Files
Momento/memento-note/auth.ts
Antigravity db175ebff6
Some checks failed
CI / Lint, Test & Build (push) Failing after 7m49s
CI / Deploy production (on server) (push) Has been cancelled
fix(auth): revoke JWT on logout and harden Google sign-in
Logout now increments sessionVersion so existing JWTs are rejected
server-side, deletes orphaned DB sessions, and uses redirectTo for signOut.
Google OAuth requests account selection each time; optional AUTH_GOOGLE_PROMPT=login
forces Google re-authentication on shared devices.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 17:29:51 +00:00

87 lines
2.7 KiB
TypeScript

import NextAuth from 'next-auth';
import { PrismaAdapter } from '@auth/prisma-adapter';
import { authConfig } from './auth.config';
import prisma from '@/lib/prisma';
import { buildAuthProviders } from '@/lib/auth-providers';
export const { auth, signIn, signOut, handlers } = NextAuth({
...authConfig,
adapter: PrismaAdapter(prisma),
providers: buildAuthProviders(),
events: {
async createUser({ user }) {
const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase();
if (!adminEmail || !user.id || user.email?.toLowerCase() !== adminEmail) {
return;
}
await prisma.user.update({
where: { id: user.id },
data: { role: 'ADMIN', emailVerified: new Date() },
});
},
async signOut(message) {
const userId =
'token' in message && message.token?.sub
? message.token.sub
: 'session' in message && message.session?.userId
? message.session.userId
: null;
if (!userId) return;
await prisma.$transaction([
prisma.user.update({
where: { id: userId },
data: { sessionVersion: { increment: 1 } },
}),
prisma.session.deleteMany({ where: { userId } }),
]);
},
},
callbacks: {
...authConfig.callbacks,
async signIn({ user, account }) {
if (account?.provider === 'google' && user.email) {
const email = user.email.toLowerCase();
const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase();
const existing = await prisma.user.findUnique({ where: { email } });
if (existing && adminEmail && email === adminEmail && existing.role !== 'ADMIN') {
await prisma.user.update({
where: { id: existing.id },
data: { role: 'ADMIN', emailVerified: new Date() },
});
}
}
return true;
},
async jwt({ token, user }) {
if (user?.id) {
token.id = user.id;
const dbUser = await prisma.user.findUnique({
where: { id: user.id },
select: { role: true, sessionVersion: true },
});
if (!dbUser) return null;
token.role = dbUser.role;
token.sessionVersion = dbUser.sessionVersion;
} else if (token.sub) {
const dbUser = await prisma.user.findUnique({
where: { id: token.sub },
select: { role: true, sessionVersion: true },
});
if (!dbUser) return null;
if (
typeof token.sessionVersion === 'number' &&
token.sessionVersion !== dbUser.sessionVersion
) {
return null;
}
token.id = token.sub;
token.role = dbUser.role;
token.sessionVersion = dbUser.sessionVersion;
}
return token;
},
},
});