import NextAuth from 'next-auth'; import Credentials from 'next-auth/providers/credentials'; import { prisma } from '@repo/db'; import { authenticateCredential } from '@repo/api'; import type { SessionUser } from '@repo/api'; import { env } from '../env'; import { authConfig } from './auth.config'; export const { handlers, auth, signIn, signOut } = NextAuth({ ...authConfig, secret: env.AUTH_SECRET, providers: [ Credentials({ name: 'Email + password', credentials: { email: { label: 'Email', type: 'email' }, password: { label: 'Password', type: 'password' }, }, async authorize(credentials) { const email = credentials?.email; const password = credentials?.password; if (typeof email !== 'string' || typeof password !== 'string') return null; const u = await authenticateCredential({ email, secret: password, allowedRoles: ['ADMIN', 'SUPERVISOR'], }); if (!u) return null; return { id: u.id, email: u.email, name: u.email, // eslint-disable-next-line @typescript-eslint/no-explicit-any role: u.role as any, // eslint-disable-next-line @typescript-eslint/no-explicit-any tenantId: u.tenantId as any, }; }, }), ], }); /** * Resolve the current user for server-side code (RSC, route handlers, tRPC). * Falls back to dev autologin only outside production. */ export async function resolveUser(): Promise { const session = await auth(); // eslint-disable-next-line @typescript-eslint/no-explicit-any const u = session?.user as any; if (u?.id && u?.tenantId) { return { id: u.id, email: u.email, role: u.role, tenantId: u.tenantId }; } const autologinAllowed = process.env['AUTH_DEV_AUTOLOGIN'] === 'true' && process.env.NODE_ENV !== 'production'; if (autologinAllowed) { const admin = await prisma.user.findFirst({ where: { email: 'admin@demo.local' } }); if (admin) { return { id: admin.id, email: admin.email, // eslint-disable-next-line @typescript-eslint/no-explicit-any role: admin.role as any, tenantId: admin.tenantId, }; } } return null; }