feat(auth): implement public authentication handoff and session management

Author: Andreas-Froyland

components/public/PublicFeedbackBoard.vue

@@ -948,7 +948,7 @@
 </template>
 
 <script>
-import { authClient } from '~/lib/auth-client'
+import { completePublicAuthHandoffFromUrl, fetchPublicAuthSession } from '~/lib/public-auth-handoff'
 
 const ROADMAP_PREFETCH_CACHE_TTL_MS = 60_000
 const FEEDBACK_DETAILS_PREFETCH_CACHE_TTL_MS = 30_000
@@ -1170,7 +1170,7 @@ export default {
       await this.$nextTick()
       this.setupScrollObserver()
       this.warmRoadmapData()
-      this.checkAdminStatus()
+      await this.checkAdminStatus()
       return
     }
     try {
@@ -1179,7 +1179,7 @@ export default {
       this.applyTheme(this.projectData?.project?.settings?.themeMode || 'system')
       await this.loadFeedback()
       this.warmRoadmapData()
-      this.checkAdminStatus()
+      await this.checkAdminStatus()
     } catch (err) {
       console.error('Error loading project:', err)
       this.error = 'This feedback page could not be found.'
@@ -1606,16 +1606,31 @@ export default {
     },
     async checkAdminStatus() {
       if (!import.meta.client) return
+
+      const handoffCompleted = await completePublicAuthHandoffFromUrl().catch(() => false)
+
       try {
-        const sessionResult = await authClient.getSession()
-        if (!sessionResult?.data?.user) return
-        this.currentUser = sessionResult.data.user
-        this.submitForm.authorName = sessionResult.data.user.name || ''
-        this.submitForm.authorEmail = sessionResult.data.user.email || ''
+        const sessionResult = await fetchPublicAuthSession()
+        const currentUser = sessionResult?.user || null
+
+        this.currentUser = currentUser
+        this.isAdmin = false
+        this.submitForm.authorName = currentUser?.name || ''
+        this.submitForm.authorEmail = currentUser?.email || ''
+
+        if (!currentUser) {
+          return
+        }
+
+        if (handoffCompleted) {
+          await $fetch('/api/auth/merge-anonymous', { method: 'POST' }).catch(() => {})
+        }
+
         const response = await $fetch('/api/teams/list-user')
         const teams = response?.data || []
         this.isAdmin = teams.some((t) => t.slug === this.teamSlug)
       } catch {
+        this.currentUser = null
         this.isAdmin = false
       }
     },

components/public/PublicRoadmap.vue

@@ -336,7 +336,7 @@
 </template>
 
 <script>
-import { authClient } from '~/lib/auth-client'
+import { completePublicAuthHandoffFromUrl, fetchPublicAuthSession } from '~/lib/public-auth-handoff'
 
 const FEEDBACK_BOARD_PREFETCH_CACHE_TTL_MS = 60_000
 
@@ -476,7 +476,7 @@ export default {
       this.columnsLoading = false
       this.applyTheme(data.project?.settings?.themeMode || 'system')
       this.warmFeedbackBoardData()
-      this.checkCurrentUser()
+      await this.checkCurrentUser()
       return
     }
     try {
@@ -486,7 +486,7 @@ export default {
       this.columns = data.columns || []
       this.applyTheme(this.projectData.project.settings?.themeMode || 'system')
       this.warmFeedbackBoardData()
-      this.checkCurrentUser()
+      await this.checkCurrentUser()
     } catch (err) {
       console.error('Error loading roadmap:', err)
       this.error = 'This roadmap could not be found.'
@@ -538,9 +538,15 @@ export default {
     },
     async checkCurrentUser() {
       if (!import.meta.client) return
+
+      const handoffCompleted = await completePublicAuthHandoffFromUrl().catch(() => false)
+
       try {
-        const sessionResult = await authClient.getSession()
-        this.currentUser = sessionResult?.data?.user || null
+        const sessionResult = await fetchPublicAuthSession()
+        this.currentUser = sessionResult?.user || null
+        if (handoffCompleted && this.currentUser) {
+          await $fetch('/api/auth/merge-anonymous', { method: 'POST' }).catch(() => {})
+        }
       } catch {
         this.currentUser = null
       }

lib/auth-redirect.ts

@@ -43,6 +43,22 @@ export function parseRedirectUrl(rawRedirect: string): URL | null {
   }
 }
 
+export function getMainAppUrl() {
+  if (!import.meta.client) {
+    return ''
+  }
+
+  const config = useRuntimeConfig()
+  const appDomain = normalizeHostname(String(config.public.appDomain || 'localhost'))
+  const dashboardDomain = normalizeHostname(
+    String(config.public.dashboardDomain || (appDomain === 'localhost' ? 'localhost' : `app.${appDomain}`))
+  )
+  const protocol = window.location.protocol
+  const port = dashboardDomain === 'localhost' ? `:${window.location.port}` : ''
+
+  return `${protocol}//${dashboardDomain}${port}`
+}
+
 export async function resolveSafeRedirectTarget(rawRedirect: unknown, fallback = '/dashboard'): Promise<string> {
   if (!rawRedirect || typeof rawRedirect !== 'string') {
     return fallback
@@ -100,3 +116,42 @@ export async function resolveSafeRedirectTarget(rawRedirect: unknown, fallback =
 
   return fallback
 }
+
+export async function resolvePostAuthRedirectTarget(rawRedirect: unknown, fallback = '/dashboard'): Promise<string> {
+  const target = await resolveSafeRedirectTarget(rawRedirect, fallback)
+
+  if (!import.meta.client || target.startsWith('/')) {
+    return target
+  }
+
+  const parsed = parseRedirectUrl(target)
+  if (!parsed) {
+    return fallback
+  }
+
+  const redirectHost = normalizeHostname(parsed.hostname)
+  const config = useRuntimeConfig()
+  const appDomain = normalizeHostname(String(config.public.appDomain || 'localhost'))
+  const dashboardDomain = normalizeHostname(
+    String(config.public.dashboardDomain || (appDomain === 'localhost' ? 'localhost' : `app.${appDomain}`))
+  )
+  const currentHost = normalizeHostname(window.location.hostname)
+
+  if (
+    isAppHostedRedirectHost({
+      redirectHost,
+      currentHost,
+      appDomain,
+      dashboardDomain,
+    })
+  ) {
+    return parsed.toString()
+  }
+
+  const mainAppUrl = getMainAppUrl()
+  if (!mainAppUrl) {
+    return parsed.toString()
+  }
+
+  return `${mainAppUrl}/api/public/auth/handoff/start?target=${encodeURIComponent(parsed.toString())}`
+}

lib/public-auth-handoff.ts

@@ -0,0 +1,32 @@
+export const PUBLIC_AUTH_HANDOFF_QUERY_PARAM = 'authHandoff'
+
+function stripPublicAuthHandoffTokenFromUrl() {
+  if (!import.meta.client) return
+
+  const url = new URL(window.location.href)
+  url.searchParams.delete(PUBLIC_AUTH_HANDOFF_QUERY_PARAM)
+  window.history.replaceState({}, '', url.toString())
+}
+
+export async function completePublicAuthHandoffFromUrl() {
+  if (!import.meta.client) return false
+
+  const url = new URL(window.location.href)
+  const token = url.searchParams.get(PUBLIC_AUTH_HANDOFF_QUERY_PARAM)
+  if (!token) return false
+
+  try {
+    await $fetch('/api/public/auth/handoff/consume', {
+      method: 'POST',
+      body: { token },
+    })
+    return true
+  } finally {
+    stripPublicAuthHandoffTokenFromUrl()
+  }
+}
+
+export async function fetchPublicAuthSession() {
+  const response = await $fetch<{ data?: { session?: any; user?: any } | null }>('/api/public/auth/session')
+  return response?.data || { session: null, user: null }
+}

middleware/auth.global.ts

@@ -1,4 +1,5 @@
 import { authClient } from '~/lib/auth-client'
+import { resolvePostAuthRedirectTarget } from '~/lib/auth-redirect'
 
 export default defineNuxtRouteMiddleware(async (to, _from) => {
   // Skip middleware on server-side during generation/build
@@ -63,8 +64,12 @@ export default defineNuxtRouteMiddleware(async (to, _from) => {
         return
       }
       const redirect = to.query.redirect
-      if (redirect && typeof redirect === 'string' && redirect.startsWith('/')) {
-        return navigateTo(redirect)
+      if (redirect && typeof redirect === 'string') {
+        const target = await resolvePostAuthRedirectTarget(redirect, '/dashboard')
+        if (target.startsWith('http://') || target.startsWith('https://')) {
+          return navigateTo(target, { external: true })
+        }
+        return navigateTo(target)
       }
       return navigateTo('/dashboard')
     }

pages/login/index.vue

@@ -178,7 +178,7 @@
 
 <script>
 import { authClient } from '~/lib/auth-client'
-import { resolveSafeRedirectTarget } from '~/lib/auth-redirect'
+import { resolvePostAuthRedirectTarget, resolveSafeRedirectTarget } from '~/lib/auth-redirect'
 
 export default {
   name: 'LoginPage',
@@ -203,6 +203,10 @@ export default {
       return resolveSafeRedirectTarget(rawRedirect, fallback)
     },
 
+    async resolvePostAuthTarget(rawRedirect, fallback = '/dashboard') {
+      return resolvePostAuthRedirectTarget(rawRedirect, fallback)
+    },
+
     async handleSubmit() {
       if (!this.email || !this.password) {
         this.error = 'Please enter both email and password'
@@ -222,7 +226,7 @@ export default {
           this.error = result.error.message || 'Sign in failed'
         } else {
           $fetch('/api/auth/merge-anonymous', { method: 'POST' }).catch(() => {})
-          const target = await this.resolveRedirectTarget(this.$route.query.redirect, '/dashboard')
+          const target = await this.resolvePostAuthTarget(this.$route.query.redirect, '/dashboard')
           // Hard reload when adding an account to clear all in-memory session caches
           if (this.$route.query.addAccount === 'true') {
             window.location.href = target
@@ -250,7 +254,7 @@ export default {
       this.error = ''
 
       try {
-        const callbackURL = await this.resolveRedirectTarget(this.$route.query.redirect, '/dashboard')
+        const callbackURL = await this.resolvePostAuthTarget(this.$route.query.redirect, '/dashboard')
 
         const result = await authClient.signIn.magicLink({
           email: this.email,
@@ -275,7 +279,7 @@ export default {
       this.error = ''
 
       try {
-        const callbackURL = await this.resolveRedirectTarget(this.$route.query.redirect, '/dashboard')
+        const callbackURL = await this.resolvePostAuthTarget(this.$route.query.redirect, '/dashboard')
         await authClient.signIn.social({
           provider: 'github',
           callbackURL,

pages/signup/index.vue

@@ -113,7 +113,7 @@
 
 <script>
 import { authClient } from '~/lib/auth-client'
-import { resolveSafeRedirectTarget } from '~/lib/auth-redirect'
+import { resolvePostAuthRedirectTarget, resolveSafeRedirectTarget } from '~/lib/auth-redirect'
 
 export default {
   name: 'SignUpPage',
@@ -137,6 +137,10 @@ export default {
       return resolveSafeRedirectTarget(rawRedirect, fallback)
     },
 
+    async resolvePostAuthTarget(rawRedirect, fallback = '/dashboard') {
+      return resolvePostAuthRedirectTarget(rawRedirect, fallback)
+    },
+
     async handleSubmit() {
       if (!this.name || !this.email || !this.password) {
         this.error = 'Please fill in all fields'
@@ -162,7 +166,7 @@ export default {
           this.error = result.error.message || 'Sign up failed'
         } else {
           $fetch('/api/auth/merge-anonymous', { method: 'POST' }).catch(() => {})
-          const target = await this.resolveRedirectTarget(this.$route.query.redirect, '/dashboard')
+          const target = await this.resolvePostAuthTarget(this.$route.query.redirect, '/dashboard')
           if (target.startsWith('http://') || target.startsWith('https://')) {
             window.location.href = target
           } else {
@@ -182,7 +186,7 @@ export default {
       this.error = ''
 
       try {
-        const callbackURL = await this.resolveRedirectTarget(this.$route.query.redirect, '/dashboard')
+        const callbackURL = await this.resolvePostAuthTarget(this.$route.query.redirect, '/dashboard')
         await authClient.signIn.social({
           provider: 'github',
           callbackURL,

server/api/public/auth/handoff/consume.post.ts

@@ -0,0 +1,54 @@
+import { getRequestURL } from 'h3'
+import { z } from 'zod'
+import { normalizeHostname } from '~/lib/auth-redirect'
+import { createSuccessResponse } from '~/server/utils/response'
+import {
+  findPublicAuthSession,
+  parsePublicAuthHandoffToken,
+  setPublicAuthSessionCookies,
+} from '~/server/utils/public-auth-handoff'
+import { validateBody } from '~/server/utils/validation'
+
+const bodySchema = z.object({
+  token: z.string().min(1),
+})
+
+export default defineEventHandler(async (event) => {
+  const body = await validateBody(event, bodySchema)
+  const currentHost = normalizeHostname(getRequestURL(event).hostname)
+  const handoff = await parsePublicAuthHandoffToken(body.token)
+
+  if (handoff.targetHost !== currentHost) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Forbidden',
+    })
+  }
+
+  const authSession = await findPublicAuthSession(handoff.sessionToken)
+  if (!authSession) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Unauthorized',
+    })
+  }
+
+  await setPublicAuthSessionCookies(event, {
+    dontRememberMe: handoff.dontRememberMe,
+    session: authSession.session,
+  })
+
+  return createSuccessResponse({
+    session: {
+      id: authSession.session.id,
+      expiresAt: authSession.session.expiresAt,
+    },
+    user: {
+      id: authSession.user.id,
+      email: authSession.user.email,
+      name: authSession.user.name,
+      image: authSession.user.image || null,
+      emailVerified: authSession.user.emailVerified,
+    },
+  })
+})