Pedro Gomes
1bc837e606
# O que mudou 1 Schema: failedAttempts + lockedUntil em User; migration auth_v0_2_lockout aplicada; crypto.ts com hashSecret/verifySecret (Node scrypt nativo, zero deps) 2 packages/api/src/auth.ts — authenticateCredential com lockout de 5 tentativas 3 Seed reescrito: admin hashed admin1234, operadores hashed 1111/2222/3333 4 Porta das traseiras fechada: AUTH_DEV_AUTOLOGIN ignorado quando NODE_ENV=production, em ambas as apps 5 operator-pwa: Credentials provider usa PIN + allowedRoles:['OPERATOR']; cookies fieldops-op.* 6 Picker em 2 estados: lista → teclado PIN (botões grandes, dots de progresso, mensagem de erro sem dar pistas) 7 admin-web: Auth.js completo (auth.config, auth.ts, route handler, middleware, /login page, AUTH_SECRET no env) com cookies fieldops-admin.* 8 scripts/auth-smoke.ts (11/11 ✓); .env.example e README atualizados
73 lines
2.3 KiB
TypeScript
73 lines
2.3 KiB
TypeScript
import NextAuth from 'next-auth';
|
|
import Credentials from 'next-auth/providers/credentials';
|
|
import { prisma } from '@repo/db';
|
|
import { authenticateCredential } from '@repo/api';
|
|
import type { SessionUser } from '@repo/api';
|
|
import { authConfig } from './auth.config';
|
|
|
|
const AUTH_SECRET = process.env['AUTH_SECRET'];
|
|
|
|
export const { handlers, auth, signIn, signOut } = NextAuth({
|
|
...authConfig,
|
|
secret: AUTH_SECRET,
|
|
providers: [
|
|
Credentials({
|
|
name: 'Email + password',
|
|
credentials: {
|
|
email: { label: 'Email', type: 'email' },
|
|
password: { label: 'Password', type: 'password' },
|
|
},
|
|
async authorize(credentials) {
|
|
const email = credentials?.email;
|
|
const password = credentials?.password;
|
|
if (typeof email !== 'string' || typeof password !== 'string') return null;
|
|
const u = await authenticateCredential({
|
|
email,
|
|
secret: password,
|
|
allowedRoles: ['ADMIN', 'SUPERVISOR'],
|
|
});
|
|
if (!u) return null;
|
|
return {
|
|
id: u.id,
|
|
email: u.email,
|
|
name: u.email,
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
role: u.role as any,
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
tenantId: u.tenantId as any,
|
|
};
|
|
},
|
|
}),
|
|
],
|
|
});
|
|
|
|
/**
|
|
* Resolve the current user for server-side code (RSC, route handlers, tRPC).
|
|
* Falls back to dev autologin only outside production.
|
|
*/
|
|
export async function resolveUser(): Promise<SessionUser | null> {
|
|
const session = await auth();
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
const u = session?.user as any;
|
|
if (u?.id && u?.tenantId) {
|
|
return { id: u.id, email: u.email, role: u.role, tenantId: u.tenantId };
|
|
}
|
|
|
|
const autologinAllowed =
|
|
process.env['AUTH_DEV_AUTOLOGIN'] === 'true' && process.env.NODE_ENV !== 'production';
|
|
if (autologinAllowed) {
|
|
const admin = await prisma.user.findFirst({ where: { email: 'admin@demo.local' } });
|
|
if (admin) {
|
|
return {
|
|
id: admin.id,
|
|
email: admin.email,
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
role: admin.role as any,
|
|
tenantId: admin.tenantId,
|
|
};
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|