From f7c992634879571d3506f6d8d5065959288853a9 Mon Sep 17 00:00:00 2001
From: Julien Froidefond
Date: Mon, 10 Nov 2025 23:15:53 +0100
Subject: [PATCH] feat(auth): enhance authentication process with secure cookie handling and detailed logging

- Implemented secure cookie options based on HTTPS detection to improve security.
- Added detailed logging for credential checks and user authentication flow to aid in debugging and monitoring.
---
 src/lib/auth.ts               | 26 ++++++++++++++++++++++++++
 src/services/core/database.ts |  6 ++++++
 2 files changed, 32 insertions(+)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index f4097b0..cfee16b 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -2,8 +2,23 @@ import { NextAuthOptions } from 'next-auth';
 import CredentialsProvider from 'next-auth/providers/credentials';
 import { usersService } from '@/services/users';
 
+// Détecter si on est en HTTPS
+const isHttps = process.env.NEXTAUTH_URL?.startsWith('https://') ?? false;
+
 export const authOptions: NextAuthOptions = {
   secret: process.env.NEXTAUTH_SECRET,
+  useSecureCookies: isHttps,
+  cookies: {
+    sessionToken: {
+      name: `${isHttps ? '__Secure-' : ''}next-auth.session-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: isHttps,
+      },
+    },
+  },
   providers: [
     CredentialsProvider({
       name: 'credentials',
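Review bot: `isHttps` silently falls back to `false` when `NEXTAUTH_URL` is unset, or when it is configured with `http://` behind a TLS-terminating proxy, so in such a deployment the session cookie is issued without the `Secure` attribute and without the `__Secure-` prefix and nothing reports the downgrade. Consider failing fast instead of downgrading, right after the `isHttps` declaration: `if (process.env.NODE_ENV === 'production' && !isHttps) throw new Error('NEXTAUTH_URL must use https:// in production');`. The comment `// Détecter si on est en HTTPS` would be more useful as `// Secure-cookie mode is derived from NEXTAUTH_URL: a missing or http:// value disables Secure and the __Secure- prefix`, since that coupling is the security-relevant fact here. The `authOptions` object continues past the end of this hunk.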
@@ -13,17 +28,25 @@ export const authOptions: NextAuthOptions = {
       },
       async authorize(credentials) {
         if (!credentials?.email || !credentials?.password) {
+          console.error('[Auth] Missing credentials');
           return null;
         }
 
         try {
+          console.log(`[Auth] Attempting login for: ${credentials.email}`);
+          console.log(`[Auth] NEXTAUTH_URL: ${process.env.NEXTAUTH_URL}`);
+          console.log(`[Auth] HTTPS mode: ${isHttps}`);
+
           // Chercher l'utilisateur dans la base de données
           const user = await usersService.getUserByEmail(credentials.email);
 
           if (!user) {
+            console.error(`[Auth] User not found: ${credentials.email}`);
             return null;
           }
 
+          console.log(`[Auth] User found: ${user.id} (${user.email})`);
+
           // Vérifier le mot de passe
           const isValidPassword = await usersService.verifyPassword(
             credentials.password,
@@ -31,9 +54,12 @@ export const authOptions: NextAuthOptions = {
           );
 
           if (!isValidPassword) {
+            console.error(`[Auth] Invalid password for: ${credentials.email}`);
             return null;
           }
 
+          console.log(`[Auth] Login successful for: ${credentials.email}`);
+
           return {
             id: user.id,
             email: user.email,
diff --git a/src/services/core/database.ts b/src/services/core/database.ts
index 1b892cc..3fde0ea 100644
--- a/src/services/core/database.ts
+++ b/src/services/core/database.ts
@@ -12,6 +12,12 @@ export const prisma =
   log: ['error'], // Désactiver les logs query/warn pour éviter le bruit
 });
 
+// Log de la configuration DB au démarrage (une seule fois)
+if (!globalThis.__prisma) {
+  const dbUrl = process.env.DATABASE_URL || 'NOT SET';
+  console.log(`[DB] DATABASE_URL: ${dbUrl.replace(/\/\/.*@/, '//***:***@')}`); // Masquer les credentials si présents
+}
+
 // En développement, stocker l'instance globalement pour éviter les reconnexions
 if (process.env.NODE_ENV !== 'production') {
   globalThis.__prisma = prisma;
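Review bot: The new log lines in `authorize` interpolate the caller-supplied `credentials.email` verbatim into stdout (here and again in the following hunk at `-31,9`), so a submitted value containing newlines or control characters can forge or split log records, and every attempt writes a PII value at info level. Serialising the value neutralises injected line breaks, e.g. `console.error('[Auth] User not found: ' + JSON.stringify(credentials.email));`, and leaving the address out of the success path (or logging `user.id` only) limits what ends up in log retention. The `NEXTAUTH_URL` and `HTTPS mode` lines are process constants and belong in a one-off startup log rather than on every login attempt. The distinct "User not found" and "Invalid password" messages are acceptable only because both branches still return `null` to the client; that identical response must be kept. `authorize` continues beyond the end of this hunk.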
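Review bot: The masked `DATABASE_URL` in the database.ts hunk still writes the host, port, database name and the entire query string to stdout; the regex strips only the `//user:pass@` userinfo, so a secret carried as a query parameter would be logged in clear, and a value without `//…@` is printed untouched. Parsing with the WHATWG `URL` class and logging only protocol, host and path avoids pattern-matching on a secret-bearing string; `process.env.DATABASE_URL || 'NOT SET'` also reads more clearly as `?? 'NOT SET'` unless an empty string is meant to count as unset. The rewrite below replaces the body of the added `if (!globalThis.__prisma)` block.
```typescript
// Log the DB target once at startup: protocol, host and path only, never userinfo or query string
if (!globalThis.__prisma) {
  const dbUrl = process.env.DATABASE_URL;
  let target = 'NOT SET';
  if (dbUrl) {
    try {
      const parsed = new URL(dbUrl);
      target = `${parsed.protocol}//${parsed.host}${parsed.pathname}`;
    } catch {
      target = 'set (not a parseable URL, value withheld)';
    }
  }
  console.log(`[DB] DATABASE_URL: ${target}`);
}
// … unchanged: development-only globalThis.__prisma caching …
```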