diff --git a/apps/admin-web/lib/auth.ts b/apps/admin-web/lib/auth.ts
index 55ba266..a7eff68 100644
--- a/apps/admin-web/lib/auth.ts
+++ b/apps/admin-web/lib/auth.ts
@@ -3,13 +3,12 @@ import Credentials from 'next-auth/providers/credentials';
 import { prisma } from '@repo/db';
 import { authenticateCredential } from '@repo/api';
 import type { SessionUser } from '@repo/api';
+import { env } from '../env';
 import { authConfig } from './auth.config';
 
-const AUTH_SECRET = process.env['AUTH_SECRET'];
-
 export const { handlers, auth, signIn, signOut } = NextAuth({
 ...authConfig,
- secret: AUTH_SECRET,
+ secret: env.AUTH_SECRET,
 providers: [
 Credentials({
 name: 'Email + password',
diff --git a/apps/operator-pwa/lib/auth.ts b/apps/operator-pwa/lib/auth.ts
index 1cf2bfd..1becab5 100644
--- a/apps/operator-pwa/lib/auth.ts
+++ b/apps/operator-pwa/lib/auth.ts
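Review bot: The switch to `env.AUTH_SECRET` only tightens anything if the `../env` module declares AUTH_SECRET as required (ideally with a minimum length); the hunk does not show that schema, so please confirm, because an optional field would leave behaviour identical to the old `process.env['AUTH_SECRET']` read. The sibling operator-pwa file gets a header comment in this commit describing who may sign in and how credentials are checked, but admin-web's `export const { handlers, auth, signIn, signOut } = NextAuth({` has none; a short block above it stating the audience of this Credentials provider and that the secret is sourced from the validated env module would keep the two apps readable side by side. The NextAuth call continues past the end of the hunk.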
@@ -2,33 +2,30 @@
 import NextAuth from 'next-auth';
 import Credentials from 'next-auth/providers/credentials';
 import { prisma } from '@repo/db';
 import { authenticateCredential } from '@repo/api';
-import type { SessionUser } from '@repo/api'; // eslint-disable-line @typescript-eslint/no-unused-vars
+import type { SessionUser } from '@repo/api';
 import { env } from '../env';
 import { authConfig } from './auth.config';
 
 /**
  * ============================================================================
- * Auth.js v5 — PLACEHOLDER configuration for the scaffold phase.
+ * Auth.js v5 — operator authentication (v0.2).
  * ============================================================================
  *
- * The Credentials provider below accepts ANY email that exists in the User
- * table (seeded by `pnpm db:seed`). NO PASSWORD CHECK is performed. This is
- * deliberately minimal — just enough to populate the tRPC context with a real
- * Auth.js session — and MUST be replaced with real authentication before any
- * non-dev deployment.
+ * The Credentials provider below verifies an operator's PIN against the
+ * scrypt hash in User.passwordHash (via authenticateCredential, which also
+ * enforces role and account lockout). Only OPERATOR users may sign in here.
  *
  * Auto sign-in
  * ------------
  * See `resolveUser()` below. When AUTH_DEV_AUTOLOGIN=true, server-side code
- * that has no session falls back to the seeded admin user. This is a back
- * door and is gated by an explicit env flag whose default in .env.example is
- * FALSE.
+ * that has no session falls back to the seeded admin user. This is a dev/CI
+ * back door, gated TWICE: by an explicit env flag (default FALSE in
+ * .env.example) AND by NODE_ENV — it is IGNORED when NODE_ENV=production.
  *
  * !!! NEVER set AUTH_DEV_AUTOLOGIN=true in production. !!!
  *
- * In production with AUTH_DEV_AUTOLOGIN unset/false, requests without a
- * signed Auth.js session resolve to user=null, and protectedProcedure throws
- * 401.
+ * In production (or with the flag off), requests without a signed Auth.js
+ * session resolve to user=null, and protectedProcedure throws 401.
  * ============================================================================
  */
diff --git a/docs/plans/auth-v0.2.md b/docs/plans/auth-v0.2.md
index 5048ed1..537ea39 100644
--- a/docs/plans/auth-v0.2.md
+++ b/docs/plans/auth-v0.2.md
@@ -1,6 +1,8 @@
 # Plano — Auth real v0.2 (pré-piloto)
 
-> Autor: Opus 4.8 (sessão de design, 2026-05-30). Destinado a implementação pelo Sonnet.
+> **ESTADO: IMPLEMENTADO (2026-05-30).** Os 8 passos foram concluídos e verificados (typecheck limpo, `scripts/auth-smoke.ts` 11/11, E2E do MAI CALL verde). Endurecimentos pré-piloto ainda diferidos (não-bugs): enumeração por timing, rate-limit por IP, prefixo `__Secure-` dos cookies, PINs/segredo de demo, HTTPS em produção. Ver §10 e a memory `project-phase`.
+>
+> Autor: Opus 4.8 (sessão de design, 2026-05-30). Implementado pelo Sonnet.
 > Pré-requisito: MAI CALL v0.1 completo (ver [`mai-call-v0.1.md`](./mai-call-v0.1.md)). Estado do código no momento do design verificado contra o repo.
 
 ## Objetivo numa frase
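Review bot: The new header comment presents NODE_ENV as a second gate for the auto sign-in back door, but NODE_ENV is a build/deployment convention rather than an access control, so the comment should not leave readers thinking a non-production NODE_ENV makes the flag safe on a reachable host. I would add one line after the `!!! NEVER set AUTH_DEV_AUTOLOGIN=true in production. !!!` line: ` * Keep it false in ANY network-reachable environment (staging, previews): NODE_ENV only backstops a misconfigured production build.` The `resolveUser()` function the comment points to, where that gate would live, is outside this hunk, so the described NODE_ENV check and the claim that authenticateCredential enforces role and lockout cannot be confirmed from the diff alone.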