import NextAuth from "next-auth";
import { PrismaAdapter } from "@auth/prisma-adapter";
import { PrismaClient, Role } from "@prisma/client";
import type { AdapterUser } from "@auth/core/adapters";
import GoogleProvider from "next-auth/providers/google";
import GitHubProvider from "next-auth/providers/github";
import Credentials from "next-auth/providers/credentials";
import bcrypt from "bcryptjs";
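const prisma = new PrismaClient();

/**
 * Key of the per-account lock record: the e-mail lower-cased and trimmed,
 * prefixed with `account:`. The lock itself is written by the action layer
 * (not in this file), so that layer must build the identifier the same way
 * for the check in `authorize` to see its locks — verify against the caller.
 */
function accountLockKey(email: string): string {
  return `account:${email.toLowerCase().trim()}`;
}

/**
 * Cached promise for a real bcrypt hash that is compared against whenever no
 * account (or no stored password) matches the submitted e-mail, so the
 * "unknown user" path pays the same bcrypt cost as the "wrong password" path
 * and response time does not reveal whether an address is registered.
 *
 * The hash is produced by bcryptjs itself rather than typed in as a literal:
 * bcryptjs's `compare` returns `false` without doing any hashing for a string
 * that is not a well-formed 60-character bcrypt hash, and the previous
 * hand-written placeholder was shorter than that, so the intended timing
 * equalisation never actually ran. Cost 10 follows the `$2b$10$` prefix of
 * that placeholder; it should equal the cost used when user passwords are
 * hashed (set elsewhere — confirm).
 */
let timingPadHash: Promise<string> | undefined;
function getTimingPadHash(): Promise<string> {
  if (timingPadHash === undefined) {
    timingPadHash = bcrypt.hash("timing-equalisation-placeholder", 10);
  }
  return timingPadHash;
}

export const { handlers, signIn, signOut, auth } = NextAuth({
  adapter: PrismaAdapter(prisma),
  secret: process.env.AUTH_SECRET,
  providers: [
    // OAuth client settings come from the environment; the `!` assertions
    // keep the original behaviour of surfacing a missing value at runtime
    // rather than failing at module load.
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
    }),
    GitHubProvider({
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    }),
    Credentials({
      name: "Credentials",
      credentials: {
        email: { label: "Email", type: "email" },
        password: { label: "Password", type: "password" },
      },
      /**
       * Password login. Every failure — missing fields, locked account,
       * unknown e-mail, wrong password, unverified e-mail, blocked user —
       * returns `null` with no distinguishing error, and the unknown-e-mail
       * case still performs a bcrypt comparison so it cannot be told apart
       * from a wrong password by timing.
       */
      async authorize(credentials) {
        // `credentials` is untrusted request input with untyped values; only
        // two non-empty strings proceed, so a non-string value (an array or
        // object in a JSON body) cannot reach a string method.
        const email = credentials?.email;
        const password = credentials?.password;
        if (typeof email !== "string" || typeof password !== "string") {
          return null;
        }
        if (!email || !password) {
          return null;
        }

        // ── Account-lock check (brute-force protection) ──────────────
        // Secondary guard: the action layer checks first, but direct calls
        // to the credentials endpoint also land here.
        // NOTE(review): `rateLimit` is reached through `as any`, so its
        // shape (`identifier`, `lockedUntil`) is assumed from this usage —
        // confirm against the Prisma schema.
        const lock = await (prisma as any).rateLimit.findUnique({
          where: { identifier: accountLockKey(email) },
        });
        if (lock?.lockedUntil && lock.lockedUntil > new Date()) {
          // Refuse without revealing that the account is locked.
          return null;
        }

        // ── Look up user ─────────────────────────────────────────────
        // The lookup uses the e-mail exactly as submitted (as before) while
        // the lock key above is normalised; whether the `email` column is
        // case-insensitive is a schema question not answered in this file.
        const user = await prisma.user.findUnique({ where: { email } });

        // ── Password check with constant work ────────────────────────
        // With no user or no stored hash, compare against the timing pad
        // hash instead so the bcrypt cost is paid on every path. The result
        // is only trusted when a user with a stored hash actually exists.
        const storedHash = user?.password;
        const hashToCheck = storedHash ? storedHash : await getTimingPadHash();
        const passwordMatches = await bcrypt.compare(password, hashToCheck);
        if (!user || !storedHash || !passwordMatches) {
          return null;
        }

        // ── Additional guards (no descriptive errors — return null) ──
        if (!user.emailVerified) return null;
        if (user.isBlocked) return null;

        return user as unknown as AdapterUser;
      },
    }),
  ],
  session: {
    strategy: "jwt",
  },
  callbacks: {
    /**
     * Final gate before a session is issued.
     *
     * The block check runs for every provider: previously OAuth logins
     * returned early before it, so a blocked account could still sign in
     * through Google or GitHub. Two-factor confirmation is still only
     * enforced for the credentials provider.
     */
    async signIn({ user, account }) {
      // Re-read the user so the flags reflect the database, not the object
      // the provider supplied. On a first OAuth sign-in `user.id` may be
      // absent or not a row id (the row may not exist yet); a miss simply
      // means there is nothing to block. NOTE(review): confirm against the
      // adapter flow in use.
      const existingUser = user.id
        ? await prisma.user.findUnique({ where: { id: user.id } })
        : null;

      if (existingUser?.isBlocked) {
        return false;
      }

      // Allow OAuth without 2FA for now (or handle separately)
      if (account?.provider !== "credentials") return true;

      if (existingUser?.isTwoFactorEnabled) {
        const twoFactorConfirmation = await prisma.twoFactorConfirmation.findUnique({
          where: { userId: existingUser.id },
        });
        if (!twoFactorConfirmation) return false;
        // Single use: delete the confirmation so the next sign-in needs a
        // fresh one.
        await prisma.twoFactorConfirmation.delete({
          where: { id: twoFactorConfirmation.id },
        });
      }
      return true;
    },
    /**
     * Copies id and role into the token when `user` is supplied (per Auth.js,
     * only when the session is first created). With the jwt strategy these
     * claims are not re-read from the database on later requests, so a role
     * change or block takes effect only at the next sign-in.
     */
    async jwt({ token, user }) {
      if (user) {
        token.id = user.id;
        token.role = user.role;
      }
      return token;
    },
    /** Exposes the token's id and role on the session object seen by the app. */
    async session({ session, token }) {
      if (session.user) {
        session.user.id = token.id as string;
        // `Role` is the Prisma enum imported above; the cast only narrows the
        // untyped token claim.
        session.user.role = token.role as Role;
      }
      return session;
    },
  },
  pages: {
    signIn: "/login",
  },
});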