FieldOps/apps/admin-web/lib/auth.ts

import NextAuth from 'next-auth';
import Credentials from 'next-auth/providers/credentials';
import { prisma } from '@repo/db';
import { authenticateCredential } from '@repo/api';
import type { SessionUser } from '@repo/api';
import { env } from '../env';
import { authConfig } from './auth.config';

export const { handlers, auth, signIn, signOut } = NextAuth({
  ...authConfig,
  secret: env.AUTH_SECRET,
  providers: [
    Credentials({
      name: 'Email + password',
      credentials: {
        email:    { label: 'Email',    type: 'email' },
        password: { label: 'Password', type: 'password' },
      },
      async authorize(credentials) {
        const email    = credentials?.email;
        const password = credentials?.password;
        if (typeof email !== 'string' || typeof password !== 'string') return null;
        const u = await authenticateCredential({
          email,
          secret: password,
          allowedRoles: ['ADMIN', 'SUPERVISOR', 'QUALITY'],
        });
        if (!u) return null;
        return {
          id: u.id,
          email: u.email,
          name: u.email,
          // eslint-disable-next-line @typescript-eslint/no-explicit-any
          role: u.role as any,
          // eslint-disable-next-line @typescript-eslint/no-explicit-any
          tenantId: u.tenantId as any,
        };
      },
    }),
  ],
});

/**
 * Resolve the current user for server-side code (RSC, route handlers, tRPC).
 * Falls back to dev autologin only outside production.
 */
export async function resolveUser(): Promise<SessionUser | null> {
  const session = await auth();
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  const u = session?.user as any;
  if (u?.id && u?.tenantId) {
    return { id: u.id, email: u.email, role: u.role, tenantId: u.tenantId };
  }

  const autologinAllowed =
    process.env['AUTH_DEV_AUTOLOGIN'] === 'true' && process.env.NODE_ENV !== 'production';
  if (autologinAllowed) {
    const admin = await prisma.user.findFirst({ where: { email: 'admin@demo.local' } });
    if (admin) {
      return {
        id: admin.id,
        email: admin.email,
        // eslint-disable-next-line @typescript-eslint/no-explicit-any
        role: admin.role as any,
        tenantId: admin.tenantId,
      };
    }
  }

  return null;
}