fix(auth): revoke JWT on logout and harden Google sign-in
Logout now increments sessionVersion so existing JWTs are rejected server-side, deletes orphaned DB sessions, and uses redirectTo for signOut. Google OAuth requests account selection each time; optional AUTH_GOOGLE_PROMPT=login forces Google re-authentication on shared devices. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
@@ -19,6 +19,24 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
|
||||
data: { role: 'ADMIN', emailVerified: new Date() },
|
||||
});
|
||||
},
|
||||
async signOut(message) {
|
||||
const userId =
|
||||
'token' in message && message.token?.sub
|
||||
? message.token.sub
|
||||
: 'session' in message && message.session?.userId
|
||||
? message.session.userId
|
||||
: null;
|
||||
|
||||
if (!userId) return;
|
||||
|
||||
await prisma.$transaction([
|
||||
prisma.user.update({
|
||||
where: { id: userId },
|
||||
data: { sessionVersion: { increment: 1 } },
|
||||
}),
|
||||
prisma.session.deleteMany({ where: { userId } }),
|
||||
]);
|
||||
},
|
||||
},
|
||||
callbacks: {
|
||||
...authConfig.callbacks,
|
||||
@@ -41,18 +59,26 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
|
||||
token.id = user.id;
|
||||
const dbUser = await prisma.user.findUnique({
|
||||
where: { id: user.id },
|
||||
select: { role: true },
|
||||
select: { role: true, sessionVersion: true },
|
||||
});
|
||||
token.role = dbUser?.role ?? 'USER';
|
||||
if (!dbUser) return null;
|
||||
token.role = dbUser.role;
|
||||
token.sessionVersion = dbUser.sessionVersion;
|
||||
} else if (token.sub) {
|
||||
const dbUser = await prisma.user.findUnique({
|
||||
where: { id: token.sub },
|
||||
select: { role: true },
|
||||
select: { role: true, sessionVersion: true },
|
||||
});
|
||||
if (dbUser) {
|
||||
token.id = token.sub;
|
||||
token.role = dbUser.role;
|
||||
if (!dbUser) return null;
|
||||
if (
|
||||
typeof token.sessionVersion === 'number' &&
|
||||
token.sessionVersion !== dbUser.sessionVersion
|
||||
) {
|
||||
return null;
|
||||
}
|
||||
token.id = token.sub;
|
||||
token.role = dbUser.role;
|
||||
token.sessionVersion = dbUser.sessionVersion;
|
||||
}
|
||||
return token;
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user