feat(auth): Improved NextAuth configuration to include allowed callback domains and custom redirect logic.

Author: johnlindquist

.npmrc

@@ -1,3 +1,7 @@
+use-node-version=16.20.0
+node-version=16.20.0
+engine-strict=false
+auto-install-peers=true
 strict-peer-dependencies=false
 public-hoist-pattern[]=*prisma*
 public-hoist-pattern[]=*playwright*

apps/scriptkit/src/lib/get-user-scripts.ts

@@ -108,7 +108,34 @@ export async function getReleases() {
     page: 2,
   })
 
-  releases = [...releaseResponse1.data, ...releaseResponse2.data]
+  const releaseResponse3 = await octokit.repos.listReleases({
+    owner: 'johnlindquist',
+    repo: 'kitapp',
+    per_page: 100,
+    page: 3,
+  })
+
+  const releaseResponse4 = await octokit.repos.listReleases({
+    owner: 'johnlindquist',
+    repo: 'kitapp',
+    per_page: 100,
+    page: 4,
+  })
+
+  const releaseResponse5 = await octokit.repos.listReleases({
+    owner: 'johnlindquist',
+    repo: 'kitapp',
+    per_page: 100,
+    page: 5,
+  })
+
+  releases = [
+    ...releaseResponse1.data,
+    ...releaseResponse2.data,
+    ...releaseResponse3.data,
+    ...releaseResponse4.data,
+    ...releaseResponse5.data,
+  ]
   console.log(`Releases`, releases.length)
 
   return releases

apps/scriptkit/src/pages/api/auth/[...nextauth].ts

@@ -1,5 +1,4 @@
 import NextAuth, {type NextAuthOptions, Theme} from 'next-auth'
-
 import {createOptions} from '@skillrecordings/skill-api'
 import {NextApiRequest, NextApiResponse} from 'next'
 import GitHubProvider from 'next-auth/providers/github'
@@ -9,6 +8,33 @@ const productTheme: Theme = {
   brandColor: '#10172a',
 }
 
+// Add your allowed callback domains here
+const allowedCallbackDomains = [
+  'scriptkit.com',
+  'dev-scriptkit.vercel.app',
+  'staging-scriptkit.vercel.app',
+  'localhost:3000',
+  'localhost:3001',
+  // Add a pattern for dynamic Vercel preview URLs
+  'script-generator-*.vercel.app',
+]
+
+const isAllowedDomain = (url: string) => {
+  try {
+    const hostname = new URL(url).hostname
+    return allowedCallbackDomains.some((domain) => {
+      // Handle wildcard patterns
+      if (domain.includes('*')) {
+        const pattern = domain.replace('*', '.*')
+        return new RegExp(pattern).test(hostname)
+      }
+      return hostname === domain || hostname.endsWith(`.${domain}`)
+    })
+  } catch {
+    return false
+  }
+}
+
 const providers = [
   GitHubProvider({
     clientId: process.env.GITHUB_ID,
@@ -17,20 +43,29 @@ const providers = [
   }),
 ]
 
-export const nextAuthOptions: NextAuthOptions = createOptions({
-  theme: productTheme,
-})
+export const nextAuthOptions: NextAuthOptions = {
+  ...createOptions({
+    theme: productTheme,
+  }),
+  callbacks: {
+    async redirect({url, baseUrl}: {url: string; baseUrl: string}) {
+      // First check if it's a relative URL
+      if (url.startsWith('/')) return `${baseUrl}${url}`
+
+      // Then check our allowed domains
+      if (isAllowedDomain(url)) {
+        return url
+      }
+
+      // Fall back to base URL
+      return baseUrl
+    },
+  },
+}
 
 export default async function NextAuthEndpoint(
   req: NextApiRequest,
   res: NextApiResponse,
 ) {
-  NextAuth(
-    req,
-    res,
-    createOptions({
-      req,
-      theme: productTheme,
-    }),
-  )
+  return await NextAuth(req, res, nextAuthOptions)
 }

apps/scriptkit/src/pages/api/github/webhook.ts

@@ -0,0 +1,50 @@
+import {NextApiRequest, NextApiResponse} from 'next'
+import crypto from 'crypto'
+
+const WEBHOOK_SECRET = process.env.GITHUB_WEBHOOK_SECRET
+
+function verifyGithubWebhook(req: NextApiRequest) {
+  const signature = req.headers['x-hub-signature-256']
+  if (!signature || !WEBHOOK_SECRET) return false
+
+  const hmac = crypto.createHmac('sha256', WEBHOOK_SECRET)
+  const digest = 'sha256=' + hmac.update(JSON.stringify(req.body)).digest('hex')
+  return crypto.timingSafeEqual(
+    Buffer.from(signature as string),
+    Buffer.from(digest),
+  )
+}
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
+  // Only accept POST requests
+  if (req.method !== 'POST') {
+    res.setHeader('Allow', 'POST')
+    return res.status(405).end('Method Not Allowed')
+  }
+
+  // Verify webhook signature
+  if (!verifyGithubWebhook(req)) {
+    return res.status(401).json({error: 'Invalid signature'})
+  }
+
+  const event = req.headers['x-github-event']
+  const payload = req.body
+
+  // Handle different webhook events
+  switch (event) {
+    case 'installation':
+      // Handle app installation events
+      console.log('App installation event:', payload.action)
+      break
+    case 'installation_repositories':
+      // Handle repository installation events
+      console.log('Repository installation event:', payload.action)
+      break
+    // Add more event handlers as needed
+  }
+
+  res.status(200).json({received: true})
+}