From db175ebff6b17c8410bd8c127654ad519cfc6473 Mon Sep 17 00:00:00 2001
From: Antigravity
Date: Sun, 17 May 2026 17:29:51 +0000
Subject: [PATCH] fix(auth): revoke JWT on logout and harden Google sign-in

Logout now increments sessionVersion so existing JWTs are rejected server-side, deletes orphaned DB sessions, and uses redirectTo for signOut. Google OAuth requests account selection each time; optional AUTH_GOOGLE_PROMPT=login forces Google re-authentication on shared devices.

Co-authored-by: Cursor
---
 memento-note/.env.example | 1 +
 memento-note/app/(auth)/login/page.tsx | 8 +++-
 .../(main)/settings/profile/profile-form.tsx | 4 +-
 memento-note/auth.config.ts | 2 +
 memento-note/auth.ts | 38 ++++++++++++++++---
 memento-note/components/admin-sidebar.tsx | 5 ++-
 .../legal/delete-account-dialog.tsx | 4 +-
 memento-note/components/login-form.tsx | 14 +++++++
 memento-note/components/sidebar.tsx | 4 +-
 memento-note/lib/auth-client.ts | 8 ++++
 memento-note/lib/auth-providers.ts | 10 ++++-
 memento-note/locales/en.json | 2 +
 memento-note/locales/fr.json | 2 +
 .../migration.sql | 2 +
 memento-note/prisma/schema.prisma | 1 +
 15 files changed, 89 insertions(+), 16 deletions(-)
 create mode 100644 memento-note/lib/auth-client.ts
 create mode 100644 memento-note/prisma/migrations/20260517180000_add_user_session_version/migration.sql

diff --git a/memento-note/.env.example b/memento-note/.env.example
index 370070d..12f4a06 100644
--- a/memento-note/.env.example
+++ b/memento-note/.env.example
@@ -24,6 +24,7 @@ NEXTAUTH_URL="http://localhost:3000"
 # Authorized redirect URI: {NEXTAUTH_URL}/api/auth/callback/google
 # AUTH_GOOGLE_ID="....apps.googleusercontent.com"
 # AUTH_GOOGLE_SECRET="GOCSPX-..."
+# AUTH_GOOGLE_PROMPT="select_account" # or "login" to force Google password every time
 
 # -----------------------------------------------------------------------------
 # AI Providers 
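Review bot: The comment on the added `AUTH_GOOGLE_PROMPT` line overstates what `prompt=login` buys: in OpenID Connect the `login` value is a request that the provider re-authenticate the user (a SHOULD for the server), and Google decides how to satisfy it, so it does not reliably mean a password entry each time. I would word it `# AUTH_GOOGLE_PROMPT="select_account"  # or "login" to ask Google to re-authenticate (requested, not guaranteed)`. Since the value is presumably forwarded into the authorization request by auth-providers.ts (not in this view), it would also help to list the accepted values here so an unexpected string is not passed through verbatim.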
diff --git a/memento-note/app/(auth)/login/page.tsx b/memento-note/app/(auth)/login/page.tsx
index 3b45e0c..7e086bb 100644
--- a/memento-note/app/(auth)/login/page.tsx
+++ b/memento-note/app/(auth)/login/page.tsx
@@ -2,14 +2,20 @@ import { LoginForm } from '@/components/login-form';
 import { getSystemConfig } from '@/lib/config';
 import { isGoogleAuthEnabled } from '@/lib/auth-providers';
-export default async function LoginPage() {
+export default async function LoginPage({
+  searchParams,
+}: {
+  searchParams: Promise<{ error?: string }>;
+}) {
   const config = await getSystemConfig();
   const allowRegister = config.ALLOW_REGISTRATION !== 'false' && process.env.ALLOW_REGISTRATION !== 'false';
+  const { error: authError } = await searchParams;
   return (
   );
 }
diff --git a/memento-note/app/(main)/settings/profile/profile-form.tsx b/memento-note/app/(main)/settings/profile/profile-form.tsx
index 800f70b..d0a0b7e 100644
--- a/memento-note/app/(main)/settings/profile/profile-form.tsx
+++ b/memento-note/app/(main)/settings/profile/profile-form.tsx
@@ -4,7 +4,7 @@ import { useState } from 'react'
 import { Input } from '@/components/ui/input'
 import { updateProfile, changePassword } from '@/app/actions/profile'
 import { updateUserSettings } from '@/app/actions/user-settings'
-import { signOut } from 'next-auth/react'
+import { performSignOut } from '@/lib/auth-client'
 import { toast } from 'sonner'
 import { useLanguage } from '@/lib/i18n'
 import { User, Mail, Shield, LogOut, Camera, Bell } from 'lucide-react'
@@ -143,7 +143,7 @@ export function ProfileForm({ user }: { user: { name: string | null; email: stri
 {/* Logout */}
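Review bot: `error` is read straight from the URL query and declared as `string`, but Next.js delivers a repeated key as `string[]`, so `?error=a&error=b` makes `authError` an array while the type claims otherwise; narrow it before handing it on: `const { error } = await searchParams;` followed by `const authError = typeof error === 'string' ? error : undefined;`. The value is attacker-controlled (anyone can craft a login link), so `LoginForm` should map it onto a fixed set of known auth error codes with localized messages rather than echo it — the locale changes in the diffstat suggest that is the intent, but login-form.tsx is not in this view, so I cannot confirm. The JSX between `return (` and `);` has been stripped from this copy of the hunk, so the props actually passed to `LoginForm` are not visible here.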