pequenas correções + doc update

2026-05-30 12:14:46 +01:00 · 2026-05-30 12:14:46 +01:00 · 98f6444736
commit 98f6444736
parent 1bc837e606
3 changed files with 15 additions and 17 deletions
--- a/apps/admin-web/lib/auth.ts
+++ b/apps/admin-web/lib/auth.ts
@ -3,13 +3,12 @@ import Credentials from 'next-auth/providers/credentials';
 import { prisma } from '@repo/db';
 import { authenticateCredential } from '@repo/api';
 import type { SessionUser } from '@repo/api';
 import { env } from '../env';
 import { authConfig } from './auth.config';
 const AUTH_SECRET = process.env['AUTH_SECRET'];
 export const { handlers, auth, signIn, signOut } = NextAuth({
  ...authConfig,
-  secret: AUTH_SECRET,
+  secret: env.AUTH_SECRET,
  providers: [
    Credentials({
      name: 'Email + password',
--- a/apps/operator-pwa/lib/auth.ts
+++ b/apps/operator-pwa/lib/auth.ts
@ -2,33 +2,30 @@ import NextAuth from 'next-auth';
 import Credentials from 'next-auth/providers/credentials';
 import { prisma } from '@repo/db';
 import { authenticateCredential } from '@repo/api';
-import type { SessionUser } from '@repo/api';  // eslint-disable-line @typescript-eslint/no-unused-vars
+import type { SessionUser } from '@repo/api';
 import { env } from '../env';
 import { authConfig } from './auth.config';
 /**
 * ============================================================================
- *  Auth.js v5 — PLACEHOLDER configuration for the scaffold phase.
+ *  Auth.js v5 — operator authentication (v0.2).
 * ============================================================================
 *
- *  The Credentials provider below accepts ANY email that exists in the User
+ *  The Credentials provider below verifies an operator's PIN against the
- *  table (seeded by `pnpm db:seed`). NO PASSWORD CHECK is performed. This is
+ *  scrypt hash in User.passwordHash (via authenticateCredential, which also
- *  deliberately minimal — just enough to populate the tRPC context with a real
+ *  enforces role and account lockout). Only OPERATOR users may sign in here.
 *  Auth.js session — and MUST be replaced with real authentication before any
 *  non-dev deployment.
 *
 *  Auto sign-in
 *  ------------
 *  See `resolveUser()` below. When AUTH_DEV_AUTOLOGIN=true, server-side code
- *  that has no session falls back to the seeded admin user. This is a back
+ *  that has no session falls back to the seeded admin user. This is a dev/CI
- *  door and is gated by an explicit env flag whose default in .env.example is
+ *  back door, gated TWICE: by an explicit env flag (default FALSE in
- *  FALSE.
+ *  .env.example) AND by NODE_ENV — it is IGNORED when NODE_ENV=production.
 *
 *      !!! NEVER set AUTH_DEV_AUTOLOGIN=true in production. !!!
 *
- *  In production with AUTH_DEV_AUTOLOGIN unset/false, requests without a
+ *  In production (or with the flag off), requests without a signed Auth.js
- *  signed Auth.js session resolve to user=null, and protectedProcedure throws
+ *  session resolve to user=null, and protectedProcedure throws 401.
 *  401.
 * ============================================================================
 */
--- a/docs/plans/auth-v0.2.md
+++ b/docs/plans/auth-v0.2.md
@ -1,6 +1,8 @@
 # Plano — Auth real v0.2 (pré-piloto)
-> Autor: Opus 4.8 (sessão de design, 2026-05-30). Destinado a implementação pelo Sonnet.
+> **ESTADO: IMPLEMENTADO (2026-05-30).** Os 8 passos foram concluídos e verificados (typecheck limpo, `scripts/auth-smoke.ts` 11/11, E2E do MAI CALL verde). Endurecimentos pré-piloto ainda diferidos (não-bugs): enumeração por timing, rate-limit por IP, prefixo `__Secure-` dos cookies, PINs/segredo de demo, HTTPS em produção. Ver §10 e a memory `project-phase`.
 >
 > Autor: Opus 4.8 (sessão de design, 2026-05-30). Implementado pelo Sonnet.
 > Pré-requisito: MAI CALL v0.1 completo (ver [`mai-call-v0.1.md`](./mai-call-v0.1.md)). Estado do código no momento do design verificado contra o repo.
 ## Objetivo numa frase