Auth hardening: JWT middleware, sign-in bypass fix, dev-mode gate, marketing build

apps/api/lib/user.ts

@@ -3,20 +3,28 @@ import { db, users } from '@baseline/db';
 import { eq } from 'drizzle-orm';
 
 export async function getCurrentUserId(): Promise<string> {
-  // Try real auth session first
   const session = await auth();
   if (session?.user?.id) {
     return session.user.id;
   }
 
-  // Dev fallback: use seed user
-  if (process.env.NODE_ENV === 'development') {
+  if (
+    process.env.NODE_ENV === 'development' &&
+    process.env.BASELINE_DEV_AUTO_LOGIN === 'true' &&
+    process.env.DATABASE_URL?.includes('localhost')
+  ) {
     const [user] = await db
       .select({ id: users.id })
       .from(users)
       .where(eq(users.email, 'dev@baseline.local'))
       .limit(1);
-    if (user) return user.id;
+    if (user) {
+      console.warn(
+        '[auth] ⚠️  dev auto-login active — request resolved to dev@baseline.local. ' +
+          'Unset BASELINE_DEV_AUTO_LOGIN to disable.',
+      );
+      return user.id;
+    }
   }
 
   throw new Error('Unauthorized');

apps/marketing/Dockerfile

@@ -17,6 +17,8 @@ COPY --from=deps /app/ ./
 COPY apps/marketing ./apps/marketing
 COPY pnpm-workspace.yaml package.json turbo.json tsconfig.base.json ./
 
+ARG NEXT_PUBLIC_GITHUB_USERNAME
+ENV NEXT_PUBLIC_GITHUB_USERNAME=${NEXT_PUBLIC_GITHUB_USERNAME}
 ENV NEXT_TELEMETRY_DISABLED=1
 ENV NODE_ENV=production
 

apps/web/src/app/components/sidebar.tsx

@@ -45,10 +45,18 @@ export function Sidebar() {
 
       <div className="px-3 py-4 border-t border-neutral-200 dark:border-neutral-800">
         <button
-          onClick={() => {
-            document.cookie = 'baseline-session=; path=/; max-age=0';
-            document.cookie = 'authjs.session-token=; path=/; max-age=0';
-            document.cookie = '__Secure-authjs.session-token=; path=/; max-age=0';
+          onClick={async () => {
+            const apiUrl = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3001';
+            const csrfRes = await fetch(`${apiUrl}/api/auth/csrf`, {
+              credentials: 'include',
+            });
+            const { csrfToken } = await csrfRes.json();
+            await fetch(`${apiUrl}/api/auth/signout`, {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+              body: new URLSearchParams({ csrfToken, redirect: 'false' }),
+              credentials: 'include',
+            });
             window.location.href = '/sign-in';
           }}
           className="w-full text-left px-3 py-2 text-sm text-neutral-500 hover:text-neutral-900 dark:hover:text-white rounded-lg hover:bg-neutral-50 dark:hover:bg-neutral-900 transition-colors"

apps/web/src/app/sign-in/page.tsx

@@ -25,19 +25,23 @@ export default function SignIn() {
       await fetch(`${apiUrl}/api/auth/callback/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        body: new URLSearchParams({ email, password, csrfToken, redirect: 'false' }),
+        body: new URLSearchParams({ email, password, csrfToken }),
         credentials: 'include',
-        redirect: 'manual',
+        redirect: 'follow',
       });
 
-      // Check if session cookie was set by verifying with the session endpoint
+      // NextAuth v5 beta returns a 302 from the credentials callback whether
+      // the attempt succeeded or failed, so we can't derive the result from
+      // the response directly. Instead we check the session: authorize() only
+      // sets a session cookie on success, so if session.user.email matches
+      // the submitted email, this attempt succeeded.
       const sessionRes = await fetch(`${apiUrl}/api/auth/session`, {
         credentials: 'include',
+        cache: 'no-store',
       });
       const session = await sessionRes.json();
 
-      if (session?.user) {
-        document.cookie = `baseline-session=true; path=/; max-age=${60 * 60 * 24 * 30}`;
+      if (session?.user?.email?.toLowerCase() === email.toLowerCase()) {
         window.location.href = '/';
       } else {
         setError('Invalid email or password');

apps/web/src/app/sign-up/page.tsx

@@ -39,7 +39,6 @@ export default function SignUp() {
           redirect: 'follow',
         });
 
-        document.cookie = `baseline-session=true; path=/; max-age=${60 * 60 * 24 * 30}`;
         window.location.href = '/';
       } else {
         const data = await res.json();

apps/web/src/middleware.ts

@@ -0,0 +1,37 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { getToken } from 'next-auth/jwt';
+
+const publicPaths = ['/sign-in', '/sign-up'];
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+
+  if (publicPaths.some((p) => pathname.startsWith(p))) {
+    return NextResponse.next();
+  }
+
+  const apiUrl = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3001';
+  const secureCookie = apiUrl.startsWith('https://');
+  const cookieName = secureCookie
+    ? '__Secure-authjs.session-token'
+    : 'authjs.session-token';
+
+  const token = await getToken({
+    req: request,
+    secret: process.env.AUTH_SECRET,
+    secureCookie,
+    cookieName,
+    salt: cookieName,
+  });
+
+  if (!token) {
+    return NextResponse.redirect(new URL('/sign-in', request.url));
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+};

docker-compose.yml

@@ -66,6 +66,7 @@ services:
     environment:
       - NODE_ENV=production
       - NEXT_PUBLIC_API_URL=http://localhost:3001
+      - AUTH_SECRET=${AUTH_SECRET:-change-me}
     ports:
       - "3002:3002"
     networks:
@@ -75,6 +76,8 @@ services:
     build:
       context: .
       dockerfile: apps/marketing/Dockerfile
+      args:
+        NEXT_PUBLIC_GITHUB_USERNAME: ${GITHUB_USERNAME:-}
     container_name: baseline-marketing
     restart: unless-stopped
     environment: