97 lines
3.5 KiB
TypeScript
97 lines
3.5 KiB
TypeScript
import NextAuth from 'next-auth';
|
|
import Credentials from 'next-auth/providers/credentials';
|
|
import { prisma } from '@repo/db';
|
|
import { authenticateCredential } from '@repo/api';
|
|
import type { SessionUser } from '@repo/api';
|
|
import { env } from '../env';
|
|
import { authConfig } from './auth.config';
|
|
|
|
/**
|
|
* ============================================================================
|
|
* Auth.js v5 — operator authentication (v0.2).
|
|
* ============================================================================
|
|
*
|
|
* The Credentials provider below verifies an operator's PIN against the
|
|
* scrypt hash in User.passwordHash (via authenticateCredential, which also
|
|
* enforces role and account lockout). Only OPERATOR users may sign in here.
|
|
*
|
|
* Auto sign-in
|
|
* ------------
|
|
* See `resolveUser()` below. When AUTH_DEV_AUTOLOGIN=true, server-side code
|
|
* that has no session falls back to the seeded admin user. This is a dev/CI
|
|
* back door, gated TWICE: by an explicit env flag (default FALSE in
|
|
* .env.example) AND by NODE_ENV — it is IGNORED when NODE_ENV=production.
|
|
*
|
|
* !!! NEVER set AUTH_DEV_AUTOLOGIN=true in production. !!!
|
|
*
|
|
* In production (or with the flag off), requests without a signed Auth.js
|
|
* session resolve to user=null, and protectedProcedure throws 401.
|
|
* ============================================================================
|
|
*/
|
|
|
|
export const { handlers, auth, signIn, signOut } = NextAuth({
|
|
...authConfig,
|
|
secret: env.AUTH_SECRET,
|
|
providers: [
|
|
Credentials({
|
|
name: 'Operador (PIN)',
|
|
credentials: {
|
|
email: { label: 'Email', type: 'text' },
|
|
pin: { label: 'PIN', type: 'password' },
|
|
},
|
|
async authorize(credentials) {
|
|
const email = credentials?.email;
|
|
const pin = credentials?.pin;
|
|
if (typeof email !== 'string' || typeof pin !== 'string') return null;
|
|
const u = await authenticateCredential({
|
|
email,
|
|
secret: pin,
|
|
allowedRoles: ['OPERATOR'],
|
|
});
|
|
if (!u) return null;
|
|
return {
|
|
id: u.id,
|
|
email: u.email,
|
|
name: u.email,
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
role: u.role as any,
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
tenantId: u.tenantId as any,
|
|
};
|
|
},
|
|
}),
|
|
],
|
|
});
|
|
|
|
/**
|
|
* Resolve the current user for server-side code (RSC, route handlers, tRPC).
|
|
* Single chokepoint that combines the real Auth.js session with the dev-only
|
|
* auto-login fallback. Application code MUST use this and not call `auth()`
|
|
* directly when it expects to honour AUTH_DEV_AUTOLOGIN.
|
|
*/
|
|
export async function resolveUser(): Promise<SessionUser | null> {
|
|
const session = await auth();
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
const u = session?.user as any;
|
|
if (u?.id && u?.tenantId) {
|
|
return { id: u.id, email: u.email, role: u.role, tenantId: u.tenantId };
|
|
}
|
|
|
|
const autologinAllowed = env.AUTH_DEV_AUTOLOGIN && process.env.NODE_ENV !== 'production';
|
|
if (autologinAllowed) {
|
|
// Dev back door. Disabled in production even if the env flag is set.
|
|
const admin = await prisma.user.findFirst({ where: { email: 'admin@demo.local' } });
|
|
if (admin) {
|
|
return {
|
|
id: admin.id,
|
|
email: admin.email,
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
role: admin.role as any,
|
|
tenantId: admin.tenantId,
|
|
};
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|