---
status: resolved
trigger: "GearBox deployed on Coolify throws Invalid session (HTTP 500) from @hono/oidc-auth middleware when accessing GET /login"
created: 2026-04-08T00:00:00Z
updated: 2026-04-08T00:01:00Z
---

## Current Focus

hypothesis: CONFIRMED — oidcAuthMiddleware swallows all errors (including OIDC discovery network failures) as "Invalid session". The actual error is most likely Logto OIDC discovery endpoint unreachable from the Docker container.
test: deployed OIDC startup check — check Coolify logs after next deploy for "[OIDC]" lines
expecting: logs will show either "Discovery endpoint reachable" or "Discovery endpoint unreachable" with the actual network error
next_action: await_human_verify — user deploys and checks Coolify logs

## Symptoms

expected: User visits /login, gets redirected to Logto for authentication, completes login, and returns with a valid session.
actual: GET /login immediately throws HTTP 500 "Invalid session" from @hono/oidc-auth middleware. The error originates at node_modules/@hono/oidc-auth/dist/index.js:330 — the OIDC session validation catches an error, deletes the cookie, and throws.
errors: |
  Error thrown at node_modules/@hono/oidc-auth/dist/index.js:330 in the catch block.
  The middleware catches ALL errors from OIDC session validation and throws HTTPException 500 "Invalid session".
reproduction: Visit the deployed GearBox instance's /login page
started: Was an existing issue locally, temporarily fixed (possibly via Logto config/DB changes), but broke again on deploy to Coolify

## Eliminated

- hypothesis: Missing/invalid OIDC env vars (OIDC_AUTH_SECRET too short, OIDC_ISSUER missing, etc.)
  evidence: getOidcAuthEnv() throws with DIFFERENT messages for missing vars (not "Invalid session"). The error at line 330 only runs AFTER getOidcAuthEnv succeeds. .env.coolify-test shows 32-char secret (minimum OK).
  timestamp: 2026-04-08

- hypothesis: Stale session cookie from wrong-secret JWT
  evidence: If verify() fails (wrong secret), the inner try-catch at line 123-127 catches it and returns null — not throw. Only throws at line 129 if cookie decodes OK but rtkexp/ssnexp are undefined. This would require the same secret but different JWT structure.
  timestamp: 2026-04-08

- hypothesis: Error is thrown from setOidcAuthEnv before try-catch
  evidence: getOidcAuthEnv is called at line 293 OUTSIDE the try block. If it threw, the error message would be from setOidcAuthEnv ("Session secret is not provided", etc.), not "Invalid session".
  timestamp: 2026-04-08

## Evidence

- timestamp: 2026-04-08
  checked: @hono/oidc-auth/dist/index.js lines 292-330 (oidcAuthMiddleware)
  found: The outer try-catch at line 298-330 wraps ALL of: getAuth(c), and the redirect-building code (generateAuthorizationRequestUrl → getAuthorizationServer → OIDC discovery fetch). Any error from any of these is caught and re-thrown as HTTPException(500, "Invalid session"). The original error is LOST.
  implication: "Invalid session" is a misleading umbrella for any failure in the login flow.

- timestamp: 2026-04-08
  checked: Error stack trace — lines 325-326 are setCookie("continue"...) and c.redirect(url), inside the if(getAuth===null) block
  found: These lines are context in the error display, NOT where the error occurred. The throw is at line 330 (catch block). The fact that code is within the getAuth===null branch means getAuth returned null (no cookie or expired) and then generateAuthorizationRequestUrl was called — which calls getAuthorizationServer — which does OIDC discovery.
  implication: The error occurred during OIDC discovery (network call to OIDC_ISSUER/.well-known/openid-configuration).

- timestamp: 2026-04-08
  checked: src/server/index.ts app.onError handler
  found: Custom onError does NOT handle HTTPException specially — it bypasses getResponse() and returns generic JSON. Hono's default handler uses getResponse() for HTTPException. Both log the error, but the logged HTTPException doesn't carry the original network error (the catch in oidcAuthMiddleware doesn't attach original cause).
  implication: Server logs show "Invalid session" HTTPException but not the original TypeError (network error). This made diagnosis harder.

- timestamp: 2026-04-08
  checked: OIDC env vars in .env.coolify-test
  found: OIDC_ISSUER=https://auth.gearbox-test.jeanlucmakiola.de/oidc, OIDC_AUTH_SECRET=8515017c9c54186230b6d5210b08a94b (32 chars), OIDC_REDIRECT_URI=https://gearbox-test.jeanlucmakiola.de/callback. All look structurally valid.
  implication: The issue is NOT invalid env var values — it's runtime failure when using them.

## Resolution

root_cause: oidcAuthMiddleware swallows all errors as "Invalid session" — the actual error is almost certainly the OIDC discovery fetch failing because Logto (https://auth.gearbox-test.jeanlucmakiola.de) is either not running, not accessible from the Docker container, or the OIDC_ISSUER URL is wrong in Coolify's environment.
fix: |
  1. Added OIDC startup connectivity check in src/server/index.ts that fetches OIDC_ISSUER/.well-known/openid-configuration at startup and logs the real error if it fails.
  2. Fixed app.onError to properly return HTTPException.getResponse() so the correct status/message is preserved.
  3. To fully fix: deploy, check Coolify logs for "[OIDC]" lines, and fix whatever the actual cause is (restart Logto, fix Coolify network, correct OIDC_ISSUER URL).
verification:
files_changed:
  - src/server/index.ts