Files
Momento/memento-note/auth.ts
Antigravity 5703d5bd49
Some checks failed
CI / Lint, Unit Tests & Build (push) Successful in 5m39s
CI / Deploy production (on server) (push) Failing after 18s
feat(4-5/4-6): audit logging + zero-data-retention headers
Audit Logging (story 4-6):
- Nouveau modèle AuditLog (userId, action, resource, metadata, ip, createdAt)
- Migration 20260529143000_add_audit_log appliquée
- lib/audit-log.ts : logAuditEvent (fire-and-forget) + logAuditEventAsync + getClientIp
- auth.ts : LOG LOGIN / LOGOUT / USER_CREATED sur chaque event NextAuth
- /api/chat : log AI_REQUEST avec tokens + byok flag dans onFinish
- /api/agents/run-for-note : log AI_REQUEST avec featureKey + noteId

Zero-data-retention (story 4-5):
- OpenAI provider : header OpenAI-No-Training: 1
- Anthropic provider : header Anthropic-No-Train: 1
- DeepSeek provider : header X-No-Train: 1

sprint-status: 4-5 et 4-6 → done

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-29 14:36:06 +00:00

105 lines
3.7 KiB
TypeScript

import NextAuth from 'next-auth';
import { PrismaAdapter } from '@auth/prisma-adapter';
import { authConfig } from './auth.config';
import prisma from '@/lib/prisma';
import { buildAuthProviders } from '@/lib/auth-providers';
import { logAuditEvent } from '@/lib/audit-log';
export const { auth, signIn, signOut, handlers } = NextAuth({
...authConfig,
adapter: PrismaAdapter(prisma),
providers: buildAuthProviders(),
events: {
async createUser({ user }) {
const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase();
if (!adminEmail || !user.id || user.email?.toLowerCase() !== adminEmail) {
logAuditEvent({ userId: user.id, action: 'USER_CREATED', metadata: { email: user.email } });
return;
}
await prisma.user.update({
where: { id: user.id },
data: { role: 'ADMIN', emailVerified: new Date() },
});
logAuditEvent({ userId: user.id, action: 'USER_CREATED', metadata: { email: user.email, role: 'ADMIN' } });
},
async signOut(message) {
const userId =
'token' in message && message.token?.sub
? message.token.sub
: 'session' in message && message.session?.userId
? message.session.userId
: null;
if (!userId) return;
logAuditEvent({ userId, action: 'LOGOUT' });
await prisma.$transaction([
prisma.user.update({
where: { id: userId },
data: { sessionVersion: { increment: 1 } },
}),
prisma.session.deleteMany({ where: { userId } }),
]);
},
},
callbacks: {
...authConfig.callbacks,
async signIn({ user, account }) {
if (account?.provider === 'google' && user.email) {
const email = user.email.toLowerCase();
const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase();
const existing = await prisma.user.findUnique({ where: { email } });
if (existing && adminEmail && email === adminEmail && existing.role !== 'ADMIN') {
await prisma.user.update({
where: { id: existing.id },
data: { role: 'ADMIN', emailVerified: new Date() },
});
}
}
logAuditEvent({
userId: user.id,
action: 'LOGIN',
metadata: { provider: account?.provider ?? 'credentials', email: user.email },
});
return true;
},
async jwt({ token, user, trigger, session }) {
if (trigger === 'update' && session) {
if ('aiSessionConsent' in session) token.aiSessionConsent = session.aiSessionConsent === true;
if ('onboardingCompleted' in session) token.onboardingCompleted = session.onboardingCompleted === true;
return token;
}
if (user?.id) {
token.id = user.id;
token.aiSessionConsent = false;
const dbUser = await prisma.user.findUnique({
where: { id: user.id },
select: { role: true, sessionVersion: true, onboardingCompleted: true },
});
if (!dbUser) return null;
token.role = dbUser.role;
token.sessionVersion = dbUser.sessionVersion;
token.onboardingCompleted = dbUser.onboardingCompleted;
} else if (token.sub) {
const dbUser = await prisma.user.findUnique({
where: { id: token.sub },
select: { role: true, sessionVersion: true, onboardingCompleted: true },
});
if (!dbUser) return null;
if (
typeof token.sessionVersion === 'number' &&
token.sessionVersion !== dbUser.sessionVersion
) {
return null;
}
token.id = token.sub;
token.role = dbUser.role;
token.sessionVersion = dbUser.sessionVersion;
token.onboardingCompleted = dbUser.onboardingCompleted;
}
return token;
},
},
});