Fix Auth0 authentication: update auth routes with better logging and config handling

.env.example

@@ -1,32 +1,27 @@
-# Server Configuration
-PORT=9991
-NODE_ENV=development
-
-# App URL (your frontend URL)
-APP_URL=https://moxiegen.client.guacamolebox.net
-
-# CORS
-CORS_ORIGIN=https://moxiegen.client.guacamolebox.net
-
 # Auth0 Configuration
 AUTH0_DOMAIN=dev-t13zhs74oltgqtfx.us.auth0.com
-AUTH0_CLIENT_ID=your-client-id-here
+AUTH0_CLIENT_ID=AWRYU8EBnKaHvRQOMXXADxgGEoBN45oN
 AUTH0_CLIENT_SECRET=your-client-secret-here
 AUTH0_AUDIENCE=https://dev-t13zhs74oltgqtfx.us.auth0.com/api/v2/
 
-# Stripe Configuration (for future use)
-STRIPE_SECRET_KEY=sk_test_xxx
-STRIPE_WEBHOOK_SECRET=whsec_xxx
-STRIPE_PUBLISHABLE_KEY=pk_test_xxx
+# Application URL
+APP_URL=https://moxiegen.client.guacamolebox.net
 
-# PayPal Configuration (for future use)
-PAYPAL_CLIENT_ID=xxx
-PAYPAL_CLIENT_SECRET=xxx
-PAYPAL_WEBHOOK_ID=xxx
-PAYPAL_MODE=sandbox
+# Server Configuration
+PORT=9991
+NODE_ENV=production
 
-# JWT Secret (optional, for additional security)
-JWT_SECRET=your-super-secret-key-change-in-production
+# CORS Origin
+CORS_ORIGIN=https://moxiegen.client.guacamolebox.net
 
-# First Admin User (will be promoted to admin on first login if email matches)
-ADMIN_EMAIL=admin@example.com
+# JWT Secret for signing (optional, for additional security)
+JWT_SECRET=your-jwt-secret-change-this-in-production
+
+# Stripe (for future use)
+STRIPE_SECRET_KEY=
+STRIPE_WEBHOOK_SECRET=
+
+# PayPal (for future use)
+PAYPAL_CLIENT_ID=
+PAYPAL_CLIENT_SECRET=
+PAYPAL_WEBHOOK_ID=

src/routes/auth.js

@@ -7,6 +7,7 @@ const router = express.Router();
 const AUTH0_DOMAIN = process.env.AUTH0_DOMAIN || 'dev-t13zhs74oltgqtfx.us.auth0.com';
 const AUTH0_CLIENT_ID = process.env.AUTH0_CLIENT_ID;
 const AUTH0_CLIENT_SECRET = process.env.AUTH0_CLIENT_SECRET;
+const AUTH0_AUDIENCE = process.env.AUTH0_AUDIENCE || '';
 
 /**
  * @route   GET /api/auth/callback
@@ -26,26 +27,44 @@ router.get('/callback', asyncHandler(async (req, res) => {
   }
 
   try {
-    // Exchange code for tokens
-    const tokenResponse = await fetch(`https://${AUTH0_DOMAIN}/oauth/token`, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
+    // Build token request body
+    const tokenRequestBody = {
       grant_type: 'authorization_code',
       client_id: AUTH0_CLIENT_ID,
       client_secret: AUTH0_CLIENT_SECRET,
       code,
       redirect_uri: `${process.env.APP_URL || 'https://moxiegen.client.guacamolebox.net'}/dashboard.html`
-      })
+    };
+
+    // Only add audience if configured
+    if (AUTH0_AUDIENCE && AUTH0_AUDIENCE.trim() !== '') {
+      tokenRequestBody.audience = AUTH0_AUDIENCE;
+    }
+
+    console.log('Token exchange request:', {
+      domain: AUTH0_DOMAIN,
+      client_id: AUTH0_CLIENT_ID ? 'configured' : 'missing',
+      client_secret: AUTH0_CLIENT_SECRET ? 'configured' : 'missing',
+      redirect_uri: tokenRequestBody.redirect_uri,
+      audience: tokenRequestBody.audience || 'not set'
+    });
+
+    // Exchange code for tokens
+    const tokenResponse = await fetch(`https://${AUTH0_DOMAIN}/oauth/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(tokenRequestBody)
     });
 
     const tokens = await tokenResponse.json();
 
     if (tokens.error) {
-      console.error('Token exchange error:', tokens.error);
+      console.error('Token exchange error:', tokens.error, tokens.error_description);
       throw new Error(tokens.error_description || tokens.error);
     }
 
+    console.log('Token exchange successful');
+
     // Redirect to frontend with tokens
     const frontendUrl = process.env.APP_URL || 'https://moxiegen.client.guacamolebox.net';
     res.redirect(`${frontendUrl}/dashboard.html?access_token=${tokens.access_token}&id_token=${tokens.id_token}&expires_in=${tokens.expires_in}`);
@@ -69,24 +88,43 @@ router.post('/token', asyncHandler(async (req, res) => {
   }
 
   try {
-    const tokenResponse = await fetch(`https://${AUTH0_DOMAIN}/oauth/token`, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
+    // Build token request body
+    const tokenRequestBody = {
       grant_type: 'authorization_code',
       client_id: AUTH0_CLIENT_ID,
       client_secret: AUTH0_CLIENT_SECRET,
       code,
       redirect_uri: redirect_uri || `${process.env.APP_URL || 'https://moxiegen.client.guacamolebox.net'}/dashboard.html`
-      })
+    };
+
+    // Only add audience if configured
+    if (AUTH0_AUDIENCE && AUTH0_AUDIENCE.trim() !== '') {
+      tokenRequestBody.audience = AUTH0_AUDIENCE;
+    }
+
+    console.log('POST Token exchange request:', {
+      domain: AUTH0_DOMAIN,
+      client_id: AUTH0_CLIENT_ID ? 'configured' : 'missing',
+      client_secret: AUTH0_CLIENT_SECRET ? 'configured' : 'missing',
+      redirect_uri: tokenRequestBody.redirect_uri,
+      audience: tokenRequestBody.audience || 'not set'
+    });
+
+    const tokenResponse = await fetch(`https://${AUTH0_DOMAIN}/oauth/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(tokenRequestBody)
     });
 
     const tokens = await tokenResponse.json();
 
     if (tokens.error) {
+      console.error('POST Token exchange error:', tokens.error, tokens.error_description);
       return res.status(400).json(ApiResponse(false, null, tokens.error_description || tokens.error));
     }
 
+    console.log('POST Token exchange successful');
+
     res.json(ApiResponse(true, {
       access_token: tokens.access_token,
       id_token: tokens.id_token,
@@ -132,7 +170,7 @@ router.get('/config', (req, res) => {
   res.json(ApiResponse(true, {
     domain: AUTH0_DOMAIN,
     clientId: AUTH0_CLIENT_ID,
-    audience: process.env.AUTH0_AUDIENCE || `https://${AUTH0_DOMAIN}/api/v2/`
+    audience: AUTH0_AUDIENCE || ''
   }));
 });