packages/auth/configuration.ts

import type { ReadonlyHeaders } from "next/dist/server/web/spec-extension/adapters/headers";
import { cookies } from "next/headers";
import NextAuth from "next-auth";
import Credentials from "next-auth/providers/credentials";

import { db } from "@homarr/db";
import type { SupportedAuthProvider } from "@homarr/definitions";

import { createAdapter } from "./adapter";
import { createSessionCallback } from "./callbacks";
import { env } from "./env.mjs";
import { createSignInEventHandler } from "./events";
import { createCredentialsConfiguration, createLdapConfiguration } from "./providers/credentials/credentials-provider";
import { EmptyNextAuthProvider } from "./providers/empty/empty-provider";
import { filterProviders } from "./providers/filter-providers";
import { OidcProvider } from "./providers/oidc/oidc-provider";
import { createRedirectUri } from "./redirect";
import { expireDateAfter, generateSessionToken, sessionTokenCookieName } from "./session";

// See why it's unknown in the [...nextauth]/route.ts file
export const createConfiguration = (
  provider: SupportedAuthProvider | "unknown",
  headers: ReadonlyHeaders | null,
  useSecureCookies: boolean,
) => {
  const adapter = createAdapter(db, provider);
  return NextAuth({
    logger: {
      error: (code, ...message) => {
        // Remove the big error message for failed login attempts
        // as it is not useful for the user.
        if (code.name === "CredentialsSignin") {
          console.warn("The login attempt of a user was not successful.");
          return;
        }

        console.error(code, ...message);
      },
    },
    trustHost: true,
    cookies: {
      sessionToken: {
        name: sessionTokenCookieName,
      },
    },
    adapter,
    providers: filterProviders([
      Credentials(createCredentialsConfiguration(db)),
      Credentials(createLdapConfiguration(db)),
      EmptyNextAuthProvider(),
      OidcProvider(headers),
    ]),
    callbacks: {
      session: createSessionCallback(db),
      // eslint-disable-next-line no-restricted-syntax
      signIn: async ({ user }) => {
        /**
         * For credentials provider only jwt is supported by default
         * so we have to create the session and set the cookie manually.
         */
        if (provider !== "credentials" && provider !== "ldap") {
          return true;
        }

        if (!adapter.createSession || !user.id) {
          return false;
        }

        const expires = expireDateAfter(env.AUTH_SESSION_EXPIRY_TIME);
        const sessionToken = generateSessionToken();
        await adapter.createSession({
          sessionToken,
          expires,
          userId: user.id,
        });

        cookies().set(sessionTokenCookieName, sessionToken, {
          path: "/",
          expires: expires,
          httpOnly: true,
          sameSite: "lax",
          secure: useSecureCookies,
        });

        return true;
      },
    },
    events: {
      signIn: createSignInEventHandler(db),
    },
    redirectProxyUrl: createRedirectUri(headers, "/api/auth"),
    session: {
      strategy: "database",
      maxAge: env.AUTH_SESSION_EXPIRY_TIME,
      generateSessionToken,
    },
    pages: {
      signIn: "/auth/login",
      error: "/auth/login",
    },
    jwt: {
      encode() {
        const cookie = cookies().get(sessionTokenCookieName)?.value;
        return cookie ?? "";
      },

      decode() {
        return null;
      },
    },
  });
};
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`import type { ReadonlyHeaders } from "next/dist/server/web/spec-extension/adapters/headers";`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00			`import { cookies } from "next/headers";`
			`import NextAuth from "next-auth";`
			`import Credentials from "next-auth/providers/credentials";`

chore: restructure packages of the project (#7) * chore: restructure validation package * chore: move zod only to validation package * chore: rename packages from alparr to homarr * chore: move mantine core, dates and icons library to ui package, move most other mantine packages to seperate packages for further customization and centralization * chore: fix formatting * fix: wrong typecheck command in turbo generator * chore: fix formatting * chore: address pull request feedback * chore: fix ci check issues 2024-01-02 14:18:37 +01:00			`import { db } from "@homarr/db";`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`import type { SupportedAuthProvider } from "@homarr/definitions";`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`import { createAdapter } from "./adapter";`
			`import { createSessionCallback } from "./callbacks";`
feat: add session expiry (#951) 2024-08-09 15:59:00 +02:00			`import { env } from "./env.mjs";`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`import { createSignInEventHandler } from "./events";`
			`import { createCredentialsConfiguration, createLdapConfiguration } from "./providers/credentials/credentials-provider";`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`import { EmptyNextAuthProvider } from "./providers/empty/empty-provider";`
			`import { filterProviders } from "./providers/filter-providers";`
			`import { OidcProvider } from "./providers/oidc/oidc-provider";`
			`import { createRedirectUri } from "./redirect";`
fix: credentials auth not working (#1284) 2024-10-11 23:36:05 +02:00			`import { expireDateAfter, generateSessionToken, sessionTokenCookieName } from "./session";`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`// See why it's unknown in the [...nextauth]/route.ts file`
fix: credentials login not working cause of cookie secure flag not possible for http (#1421) * fix: credentials login not working cause of cookie secure flag not possible for http * chore: add missing comment * fix: lint issue 2024-11-04 19:20:19 +01:00			`export const createConfiguration = (`
			`provider: SupportedAuthProvider \| "unknown",`
			`headers: ReadonlyHeaders \| null,`
			`useSecureCookies: boolean,`
			`) => {`
fix: credentials auth not working (#1284) 2024-10-11 23:36:05 +02:00			`const adapter = createAdapter(db, provider);`
			`return NextAuth({`
fix: next auth host not trusted (#144) 2024-02-23 17:15:24 +01:00			`logger: {`
			`error: (code, ...message) => {`
			`// Remove the big error message for failed login attempts`
			`// as it is not useful for the user.`
			`if (code.name === "CredentialsSignin") {`
			`console.warn("The login attempt of a user was not successful.");`
			`return;`
			`}`

			`console.error(code, ...message);`
			`},`
			`},`
			`trustHost: true,`
fix: inconsistent session cookie (#1310) 2024-10-16 21:46:12 +02:00			`cookies: {`
			`sessionToken: {`
			`name: sessionTokenCookieName,`
			`},`
			`},`
fix: credentials auth not working (#1284) 2024-10-11 23:36:05 +02:00			`adapter,`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`providers: filterProviders([`
			`Credentials(createCredentialsConfiguration(db)),`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`Credentials(createLdapConfiguration(db)),`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`EmptyNextAuthProvider(),`
			`OidcProvider(headers),`
			`]),`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00			`callbacks: {`
feat: board access group permissions (#422) * fix: cache is not exportet from react * fix: format issue * wip: add usage of group permissions * feat: show inherited groups and add manage group * refactor: improve board access management * chore: address pull request feedback * fix: type issues * fix: migrations * test: add unit tests for board permissions, permissions and board router * test: add unit tests for board router and get current user permissions method * fix: format issues * fix: deepsource issue 2024-05-04 18:34:41 +02:00			`session: createSessionCallback(db),`
fix: credentials auth not working (#1284) 2024-10-11 23:36:05 +02:00			`// eslint-disable-next-line no-restricted-syntax`
			`signIn: async ({ user }) => {`
			`/**`
			`* For credentials provider only jwt is supported by default`
			`* so we have to create the session and set the cookie manually.`
			`*/`
			`if (provider !== "credentials" && provider !== "ldap") {`
			`return true;`
			`}`

			`if (!adapter.createSession \|\| !user.id) {`
			`return false;`
			`}`

			`const expires = expireDateAfter(env.AUTH_SESSION_EXPIRY_TIME);`
			`const sessionToken = generateSessionToken();`
			`await adapter.createSession({`
			`sessionToken,`
			`expires,`
			`userId: user.id,`
			`});`

			`cookies().set(sessionTokenCookieName, sessionToken, {`
			`path: "/",`
			`expires: expires,`
			`httpOnly: true,`
			`sameSite: "lax",`
fix: credentials login not working cause of cookie secure flag not possible for http (#1421) * fix: credentials login not working cause of cookie secure flag not possible for http * chore: add missing comment * fix: lint issue 2024-11-04 19:20:19 +01:00			`secure: useSecureCookies,`
fix: credentials auth not working (#1284) 2024-10-11 23:36:05 +02:00			`});`

			`return true;`
			`},`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`},`
			`events: {`
			`signIn: createSignInEventHandler(db),`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00			`},`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`redirectProxyUrl: createRedirectUri(headers, "/api/auth"),`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00			`session: {`
			`strategy: "database",`
feat: add session expiry (#951) 2024-08-09 15:59:00 +02:00			`maxAge: env.AUTH_SESSION_EXPIRY_TIME,`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`generateSessionToken,`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00			`},`
			`pages: {`
			`signIn: "/auth/login",`
			`error: "/auth/login",`
			`},`
			`jwt: {`
			`encode() {`
test: add initial unit tests (#56) * chore: add initial db migration * test: add unit tests for packages auth, common, widgets * fix: deep source issues * fix: format issues * wip: add unit tests for api routers * fix: deep source issues * test: add missing unit tests for integration router * wip: board tests * test: add unit tests for board router * fix: remove unnecessary null assertions * fix: deepsource issues * fix: formatting * fix: pnpm lock * fix: lint and typecheck issues * chore: address pull request feedback * fix: non-null assertions * fix: lockfile broken 2024-02-10 19:00:08 +01:00			`const cookie = cookies().get(sessionTokenCookieName)?.value;`
feat: add credentials authentication (#1) 2023-12-10 17:12:20 +01:00			`return cookie ?? "";`
			`},`

			`decode() {`
			`return null;`
			`},`
			`},`
			`});`
fix: credentials auth not working (#1284) 2024-10-11 23:36:05 +02:00			`};`