From c561299ebd78c17f892982072fbaf038625739a7 Mon Sep 17 00:00:00 2001
From: Michele <michele@mlhub.it>
Date: Sat, 31 Jan 2026 19:39:52 +0100
Subject: [PATCH] Fix OAuth callback: remove from middleware, fix redirect URLs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 middleware.ts                  |  2 +-
 src/app/auth/callback/route.ts | 14 +++++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/middleware.ts b/middleware.ts
index 2e5ea0a..6150a20 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -38,6 +38,7 @@ export async function middleware(request: NextRequest) {
 export const config = {
   matcher: [
     // Only run middleware on specific routes that need auth handling
+    // Note: /auth/callback is excluded - it handles its own auth flow
     '/dashboard/:path*',
     '/settings/:path*',
     '/subscription/:path*',
@@ -45,6 +46,5 @@ export const config = {
     '/login/',
     '/register',
     '/register/',
-    '/auth/:path*',
   ],
 }
diff --git a/src/app/auth/callback/route.ts b/src/app/auth/callback/route.ts
index 7b76f5e..d33a84d 100644
--- a/src/app/auth/callback/route.ts
+++ b/src/app/auth/callback/route.ts
@@ -2,19 +2,23 @@ import { createClient } from '@/lib/supabase/server'
 import { NextResponse } from 'next/server'
 
 export async function GET(request: Request) {
-  const { searchParams, origin } = new URL(request.url)
+  const { searchParams } = new URL(request.url)
   const code = searchParams.get('code')
-  const next = searchParams.get('next') ?? '/dashboard'
+  const next = searchParams.get('next') ?? '/dashboard/'
+
+  // Use the configured app URL for redirects
+  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || 'https://lab.mlhub.it/leopost'
 
   if (code) {
     const supabase = await createClient()
     const { error } = await supabase.auth.exchangeCodeForSession(code)
 
     if (!error) {
-      return NextResponse.redirect(`${origin}${next}`)
+      // Redirect to dashboard (or next page) after successful auth
+      return NextResponse.redirect(`${baseUrl}${next}`)
     }
   }
 
-  // Return the user to an error page with instructions
-  return NextResponse.redirect(`${origin}/login?error=auth_callback_error`)
+  // Return the user to login page with error
+  return NextResponse.redirect(`${baseUrl}/login/?error=auth_callback_error`)
 }