@girardmedia/bootspring 1.2.0 → 2.0.3

package/agents/auth-expert/context.md

@@ -1,399 +0,0 @@
-# Auth Expert Agent
-
-## Role
-Specialized in authentication patterns, session management, OAuth, protected routes, and security best practices for web applications.
-
-## Core Expertise
-
-### Clerk Authentication
-
-```typescript
-// middleware.ts
-import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
-
-const isPublicRoute = createRouteMatcher([
-  '/',
-  '/sign-in(.*)',
-  '/sign-up(.*)',
-  '/api/webhooks(.*)',
-]);
-
-export default clerkMiddleware((auth, req) => {
-  if (!isPublicRoute(req)) {
-    auth().protect();
-  }
-});
-
-export const config = {
-  matcher: ['/((?!.*\\..*|_next).*)', '/', '/(api|trpc)(.*)'],
-};
-```
-
-```tsx
-// app/layout.tsx
-import { ClerkProvider } from '@clerk/nextjs';
-
-export default function RootLayout({
-  children,
-}: {
-  children: React.ReactNode;
-}) {
-  return (
-    <ClerkProvider>
-      <html lang="en">
-        <body>{children}</body>
-      </html>
-    </ClerkProvider>
-  );
-}
-```
-
-```tsx
-// components/auth-buttons.tsx
-import { SignInButton, SignUpButton, UserButton, SignedIn, SignedOut } from '@clerk/nextjs';
-
-export function AuthButtons() {
-  return (
-    <>
-      <SignedOut>
-        <SignInButton mode="modal">
-          <button>Sign In</button>
-        </SignInButton>
-        <SignUpButton mode="modal">
-          <button>Sign Up</button>
-        </SignUpButton>
-      </SignedOut>
-      <SignedIn>
-        <UserButton afterSignOutUrl="/" />
-      </SignedIn>
-    </>
-  );
-}
-```
-
-### NextAuth.js (Auth.js)
-
-```typescript
-// auth.ts
-import NextAuth from 'next-auth';
-import GitHub from 'next-auth/providers/github';
-import Google from 'next-auth/providers/google';
-import Credentials from 'next-auth/providers/credentials';
-import { PrismaAdapter } from '@auth/prisma-adapter';
-import { prisma } from '@/lib/db';
-import bcrypt from 'bcryptjs';
-
-export const { handlers, auth, signIn, signOut } = NextAuth({
-  adapter: PrismaAdapter(prisma),
-  session: { strategy: 'jwt' },
-  providers: [
-    GitHub({
-      clientId: process.env.GITHUB_ID,
-      clientSecret: process.env.GITHUB_SECRET,
-    }),
-    Google({
-      clientId: process.env.GOOGLE_ID,
-      clientSecret: process.env.GOOGLE_SECRET,
-    }),
-    Credentials({
-      credentials: {
-        email: { type: 'email' },
-        password: { type: 'password' },
-      },
-      async authorize(credentials) {
-        const user = await prisma.user.findUnique({
-          where: { email: credentials.email as string },
-        });
-
-        if (!user?.password) return null;
-
-        const valid = await bcrypt.compare(
-          credentials.password as string,
-          user.password
-        );
-
-        if (!valid) return null;
-
-        return { id: user.id, email: user.email, name: user.name };
-      },
-    }),
-  ],
-  callbacks: {
-    async jwt({ token, user }) {
-      if (user) {
-        token.id = user.id;
-      }
-      return token;
-    },
-    async session({ session, token }) {
-      if (session.user) {
-        session.user.id = token.id as string;
-      }
-      return session;
-    },
-  },
-  pages: {
-    signIn: '/login',
-    error: '/login',
-  },
-});
-```
-
-```typescript
-// app/api/auth/[...nextauth]/route.ts
-import { handlers } from '@/auth';
-
-export const { GET, POST } = handlers;
-```
-
-### Protected API Routes
-
-```typescript
-// lib/auth.ts (helper)
-import { auth } from '@/auth';
-import { NextResponse } from 'next/server';
-
-export async function getSession() {
-  return auth();
-}
-
-export async function requireAuth() {
-  const session = await auth();
-
-  if (!session?.user) {
-    throw new Error('Unauthorized');
-  }
-
-  return session;
-}
-
-// Usage in API route
-export async function GET() {
-  try {
-    const session = await requireAuth();
-    const userId = session.user.id;
-
-    // Your logic here
-    return Response.json({ userId });
-  } catch {
-    return Response.json({ error: 'Unauthorized' }, { status: 401 });
-  }
-}
-```
-
-### Role-Based Access Control (RBAC)
-
-```typescript
-// lib/rbac.ts
-import { auth } from '@/auth';
-import { prisma } from '@/lib/db';
-
-export type Role = 'USER' | 'ADMIN' | 'SUPER_ADMIN';
-
-export async function getUserRole(userId: string): Promise<Role> {
-  const user = await prisma.user.findUnique({
-    where: { id: userId },
-    select: { role: true },
-  });
-
-  return (user?.role as Role) ?? 'USER';
-}
-
-export async function requireRole(allowedRoles: Role[]) {
-  const session = await auth();
-
-  if (!session?.user) {
-    throw new Error('Unauthorized');
-  }
-
-  const role = await getUserRole(session.user.id);
-
-  if (!allowedRoles.includes(role)) {
-    throw new Error('Forbidden');
-  }
-
-  return { session, role };
-}
-
-// Usage
-export async function DELETE(req: Request, { params }: { params: { id: string } }) {
-  try {
-    await requireRole(['ADMIN', 'SUPER_ADMIN']);
-
-    // Admin-only logic
-    await prisma.user.delete({ where: { id: params.id } });
-
-    return Response.json({ success: true });
-  } catch (error) {
-    if (error.message === 'Forbidden') {
-      return Response.json({ error: 'Forbidden' }, { status: 403 });
-    }
-    return Response.json({ error: 'Unauthorized' }, { status: 401 });
-  }
-}
-```
-
-### Session Management
-
-```typescript
-// lib/session.ts
-import { cookies } from 'next/headers';
-import { SignJWT, jwtVerify } from 'jose';
-
-const secret = new TextEncoder().encode(process.env.JWT_SECRET);
-
-export async function createSession(userId: string) {
-  const token = await new SignJWT({ userId })
-    .setProtectedHeader({ alg: 'HS256' })
-    .setIssuedAt()
-    .setExpirationTime('7d')
-    .sign(secret);
-
-  cookies().set('session', token, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    maxAge: 60 * 60 * 24 * 7, // 7 days
-    path: '/',
-  });
-
-  return token;
-}
-
-export async function getSessionData() {
-  const token = cookies().get('session')?.value;
-
-  if (!token) return null;
-
-  try {
-    const { payload } = await jwtVerify(token, secret);
-    return payload as { userId: string };
-  } catch {
-    return null;
-  }
-}
-
-export async function destroySession() {
-  cookies().delete('session');
-}
-```
-
-### OAuth Flow
-
-```typescript
-// app/api/auth/oauth/[provider]/route.ts
-import { generateState, generateCodeVerifier } from 'oslo/oauth2';
-import { cookies } from 'next/headers';
-
-const providers = {
-  github: {
-    authUrl: 'https://github.com/login/oauth/authorize',
-    clientId: process.env.GITHUB_ID!,
-    scopes: ['read:user', 'user:email'],
-  },
-  google: {
-    authUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
-    clientId: process.env.GOOGLE_ID!,
-    scopes: ['openid', 'email', 'profile'],
-  },
-};
-
-export async function GET(
-  req: Request,
-  { params }: { params: { provider: string } }
-) {
-  const provider = providers[params.provider];
-  if (!provider) {
-    return Response.json({ error: 'Invalid provider' }, { status: 400 });
-  }
-
-  const state = generateState();
-  const codeVerifier = generateCodeVerifier();
-
-  // Store state and verifier in cookies
-  cookies().set('oauth_state', state, { httpOnly: true, maxAge: 600 });
-  cookies().set('oauth_verifier', codeVerifier, { httpOnly: true, maxAge: 600 });
-
-  const url = new URL(provider.authUrl);
-  url.searchParams.set('client_id', provider.clientId);
-  url.searchParams.set('redirect_uri', `${process.env.NEXT_PUBLIC_APP_URL}/api/auth/callback/${params.provider}`);
-  url.searchParams.set('response_type', 'code');
-  url.searchParams.set('scope', provider.scopes.join(' '));
-  url.searchParams.set('state', state);
-
-  return Response.redirect(url.toString());
-}
-```
-
-### Webhook for User Sync
-
-```typescript
-// app/api/webhooks/clerk/route.ts
-import { Webhook } from 'svix';
-import { headers } from 'next/headers';
-import { WebhookEvent } from '@clerk/nextjs/server';
-import { prisma } from '@/lib/db';
-
-export async function POST(req: Request) {
-  const body = await req.text();
-  const headerPayload = headers();
-
-  const svix = new Webhook(process.env.CLERK_WEBHOOK_SECRET!);
-
-  let event: WebhookEvent;
-
-  try {
-    event = svix.verify(body, {
-      'svix-id': headerPayload.get('svix-id')!,
-      'svix-timestamp': headerPayload.get('svix-timestamp')!,
-      'svix-signature': headerPayload.get('svix-signature')!,
-    }) as WebhookEvent;
-  } catch {
-    return Response.json({ error: 'Invalid signature' }, { status: 400 });
-  }
-
-  switch (event.type) {
-    case 'user.created':
-      await prisma.user.create({
-        data: {
-          clerkId: event.data.id,
-          email: event.data.email_addresses[0].email_address,
-          name: `${event.data.first_name} ${event.data.last_name}`.trim(),
-        },
-      });
-      break;
-
-    case 'user.updated':
-      await prisma.user.update({
-        where: { clerkId: event.data.id },
-        data: {
-          email: event.data.email_addresses[0].email_address,
-          name: `${event.data.first_name} ${event.data.last_name}`.trim(),
-        },
-      });
-      break;
-
-    case 'user.deleted':
-      await prisma.user.delete({
-        where: { clerkId: event.data.id },
-      });
-      break;
-  }
-
-  return Response.json({ received: true });
-}
-```
-
-## Auth Checklist
-
-- [ ] Auth provider configured
-- [ ] Sign in/up flows working
-- [ ] Protected routes set up
-- [ ] Session management secure
-- [ ] OAuth providers configured
-- [ ] Role-based access implemented
-- [ ] User sync webhooks set up
-- [ ] Security headers configured
-
-## Trigger Keywords
-auth, authentication, authorization, login, session, OAuth, JWT, protected, middleware, Clerk, NextAuth, RBAC, role