion zur Validierung von OAuth-Callbacks
+export function isValidCallbackHost(url: string): boolean {
+  try {
+    const parsedUrl = new URL(url);
+    return ALLOWED_CALLBACK_HOSTS.some(host => parsedUrl.hostname === host || 
+                                              parsedUrl.hostname.includes(host));
+  } catch (e) {
+    console.error("Ungültige URL beim Validieren des Callback-Hosts:", url, e);
+    return false;
+  }
+}
+
 export interface GitHubUserResult {
 	id: number;
 	login: string;
diff --git a/packages/reservation-platform/src/utils/api-config.ts b/packages/reservation-platform/src/utils/api-config.ts
index a5e1351..edc1905 100644
--- a/packages/reservation-platform/src/utils/api-config.ts
+++ b/packages/reservation-platform/src/utils/api-config.ts
@@ -1,11 +1,41 @@
 // Basis-URL für Backend-API
 export const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL || "http://192.168.0.105:5000";
 
-// Frontendurl für Callbacks
-export const FRONTEND_URL = process.env.NEXT_PUBLIC_FRONTEND_URL || "http://localhost:3000";
+// Frontend-URL für Callbacks - unterstützt mehrere Domains
+const getFrontendUrl = () => {
+  // Priorität 1: Explizit gesetzte Umgebungsvariable
+  if (process.env.NEXT_PUBLIC_FRONTEND_URL) {
+    return process.env.NEXT_PUBLIC_FRONTEND_URL;
+  }
+  
+  // Priorität 2: Spezifischer Hostname für das Netzwerk
+  if (typeof window !== 'undefined') {
+    // Im Browser: Prüfen auf m040tbaraspi001.de040.corpintra.net
+    const hostname = window.location.hostname;
+    if (hostname === 'm040tbaraspi001' || 
+        hostname === 'm040tbaraspi001.de040.corpintra.net' ||
+        hostname.includes('corpintra.net')) {
+      return `http://${hostname}`;
+    }
+  }
+  
+  // Priorität 3: Default für Localhost
+  return "http://localhost:3000";
+};
 
-// OAuth Callback URL
-export const OAUTH_CALLBACK_URL = `${FRONTEND_URL}/auth/login/callback`;
+export const FRONTEND_URL = getFrontendUrl();
+
+// OAuth Callback URL - muss exakt mit der registrierten URL in GitHub übereinstimmen
+export const OAUTH_CALLBACK_URL = process.env.NEXT_PUBLIC_OAUTH_CALLBACK_URL || 
+                                 `${FRONTEND_URL}/auth/login/callback`;
+
+// Liste der erlaubten Hostnamen für OAuth-Callbacks
+export const ALLOWED_CALLBACK_HOSTS = [
+  'localhost',
+  'm040tbaraspi001',
+  'm040tbaraspi001.de040.corpintra.net',
+  '192.168.0.105'
+];
 
 // Endpunkte für die verschiedenen Ressourcen
 export const API_ENDPOINTS = {
diff --git a/raspi-frontend-deploy.sh b/raspi-frontend-deploy.sh
index 0fd4b1e..42502b6 100755
--- a/raspi-frontend-deploy.sh
+++ b/raspi-frontend-deploy.sh
@@ -96,6 +96,18 @@ configure_backend_url() {
       return 1
     fi
   else
+    # Bestimme den Hostnamen für OAuth
+    HOSTNAME=$(hostname)
+    if [[ "$HOSTNAME" == *"m040tbaraspi001"* ]] || [[ "$HOSTNAME" == *"corpintra"* ]]; then
+      FRONTEND_HOSTNAME="m040tbaraspi001.de040.corpintra.net"
+      OAUTH_URL="http://m040tbaraspi001.de040.corpintra.net/auth/login/callback"
+      log "Erkannt: Unternehmens-Hostname: $FRONTEND_HOSTNAME"
+    else
+      FRONTEND_HOSTNAME="$HOSTNAME"
+      OAUTH_URL="http://$HOSTNAME:3000/auth/login/callback"
+      log "Lokaler Hostname: $FRONTEND_HOSTNAME"
+    fi
+
     # Erstelle .env.local-Datei manuell
     log "Erstelle .env.local-Datei manuell..."
     cat > "$FRONTEND_DIR/.env.local" << EOL
@@ -103,7 +115,10 @@ configure_backend_url() {
 NEXT_PUBLIC_API_URL=${backend_url}
 
 # Frontend-URL für OAuth Callback
-NEXT_PUBLIC_FRONTEND_URL=http://$(hostname):3000
+NEXT_PUBLIC_FRONTEND_URL=http://${FRONTEND_HOSTNAME}
+
+# Explizite OAuth Callback URL für GitHub
+NEXT_PUBLIC_OAUTH_CALLBACK_URL=${OAUTH_URL}
 
 # OAuth Konfiguration (falls nötig)
 OAUTH_CLIENT_ID=client_id
@@ -244,7 +259,8 @@ services:
     container_name: ${CONTAINER_NAME}
     environment:
       - NEXT_PUBLIC_API_URL=${BACKEND_URL}
-      - NEXT_PUBLIC_FRONTEND_URL=http://$(hostname):3000
+      - NEXT_PUBLIC_FRONTEND_URL=http://${FRONTEND_HOSTNAME}
+      - NEXT_PUBLIC_OAUTH_CALLBACK_URL=${OAUTH_URL}
       - OAUTH_CLIENT_ID=client_id
       - OAUTH_CLIENT_SECRET=client_secret
     ports:
@@ -306,7 +322,8 @@ start_container_run() {
   if ! docker run -d --name "$CONTAINER_NAME" \
      -p 3000:3000 \
      -e "NEXT_PUBLIC_API_URL=$BACKEND_URL" \
-     -e "NEXT_PUBLIC_FRONTEND_URL=http://$(hostname):3000" \
+     -e "NEXT_PUBLIC_FRONTEND_URL=http://${FRONTEND_HOSTNAME}" \
+     -e "NEXT_PUBLIC_OAUTH_CALLBACK_URL=${OAUTH_URL}" \
      -e "OAUTH_CLIENT_ID=client_id" \
      -e "OAUTH_CLIENT_SECRET=client_secret" \
      -v "$DB_VOLUME_DIR:/app/db" \