fix(auth): revoke JWT on logout and harden Google sign-in
Some checks failed
CI / Lint, Test & Build (push) Failing after 7m49s
CI / Deploy production (on server) (push) Has been cancelled

Logout now increments sessionVersion so existing JWTs are rejected
server-side, deletes orphaned DB sessions, and uses redirectTo for signOut.
Google OAuth requests account selection each time; optional AUTH_GOOGLE_PROMPT=login
forces Google re-authentication on shared devices.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Antigravity
2026-05-17 17:29:51 +00:00
parent 5b794d6449
commit db175ebff6
15 changed files with 89 additions and 16 deletions

View File

@@ -19,6 +19,24 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
data: { role: 'ADMIN', emailVerified: new Date() },
});
},
async signOut(message) {
const userId =
'token' in message && message.token?.sub
? message.token.sub
: 'session' in message && message.session?.userId
? message.session.userId
: null;
if (!userId) return;
await prisma.$transaction([
prisma.user.update({
where: { id: userId },
data: { sessionVersion: { increment: 1 } },
}),
prisma.session.deleteMany({ where: { userId } }),
]);
},
},
callbacks: {
...authConfig.callbacks,
@@ -41,18 +59,26 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
token.id = user.id;
const dbUser = await prisma.user.findUnique({
where: { id: user.id },
select: { role: true },
select: { role: true, sessionVersion: true },
});
token.role = dbUser?.role ?? 'USER';
if (!dbUser) return null;
token.role = dbUser.role;
token.sessionVersion = dbUser.sessionVersion;
} else if (token.sub) {
const dbUser = await prisma.user.findUnique({
where: { id: token.sub },
select: { role: true },
select: { role: true, sessionVersion: true },
});
if (dbUser) {
token.id = token.sub;
token.role = dbUser.role;
if (!dbUser) return null;
if (
typeof token.sessionVersion === 'number' &&
token.sessionVersion !== dbUser.sessionVersion
) {
return null;
}
token.id = token.sub;
token.role = dbUser.role;
token.sessionVersion = dbUser.sessionVersion;
}
return token;
},