Momento/memento-note/auth.config.ts
Antigravity 4d96605144
fix(security): Phase 1 P0 hardening from cross-project audit
Close open uploads, image-proxy SSRF, fail-open AI quotas in production,
auth gaps on app routes, and MCP tenant isolation issues.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-20 16:53:19 +00:00


import type { NextAuthConfig } from 'next-auth';
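/**
 * Route prefixes that require a signed-in user. Matched with `startsWith`,
 * so `/note/` also covers `/note/<id>`. `/home` is an exact-match check in
 * `authorized` (so `/homepage` is NOT protected) and is handled separately.
 */
const PROTECTED_PREFIXES = [
  '/reminders',
  '/archive',
  '/trash',
  '/settings',
  '/lab',
  '/agents',
  '/chat',
  '/canvas',
  '/notebooks',
  '/note/',
  '/brainstorm',
  '/insights',
  '/graph',
  '/revision',
  '/support',
] as const;

/**
 * Auth.js (NextAuth v5) configuration. `providers` is empty here, so the
 * runtime config (providers, adapter) is presumably assembled elsewhere from
 * this object — confirm against the caller.
 *
 * Authorization model: `authorized` is an allow-list of *protected* routes.
 * Anything not matched there (API routes, `/forgot-password`, any newly
 * added page) falls through to `return true` and is reachable without a
 * session. A new protected page must be added to `PROTECTED_PREFIXES` (or
 * the `/admin` check) to be covered.
 */
export const authConfig = {
  pages: {
    signIn: '/login',
    newUser: '/register',
  },
  // NOTE(review): if NEXTAUTH_SECRET is unset this is `undefined`; Auth.js
  // then relies on its own fallback (AUTH_SECRET) or fails at startup —
  // confirm the deploy environment sets it.
  secret: process.env.NEXTAUTH_SECRET,
  // Trust the incoming Host / X-Forwarded-Host header when Auth.js builds
  // callback and redirect URLs. Needed behind a reverse proxy, which in turn
  // must be the only component able to set those headers.
  trustHost: true,
  session: {
    strategy: 'jwt',
    maxAge: 60 * 60 * 24 * 7, // 7 days
    updateAge: 60 * 60 * 12, // re-issue the JWT at most every 12 hours
  },
  callbacks: {
    /**
     * Gate a request by its path. Returns `true` to allow, `false` to deny
     * (Auth.js then redirects to `pages.signIn`), or a `Response` to redirect
     * explicitly.
     */
    authorized({ auth, request: { nextUrl } }) {
      const { pathname } = nextUrl;
      const user = auth?.user;
      const isLoggedIn = !!user;
      // `role` is not part of Auth.js's default User type; narrow with `in`
      // rather than casting the user to `any`.
      const isAdmin = !!user && 'role' in user && user.role === 'ADMIN';

      // Admin area: session AND role required. Checked first so a path like
      // /admin/... can never be satisfied by the plain "logged in" rule below.
      if (pathname.startsWith('/admin')) {
        return isLoggedIn && isAdmin;
      }

      const isDashboardPage =
        pathname === '/home' ||
        PROTECTED_PREFIXES.some((prefix) => pathname.startsWith(prefix));
      if (isDashboardPage) {
        return isLoggedIn;
      }

      // Already-authenticated users are bounced away from the auth forms.
      if (isLoggedIn && (pathname === '/login' || pathname === '/register')) {
        return Response.redirect(new URL('/home', nextUrl));
      }

      // Every other path (landing, auth forms, API routes, unknown routes)
      // is allowed through without a session.
      return true;
    },

    /**
     * Populate the JWT on sign-in and handle client `session.update()` calls.
     *
     * On `trigger === 'update'` only `aiSessionConsent` is copied from the
     * client-supplied payload, coerced to a strict boolean, and the callback
     * returns immediately — nothing else from that payload reaches the token.
     */
    async jwt({ token, user, trigger, session }) {
      if (trigger === 'update' && session && 'aiSessionConsent' in session) {
        token.aiSessionConsent = session.aiSessionConsent === true;
        return token;
      }
      if (user) {
        token.id = user.id;
        // `role` comes from the project's user model; Auth.js's User type is
        // not augmented with it in this file.
        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- User lacks `role` in the visible types
        token.role = (user as any).role;
        token.aiSessionConsent = false; // consent is per-session and starts off
      }
      return token;
    },

    /** Expose the custom JWT claims on the session object handed to the app. */
    async session({ session, token }) {
      if (token && session.user) {
        // Object.assign sidesteps the `as any` casts otherwise needed because
        // Session.user is not augmented with these fields here.
        Object.assign(session.user, {
          id: token.id,
          role: token.role,
          onboardingCompleted: token.onboardingCompleted === true,
        });
        session.aiSessionConsent = token.aiSessionConsent === true;
        // NOTE(review): `onboardingCompleted` is read from the token but never
        // set in `jwt` above — presumably populated elsewhere; confirm.
      }
      return session;
    },
  },
  providers: [],
} satisfies NextAuthConfig;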