packages/auth/events.ts

import { cookies } from "next/headers";
import dayjs from "dayjs";
import type { NextAuthConfig } from "next-auth";

import { and, eq, inArray } from "@homarr/db";
import type { Database } from "@homarr/db";
import { groupMembers, groups, users } from "@homarr/db/schema";
import { colorSchemeCookieKey, everyoneGroup } from "@homarr/definitions";
import { logger } from "@homarr/log";

import { env } from "./env.mjs";

export const createSignInEventHandler = (db: Database): Exclude<NextAuthConfig["events"], undefined>["signIn"] => {
  return async ({ user, profile }) => {
    if (!user.id) throw new Error("User ID is missing");

    const dbUser = await db.query.users.findFirst({
      where: eq(users.id, user.id),
      columns: {
        name: true,
        colorScheme: true,
      },
    });

    if (!dbUser) throw new Error("User not found");

    const groupsKey = env.AUTH_OIDC_GROUPS_ATTRIBUTE;
    // Groups from oidc provider are provided from the profile, it's not typed.
    if (profile && groupsKey in profile && Array.isArray(profile[groupsKey])) {
      await synchronizeGroupsWithExternalForUserAsync(db, user.id, profile[groupsKey] as string[]);
    }

    // In ldap-authroization we return the groups from ldap, it's not typed.
    if ("groups" in user && Array.isArray(user.groups)) {
      await synchronizeGroupsWithExternalForUserAsync(db, user.id, user.groups as string[]);
    }
    await addUserToEveryoneGroupIfNotMemberAsync(db, user.id);

    if (dbUser.name !== user.name) {
      await db.update(users).set({ name: user.name }).where(eq(users.id, user.id));
      logger.info(
        `Username for user of credentials provider has changed. user=${user.id} old=${dbUser.name} new=${user.name}`,
      );
    }

    const profileUsername = profile?.preferred_username?.includes("@") ? profile.name : profile?.preferred_username;
    if (profileUsername && dbUser.name !== profileUsername) {
      await db.update(users).set({ name: profileUsername }).where(eq(users.id, user.id));
      logger.info(
        `Username for user of oidc provider has changed. user=${user.id} old='${dbUser.name}' new='${profileUsername}'`,
      );
    }

    logger.info(`User '${dbUser.name}' logged in at ${dayjs().format()}`);

    // We use a cookie as localStorage is not shared with server (otherwise flickering would occur)
    cookies().set(colorSchemeCookieKey, dbUser.colorScheme, {
      path: "/",
      expires: dayjs().add(1, "year").toDate(),
    });
  };
};

const addUserToEveryoneGroupIfNotMemberAsync = async (db: Database, userId: string) => {
  const dbEveryoneGroup = await db.query.groups.findFirst({
    where: eq(groups.name, everyoneGroup),
    with: {
      members: {
        where: eq(groupMembers.userId, userId),
      },
    },
  });

  if (dbEveryoneGroup?.members.length === 0) {
    await db.insert(groupMembers).values({
      userId,
      groupId: dbEveryoneGroup.id,
    });
    logger.info(`Added user to everyone group. user=${userId}`);
  }
};

const synchronizeGroupsWithExternalForUserAsync = async (db: Database, userId: string, externalGroups: string[]) => {
  const ignoredGroups = [everyoneGroup];
  const dbGroupMembers = await db.query.groupMembers.findMany({
    where: eq(groupMembers.userId, userId),
    with: {
      group: { columns: { name: true } },
    },
  });

  /**
   * The below groups are those groups the user is part of in the external system, but not in Homarr.
   * So he has to be added to those groups.
   */
  const missingExternalGroupsForUser = externalGroups.filter(
    (externalGroup) => !dbGroupMembers.some(({ group }) => group.name === externalGroup),
  );

  if (missingExternalGroupsForUser.length > 0) {
    logger.debug(
      `Homarr does not have the user in certain groups. user=${userId} count=${missingExternalGroupsForUser.length}`,
    );

    const groupIds = await db.query.groups.findMany({
      columns: {
        id: true,
      },
      where: inArray(groups.name, missingExternalGroupsForUser),
    });

    logger.debug(`Homarr has found groups in the database user is not in. user=${userId} count=${groupIds.length}`);

    if (groupIds.length > 0) {
      await db.insert(groupMembers).values(
        groupIds.map((group) => ({
          userId,
          groupId: group.id,
        })),
      );

      logger.info(`Added user to groups successfully. user=${userId} count=${groupIds.length}`);
    } else {
      logger.debug(`User is already in all groups of Homarr. user=${userId}`);
    }
  }

  /**
   * The below groups are those groups the user is part of in Homarr, but not in the external system and not ignored.
   * So he has to be removed from those groups.
   */
  const groupsUserIsNoLongerMemberOfExternally = dbGroupMembers.filter(
    ({ group }) => !externalGroups.concat(ignoredGroups).includes(group.name),
  );

  if (groupsUserIsNoLongerMemberOfExternally.length > 0) {
    logger.debug(
      `Homarr has the user in certain groups that LDAP does not have. user=${userId} count=${groupsUserIsNoLongerMemberOfExternally.length}`,
    );

    await db.delete(groupMembers).where(
      and(
        eq(groupMembers.userId, userId),
        inArray(
          groupMembers.groupId,
          groupsUserIsNoLongerMemberOfExternally.map(({ groupId }) => groupId),
        ),
      ),
    );

    logger.info(
      `Removed user from groups successfully. user=${userId} count=${groupsUserIsNoLongerMemberOfExternally.length}`,
    );
  }
};
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`import { cookies } from "next/headers";`
			`import dayjs from "dayjs";`
			`import type { NextAuthConfig } from "next-auth";`

			`import { and, eq, inArray } from "@homarr/db";`
			`import type { Database } from "@homarr/db";`
fix: mysql operations not working (#1728) 2024-12-19 16:10:22 +01:00			`import { groupMembers, groups, users } from "@homarr/db/schema";`
feat: add server settings for default board, default color scheme and default locale (#1373) * feat: add server settings for default board, default color scheme and default locale * chore: address pull request feedback * test: adjust unit tests to match requirements * fix: deepsource issue * chore: add deepsource as dependency to translation library * refactor: restructure language-combobox, adjust default locale for next-intl * chore: change cookie keys prefix from homarr- to homarr. 2024-11-02 21:15:46 +01:00			`import { colorSchemeCookieKey, everyoneGroup } from "@homarr/definitions";`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`import { logger } from "@homarr/log";`

			`import { env } from "./env.mjs";`

			`export const createSignInEventHandler = (db: Database): Exclude<NextAuthConfig["events"], undefined>["signIn"] => {`
			`return async ({ user, profile }) => {`
			`if (!user.id) throw new Error("User ID is missing");`

			`const dbUser = await db.query.users.findFirst({`
			`where: eq(users.id, user.id),`
			`columns: {`
			`name: true,`
			`colorScheme: true,`
			`},`
			`});`

			`if (!dbUser) throw new Error("User not found");`

			`const groupsKey = env.AUTH_OIDC_GROUPS_ATTRIBUTE;`
			`// Groups from oidc provider are provided from the profile, it's not typed.`
			`if (profile && groupsKey in profile && Array.isArray(profile[groupsKey])) {`
			`await synchronizeGroupsWithExternalForUserAsync(db, user.id, profile[groupsKey] as string[]);`
			`}`

			`// In ldap-authroization we return the groups from ldap, it's not typed.`
			`if ("groups" in user && Array.isArray(user.groups)) {`
			`await synchronizeGroupsWithExternalForUserAsync(db, user.id, user.groups as string[]);`
			`}`
feat: add everyone group (#1322) * feat: add everyone group through seed * feat: add reserved group name check in group router actions * feat: improve user interface for everyone group * fix: reserved group alert is a server component * feat: add all users to everyone group * chore: update lockfile * fix: format issues * fix: lint issues * fix: lint format issues * test: add unit tests for everyone group * refactor: add codegen for documentation urls by sitemap * refactor: change group query to count * chore: remove migrations temporarily * chore: add migrations again * chore: add lint rule to prevent usage of raw documentation links * fix: format issues 2024-10-21 17:23:51 +02:00			`await addUserToEveryoneGroupIfNotMemberAsync(db, user.id);`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00
			`if (dbUser.name !== user.name) {`
			`await db.update(users).set({ name: user.name }).where(eq(users.id, user.id));`
			`logger.info(`
			`Username for user of credentials provider has changed. user=${user.id} old=${dbUser.name} new=${user.name}`,
			`);`
			`}`

			`const profileUsername = profile?.preferred_username?.includes("@") ? profile.name : profile?.preferred_username;`
			`if (profileUsername && dbUser.name !== profileUsername) {`
			`await db.update(users).set({ name: profileUsername }).where(eq(users.id, user.id));`
			`logger.info(`
			`Username for user of oidc provider has changed. user=${user.id} old='${dbUser.name}' new='${profileUsername}'`,
			`);`
			`}`

feat: #511 log user logged in (#1405) 2024-11-03 00:06:49 +01:00			logger.info(`User '${dbUser.name}' logged in at ${dayjs().format()}`);

refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`// We use a cookie as localStorage is not shared with server (otherwise flickering would occur)`
feat: add server settings for default board, default color scheme and default locale (#1373) * feat: add server settings for default board, default color scheme and default locale * chore: address pull request feedback * test: adjust unit tests to match requirements * fix: deepsource issue * chore: add deepsource as dependency to translation library * refactor: restructure language-combobox, adjust default locale for next-intl * chore: change cookie keys prefix from homarr- to homarr. 2024-11-02 21:15:46 +01:00			`cookies().set(colorSchemeCookieKey, dbUser.colorScheme, {`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`path: "/",`
			`expires: dayjs().add(1, "year").toDate(),`
			`});`
			`};`
			`};`

feat: add everyone group (#1322) * feat: add everyone group through seed * feat: add reserved group name check in group router actions * feat: improve user interface for everyone group * fix: reserved group alert is a server component * feat: add all users to everyone group * chore: update lockfile * fix: format issues * fix: lint issues * fix: lint format issues * test: add unit tests for everyone group * refactor: add codegen for documentation urls by sitemap * refactor: change group query to count * chore: remove migrations temporarily * chore: add migrations again * chore: add lint rule to prevent usage of raw documentation links * fix: format issues 2024-10-21 17:23:51 +02:00			`const addUserToEveryoneGroupIfNotMemberAsync = async (db: Database, userId: string) => {`
			`const dbEveryoneGroup = await db.query.groups.findFirst({`
			`where: eq(groups.name, everyoneGroup),`
			`with: {`
			`members: {`
			`where: eq(groupMembers.userId, userId),`
			`},`
			`},`
			`});`

			`if (dbEveryoneGroup?.members.length === 0) {`
			`await db.insert(groupMembers).values({`
			`userId,`
			`groupId: dbEveryoneGroup.id,`
			`});`
			logger.info(`Added user to everyone group. user=${userId}`);
			`}`
			`};`

refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`const synchronizeGroupsWithExternalForUserAsync = async (db: Database, userId: string, externalGroups: string[]) => {`
feat: add everyone group (#1322) * feat: add everyone group through seed * feat: add reserved group name check in group router actions * feat: improve user interface for everyone group * fix: reserved group alert is a server component * feat: add all users to everyone group * chore: update lockfile * fix: format issues * fix: lint issues * fix: lint format issues * test: add unit tests for everyone group * refactor: add codegen for documentation urls by sitemap * refactor: change group query to count * chore: remove migrations temporarily * chore: add migrations again * chore: add lint rule to prevent usage of raw documentation links * fix: format issues 2024-10-21 17:23:51 +02:00			`const ignoredGroups = [everyoneGroup];`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`const dbGroupMembers = await db.query.groupMembers.findMany({`
			`where: eq(groupMembers.userId, userId),`
			`with: {`
			`group: { columns: { name: true } },`
			`},`
			`});`

			`/**`
			`* The below groups are those groups the user is part of in the external system, but not in Homarr.`
			`* So he has to be added to those groups.`
			`*/`
			`const missingExternalGroupsForUser = externalGroups.filter(`
			`(externalGroup) => !dbGroupMembers.some(({ group }) => group.name === externalGroup),`
			`);`

			`if (missingExternalGroupsForUser.length > 0) {`
			`logger.debug(`
			`Homarr does not have the user in certain groups. user=${userId} count=${missingExternalGroupsForUser.length}`,
			`);`

			`const groupIds = await db.query.groups.findMany({`
			`columns: {`
			`id: true,`
			`},`
			`where: inArray(groups.name, missingExternalGroupsForUser),`
			`});`

			logger.debug(`Homarr has found groups in the database user is not in. user=${userId} count=${groupIds.length}`);

			`if (groupIds.length > 0) {`
			`await db.insert(groupMembers).values(`
			`groupIds.map((group) => ({`
			`userId,`
			`groupId: group.id,`
			`})),`
			`);`

			logger.info(`Added user to groups successfully. user=${userId} count=${groupIds.length}`);
			`} else {`
			logger.debug(`User is already in all groups of Homarr. user=${userId}`);
			`}`
			`}`

			`/**`
feat: add everyone group (#1322) * feat: add everyone group through seed * feat: add reserved group name check in group router actions * feat: improve user interface for everyone group * fix: reserved group alert is a server component * feat: add all users to everyone group * chore: update lockfile * fix: format issues * fix: lint issues * fix: lint format issues * test: add unit tests for everyone group * refactor: add codegen for documentation urls by sitemap * refactor: change group query to count * chore: remove migrations temporarily * chore: add migrations again * chore: add lint rule to prevent usage of raw documentation links * fix: format issues 2024-10-21 17:23:51 +02:00			`* The below groups are those groups the user is part of in Homarr, but not in the external system and not ignored.`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`* So he has to be removed from those groups.`
			`*/`
			`const groupsUserIsNoLongerMemberOfExternally = dbGroupMembers.filter(`
feat: add everyone group (#1322) * feat: add everyone group through seed * feat: add reserved group name check in group router actions * feat: improve user interface for everyone group * fix: reserved group alert is a server component * feat: add all users to everyone group * chore: update lockfile * fix: format issues * fix: lint issues * fix: lint format issues * test: add unit tests for everyone group * refactor: add codegen for documentation urls by sitemap * refactor: change group query to count * chore: remove migrations temporarily * chore: add migrations again * chore: add lint rule to prevent usage of raw documentation links * fix: format issues 2024-10-21 17:23:51 +02:00			`({ group }) => !externalGroups.concat(ignoredGroups).includes(group.name),`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`);`

			`if (groupsUserIsNoLongerMemberOfExternally.length > 0) {`
			`logger.debug(`
			`Homarr has the user in certain groups that LDAP does not have. user=${userId} count=${groupsUserIsNoLongerMemberOfExternally.length}`,
			`);`

			`await db.delete(groupMembers).where(`
			`and(`
			`eq(groupMembers.userId, userId),`
			`inArray(`
			`groupMembers.groupId,`
			`groupsUserIsNoLongerMemberOfExternally.map(({ groupId }) => groupId),`
			`),`
			`),`
			`);`

			`logger.info(`
			`Removed user from groups successfully. user=${userId} count=${groupsUserIsNoLongerMemberOfExternally.length}`,
			`);`
			`}`
			`};`