-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathauth.config.ts
More file actions
136 lines (124 loc) · 3.94 KB
/
auth.config.ts
File metadata and controls
136 lines (124 loc) · 3.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
// CRITICAL: Import auth-init FIRST to ensure process.env.AUTH_URL is set
// before Auth.js reads it during initialization
import "./src/lib/auth-init";
import { DrizzleAdapter } from "@auth/drizzle-adapter";
import Google from "@auth/core/providers/google";
import type { AuthConfig } from "@auth/core";
import { db } from "./src/db/index";
import * as schema from "./src/db/schema";
import { isAdmin, getDailySignupLimit } from "./src/lib/admin";
import { eq, gte } from "drizzle-orm";
// Standard Auth.js config
// trustHost: true will let Auth.js determine the URL from the request
// We don't need to set redirect_uri explicitly
const providers = [
Google({
clientId: import.meta.env.GOOGLE_CLIENT_ID,
clientSecret: import.meta.env.GOOGLE_CLIENT_SECRET,
}),
];
export const authConfig: AuthConfig = {
adapter: DrizzleAdapter(db, {
usersTable: schema.users,
accountsTable: schema.accounts,
sessionsTable: schema.sessions,
verificationTokensTable: schema.verificationTokens,
}),
providers,
secret: import.meta.env.AUTH_SECRET,
trustHost: true, // Essential for Coolify/Proxy - this should handle URL detection
basePath: "/api/auth",
pages: {
signIn: "/auth/login",
},
cookies: {
sessionToken: {
name: import.meta.env.DEV
? `authjs.session-token`
: `__Secure-authjs.session-token`,
options: {
httpOnly: true,
sameSite: "lax",
path: "/",
secure: import.meta.env.PROD,
},
},
csrfToken: {
name: import.meta.env.DEV
? `authjs.csrf-token`
: `__Host-authjs.csrf-token`,
options: {
httpOnly: true,
sameSite: "lax",
path: "/",
secure: import.meta.env.PROD,
},
},
},
// Include user id in session
callbacks: {
async signIn({ user, account, profile }) {
if (!user.email) {
return false;
}
// Check if user already exists
const existingUser = await db.query.users.findFirst({
where: eq(schema.users.email, user.email),
});
// If new user, check rate limiting
if (!existingUser) {
// Count signups today
const today = new Date();
today.setHours(0, 0, 0, 0);
const signupsToday = await db
.select()
.from(schema.users)
.where(gte(schema.users.createdAt, today));
const uniqueEmailsToday = new Set(
signupsToday.map((u) => u.email.toLowerCase())
).size;
const dailyLimit = getDailySignupLimit();
if (uniqueEmailsToday >= dailyLimit) {
console.error(
`Daily signup limit reached: ${uniqueEmailsToday}/${dailyLimit}`
);
return false; // Block signup
}
// Note: Admin auto-approval will be handled after user creation in session callback
} else {
// Existing user - auto-approve if admin
if (isAdmin(user.email) && !existingUser.isApproved) {
await db
.update(schema.users)
.set({ isApproved: true })
.where(eq(schema.users.id, existingUser.id));
}
}
return true;
},
async session({ session, user }) {
if (session.user) {
session.user.id = user.id;
// Check if user is approved and auto-approve admins
const dbUser = await db.query.users.findFirst({
where: eq(schema.users.id, user.id),
});
if (dbUser) {
// Auto-approve admins if not already approved
if (isAdmin(dbUser.email) && !dbUser.isApproved) {
await db
.update(schema.users)
.set({ isApproved: true })
.where(eq(schema.users.id, user.id));
(session.user as any).isApproved = true;
} else {
(session.user as any).isApproved = dbUser.isApproved ?? false;
}
} else {
(session.user as any).isApproved = false;
}
}
return session;
},
},
};