fix(auth): correct callbackUrl and auto-redirect to Authentik

- Use NEXTAUTH_URL instead of request.url for callbackUrl (was 0.0.0.0:3000)
- Add custom /auth/signin page that auto-calls signIn("authentik")
- Skip the intermediate "Sign in with Authentik" button page
- Exclude /auth/signin from middleware matcher

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/app/auth/signin/page.tsx

@@ -0,0 +1,29 @@
+"use client";
+
+import { signIn } from "next-auth/react";
+import { useSearchParams } from "next/navigation";
+import { useEffect } from "react";
+
+/**
+ * Custom sign-in page that auto-redirects to Authentik.
+ * Skips the default NextAuth provider chooser (no "Sign in with Authentik" button).
+ */
+export default function SignInPage() {
+  const searchParams = useSearchParams();
+  const callbackUrl = searchParams.get("callbackUrl") || "/";
+
+  useEffect(() => {
+    void signIn("authentik", { callbackUrl });
+  }, [callbackUrl]);
+
+  return (
+    <div className="flex h-screen items-center justify-center bg-background">
+      <div className="flex flex-col items-center gap-4">
+        <div className="h-8 w-8 animate-spin rounded-full border-4 border-primary border-t-transparent" />
+        <p className="text-sm text-muted-foreground">
+          Se redirecționează către autentificare...
+        </p>
+      </div>
+    </div>
+  );
+}

src/middleware.ts

@@ -27,9 +27,13 @@ export async function middleware(request: NextRequest) {
     );
   }
 
-  // Page routes: redirect to NextAuth sign-in with callbackUrl
+  // Use NEXTAUTH_URL as base (request.url uses container's internal 0.0.0.0:3000)
-  const signInUrl = new URL("/api/auth/signin", request.url);
+  const baseUrl = process.env.NEXTAUTH_URL || "https://tools.beletage.ro";
-  signInUrl.searchParams.set("callbackUrl", request.url);
+  const callbackUrl = `${baseUrl}${pathname}${request.nextUrl.search}`;
+
+  // Redirect to custom sign-in page (auto-forwards to Authentik)
+  const signInUrl = new URL("/auth/signin", baseUrl);
+  signInUrl.searchParams.set("callbackUrl", callbackUrl);
   return NextResponse.redirect(signInUrl);
 }
 
@@ -42,6 +46,6 @@ export const config = {
      * - /favicon.ico, /robots.txt, /sitemap.xml
      * - Files with extensions (images, fonts, etc.)
      */
-    "/((?!api/auth|_next|favicon\\.ico|robots\\.txt|sitemap\\.xml|.*\\..*).*)",
+    "/((?!api/auth|auth/signin|_next|favicon\\.ico|robots\\.txt|sitemap\\.xml|.*\\..*).*)",
   ],
 };