dev_stats/auth.ts at main · m-sanjid/dev_stats · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
import NextAuth, { NextAuthConfig, User } from "next-auth";
import { PrismaAdapter } from "@auth/prisma-adapter";
import Google from "next-auth/providers/google";
import GitHub from "next-auth/providers/github";
import Credentials from "next-auth/providers/credentials";
import { prisma } from "./lib/prisma";

// Password hashing and verification using Web Crypto API
async function hashPassword(password: string): Promise<string> {
  const encoder = new TextEncoder();
  const data = encoder.encode(password);
  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
  return Buffer.from(hashBuffer).toString("hex");
}

async function verifyPassword(
  inputPassword: string,
  hashedPassword: string,
): Promise<boolean> {
  const hashedInput = await hashPassword(inputPassword);
  return hashedInput === hashedPassword;
}

const authConfig: NextAuthConfig = {
  adapter: PrismaAdapter(prisma),
  providers: [
    Google({
      clientId: process.env.AUTH_GOOGLE_ID,
      clientSecret: process.env.AUTH_GOOGLE_SECRET,
      allowDangerousEmailAccountLinking: true,
    }),
    GitHub({
      clientId: process.env.AUTH_GITHUB_ID,
      clientSecret: process.env.AUTH_GITHUB_SECRET,
      allowDangerousEmailAccountLinking: true,
      authorization: { params: { scope: "repo read:user read:email" } },
    }),
    Credentials({
      name: "credentials",
      credentials: {
        email: { label: "Email", type: "text" },
        password: { label: "Password", type: "password" },
      },
      async authorize(credentials): Promise<User | null> {
        if (!credentials?.email || !credentials?.password) return null;

        const user = await prisma.user.findUnique({
          where: { email: credentials.email as string },
        });

        if (!user || !user.password) return null;

        const isValid = await verifyPassword(
          credentials.password as string,
          user.password,
        );

        return isValid
          ? {
              id: user.id.toString(),
              email: user.email!,
              role: user.role ?? "user",
              name: user.name!,
            }
          : null;
      },
    }),
  ],
  session: { strategy: "jwt" },
  callbacks: {
    async jwt({ token, user, account }) {
      if (user) {
        token.sub = user.id;
        token.role = user.role ?? "user";

        if (!token.sub) {
          console.error("Missing userId in JWT callback.");
          return token;
        }

        const dbUser = await prisma.user.findUnique({
          where: { id: token.sub },
          select: { subscription: true, useWebhook: true },
        });

        token.subscription = dbUser?.subscription ?? "free";
        token.useWebhook = dbUser?.useWebhook ?? false;

        // Store GitHub token if present
        if (account?.provider === "github" && account.access_token) {
          try {
            await prisma.githubToken.upsert({
              where: { userId: token.sub },
              create: { userId: token.sub, accessToken: account.access_token },
              update: { accessToken: account.access_token },
            });

            // Store in JWT token for easy access
            token.githubAccessToken = account.access_token;
          } catch (error) {
            console.error("Error storing GitHub token:", error);
          }
        }
      }
      return token;
    },

    async session({ session, token }) {
      if (!token.sub) return session;
      const githubToken = await prisma.account.findFirst({
        where: { userId: token.sub, provider: "github" },
        select: { access_token: true },
      });

      return {
        ...session,
        user: {
          ...session.user,
          id: token.sub as string,
          role: token.role,
          hasGithubToken: !!(await prisma.githubToken.findUnique({
            where: { userId: token.sub as string },
          })),
          githubAccessToken: githubToken?.access_token || null,
          subscription: token.subscription ?? "free",
          useWebhook: token.useWebhook ?? false,
        },
      };
    },
  },
  pages: {
    signIn: "/login",
    error: "/auth/error",
  },
  secret: process.env.AUTH_SECRET,
  trustHost: true,
  debug: process.env.NODE_ENV === "development",
};

export const { handlers, auth, signIn, signOut } = NextAuth(authConfig);