fix: complete CSP configuration for Firebase Auth + add debug endpoint

sirjamesgray · sirjamesgray · commit a81ccf2a254e · 2025-08-02T22:27:07.000-05:00
- Add Firebase app domains to frame-src for auth popups
- Add Vercel live feedback script to script-src
- Create auth status debug endpoint for troubleshooting
- Should resolve remaining Firebase Auth CSP blocking issues
diff --git a/app/api/debug/auth-status/route.ts b/app/api/debug/auth-status/route.ts
@@ -0,0 +1,107 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { getFirebaseAdmin } from '../../../firebase/firebaseAdmin';
+
+/**
+ * Debug Auth Status API Endpoint
+ * 
+ * Returns detailed authentication status information
+ * to help debug authentication issues.
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const cookieStore = await cookies();
+    const allCookies = cookieStore.getAll();
+    
+    // Get session cookie
+    const sessionCookie = cookieStore.get('simpleUserSession');
+    
+    // Environment info
+    const envInfo = {
+      nodeEnv: process.env.NODE_ENV,
+      vercelEnv: process.env.VERCEL_ENV,
+      useDevAuth: process.env.NODE_ENV === 'development' && process.env.NEXT_PUBLIC_USE_DEV_AUTH === 'true'
+    };
+    
+    // Cookie info
+    const cookieInfo = {
+      totalCookies: allCookies.length,
+      cookieNames: allCookies.map(c => c.name),
+      hasSimpleUserSession: !!sessionCookie,
+      sessionCookieValue: sessionCookie ? 'present' : 'missing'
+    };
+    
+    // Session data
+    let sessionData = null;
+    let sessionError = null;
+    
+    if (sessionCookie) {
+      try {
+        sessionData = JSON.parse(sessionCookie.value);
+      } catch (error) {
+        sessionError = 'Failed to parse session cookie';
+      }
+    }
+    
+    // Firebase Admin status
+    let firebaseAdminStatus = 'unknown';
+    try {
+      const admin = getFirebaseAdmin();
+      firebaseAdminStatus = admin ? 'initialized' : 'not initialized';
+    } catch (error) {
+      firebaseAdminStatus = `error: ${error.message}`;
+    }
+    
+    const debugInfo = {
+      timestamp: new Date().toISOString(),
+      environment: envInfo,
+      cookies: cookieInfo,
+      session: {
+        hasSessionData: !!sessionData,
+        sessionError,
+        userData: sessionData ? {
+          uid: sessionData.uid,
+          email: sessionData.email,
+          username: sessionData.username,
+          emailVerified: sessionData.emailVerified
+        } : null
+      },
+      firebase: {
+        adminStatus: firebaseAdminStatus
+      },
+      request: {
+        url: request.url,
+        method: request.method,
+        userAgent: request.headers.get('user-agent'),
+        origin: request.headers.get('origin'),
+        referer: request.headers.get('referer')
+      }
+    };
+    
+    return NextResponse.json(debugInfo, {
+      headers: {
+        'Cache-Control': 'no-cache, no-store, must-revalidate',
+        'Pragma': 'no-cache',
+        'Expires': '0'
+      }
+    });
+  } catch (error) {
+    console.error('Error in auth status debug API:', error);
+    
+    return NextResponse.json(
+      { 
+        error: 'Failed to get auth status',
+        message: error instanceof Error ? error.message : 'Unknown error',
+        timestamp: new Date().toISOString()
+      },
+      { 
+        status: 500,
+        headers: {
+          'Cache-Control': 'no-cache, no-store, must-revalidate',
+          'Pragma': 'no-cache',
+          'Expires': '0'
+        }
+      }
+    );
+  }
+}
diff --git a/next.config.js b/next.config.js
@@ -142,12 +142,12 @@ const nextConfig = {
             key: 'Content-Security-Policy',
             value: [
               "default-src 'self'",
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://connect-js.stripe.com https://*.stripe.com https://cdn.logrocket.io https://cdn.lr-ingest.io https://cdn.lr-in.com https://cdn.lr-in-prod.com https://cdn.lr-ingest.com https://cdn.ingest-lr.com https://cdn.lgrckt-in.com https://www.googletagmanager.com https://*.googleapis.com https://apis.google.com https://va.vercel-scripts.com",
+              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://connect-js.stripe.com https://*.stripe.com https://cdn.logrocket.io https://cdn.lr-ingest.io https://cdn.lr-in.com https://cdn.lr-in-prod.com https://cdn.lr-ingest.com https://cdn.ingest-lr.com https://cdn.lgrckt-in.com https://www.googletagmanager.com https://*.googleapis.com https://apis.google.com https://va.vercel-scripts.com https://vercel.live",
               "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://connect-js.stripe.com https://*.stripe.com",
               "font-src 'self' https://fonts.gstatic.com",
               "img-src 'self' data: https: https://*.stripe.com https://*.tile.openstreetmap.org https://*.basemaps.cartocdn.com https://cdnjs.cloudflare.com",
               "connect-src 'self' https://api.stripe.com https://connect-js.stripe.com https://*.stripe.com wss://*.stripe.com https://*.googleapis.com https://apis.google.com https://firebase.googleapis.com https://firebaseinstallations.googleapis.com wss://*.firebaseio.com https://*.firebaseio.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://*.logrocket.io https://*.lr-ingest.io https://*.logrocket.com https://*.lr-in.com https://*.lr-in-prod.com https://*.lr-ingest.com https://*.ingest-lr.com https://cdn.lgrckt-in.com https://*.lgrckt-in.com https://va.vercel-scripts.com https://*.vercel-scripts.com",
-              "frame-src 'self' https://js.stripe.com https://connect-js.stripe.com https://*.stripe.com",
+              "frame-src 'self' https://js.stripe.com https://connect-js.stripe.com https://*.stripe.com https://*.firebaseapp.com https://wewrite-ccd82.firebaseapp.com",
               "worker-src 'self' blob:",
               "child-src 'self' blob:",
               "object-src 'none'",
