Pedro Gomes
1bc837e606
# O que mudou 1 Schema: failedAttempts + lockedUntil em User; migration auth_v0_2_lockout aplicada; crypto.ts com hashSecret/verifySecret (Node scrypt nativo, zero deps) 2 packages/api/src/auth.ts — authenticateCredential com lockout de 5 tentativas 3 Seed reescrito: admin hashed admin1234, operadores hashed 1111/2222/3333 4 Porta das traseiras fechada: AUTH_DEV_AUTOLOGIN ignorado quando NODE_ENV=production, em ambas as apps 5 operator-pwa: Credentials provider usa PIN + allowedRoles:['OPERATOR']; cookies fieldops-op.* 6 Picker em 2 estados: lista → teclado PIN (botões grandes, dots de progresso, mensagem de erro sem dar pistas) 7 admin-web: Auth.js completo (auth.config, auth.ts, route handler, middleware, /login page, AUTH_SECRET no env) com cookies fieldops-admin.* 8 scripts/auth-smoke.ts (11/11 ✓); .env.example e README atualizados
40 lines
1.5 KiB
TypeScript
40 lines
1.5 KiB
TypeScript
import NextAuth from 'next-auth';
|
|
import { authConfig } from './lib/auth.config';
|
|
|
|
// Edge-runtime middleware. Uses the edge-safe authConfig (no Credentials
|
|
// provider, no Prisma) — it only validates and refreshes the JWT cookie. The
|
|
// full auth config with the Credentials provider lives in lib/auth.ts and
|
|
// runs in the Node.js runtime via the route handlers.
|
|
const { auth } = NextAuth(authConfig);
|
|
|
|
export default auth((req) => {
|
|
const isLoggedIn = !!req.auth?.user;
|
|
// AUTH_DEV_AUTOLOGIN bypasses the picker redirect in dev only.
|
|
// Ignored in production even when the flag is set.
|
|
const isAutologin =
|
|
process.env['AUTH_DEV_AUTOLOGIN'] === 'true' && process.env.NODE_ENV !== 'production';
|
|
const { pathname } = req.nextUrl;
|
|
|
|
// On the picker itself: skip if already logged in.
|
|
if (pathname === '/select-operator') {
|
|
if (isLoggedIn) {
|
|
return Response.redirect(new URL('/', req.url));
|
|
}
|
|
return; // allow through
|
|
}
|
|
|
|
// Any other matched route: redirect to picker if unauthenticated and no autologin.
|
|
if (!isLoggedIn && !isAutologin) {
|
|
return Response.redirect(new URL('/select-operator', req.url));
|
|
}
|
|
});
|
|
|
|
export const config = {
|
|
matcher: [
|
|
// Run on every path except static assets, image optimization, and the
|
|
// PWA manifest. The Auth.js / tRPC API routes are excluded explicitly
|
|
// because they handle session resolution themselves.
|
|
'/((?!api/auth|api/trpc|_next/static|_next/image|favicon.ico|manifest.webmanifest|icon-.*\\.svg).*)',
|
|
],
|
|
};
|