Merge pull request #79 from MR-medreport/keycloak-updates-v2

update login/signup/update-account for keycloak
2025-09-08 08:25:19 +00:00
parent dfcfdb8f97 aa441d4055
commit 321c85bc9c
41 changed files with 723 additions and 309 deletions
--- a/.env
+++ b/.env
@@ -13,7 +13,7 @@ NEXT_PUBLIC_THEME_COLOR="#ffffff"
 NEXT_PUBLIC_THEME_COLOR_DARK="#0a0a0a"

 # AUTH
-NEXT_PUBLIC_AUTH_PASSWORD=true
+NEXT_PUBLIC_AUTH_PASSWORD=false
 NEXT_PUBLIC_AUTH_MAGIC_LINK=false
 NEXT_PUBLIC_CAPTCHA_SITE_KEY=

@@ -65,3 +65,6 @@ NEXT_PUBLIC_TEAM_NAVIGATION_STYLE=custom
 NEXT_PUBLIC_USER_NAVIGATION_STYLE=custom

 NEXT_PUBLIC_MEDUSA_PUBLISHABLE_KEY=
+
+# Configure Medusa password secret for Keycloak users
+MEDUSA_PASSWORD_SECRET=ODEwMGNiMmUtOGMxYS0xMWYwLWJlZDYtYTM3YzYyMWY0NGEzCg==
--- a/.env.development
+++ b/.env.development
@@ -3,6 +3,7 @@

 # SITE
 NEXT_PUBLIC_SITE_URL=http://localhost:3000
+NEXT_PUBLIC_AUTH_PASSWORD=true

 # SUPABASE DEVELOPMENT

--- a/app/(marketing)/_components/site-header-account-section.tsx
+++ b/app/(marketing)/_components/site-header-account-section.tsx
@@ -13,10 +13,7 @@ import { Button } from '@kit/ui/button';
 import { If } from '@kit/ui/if';
 import { Trans } from '@kit/ui/trans';

-import { featureFlagsConfig } from '@kit/shared/config';
-
-import { pathsConfig } from '@kit/shared/config';
-
+import { authConfig, featureFlagsConfig, pathsConfig } from '@kit/shared/config';

 const ModeToggle = dynamic(() =>
  import('@kit/ui/mode-toggle').then((mod) => ({
@@ -75,11 +72,13 @@ function AuthButtons() {
          </Link>
        </Button>

+        {authConfig.providers.password && (
          <Button asChild className="text-xs md:text-sm" variant={'default'}>
            <Link href={pathsConfig.auth.signUp}>
              <Trans i18nKey={'auth:signUp'} />
            </Link>
          </Button>
+        )}
      </div>
    </div>
  );
--- a/app/(marketing)/page.tsx
+++ b/app/(marketing)/page.tsx
@@ -1,6 +1,7 @@
 import Link from 'next/link';

 import { MedReportLogo } from '@kit/shared/components/med-report-logo';
+import { pathsConfig } from '@kit/shared/config';
 import { ArrowRightIcon } from 'lucide-react';

 import { CtaButton, Hero } from '@kit/ui/marketing';
@@ -32,7 +33,7 @@ function MainCallToActionButton() {
  return (
    <div className={'flex space-x-4'}>
      <CtaButton>
-        <Link href={'/auth/sign-up'}>
+        <Link href={pathsConfig.auth.signUp}>
          <span className={'flex items-center space-x-0.5'}>
            <span>
              <Trans i18nKey={'common:getStarted'} />
--- a/app/auth/callback/route.ts
+++ b/app/auth/callback/route.ts
@@ -1,19 +1,62 @@
 import { redirect } from 'next/navigation';
 import type { NextRequest } from 'next/server';

-import { createAuthCallbackService } from '@kit/supabase/auth';
+import { createAuthCallbackService, getErrorURLParameters } from '@kit/supabase/auth';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';

 import { pathsConfig } from '@kit/shared/config';
+import { createAccountsApi } from '@/packages/features/accounts/src/server/api';

+const ERROR_PATH = '/auth/callback/error';
+
+const redirectOnError = (searchParams?: string) => {
+  return redirect(`${ERROR_PATH}${searchParams ? `?${searchParams}` : ''}`);
+}

 export async function GET(request: NextRequest) {
-  const service = createAuthCallbackService(getSupabaseServerClient());
+  const { searchParams } = new URL(request.url);

-  const { nextPath } = await service.exchangeCodeForSession(request, {
-    joinTeamPath: pathsConfig.app.joinTeam,
-    redirectPath: pathsConfig.app.home,
+  const error = searchParams.get('error');
+  if (error) {
+    const { searchParams } = getErrorURLParameters({ error });
+    return redirectOnError(searchParams);
+  }
+
+  const authCode = searchParams.get('code');
+  if (!authCode) {
+    return redirectOnError();
+  }
+
+  let redirectPath = searchParams.get('next') || pathsConfig.app.home;
+  // if we have an invite token, we redirect to the join team page
+  // instead of the default next url. This is because the user is trying
+  // to join a team and we want to make sure they are redirected to the
+  // correct page.
+  const inviteToken = searchParams.get('invite_token');
+  if (inviteToken) {
+    const urlParams = new URLSearchParams({
+      invite_token: inviteToken,
+      email: searchParams.get('email') ?? '',
    });

-  return redirect(nextPath);
+    redirectPath = `${pathsConfig.app.joinTeam}?${urlParams.toString()}`;
+  }
+
+  const service = createAuthCallbackService(getSupabaseServerClient());
+  const oauthResult = await service.exchangeCodeForSession(authCode);
+  if (!("isSuccess" in oauthResult)) {
+    return redirectOnError(oauthResult.searchParams);
+  }
+
+  const api = createAccountsApi(getSupabaseServerClient());
+
+  const account = await api.getPersonalAccountByUserId(
+    oauthResult.user.id,
+  );
+
+  if (!account.email || !account.name || !account.last_name) {
+    return redirect(pathsConfig.auth.updateAccount);
+  }
+  
+  return redirect(redirectPath);
 }
--- a/app/auth/confirm/route.ts
+++ b/app/auth/confirm/route.ts
@@ -5,7 +5,6 @@ import { getSupabaseServerClient } from '@kit/supabase/server-client';

 import { pathsConfig } from '@kit/shared/config';

-
 export async function GET(request: NextRequest) {
  const service = createAuthCallbackService(getSupabaseServerClient());

--- a/app/auth/sign-in/components/PasswordOption.tsx
+++ b/app/auth/sign-in/components/PasswordOption.tsx
@@ -0,0 +1,54 @@
+import Link from 'next/link';
+
+import { SignInMethodsContainer } from '@kit/auth/sign-in';
+import { authConfig, pathsConfig } from '@kit/shared/config';
+import { Button } from '@kit/ui/button';
+import { Heading } from '@kit/ui/heading';
+import { Trans } from '@kit/ui/trans';
+
+export default function PasswordOption({
+  inviteToken,
+  returnPath,
+}: {
+  inviteToken?: string;
+  returnPath?: string;
+}) {
+  const signUpPath =
+    pathsConfig.auth.signUp +
+    (inviteToken ? `?invite_token=${inviteToken}` : '');
+
+  const paths = {
+    callback: pathsConfig.auth.callback,
+    returnPath: returnPath ?? pathsConfig.app.home,
+    joinTeam: pathsConfig.app.joinTeam,
+    updateAccount: pathsConfig.auth.updateAccount,
+  };
+
+  return (
+    <>
+      <div className={'flex flex-col items-center gap-1'}>
+        <Heading level={4} className={'tracking-tight'}>
+          <Trans i18nKey={'auth:signInHeading'} />
+        </Heading>
+
+        <p className={'text-muted-foreground text-sm'}>
+          <Trans i18nKey={'auth:signInSubheading'} />
+        </p>
+      </div>
+
+      <SignInMethodsContainer
+        inviteToken={inviteToken}
+        paths={paths}
+        providers={authConfig.providers}
+      />
+
+      <div className={'flex justify-center'}>
+        <Button asChild variant={'link'} size={'sm'}>
+          <Link href={signUpPath} prefetch={true}>
+            <Trans i18nKey={'auth:doNotHaveAccountYet'} />
+          </Link>
+        </Button>
+      </div>
+    </>
+  );
+}
--- a/app/auth/sign-in/components/SignInPageClientRedirect.tsx
+++ b/app/auth/sign-in/components/SignInPageClientRedirect.tsx
@@ -0,0 +1,37 @@
+'use client';
+
+import Loading from '@/app/home/loading';
+import { useEffect } from 'react';
+import { getSupabaseBrowserClient } from '@/packages/supabase/src/clients/browser-client';
+import { useRouter } from 'next/navigation';
+
+export function SignInPageClientRedirect() {
+  const router = useRouter();
+
+  useEffect(() => {
+    async function signIn() {
+      const { data, error } = await getSupabaseBrowserClient()
+        .auth
+        .signInWithOAuth({
+          provider: 'keycloak',
+          options: {
+            redirectTo: `${window.location.origin}/auth/callback`,
+            queryParams: {
+              prompt: 'login',
+            },
+          }
+        });
+
+      if (error) {
+        console.error('OAuth error', error);
+        router.push('/');
+      } else if (data.url) {
+        router.push(data.url);
+      }
+    }
+
+    signIn();
+  }, [router]);
+
+  return <Loading />;
+}
--- a/app/auth/sign-in/page.tsx
+++ b/app/auth/sign-in/page.tsx
@@ -1,14 +1,9 @@
-import Link from 'next/link';
-
-
-import { SignInMethodsContainer } from '@kit/auth/sign-in';
-import { authConfig, pathsConfig } from '@kit/shared/config';
-import { Button } from '@kit/ui/button';
-import { Heading } from '@kit/ui/heading';
-import { Trans } from '@kit/ui/trans';
+import { pathsConfig, authConfig } from '@kit/shared/config';

 import { createI18nServerInstance } from '~/lib/i18n/i18n.server';
 import { withI18n } from '~/lib/i18n/with-i18n';
+import { SignInPageClientRedirect } from './components/SignInPageClientRedirect';
+import PasswordOption from './components/PasswordOption';

 interface SignInPageProps {
  searchParams: Promise<{
@@ -26,47 +21,14 @@ export const generateMetadata = async () => {
 };

 async function SignInPage({ searchParams }: SignInPageProps) {
-  const { invite_token: inviteToken, next = pathsConfig.app.home } =
+  const { invite_token: inviteToken, next: returnPath = pathsConfig.app.home } =
    await searchParams;

-  const signUpPath =
-    pathsConfig.auth.signUp +
-    (inviteToken ? `?invite_token=${inviteToken}` : '');
+  if (authConfig.providers.password) {
+    return <PasswordOption inviteToken={inviteToken} returnPath={returnPath} />;
+  }

-  const paths = {
-    callback: pathsConfig.auth.callback,
-    returnPath: next ?? pathsConfig.app.home,
-    joinTeam: pathsConfig.app.joinTeam,
-    updateAccount: pathsConfig.auth.updateAccount,
-  };
-
-  return (
-    <>
-      <div className={'flex flex-col items-center gap-1'}>
-        <Heading level={4} className={'tracking-tight'}>
-          <Trans i18nKey={'auth:signInHeading'} />
-        </Heading>
-
-        <p className={'text-muted-foreground text-sm'}>
-          <Trans i18nKey={'auth:signInSubheading'} />
-        </p>
-      </div>
-
-      <SignInMethodsContainer
-        inviteToken={inviteToken}
-        paths={paths}
-        providers={authConfig.providers}
-      />
-
-      <div className={'flex justify-center'}>
-        <Button asChild variant={'link'} size={'sm'}>
-          <Link href={signUpPath} prefetch={true}>
-            <Trans i18nKey={'auth:doNotHaveAccountYet'} />
-          </Link>
-        </Button>
-      </div>
-    </>
-  );
+  return <SignInPageClientRedirect />;
 }

 export default withI18n(SignInPage);
--- a/app/auth/sign-up/page.tsx
+++ b/app/auth/sign-up/page.tsx
@@ -1,4 +1,5 @@
 import Link from 'next/link';
+import { redirect } from 'next/navigation';

 import { SignUpMethodsContainer } from '@kit/auth/sign-up';
 import { authConfig, pathsConfig } from '@kit/shared/config';
@@ -37,6 +38,10 @@ async function SignUpPage({ searchParams }: Props) {
    pathsConfig.auth.signIn +
    (inviteToken ? `?invite_token=${inviteToken}` : '');

+  if (!authConfig.providers.password) {
+    return redirect('/');
+  }
+
  return (
    <>
      <div className={'flex flex-col items-center gap-1'}>
--- a/app/auth/update-account/_components/update-account-form.tsx
+++ b/app/auth/update-account/_components/update-account-form.tsx
@@ -2,8 +2,6 @@

 import Link from 'next/link';

-import { User } from '@supabase/supabase-js';
-
 import { ExternalLink } from '@/public/assets/external-link';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useForm } from 'react-hook-form';
@@ -23,31 +21,52 @@ import { Trans } from '@kit/ui/trans';

 import { UpdateAccountSchema } from '../_lib/schemas/update-account.schema';
 import { onUpdateAccount } from '../_lib/server/update-account';
+import { z } from 'zod';

-export function UpdateAccountForm({ user }: { user: User }) {
+type UpdateAccountFormValues = z.infer<typeof UpdateAccountSchema>;
+
+export function UpdateAccountForm({
+  defaultValues,
+}: {
+  defaultValues: UpdateAccountFormValues,
+}) {
  const form = useForm({
    resolver: zodResolver(UpdateAccountSchema),
    mode: 'onChange',
-    defaultValues: {
-      firstName: '',
-      lastName: '',
-      personalCode: '',
-      email: user.email,
-      phone: '',
-      city: '',
-      weight: 0,
-      height: 0,
-      userConsent: false,
-    },
+    defaultValues,
  });
+
+  const { firstName, lastName, personalCode, email, weight, height, userConsent } = defaultValues;
+
+  const hasFirstName = !!firstName;
+  const hasLastName = !!lastName;
+  const hasPersonalCode = !!personalCode;
+  const hasEmail = !!email;
+  const hasWeight = !!weight;
+  const hasHeight = !!height;
+  const hasUserConsent = !!userConsent;
+
+  const onUpdateAccountOptions = async (values: UpdateAccountFormValues) =>
+    onUpdateAccount({
+      ...values,
+      ...(hasFirstName && { firstName }),
+      ...(hasLastName && { lastName }),
+      ...(hasPersonalCode && { personalCode }),
+      ...(hasEmail && { email }),
+      ...(hasWeight && { weight: values.weight ?? weight }),
+      ...(hasHeight && { height: values.height ?? height }),
+      ...(hasUserConsent && { userConsent: values.userConsent ?? userConsent }),
+    });
+
  return (
    <Form {...form}>
      <form
        className="flex flex-col gap-6 px-6 pt-10 text-left"
-        onSubmit={form.handleSubmit(onUpdateAccount)}
+        onSubmit={form.handleSubmit(onUpdateAccountOptions)}
      >
        <FormField
          name="firstName"
+          disabled={hasFirstName}
          render={({ field }) => (
            <FormItem>
              <FormLabel>
@@ -63,6 +82,7 @@ export function UpdateAccountForm({ user }: { user: User }) {

        <FormField
          name="lastName"
+          disabled={hasLastName}
          render={({ field }) => (
            <FormItem>
              <FormLabel>
@@ -78,6 +98,7 @@ export function UpdateAccountForm({ user }: { user: User }) {

        <FormField
          name="personalCode"
+          disabled={hasPersonalCode}
          render={({ field }) => (
            <FormItem>
              <FormLabel>
@@ -93,13 +114,14 @@ export function UpdateAccountForm({ user }: { user: User }) {

        <FormField
          name="email"
+          disabled={hasEmail}
          render={({ field }) => (
            <FormItem>
              <FormLabel>
                <Trans i18nKey={'common:formField:email'} />
              </FormLabel>
              <FormControl>
-                <Input {...field} disabled />
+                <Input {...field} />
              </FormControl>
              <FormMessage />
            </FormItem>
--- a/app/auth/update-account/_lib/schemas/update-account.schema.ts
+++ b/app/auth/update-account/_lib/schemas/update-account.schema.ts
@@ -1,4 +1,5 @@
 import { z } from 'zod';
+import parsePhoneNumber from 'libphonenumber-js/min';

 export const UpdateAccountSchema = z.object({
  firstName: z
@@ -23,7 +24,20 @@ export const UpdateAccountSchema = z.object({
    .string({
      error: 'Phone number is required',
    })
-    .nonempty(),
+    .nonempty()
+    .refine(
+      (phone) => {
+        try {
+          const phoneNumber = parsePhoneNumber(phone);
+          return !!phoneNumber && phoneNumber.isValid() && phoneNumber.country === 'EE';
+        } catch {
+          return false;
+        }
+      },
+      {
+        message: 'common:formFieldError.invalidPhoneNumber',
+      }
+    ),
  city: z.string().optional(),
  weight: z
    .number({
--- a/app/auth/update-account/_lib/server/update-account.ts
+++ b/app/auth/update-account/_lib/server/update-account.ts
@@ -28,11 +28,15 @@ export const onUpdateAccount = enhanceAction(
      console.warn('On update account error: ', err);
    }

+    try {
      await updateCustomer({
        first_name: params.firstName,
        last_name: params.lastName,
        phone: params.phone,
      });
+    } catch (e) {
+      console.error("Failed to update Medusa customer", e);
+    }

    const hasUnseenMembershipConfirmation =
      await api.hasUnseenMembershipConfirmation();
--- a/app/auth/update-account/page.tsx
+++ b/app/auth/update-account/page.tsx
@@ -11,18 +11,39 @@ import { Trans } from '@kit/ui/trans';
 import { withI18n } from '~/lib/i18n/with-i18n';

 import { UpdateAccountForm } from './_components/update-account-form';
+import { loadCurrentUserAccount } from '@/app/home/(user)/_lib/server/load-user-account';
+import { toTitleCase } from '~/lib/utils';

 async function UpdateAccount() {
  const client = getSupabaseServerClient();
+  const account = await loadCurrentUserAccount();

  const {
    data: { user },
  } = await client.auth.getUser();
+  const isKeycloakUser = user?.app_metadata?.provider === 'keycloak';

  if (!user) {
    redirect(pathsConfig.auth.signIn);
  }

+  const defaultValues = {
+    firstName: account?.name ? toTitleCase(account.name) : '',
+    lastName: account?.last_name ? toTitleCase(account.last_name) : '',
+    personalCode: account?.personal_code ?? '',
+    email: (() => {
+      if (isKeycloakUser) {
+        return account?.email ?? '';
+      }
+      return account?.email ?? user?.email ?? '';
+    })(),
+    phone: account?.phone ?? '',
+    city: account?.city ?? '',
+    weight: account?.accountParams?.weight ?? 0,
+    height: account?.accountParams?.height ?? 0,
+    userConsent: account?.has_consent_personal_data ?? false,
+  };
+
  return (
    <div className="border-border flex max-w-5xl flex-row overflow-hidden rounded-3xl border">
      <div className="relative flex min-w-md flex-col px-12 pt-7 pb-22 text-center md:w-1/2">
@@ -34,7 +55,7 @@ async function UpdateAccount() {
        <p className="text-muted-foreground pt-1 text-sm">
          <Trans i18nKey={'account:updateAccount:description'} />
        </p>
-        <UpdateAccountForm user={user} />
+        <UpdateAccountForm defaultValues={defaultValues} />
      </div>
      <div className="hidden w-1/2 min-w-[460px] bg-[url(/assets/med-report-logo-big.png)] bg-cover bg-center bg-no-repeat md:block"></div>
    </div>
--- a/app/home/(user)/(dashboard)/page.tsx
+++ b/app/home/(user)/(dashboard)/page.tsx
@@ -27,7 +27,7 @@ async function UserHomePage() {
  const client = getSupabaseServerClient();

  const account = await loadCurrentUserAccount();
-  const api = await createAccountsApi(client);
+  const api = createAccountsApi(client);
  const bmiThresholds = await api.fetchBmiThresholds();

  if (!account) {
--- a/app/home/(user)/_components/dashboard.tsx
+++ b/app/home/(user)/_components/dashboard.tsx
@@ -84,7 +84,7 @@ const cards = ({
    },
    {
      title: 'dashboard:bmi',
-      description: bmiFromMetric(weight || 0, height || 0).toString(),
+      description: bmiFromMetric(weight || 0, height || 0)?.toString() ?? '-',
      icon: <TrendingUp />,
      iconBg: getBmiBackgroundColor(bmiStatus),
    },
--- a/app/home/(user)/_components/order-analyses-cards.tsx
+++ b/app/home/(user)/_components/order-analyses-cards.tsx
@@ -94,7 +94,7 @@ export default function OrderAnalysesCards({
                    className="px-2 text-black"
                    onClick={() => handleSelect(variant.id)}
                  >
-                    {variantAddingToCart ? <Loader2 className="size-4 stroke-2 animate-spin" /> : <ShoppingCart className="size-4 stroke-2" />}
+                    {variantAddingToCart === variant.id ? <Loader2 className="size-4 stroke-2 animate-spin" /> : <ShoppingCart className="size-4 stroke-2" />}
                  </Button>
                </div>
              )}
--- a/app/home/(user)/_lib/server/load-user-account.ts
+++ b/app/home/(user)/_lib/server/load-user-account.ts
@@ -16,14 +16,14 @@ export const loadUserAccount = cache(accountLoader);

 export async function loadCurrentUserAccount() {
  const user = await requireUserInServerComponent();
-  return user?.identities?.[0]?.id
-    ? await loadUserAccount(user?.identities?.[0]?.id)
+  return user?.id
+    ? await loadUserAccount(user.id)
    : null;
 }

-async function accountLoader(accountId: string) {
+async function accountLoader(userId: string) {
  const client = getSupabaseServerClient();
  const api = createAccountsApi(client);

-  return api.getAccount(accountId);
+  return api.getPersonalAccountByUserId(userId);
 }
--- a/lib/actions/sign-out.tsx
+++ b/lib/actions/sign-out.tsx
@@ -3,9 +3,26 @@
 import { redirect } from 'next/navigation';

 import { createClient } from '@/utils/supabase/server';
+import { medusaLogout } from '@lib/data/customer';

 export const signOutAction = async () => {
-  const supabase = await createClient();
-  await supabase.auth.signOut();
+  const client = await createClient();
+
+  try {
+    try {
+      await medusaLogout();
+    } catch (medusaError) {
+      console.warn('Medusa logout failed or not available:', medusaError);
+    }
+
+    const { error } = await client.auth.signOut();
+    if (error) {
+      throw error;
+    }
+  } catch (error) {
+    console.error('Logout error:', error);
+    throw error;
+  }
+
  return redirect('/');
 };
--- a/lib/utils.ts
+++ b/lib/utils.ts
@@ -15,11 +15,12 @@ export function toArray<T>(input?: T | T[] | null): T[] {
 }

 export function toTitleCase(str?: string) {
-  if (!str) return '';
-  return str.replace(
-    /\w\S*/g,
-    (text: string) =>
-      text.charAt(0).toUpperCase() + text.substring(1).toLowerCase(),
+  return (
+    str
+      ?.toLowerCase()
+      .replace(/[^-'’\s]+/g, (match) =>
+        match.replace(/^./, (first) => first.toUpperCase()),
+      ) ?? ""
  );
 }

@@ -40,8 +41,12 @@ export function sortByDate<T>(

 export const bmiFromMetric = (kg: number, cm: number) => {
  const m = cm / 100;
-  const bmi = kg / (m * m);
-  return bmi ? Math.round(bmi) : NaN;
+  const m2 = m * m;
+  if (m2 === 0) {
+    return null;
+  }
+  const bmi = kg / m2;
+  return !Number.isNaN(bmi) ? Math.round(bmi) : null;
 };

 export function getBmiStatus(
@@ -58,7 +63,9 @@ export function getBmiStatus(
    ) || null;
  const bmi = bmiFromMetric(params.weight, params.height);

-  if (!thresholdByAge || Number.isNaN(bmi)) return null;
+  if (!thresholdByAge || bmi === null) {
+    return null;
+  }

  if (bmi > thresholdByAge.obesity_min) return BmiCategory.OBESE;
  if (bmi > thresholdByAge.strong_min) return BmiCategory.VERY_OVERWEIGHT;
--- a/package.json
+++ b/package.json
@@ -69,6 +69,7 @@
    "fast-xml-parser": "^5.2.5",
    "isikukood": "3.1.7",
    "jsonwebtoken": "9.0.2",
+    "libphonenumber-js": "^1.12.15",
    "lodash": "^4.17.21",
    "lucide-react": "^0.510.0",
    "next": "15.3.2",
--- a/packages/features/accounts/src/components/personal-account-dropdown.tsx
+++ b/packages/features/accounts/src/components/personal-account-dropdown.tsx
@@ -79,15 +79,9 @@ export function PersonalAccountDropdown({
 }) {
  const { data: personalAccountData } = usePersonalAccountData(user.id);

-  const signedInAsLabel = useMemo(() => {
-    const email = user?.email ?? undefined;
-    const phone = user?.phone ?? undefined;
-
-    return email ?? phone;
-  }, [user]);
-
-  const displayName =
-    personalAccountData?.name ?? account?.name ?? user?.email ?? '';
+  const { name, last_name } = personalAccountData ?? {};
+  const firstNameLabel = toTitleCase(name) ?? '-';
+  const fullNameLabel = name && last_name ? toTitleCase(`${name} ${last_name}`) : '-';

  const hasTotpFactor = useMemo(() => {
    const factors = user?.factors ?? [];
@@ -128,7 +122,7 @@ export function PersonalAccountDropdown({
        <ProfileAvatar
          className={'rounded-md'}
          fallbackClassName={'rounded-md border'}
-          displayName={displayName ?? user?.email ?? ''}
+          displayName={firstNameLabel}
          pictureUrl={personalAccountData?.picture_url}
        />

@@ -142,7 +136,7 @@ export function PersonalAccountDropdown({
              data-test={'account-dropdown-display-name'}
              className={'truncate text-sm'}
            >
-              {toTitleCase(displayName)}
+              {firstNameLabel}
            </span>
          </div>

@@ -164,7 +158,7 @@ export function PersonalAccountDropdown({
            </div>

            <div>
-              <span className={'block truncate'}>{signedInAsLabel}</span>
+              <span className={'block truncate'}>{fullNameLabel}</span>
            </div>
          </div>
        </DropdownMenuItem>
--- a/packages/features/accounts/src/server/api.ts
+++ b/packages/features/accounts/src/server/api.ts
@@ -48,6 +48,41 @@ class AccountsApi {
    return data;
  }

+  /**
+   * @name getPersonalAccountByUserId
+   * @description Get the personal account data for the given user ID.
+   * @param userId
+   */
+  async getPersonalAccountByUserId(userId: string): Promise<AccountWithParams> {
+    const { data, error } = await this.client
+      .schema('medreport')
+      .from('accounts')
+      .select(
+        '*, accountParams: account_params (weight, height, isSmoker:is_smoker)',
+      )
+      .eq('primary_owner_user_id', userId)
+      .eq('is_personal_account', true)
+      .single();
+
+    if (error) {
+      throw error;
+    }
+
+    const { personal_code, ...rest } = data;
+    return {
+      ...rest,
+      personal_code: (() => {
+        if (!personal_code) {
+          return null;
+        }
+        if (personal_code.toLowerCase().startsWith('ee')) {
+          return personal_code.substring(2);
+        }
+        return personal_code;
+      })(),
+    };
+  }
+
  /**
   * @name getAccountWorkspace
   * @description Get the account workspace data.
--- a/packages/features/auth/src/components/oauth-providers.tsx
+++ b/packages/features/auth/src/components/oauth-providers.tsx
@@ -25,8 +25,8 @@ import { AuthProviderButton } from './auth-provider-button';
 * @see https://supabase.com/docs/guides/auth/social-login
 */
 const OAUTH_SCOPES: Partial<Record<Provider, string>> = {
-  azure: 'email',
-  keycloak: 'openid',
+  // azure: 'email',
+  // keycloak: 'openid',
  // add your OAuth providers here
 };

@@ -88,10 +88,12 @@ export const OauthProviders: React.FC<{
                    queryParams.set('invite_token', props.inviteToken);
                  }

-                  const redirectPath = [
-                    props.paths.callback,
-                    queryParams.toString(),
-                  ].join('?');
+                  // signicat/keycloak will not allow redirect-uri with changing query params
+                  const INCLUDE_QUERY_PARAMS = false as boolean;
+
+                  const redirectPath = INCLUDE_QUERY_PARAMS
+                    ? [props.paths.callback, queryParams.toString()].join('?')
+                    : props.paths.callback;

                  const redirectTo = [origin, redirectPath].join('');
                  const scopes = OAUTH_SCOPES[provider] ?? undefined;
@@ -102,6 +104,7 @@ export const OauthProviders: React.FC<{
                      redirectTo,
                      queryParams: props.queryParams,
                      scopes,
+                      // skipBrowserRedirect: false,
                    },
                  } satisfies SignInWithOAuthCredentials;

--- a/packages/features/auth/src/components/sign-in-methods-container.tsx
+++ b/packages/features/auth/src/components/sign-in-methods-container.tsx
@@ -108,6 +108,9 @@ export function SignInMethodsContainer(props: {
            callback: props.paths.callback,
            returnPath: props.paths.returnPath,
          }}
+          queryParams={{
+            prompt: 'login',
+          }}
        />
      </If>
    </>
--- a/packages/features/auth/src/components/sign-up-methods-container.tsx
+++ b/packages/features/auth/src/components/sign-up-methods-container.tsx
@@ -44,7 +44,7 @@ export function SignUpMethodsContainer(props: {
          emailRedirectTo={props.paths.callback}
          defaultValues={defaultValues}
          displayTermsCheckbox={props.displayTermsCheckbox}
-          onSignUp={() => redirect(redirectUrl)}
+          //onSignUp={() => redirect(redirectUrl)}
        />
      </If>

@@ -79,6 +79,9 @@ export function SignUpMethodsContainer(props: {
            callback: props.paths.callback,
            returnPath: props.paths.appHome,
          }}
+          queryParams={{
+            prompt: 'login',
+          }}
        />
      </If>
    </>
--- a/packages/features/medusa-storefront/src/lib/data/customer.ts
+++ b/packages/features/medusa-storefront/src/lib/data/customer.ts
@@ -4,7 +4,6 @@ import { sdk } from "@lib/config"
 import medusaError from "@lib/util/medusa-error"
 import { HttpTypes } from "@medusajs/types"
 import { revalidateTag } from "next/cache"
-import { redirect } from "next/navigation"
 import {
  getAuthHeaders,
  getCacheOptions,
@@ -127,7 +126,7 @@ export async function login(_currentState: unknown, formData: FormData) {
  }
 }

-export async function signout(countryCode?: string, shouldRedirect = true) {
+export async function medusaLogout(countryCode = 'ee') {
  await sdk.auth.logout()

  await removeAuthToken()
@@ -139,10 +138,6 @@ export async function signout(countryCode?: string, shouldRedirect = true) {

  const cartCacheTag = await getCacheTag("carts")
  revalidateTag(cartCacheTag)
-
-  if (shouldRedirect) {
-    redirect(`/${countryCode!}/account`)
-  }
 }

 export async function transferCart() {
@@ -262,17 +257,8 @@ export const updateCustomerAddress = async (
    })
 }

-export async function medusaLoginOrRegister(credentials: {
-  email: string
-  password?: string
-}) {
-  const { email, password } = credentials;
-
-  try {
-    const token = await sdk.auth.login("customer", "emailpass", {
-      email,
-      password,
-    });
+async function medusaLogin(email: string, password: string) {
+  const token = await sdk.auth.login("customer", "emailpass", { email, password });
  await setAuthToken(token as string);

  try {
@@ -281,53 +267,100 @@ export async function medusaLoginOrRegister(credentials: {
    console.error("Failed to transfer cart", e);
  }

-    const customerCacheTag = await getCacheTag("customers");
-    revalidateTag(customerCacheTag);
-
  const customer = await retrieveCustomer();
  if (!customer) {
-      throw new Error("Customer not found");
+    throw new Error("Customer not found for active session");
  }
+
  return customer.id;
-  } catch (error) {
-    console.error("Failed to login customer, attempting to register", error);
-    try {
-      const registerToken = await sdk.auth.register("customer", "emailpass", {
-        email: email,
-        password: password,
-      })
+}

-      await setAuthToken(registerToken as string);
-
-      const headers = {
-        ...(await getAuthHeaders()),
-      };
-
-      await sdk.store.customer.create({ email }, {}, headers);
-
-      const loginToken = await sdk.auth.login("customer", "emailpass", {
+async function medusaRegister({
  email,
  password,
+  name,
+  lastName,
+}: {
+  email: string;
+  password: string;
+  name: string | undefined;
+  lastName: string | undefined;
+}) {
+  console.info(`Creating new Medusa account for Keycloak user with email=${email}`);
+  
+  const registerToken = await sdk.auth.register("customer", "emailpass", { email, password });
+  await setAuthToken(registerToken);
+
+  console.info(`Creating new Medusa customer profile for Keycloak user with email=${email} and name=${name} and lastName=${lastName}`);
+  await sdk.store.customer.create(
+    { email, first_name: name, last_name: lastName },
+    {},
+    {
+      ...(await getAuthHeaders()),
    });
+}

-      await setAuthToken(loginToken as string);
+export async function medusaLoginOrRegister(credentials: {
+  email: string
+  supabaseUserId?: string
+  name?: string,
+  lastName?: string,
+} & ({ isDevPasswordLogin: true; password: string } | { isDevPasswordLogin?: false; password?: undefined })) {
+  const { email, supabaseUserId, name, lastName } = credentials;

-      const customerCacheTag = await getCacheTag("customers");
-      revalidateTag(customerCacheTag);
+
+  const password = await (async () => {
+    if (credentials.isDevPasswordLogin) {
+      return credentials.password;
+    }
+
+    return generateDeterministicPassword(email, supabaseUserId);
+  })();

  try {
-        await transferCart();
-      } catch (e) {
-        console.error("Failed to transfer cart", e);
-      }
+    return await medusaLogin(email, password);
+  } catch (loginError) {
+    console.error("Failed to login customer, attempting to register", loginError);

-      const customer = await retrieveCustomer();
-      if (!customer) {
-        throw new Error("Customer not found");
-      }
-      return customer.id;
+    try {
+      await medusaRegister({ email, password, name, lastName });
+      return await medusaLogin(email, password);
    } catch (registerError) {
+      console.error("Failed to create Medusa account for user with email=${email}", registerError);
      throw medusaError(registerError);
    }
  }
 }
+
+/**
+ * Generate a deterministic password based on user identifier
+ * This ensures the same user always gets the same password for Medusa
+ */
+async function generateDeterministicPassword(email: string, userId?: string): Promise<string> {
+  // Use the user ID or email as the base for deterministic generation
+  const baseString = userId || email;
+  const secret = process.env.MEDUSA_PASSWORD_SECRET!;
+
+  // Create a deterministic password using HMAC
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  const messageData = encoder.encode(baseString);
+
+  // Import key for HMAC
+  const key = await crypto.subtle.importKey(
+    'raw',
+    keyData,
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+  // Generate HMAC
+  const signature = await crypto.subtle.sign('HMAC', key, messageData);
+  // Convert to base64 and make it a valid password
+  const hashArray = Array.from(new Uint8Array(signature));
+  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+  // Take first 24 characters and add some complexity
+  const basePassword = hashHex.substring(0, 24);
+  // Add some required complexity for Medusa (uppercase, lowercase, numbers, symbols)
+  return `Mk${basePassword}9!`;
+}
--- a/packages/features/medusa-storefront/src/modules/account/components/account-nav/index.tsx
+++ b/packages/features/medusa-storefront/src/modules/account/components/account-nav/index.tsx
@@ -10,7 +10,7 @@ import MapPin from "@modules/common/icons/map-pin"
 import Package from "@modules/common/icons/package"
 import LocalizedClientLink from "@modules/common/components/localized-client-link"
 import { HttpTypes } from "@medusajs/types"
-import { signout } from "@lib/data/customer"
+import { medusaLogout } from "@lib/data/customer"

 const AccountNav = ({
  customer,
@@ -21,7 +21,7 @@ const AccountNav = ({
  const { countryCode } = useParams() as { countryCode: string }

  const handleLogout = async () => {
-    await signout(countryCode)
+    await medusaLogout(countryCode)
  }

  return (
--- a/packages/shared/src/config/auth.config.ts
+++ b/packages/shared/src/config/auth.config.ts
@@ -32,7 +32,7 @@ const authConfig = AuthConfigSchema.parse({
  providers: {
    password: process.env.NEXT_PUBLIC_AUTH_PASSWORD === 'true',
    magicLink: process.env.NEXT_PUBLIC_AUTH_MAGIC_LINK === 'true',
-    oAuth: ['google'],
+    oAuth: ['keycloak'],
  },
 } satisfies z.infer<typeof AuthConfigSchema>);

--- a/packages/supabase/src/auth-callback.service.ts
+++ b/packages/supabase/src/auth-callback.service.ts
@@ -4,6 +4,7 @@ import {
  AuthError,
  type EmailOtpType,
  SupabaseClient,
+  User,
 } from '@supabase/supabase-js';

 /**
@@ -128,58 +129,31 @@ class AuthCallbackService {
  /**
   * @name exchangeCodeForSession
   * @description Exchanges the auth code for a session and redirects the user to the next page or an error page
-   * @param request
-   * @param params
+   * @param authCode
   */
-  async exchangeCodeForSession(
-    request: Request,
-    params: {
-      joinTeamPath: string;
-      redirectPath: string;
-      errorPath?: string;
-    },
-  ): Promise<{
-    nextPath: string;
-  }> {
-    const requestUrl = new URL(request.url);
-    const searchParams = requestUrl.searchParams;
-
-    const authCode = searchParams.get('code');
-    const error = searchParams.get('error');
-    const nextUrlPathFromParams = searchParams.get('next');
-    const inviteToken = searchParams.get('invite_token');
-    const errorPath = params.errorPath ?? '/auth/callback/error';
-
-    let nextUrl = nextUrlPathFromParams ?? params.redirectPath;
-
-    // if we have an invite token, we redirect to the join team page
-    // instead of the default next url. This is because the user is trying
-    // to join a team and we want to make sure they are redirected to the
-    // correct page.
-    if (inviteToken) {
-      const emailParam = searchParams.get('email');
-
-      const urlParams = new URLSearchParams({
-        invite_token: inviteToken,
-        email: emailParam ?? '',
-      });
-
-      nextUrl = `${params.joinTeamPath}?${urlParams.toString()}`;
-    }
-
-    if (authCode) {
+  async exchangeCodeForSession(authCode: string): Promise<{
+    isSuccess: boolean;
+    user: User;
+  } | ErrorURLParameters> {
+    let user: User;
    try {
-        const { error } =
+      const { data, error } =
        await this.client.auth.exchangeCodeForSession(authCode);

      // if we have an error, we redirect to the error page
      if (error) {
-          return onError({
+        return getErrorURLParameters({
          code: error.code,
          error: error.message,
-            path: errorPath,
        });
      }
+
+      // Handle Keycloak users - set up Medusa integration
+      if (data?.user && this.isKeycloakUser(data.user)) {
+        await this.setupMedusaUserForKeycloak(data.user);
+      }
+
+      user = data.user;
    } catch (error) {
      console.error(
        {
@@ -191,26 +165,81 @@ class AuthCallbackService {

      const message = error instanceof Error ? error.message : error;

-        return onError({
+      return getErrorURLParameters({
        code: (error as AuthError)?.code,
        error: message as string,
-          path: errorPath,
-        });
-      }
-    }
-
-    if (error) {
-      return onError({
-        error,
-        path: errorPath,
      });
    }

    return {
-      nextPath: nextUrl,
+      isSuccess: true,
+      user,
    };
  }

+  /**
+   * Check if user is from Keycloak provider
+   */
+  private isKeycloakUser(user: any): boolean {
+    return user?.app_metadata?.provider === 'keycloak' ||
+      user?.app_metadata?.providers?.includes('keycloak');
+  }
+
+  private async setupMedusaUserForKeycloak(user: any): Promise<void> {
+    if (!user.email) {
+      console.warn('Keycloak user has no email, skipping Medusa setup');
+      return;
+    }
+
+    try {
+      // Check if user already has medusa_account_id
+      const { data: accountData, error: fetchError } = await this.client
+        .schema('medreport')
+        .from('accounts')
+        .select('medusa_account_id, name, last_name')
+        .eq('primary_owner_user_id', user.id)
+        .eq('is_personal_account', true)
+        .single();
+
+      if (fetchError && fetchError.code !== 'PGRST116') {
+        console.error('Error fetching account data for Keycloak user:', fetchError);
+        return;
+      }
+
+      // If user already has Medusa account, we're done
+      if (accountData?.medusa_account_id) {
+        console.log('Keycloak user already has Medusa account:', accountData.medusa_account_id);
+        return;
+      }
+
+      const { medusaLoginOrRegister } = await import('../../features/medusa-storefront/src/lib/data/customer');
+
+      const medusaAccountId = await medusaLoginOrRegister({
+        email: user.email,
+        supabaseUserId: user.id,
+        name: accountData?.name ?? '-',
+        lastName: accountData?.last_name ?? '-',
+      });
+
+      // Update the account with the Medusa account ID
+      const { error: updateError } = await this.client
+        .schema('medreport')
+        .from('accounts')
+        .update({ medusa_account_id: medusaAccountId })
+        .eq('primary_owner_user_id', user.id)
+        .eq('is_personal_account', true);
+
+      if (updateError) {
+        console.error('Error updating account with Medusa ID:', updateError);
+        return;
+      }
+
+      console.log('Successfully set up Medusa account for Keycloak user:', medusaAccountId);
+    } catch (error) {
+      console.error('Error setting up Medusa account for Keycloak user:', error);
+    }
+  }
+
  private adjustUrlHostForLocalDevelopment(url: URL, host: string | null) {
    if (this.isLocalhost(url.host) && !this.isLocalhost(host)) {
      url.host = host as string;
@@ -231,15 +260,19 @@ class AuthCallbackService {
  }
 }

-function onError({
+interface ErrorURLParameters {
+  error: string;
+  code?: string;
+  searchParams: string;
+}
+
+export function getErrorURLParameters({
  error,
-  path,
  code,
 }: {
  error: string;
-  path: string;
  code?: string;
-}) {
+}): ErrorURLParameters {
  const errorMessage = getAuthErrorMessage({ error, code });

  console.error(
@@ -255,10 +288,10 @@ function onError({
    code: code ?? '',
  });

-  const nextPath = `${path}?${searchParams.toString()}`;
-
  return {
-    nextPath,
+    error: errorMessage,
+    code: code ?? '',
+    searchParams: searchParams.toString(),
  };
 }

--- a/packages/supabase/src/clients/browser-client.ts
+++ b/packages/supabase/src/clients/browser-client.ts
@@ -10,5 +10,11 @@ import { getSupabaseClientKeys } from '../get-supabase-client-keys';
 export function getSupabaseBrowserClient<GenericSchema = Database>() {
  const keys = getSupabaseClientKeys();

-  return createBrowserClient<GenericSchema>(keys.url, keys.anonKey);
+  return createBrowserClient<GenericSchema>(keys.url, keys.anonKey, {
+    auth: {
+      flowType: 'pkce',
+      autoRefreshToken: true,
+      persistSession: true,
+    },
+  });
 }
--- a/packages/supabase/src/clients/middleware-client.ts
+++ b/packages/supabase/src/clients/middleware-client.ts
@@ -20,6 +20,11 @@ export function createMiddlewareClient<GenericSchema = Database>(
  const keys = getSupabaseClientKeys();

  return createServerClient<GenericSchema>(keys.url, keys.anonKey, {
+    auth: {
+      flowType: 'pkce',
+      autoRefreshToken: true,
+      persistSession: true,
+    },
    cookies: {
      getAll() {
        return request.cookies.getAll();
--- a/packages/supabase/src/clients/server-client.ts
+++ b/packages/supabase/src/clients/server-client.ts
@@ -15,6 +15,11 @@ export function getSupabaseServerClient<GenericSchema = Database>() {
  const keys = getSupabaseClientKeys();

  return createServerClient<GenericSchema>(keys.url, keys.anonKey, {
+    auth: {
+      flowType: 'pkce',
+      autoRefreshToken: true,
+      persistSession: true,
+    },
    cookies: {
      async getAll() {
        const cookieStore = await cookies();
--- a/packages/supabase/src/hooks/use-sign-in-with-email-password.ts
+++ b/packages/supabase/src/hooks/use-sign-in-with-email-password.ts
@@ -28,6 +28,7 @@ export function useSignInWithEmailPassword() {
        const medusaAccountId = await medusaLoginOrRegister({
          email: credentials.email,
          password: credentials.password,
+          isDevPasswordLogin: true,
        });
        await client
          .schema('medreport').from('accounts')
--- a/packages/supabase/src/hooks/use-sign-in-with-provider.ts
+++ b/packages/supabase/src/hooks/use-sign-in-with-provider.ts
@@ -9,7 +9,13 @@ export function useSignInWithProvider() {
  const mutationKey = ['auth', 'sign-in-with-provider'];

  const mutationFn = async (credentials: SignInWithOAuthCredentials) => {
-    const response = await client.auth.signInWithOAuth(credentials);
+    const response = await client.auth.signInWithOAuth({
+      ...credentials,
+      options: {
+        ...credentials.options,
+        redirectTo: `${window.location.origin}/auth/callback`,
+      },
+    });

    if (response.error) {
      throw response.error.message;
--- a/packages/supabase/src/hooks/use-sign-out.ts
+++ b/packages/supabase/src/hooks/use-sign-out.ts
@@ -1,15 +1,28 @@
 import { useMutation } from '@tanstack/react-query';

 import { useSupabase } from './use-supabase';
-import { signout } from '../../../features/medusa-storefront/src/lib/data/customer';

 export function useSignOut() {
  const client = useSupabase();

  return useMutation({
    mutationFn: async () => {
-      await signout(undefined, false);
-      return client.auth.signOut();
+      try {
+        try {
+          const { medusaLogout } = await import('../../../features/medusa-storefront/src/lib/data/customer');
+          await medusaLogout();
+        } catch (medusaError) {
+          console.warn('Medusa logout failed or not available:', medusaError);
+        }
+
+        const { error } = await client.auth.signOut();
+        if (error) {
+          throw error;
+        }
+      } catch (error) {
+        console.error('Logout error:', error);
+        throw error;
+      }
    },
  });
 }
--- a/packages/supabase/src/hooks/use-sign-up-with-email-password.ts
+++ b/packages/supabase/src/hooks/use-sign-up-with-email-password.ts
@@ -43,6 +43,7 @@ export function useSignUpWithEmailAndPassword() {
        const medusaAccountId = await medusaLoginOrRegister({
          email: credentials.email,
          password: credentials.password,
+          isDevPasswordLogin: true,
        });
        await client
          .schema('medreport').from('accounts')
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -128,6 +128,9 @@ importers:
      jsonwebtoken:
        specifier: 9.0.2
        version: 9.0.2
+      libphonenumber-js:
+        specifier: ^1.12.15
+        version: 1.12.15
      lodash:
        specifier: ^4.17.21
        version: 4.17.21
@@ -475,10 +478,10 @@ importers:
    dependencies:
      '@keystatic/core':
        specifier: 0.5.47
-        version: 0.5.47(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+        version: 0.5.47(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      '@keystatic/next':
        specifier: ^5.0.4
-        version: 5.0.4(@keystatic/core@0.5.47(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+        version: 5.0.4(@keystatic/core@0.5.47(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      '@markdoc/markdoc':
        specifier: ^0.5.1
        version: 0.5.4(@types/react@19.1.4)(react@19.1.0)
@@ -1269,7 +1272,7 @@ importers:
    dependencies:
      '@sentry/nextjs':
        specifier: ^9.19.0
-        version: 9.46.0(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react@19.1.0)(webpack@5.101.3)
+        version: 9.46.0(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react@19.1.0)(webpack@5.101.3)
      import-in-the-middle:
        specifier: 1.13.2
        version: 1.13.2
@@ -8174,6 +8177,9 @@ packages:
    engines: {node: '>=16'}
    hasBin: true

+  libphonenumber-js@1.12.15:
+    resolution: {integrity: sha512-TMDCtIhWUDHh91wRC+wFuGlIzKdPzaTUHHVrIZ3vPUEoNaXFLrsIQ1ZpAeZeXApIF6rvDksMTvjrIQlLKaYxqQ==}
+
  lightningcss-darwin-arm64@1.30.1:
    resolution: {integrity: sha512-c8JK7hyE65X1MHMN+Viq9n11RRC7hgin3HhYKhrMyaXflk5GVplZ60IxyoVtzILeKr+xAJwg6zK6sjTBJ0FKYQ==}
    engines: {node: '>= 12.0.0'}
@@ -11455,7 +11461,7 @@ snapshots:

  '@juggle/resize-observer@3.4.0': {}

-  '@keystar/ui@0.7.19(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
+  '@keystar/ui@0.7.19(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
    dependencies:
      '@babel/runtime': 7.27.6
      '@emotion/css': 11.13.5
@@ -11548,18 +11554,18 @@ snapshots:
      react: 19.1.0
      react-dom: 19.1.0(react@19.1.0)
    optionalDependencies:
-      next: 15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      next: 15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
    transitivePeerDependencies:
      - supports-color

-  '@keystatic/core@0.5.47(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
+  '@keystatic/core@0.5.47(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
    dependencies:
      '@babel/runtime': 7.27.6
      '@braintree/sanitize-url': 6.0.4
      '@emotion/weak-memoize': 0.3.1
      '@floating-ui/react': 0.24.8(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      '@internationalized/string': 3.2.7
-      '@keystar/ui': 0.7.19(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      '@keystar/ui': 0.7.19(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      '@markdoc/markdoc': 0.4.0(@types/react@19.1.4)(react@19.1.0)
      '@react-aria/focus': 3.20.4(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      '@react-aria/i18n': 3.12.10(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
@@ -11630,13 +11636,13 @@ snapshots:
      - next
      - supports-color

-  '@keystatic/next@5.0.4(@keystatic/core@0.5.47(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
+  '@keystatic/next@5.0.4(@keystatic/core@0.5.47(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
    dependencies:
      '@babel/runtime': 7.27.6
-      '@keystatic/core': 0.5.47(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      '@keystatic/core': 0.5.47(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      '@types/react': 19.1.4
      chokidar: 3.6.0
-      next: 15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      next: 15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      react: 19.1.0
      react-dom: 19.1.0(react@19.1.0)
      server-only: 0.0.1
@@ -17230,7 +17236,7 @@ snapshots:

  '@sentry/core@9.46.0': {}

-  '@sentry/nextjs@9.46.0(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react@19.1.0)(webpack@5.101.3)':
+  '@sentry/nextjs@9.46.0(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(next@15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0))(react@19.1.0)(webpack@5.101.3)':
    dependencies:
      '@opentelemetry/api': 1.9.0
      '@opentelemetry/semantic-conventions': 1.34.0
@@ -17243,7 +17249,7 @@ snapshots:
      '@sentry/vercel-edge': 9.46.0(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))
      '@sentry/webpack-plugin': 3.5.0(webpack@5.101.3)
      chalk: 3.0.0
-      next: 15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
+      next: 15.3.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
      resolve: 1.22.8
      rollup: 4.35.0
      stacktrace-parser: 0.1.11
@@ -20630,6 +20636,8 @@ snapshots:
    dependencies:
      isomorphic.js: 0.2.5

+  libphonenumber-js@1.12.15: {}
+
  lightningcss-darwin-arm64@1.30.1:
    optional: true

@@ -21265,31 +21273,6 @@ snapshots:
      - '@babel/core'
      - babel-plugin-macros

-  next@15.5.2(@babel/core@7.28.3)(@opentelemetry/api@1.9.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.1.0-rc.2)(react-dom@19.1.0(react@19.1.0))(react@19.1.0):
-    dependencies:
-      '@next/env': 15.5.2
-      '@swc/helpers': 0.5.15
-      caniuse-lite: 1.0.30001723
-      postcss: 8.4.31
-      react: 19.1.0
-      react-dom: 19.1.0(react@19.1.0)
-      styled-jsx: 5.1.6(@babel/core@7.28.3)(babel-plugin-macros@3.1.0)(react@19.1.0)
-    optionalDependencies:
-      '@next/swc-darwin-arm64': 15.5.2
-      '@next/swc-darwin-x64': 15.5.2
-      '@next/swc-linux-arm64-gnu': 15.5.2
-      '@next/swc-linux-arm64-musl': 15.5.2
-      '@next/swc-linux-x64-gnu': 15.5.2
-      '@next/swc-linux-x64-musl': 15.5.2
-      '@next/swc-win32-arm64-msvc': 15.5.2
-      '@next/swc-win32-x64-msvc': 15.5.2
-      '@opentelemetry/api': 1.9.0
-      babel-plugin-react-compiler: 19.1.0-rc.2
-      sharp: 0.34.3
-    transitivePeerDependencies:
-      - '@babel/core'
-      - babel-plugin-macros
-
  no-case@3.0.4:
    dependencies:
      lower-case: 2.0.2
--- a/public/locales/en/common.json
+++ b/public/locales/en/common.json
@@ -128,6 +128,9 @@
    "amount": "Amount",
    "selectDate": "Select date"
  },
+  "formFieldError": {
+    "invalidPhoneNumber": "Please enter a valid Estonian phone number (must include country code +372)"
+  },
  "wallet": {
    "balance": "Your MedReport account balance",
    "expiredAt": "Valid until {{expiredAt}}"
--- a/public/locales/et/common.json
+++ b/public/locales/et/common.json
@@ -128,6 +128,9 @@
    "amount": "Summa",
    "selectDate": "Vali kuupäev"
  },
+  "formFieldError": {
+    "invalidPhoneNumber": "Palun sisesta Eesti telefoninumber (peab sisaldama riigikoodi +372)"
+  },
  "wallet": {
    "balance": "Sinu MedReporti konto saldo",
    "expiredAt": "Kehtiv kuni {{expiredAt}}"
--- a/supabase/migrations/20250907000001_update_keycloak_user_creation.sql
+++ b/supabase/migrations/20250907000001_update_keycloak_user_creation.sql
@@ -0,0 +1,94 @@
+-- Update the user creation trigger to properly handle Keycloak user metadata
+CREATE OR REPLACE FUNCTION kit.setup_new_user()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path TO ''
+AS $$
+DECLARE
+    user_name text;
+    picture_url text;
+    personal_code text;
+    full_name text;
+    given_name text;
+    family_name text;
+    preferred_username text;
+BEGIN
+    -- Extract data from Keycloak user metadata
+    -- Check raw_user_meta_data first (this is where Keycloak data is stored)
+    IF new.raw_user_meta_data IS NOT NULL THEN
+        -- Try full_name first, then name field
+        full_name := new.raw_user_meta_data ->> 'full_name';
+        IF full_name IS NULL THEN
+            full_name := new.raw_user_meta_data ->> 'name';
+        END IF;
+        
+        -- Extract individual name components
+        given_name := new.raw_user_meta_data -> 'custom_claims' ->> 'given_name';
+        family_name := new.raw_user_meta_data -> 'custom_claims' ->> 'family_name';
+        preferred_username := new.raw_user_meta_data -> 'custom_claims' ->> 'preferred_username';
+        
+        -- Use given_name (first name) for the name field
+        IF given_name IS NOT NULL THEN
+            user_name := given_name;
+        ELSIF full_name IS NOT NULL THEN
+            user_name := full_name;
+        ELSIF preferred_username IS NOT NULL THEN
+            user_name := preferred_username;
+        END IF;
+        
+        -- Extract personal code from preferred_username (Keycloak provides Estonian personal codes here)
+        IF preferred_username IS NOT NULL THEN
+            personal_code := preferred_username;
+        END IF;
+        
+        -- Also try personalCode field as fallback
+        IF personal_code IS NULL THEN
+            personal_code := new.raw_user_meta_data ->> 'personalCode';
+        END IF;
+    END IF;
+
+    -- Fall back to email if no name found
+    IF user_name IS NULL AND new.email IS NOT NULL THEN
+        user_name := split_part(new.email, '@', 1);
+    END IF;
+
+    -- Default empty string if still no name
+    IF user_name IS NULL THEN
+        user_name := '';
+    END IF;
+
+    -- Extract picture URL
+    IF new.raw_user_meta_data ->> 'avatar_url' IS NOT NULL THEN
+        picture_url := new.raw_user_meta_data ->> 'avatar_url';
+    ELSE
+        picture_url := null;
+    END IF;
+
+    -- Insert into medreport.accounts
+    INSERT INTO medreport.accounts (
+        id,
+        primary_owner_user_id,
+        name,
+        last_name,
+        is_personal_account,
+        picture_url,
+        email,
+        personal_code,
+        application_role
+    )
+    VALUES (
+        new.id,
+        new.id,
+        user_name,
+        family_name,
+        true,
+        picture_url,
+        NULL, -- Keycloak email !== customer personal email, they will set this later
+        personal_code,
+        'user'  -- Default role for new users
+    );
+
+    RETURN new;
+END;
+$$;