Expand Freebuff auth code diagnostics

jahooma · jahooma · commit 6b85906126d3 · 2026-05-12T14:16:29.000-07:00
diff --git a/freebuff/web/src/app/api/auth/[...nextauth]/auth-options.ts b/freebuff/web/src/app/api/auth/[...nextauth]/auth-options.ts
@@ -15,6 +15,10 @@ import GitHubProvider from 'next-auth/providers/github'
 import type { NextAuthOptions } from 'next-auth'
 import type { Adapter } from 'next-auth/adapters'
 
+import {
+  getCliAuthCodeHashPrefix,
+  isCliAuthCodeCandidate,
+} from '@/app/onboard/_helpers'
 import { logger } from '@/util/logger'
 
 async function createAndLinkStripeCustomer(params: {
@@ -104,6 +108,31 @@ export const authOptions: NextAuthOptions = {
       const authCode = potentialRedirectUrl.searchParams.get('auth_code')
 
       if (authCode) {
+        if (!isCliAuthCodeCandidate(authCode)) {
+          const searchParamKeys = Array.from(
+            potentialRedirectUrl.searchParams.keys(),
+          ).sort()
+          logger.warn(
+            {
+              authCodeLength: authCode.length,
+              authCodeTrimmedLength: authCode.trim().length,
+              authCodeHashPrefix: getCliAuthCodeHashPrefix(authCode),
+              authCodeParamCount:
+                potentialRedirectUrl.searchParams.getAll('auth_code').length,
+              searchParamKeys,
+              searchParamCount: searchParamKeys.length,
+              hasCallbackUrlParam: searchParamKeys.includes('callbackUrl'),
+              hasCodeParam: searchParamKeys.includes('code'),
+              hasRedirectParam: searchParamKeys.includes('redirect'),
+              dotCount: authCode.match(/\./g)?.length ?? 0,
+              hyphenCount: authCode.match(/-/g)?.length ?? 0,
+              redirectUrlOrigin: potentialRedirectUrl.origin,
+              baseUrl,
+            },
+            'Freebuff auth redirect received non-CLI-shaped auth_code',
+          )
+        }
+
         const onboardUrl = new URL(`${baseUrl}/onboard`)
         potentialRedirectUrl.searchParams.forEach((value, key) => {
           onboardUrl.searchParams.set(key, value)
diff --git a/freebuff/web/src/app/login/page.tsx b/freebuff/web/src/app/login/page.tsx
@@ -29,6 +29,7 @@ export default async function LoginPage({
   const resolvedSearchParams = searchParams ? await searchParams : {}
   const rawAuthCode = resolvedSearchParams?.auth_code
   const authCode = Array.isArray(rawAuthCode) ? rawAuthCode[0] : rawAuthCode
+  const searchParamKeys = Object.keys(resolvedSearchParams).sort()
 
   if (authCode) {
     if (!isCliAuthCodeCandidate(authCode)) {
@@ -41,6 +42,11 @@ export default async function LoginPage({
           authCodeParamCount: Array.isArray(rawAuthCode)
             ? rawAuthCode.length
             : 1,
+          searchParamKeys,
+          searchParamCount: searchParamKeys.length,
+          hasCallbackUrlParam: searchParamKeys.includes('callbackUrl'),
+          hasCodeParam: searchParamKeys.includes('code'),
+          hasRedirectParam: searchParamKeys.includes('redirect'),
           dotCount: authCode.match(/\./g)?.length ?? 0,
           hyphenCount: authCode.match(/-/g)?.length ?? 0,
           requestHost: headerStore.get('host') ?? '',
