From 0280b941542290f66cdacc43e9f2d2e52b09a7fa Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Mon, 2 Mar 2026 20:39:12 +0000
Subject: [PATCH] Fix MSAL redirect_uri to match Azure AD registered URI
Change redirect_uri to app root (without /auth.php) to match what's registered in Azure portal. Use relative URLs for auth fetch and reload on success instead of computed absolute paths.
Co-Authored-By: Claude Sonnet 4.6
---
 AuthMiddleware.php | 4 ++--
 auth.php | 2 +-
 config.php | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/AuthMiddleware.php b/AuthMiddleware.php
index ebb51e6..2f7e2f8 100644
--- a/AuthMiddleware.php
+++ b/AuthMiddleware.php
@@ -289,7 +289,7 @@ class AuthMiddleware {
 });
 // Send token to server
- const response = await fetch('redirectUri), '/'); ?>/auth.php?action=login', {
+ const response = await fetch('auth.php?action=login', {
 method: 'POST',
 headers: {
 'Content-Type': 'application/json'
@@ -302,7 +302,7 @@ class AuthMiddleware {
 const result = await response.json();
 if (result.success) {
- window.location.href = 'redirectUri), '/'); ?>/';
+ window.location.reload();
 } else {
 alert('Login failed: ' + result.message);
 }
diff --git a/auth.php b/auth.php
index 65e3395..30fe7b0 100644
--- a/auth.php
+++ b/auth.php
@@ -71,7 +71,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET' && $action === 'logout') {
 // Build Azure AD logout URL
 $tenantId = $config['sso']['tenant_id'];
- $postLogoutRedirect = urlencode('https://ai-sandbox.oliver.solutions/loreal-global-kickoff/');
+ $postLogoutRedirect = urlencode('https://ai-sandbox.oliver.solutions/loreal-global-kickoff');
 $logoutUrl = "https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/logout?post_logout_redirect_uri={$postLogoutRedirect}";
 header('Location: ' . $logoutUrl);
diff --git a/config.php b/config.php
index 368ddf8..b941fc8 100644
--- a/config.php
+++ b/config.php
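Review bot: In AuthMiddleware.php (hunk at line 289) the token is now POSTed to the relative URL `auth.php?action=login`, which the browser resolves against whatever path rendered the login page. If this markup is ever served from the no-trailing-slash URL that this commit sets as `redirect_uri`, or from a nested path, the request resolves to an `auth.php` outside the app directory and the token goes with it; on a shared host that could be a different application. I would keep the endpoint server-derived, for example by emitting a configured application base path into the script with `json_encode()`, rather than depending on the document URL. The enclosing function starts and ends outside the hunk, so how the request body is built is not visible here.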
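Review bot: In the second AuthMiddleware.php hunk (line 302), `response.json()` is parsed without first checking `response.ok`. With the endpoint now relative, a wrong base path would return an HTML error page and the parse would throw instead of reaching the `alert` branch; whether a surrounding `try`/`catch` handles that is outside the hunk. A guard such as `if (!response.ok) throw new Error('Login request failed: ' + response.status);` before the parse would make the failure explicit.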
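Review bot: The post-logout URL in auth.php (hunk at line 71) is a hard-coded literal that has to be edited in step with `redirect_uri` in config.php, as this commit itself shows. Reading it from configuration, e.g. `$postLogoutRedirect = urlencode($config['sso']['redirect_uri']);` (assuming `redirect_uri` sits under the same `sso` key as `tenant_id`), keeps the two from drifting into a logout redirect that Azure AD will not honour. Separately, the hunk header shows logout is triggered by a plain GET, so a cross-site link or image request can sign a user out; consider requiring POST with a CSRF token. The logout branch continues outside the hunk.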
@@ -12,7 +12,7 @@ return [
 // Azure AD Configuration (for production use)
 'tenant_id' => 'e519c2e6-bc6d-4fdf-8d9c-923c2f002385',
 'client_id' => '9079054c-9620-4757-a256-23413042f1ef',
- 'redirect_uri' => 'https://ai-sandbox.oliver.solutions/loreal-global-kickoff/auth.php',
+ 'redirect_uri' => 'https://ai-sandbox.oliver.solutions/loreal-global-kickoff',
 // Local development user (used when SSO is disabled)
 'local_user' => [
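Review bot: The new `redirect_uri` value in config.php has no comment saying that it must equal the URI registered for the app in Azure AD character for character, which is the whole reason for this change. I would add `// Must match the redirect URI registered in Azure AD exactly (no trailing slash, no /auth.php)` above the key, and note there that auth.php carries its own copy of this URL for logout. If other environments exist, reading the value from the environment would avoid editing a tracked file per deployment. The array continues outside the hunk.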