-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathauth.ts
More file actions
122 lines (109 loc) · 2.81 KB
/
Copy pathauth.ts
File metadata and controls
122 lines (109 loc) · 2.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
// auth.ts
import NextAuth from 'next-auth';
import Google from 'next-auth/providers/google';
function toOrigin(value?: string | null): string | null {
if (!value) {
return null;
}
const trimmed = value.trim();
if (!trimmed) {
return null;
}
try {
const withScheme =
trimmed.startsWith('http://') || trimmed.startsWith('https://')
? trimmed
: `https://${trimmed}`;
return new URL(withScheme).origin;
} catch {
return null;
}
}
function getAllowedOrigins(baseUrl: string): Set<string> {
const origins = new Set<string>();
const baseOrigin = toOrigin(baseUrl);
if (baseOrigin) {
origins.add(baseOrigin);
}
const envCandidates = [
process.env.AUTH_URL,
process.env.NEXTAUTH_URL,
process.env.NEXT_PUBLIC_SITE_URL,
process.env.VERCEL_URL,
];
for (const candidate of envCandidates) {
const origin = toOrigin(candidate || null);
if (origin) {
origins.add(origin);
}
}
const extraOrigins = process.env.AUTH_ALLOWED_ORIGINS;
if (extraOrigins) {
for (const originValue of extraOrigins.split(',')) {
const origin = toOrigin(originValue);
if (origin) {
origins.add(origin);
}
}
}
return origins;
}
export const { handlers, signIn, signOut, auth } = NextAuth({
trustHost: true,
providers: [
Google({
clientId:
process.env.GOOGLE_CLIENT_ID ||
process.env.AUTH_GOOGLE_ID ||
'',
clientSecret:
process.env.GOOGLE_CLIENT_SECRET ||
process.env.AUTH_GOOGLE_SECRET ||
'',
}),
],
callbacks: {
signIn({ user }) {
const email = user.email;
// Whitelist specific emails for testing/contractors
const whitelist = ['me@julianbaker.design'];
// Allow @audius.co emails OR whitelisted emails
if (email?.endsWith('@audius.co') || whitelist.includes(email || '')) {
return true;
}
return false;
},
redirect({ url, baseUrl }) {
const allowedOrigins = getAllowedOrigins(baseUrl);
if (url.startsWith('/')) {
if (url.startsWith('/api/auth/callback')) {
return `${baseUrl}/admin`;
}
return `${baseUrl}${url}`;
}
try {
const targetUrl = new URL(url);
if (!allowedOrigins.has(targetUrl.origin)) {
return `${baseUrl}/admin`;
}
if (targetUrl.pathname.startsWith('/api/auth/callback')) {
return `${targetUrl.origin}/admin`;
}
return targetUrl.toString();
} catch {
return `${baseUrl}/admin`;
}
},
session({ session, token }) {
// Add user id to session
if (session.user && token.sub) {
session.user.id = token.sub;
}
return session;
},
},
pages: {
signIn: '/login',
error: '/login',
},
});