From c0cb2d25a06afc56e3706ac49dab3bcae81a93b2 Mon Sep 17 00:00:00 2001
From: Mikkel Georgsen <msgeorgsen@gmail.com>
Date: Sun, 8 Feb 2026 12:55:35 +0100
Subject: [PATCH] Fix auth flow: federated logout, login page move, and
 healthcheck

- Add federated logout endpoint that clears Auth.js session AND ends
  Zitadel SSO session via OIDC end_session endpoint
- Move sign-in page from /auth/signin to /login to avoid Auth.js
  route conflict causing ERR_TOO_MANY_REDIRECTS
- Add callbackUrl to all signIn calls so users land on /dashboard
- Store id_token in session for federated logout id_token_hint
- Fix Zitadel healthcheck using binary ready command (no curl needed)
- Update post_logout_redirect_uri in setup script

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 apps/dashboard/src/app.d.ts                   |  2 ++
 apps/dashboard/src/auth.ts                    |  4 ++-
 apps/dashboard/src/routes/+page.svelte        |  4 +--
 .../api/auth/federated-logout/+server.ts      | 26 +++++++++++++++++++
 .../src/routes/dashboard/+layout.server.ts    |  2 +-
 .../src/routes/dashboard/+layout.svelte       |  4 +--
 .../src/routes/dashboard/account/+page.svelte |  3 +--
 .../src/routes/login/+page.server.ts          |  9 +++++++
 .../{auth/signin => login}/+page.svelte       |  8 +++---
 docker/docker-compose.dev.yml                 |  3 ++-
 docker/setup-zitadel.sh                       |  2 +-
 docker/zitadel-healthcheck.yaml               |  2 ++
 12 files changed, 54 insertions(+), 15 deletions(-)
 create mode 100644 apps/dashboard/src/routes/api/auth/federated-logout/+server.ts
 create mode 100644 apps/dashboard/src/routes/login/+page.server.ts
 rename apps/dashboard/src/routes/{auth/signin => login}/+page.svelte (93%)
 create mode 100644 docker/zitadel-healthcheck.yaml

diff --git a/apps/dashboard/src/app.d.ts b/apps/dashboard/src/app.d.ts
index 8334603..fb4ea81 100644
--- a/apps/dashboard/src/app.d.ts
+++ b/apps/dashboard/src/app.d.ts
@@ -3,6 +3,7 @@
 declare module '@auth/sveltekit' {
 	interface Session {
 		accessToken?: string;
+		idToken?: string;
 	}
 }
 
@@ -10,6 +11,7 @@ declare module '@auth/core/jwt' {
 	interface JWT {
 		accessToken?: string;
 		refreshToken?: string;
+		idToken?: string;
 		expiresAt?: number;
 	}
 }
diff --git a/apps/dashboard/src/auth.ts b/apps/dashboard/src/auth.ts
index 9cd616d..cf9f4cb 100644
--- a/apps/dashboard/src/auth.ts
+++ b/apps/dashboard/src/auth.ts
@@ -29,17 +29,19 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
 			if (account) {
 				token.accessToken = account.access_token;
 				token.refreshToken = account.refresh_token;
+				token.idToken = account.id_token;
 				token.expiresAt = account.expires_at;
 			}
 			return token;
 		},
 		async session({ session, token }) {
 			session.accessToken = token.accessToken as string;
+			session.idToken = token.idToken as string;
 			return session;
 		}
 	},
 	pages: {
-		signIn: '/auth/signin'
+		signIn: '/login'
 	},
 	trustHost: true
 });
diff --git a/apps/dashboard/src/routes/+page.svelte b/apps/dashboard/src/routes/+page.svelte
index 5a4262b..9cf3684 100644
--- a/apps/dashboard/src/routes/+page.svelte
+++ b/apps/dashboard/src/routes/+page.svelte
@@ -23,7 +23,7 @@
 				</a>
 			{:else}
 				<button
-					onclick={() => signIn('zitadel')}
+					onclick={() => signIn('zitadel', { callbackUrl: '/dashboard' })}
 					class="px-5 py-2 bg-blue-600 hover:bg-blue-500 rounded-lg font-medium transition-colors cursor-pointer"
 				>
 					Sign In
@@ -50,7 +50,7 @@
 			</a>
 		{:else}
 			<button
-				onclick={() => signIn('zitadel')}
+				onclick={() => signIn('zitadel', { callbackUrl: '/dashboard' })}
 				class="px-8 py-3 bg-blue-600 hover:bg-blue-500 rounded-lg text-lg font-medium transition-colors cursor-pointer"
 			>
 				Get Started
diff --git a/apps/dashboard/src/routes/api/auth/federated-logout/+server.ts b/apps/dashboard/src/routes/api/auth/federated-logout/+server.ts
new file mode 100644
index 0000000..3b4f6fa
--- /dev/null
+++ b/apps/dashboard/src/routes/api/auth/federated-logout/+server.ts
@@ -0,0 +1,26 @@
+import { redirect } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { env } from '$env/dynamic/private';
+
+export const GET: RequestHandler = async (event) => {
+	const session = await event.locals.auth();
+	const idToken = session?.idToken;
+
+	// Build Zitadel end_session URL
+	const issuer = env.AUTH_ZITADEL_ISSUER || 'http://localhost:8080';
+	const endSessionUrl = new URL('/oidc/v1/end_session', issuer);
+
+	if (idToken) {
+		endSessionUrl.searchParams.set('id_token_hint', idToken);
+	}
+	// Use the registered post_logout_redirect_uri
+	endSessionUrl.searchParams.set('post_logout_redirect_uri', 'http://localhost:5173');
+
+	// Clear the Auth.js session cookies
+	event.cookies.delete('authjs.session-token', { path: '/' });
+	event.cookies.delete('__Secure-authjs.session-token', { path: '/' });
+	event.cookies.delete('authjs.callback-url', { path: '/' });
+	event.cookies.delete('authjs.csrf-token', { path: '/' });
+
+	throw redirect(302, endSessionUrl.toString());
+};
diff --git a/apps/dashboard/src/routes/dashboard/+layout.server.ts b/apps/dashboard/src/routes/dashboard/+layout.server.ts
index b1b21b7..81e6b62 100644
--- a/apps/dashboard/src/routes/dashboard/+layout.server.ts
+++ b/apps/dashboard/src/routes/dashboard/+layout.server.ts
@@ -4,7 +4,7 @@ import type { LayoutServerLoad } from './$types';
 export const load: LayoutServerLoad = async (event) => {
 	const session = await event.locals.auth();
 	if (!session) {
-		throw redirect(303, '/auth/signin');
+		throw redirect(303, '/login');
 	}
 	return { session };
 };
diff --git a/apps/dashboard/src/routes/dashboard/+layout.svelte b/apps/dashboard/src/routes/dashboard/+layout.svelte
index 8d4d780..cd8085c 100644
--- a/apps/dashboard/src/routes/dashboard/+layout.svelte
+++ b/apps/dashboard/src/routes/dashboard/+layout.svelte
@@ -1,7 +1,5 @@
 <script lang="ts">
 	import { page } from '$app/stores';
-	import { signOut } from '@auth/sveltekit/client';
-
 	let { children } = $props();
 	let session = $derived($page.data.session);
 	let sidebarOpen = $state(false);
@@ -131,7 +129,7 @@
 						</div>
 					{/if}
 					<button
-						onclick={() => signOut()}
+						onclick={() => window.location.href = '/api/auth/federated-logout'}
 						class="text-sm text-slate-500 hover:text-red-600 dark:text-slate-400 dark:hover:text-red-400 transition-colors cursor-pointer"
 						title="Sign out"
 					>
diff --git a/apps/dashboard/src/routes/dashboard/account/+page.svelte b/apps/dashboard/src/routes/dashboard/account/+page.svelte
index 2e5c586..2ac7e8c 100644
--- a/apps/dashboard/src/routes/dashboard/account/+page.svelte
+++ b/apps/dashboard/src/routes/dashboard/account/+page.svelte
@@ -1,6 +1,5 @@
 <script lang="ts">
 	import { page } from '$app/stores';
-	import { signOut } from '@auth/sveltekit/client';
 	let session = $derived($page.data.session);
 
 	const zitadelAccountUrl = import.meta.env.PUBLIC_ZITADEL_ACCOUNT_URL || '#';
@@ -91,7 +90,7 @@
 			Sign out of your PVM account on this device.
 		</p>
 		<button
-			onclick={() => signOut({ callbackUrl: '/' })}
+			onclick={() => window.location.href = '/api/auth/federated-logout'}
 			class="inline-flex items-center gap-2 px-4 py-2 bg-red-600 hover:bg-red-700 text-white rounded-lg text-sm font-medium transition-colors cursor-pointer"
 		>
 			<svg class="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
diff --git a/apps/dashboard/src/routes/login/+page.server.ts b/apps/dashboard/src/routes/login/+page.server.ts
new file mode 100644
index 0000000..3ce867b
--- /dev/null
+++ b/apps/dashboard/src/routes/login/+page.server.ts
@@ -0,0 +1,9 @@
+import { redirect } from '@sveltejs/kit';
+import type { PageServerLoad } from './$types';
+
+export const load: PageServerLoad = async (event) => {
+	const session = await event.locals.auth();
+	if (session) {
+		throw redirect(303, '/dashboard');
+	}
+};
diff --git a/apps/dashboard/src/routes/auth/signin/+page.svelte b/apps/dashboard/src/routes/login/+page.svelte
similarity index 93%
rename from apps/dashboard/src/routes/auth/signin/+page.svelte
rename to apps/dashboard/src/routes/login/+page.svelte
index 18860b6..65d045d 100644
--- a/apps/dashboard/src/routes/auth/signin/+page.svelte
+++ b/apps/dashboard/src/routes/login/+page.svelte
@@ -17,7 +17,7 @@
 		<div class="bg-white/5 border border-white/10 rounded-2xl p-8 backdrop-blur-sm">
 			<!-- OIDC Sign In -->
 			<button
-				onclick={() => signIn('zitadel')}
+				onclick={() => signIn('zitadel', { callbackUrl: '/dashboard' })}
 				class="w-full flex items-center justify-center gap-3 px-4 py-3 bg-blue-600 hover:bg-blue-500 text-white rounded-lg font-medium transition-colors cursor-pointer"
 			>
 				<svg class="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
@@ -37,7 +37,7 @@
 
 			<div class="space-y-3">
 				<button
-					onclick={() => signIn('zitadel')}
+					onclick={() => signIn('zitadel', { callbackUrl: '/dashboard' })}
 					class="w-full flex items-center justify-center gap-3 px-4 py-3 bg-white/5 hover:bg-white/10 border border-white/10 text-white rounded-lg font-medium transition-colors cursor-pointer"
 				>
 					<svg class="w-5 h-5" viewBox="0 0 24 24" fill="currentColor">
@@ -50,7 +50,7 @@
 				</button>
 
 				<button
-					onclick={() => signIn('zitadel')}
+					onclick={() => signIn('zitadel', { callbackUrl: '/dashboard' })}
 					class="w-full flex items-center justify-center gap-3 px-4 py-3 bg-white/5 hover:bg-white/10 border border-white/10 text-white rounded-lg font-medium transition-colors cursor-pointer"
 				>
 					<svg class="w-5 h-5" viewBox="0 0 24 24" fill="currentColor">
@@ -60,7 +60,7 @@
 				</button>
 
 				<button
-					onclick={() => signIn('zitadel')}
+					onclick={() => signIn('zitadel', { callbackUrl: '/dashboard' })}
 					class="w-full flex items-center justify-center gap-3 px-4 py-3 bg-white/5 hover:bg-white/10 border border-white/10 text-white rounded-lg font-medium transition-colors cursor-pointer"
 				>
 					<svg class="w-5 h-5" viewBox="0 0 24 24" fill="#1877F2">
diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml
index 2b672dd..661e246 100644
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -39,8 +39,9 @@ services:
         condition: service_healthy
     volumes:
       - ./machinekey:/machinekey
+      - ./zitadel-healthcheck.yaml:/zitadel-healthcheck.yaml:ro
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:8080/debug/healthz"]
+      test: ["CMD", "/app/zitadel", "ready", "--config", "/zitadel-healthcheck.yaml"]
       interval: 10s
       timeout: 5s
       retries: 15
diff --git a/docker/setup-zitadel.sh b/docker/setup-zitadel.sh
index 94f4941..bdedc30 100755
--- a/docker/setup-zitadel.sh
+++ b/docker/setup-zitadel.sh
@@ -102,7 +102,7 @@ create_oidc_app() {
     -d '{
       "name": "PVM Dashboard",
       "redirectUris": ["http://localhost:5173/auth/callback/zitadel"],
-      "postLogoutRedirectUris": ["http://localhost:5173"],
+      "postLogoutRedirectUris": ["http://localhost:5173", "http://localhost:5173/login"],
       "responseTypes": ["OIDC_RESPONSE_TYPE_CODE"],
       "grantTypes": ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"],
       "appType": "OIDC_APP_TYPE_WEB",
diff --git a/docker/zitadel-healthcheck.yaml b/docker/zitadel-healthcheck.yaml
new file mode 100644
index 0000000..42b2dc8
--- /dev/null
+++ b/docker/zitadel-healthcheck.yaml
@@ -0,0 +1,2 @@
+TLS:
+  Mode: disabled