@opensaas/keystone-nextjs-auth 20.3.0 → 21.0.0

package/src/index.ts

@@ -9,16 +9,15 @@ import {
   BaseKeystoneTypeInfo,
 } from '@keystone-6/core/types';
 import { getSession } from 'next-auth/react';
+import { getToken } from 'next-auth/jwt';
+import { Provider } from 'next-auth/providers';
+
 import * as cookie from 'cookie';
+
 import { nextConfigTemplate } from './templates/next-config';
 // import * as Path from 'path';
 
-import {
-  AuthConfig,
-  AuthGqlNames,
-  KeystoneAuthConfig,
-  NextAuthSession,
-} from './types';
+import { AuthConfig, KeystoneOAuthConfig, NextAuthSession } from './types';
 import { getSchemaExtension } from './schema';
 import { authTemplate } from './templates/auth';
 
@@ -28,33 +27,23 @@ import { authTemplate } from './templates/auth';
  * Generates config for Keystone to implement standard auth features.
  */
 
-export type { NextAuthProviders, KeystoneAuthConfig } from './types';
+export type { NextAuthProviders, KeystoneOAuthConfig } from './types';
 export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
-  listKey,
-  identityField,
-  sessionData,
   autoCreate,
-  userMap,
-  accountMap,
-  profileMap,
+  cookies,
+  identityField,
+  listKey,
   keystonePath,
+  pages,
+  resolver,
   providers,
+  sessionData,
   sessionSecret,
 }: AuthConfig<GeneratedListTypes>) {
   // The protectIdentities flag is currently under review to see whether it should be
   // part of the createAuth API (in which case its use cases need to be documented and tested)
   // or whether always being true is what we want, in which case we can refactor our code
   // to match this. -TL
-  const gqlNames: AuthGqlNames = {
-    // Core
-    authenticateItemWithPassword: `authenticate${listKey}WithPassword`,
-    ItemAuthenticationWithPasswordResult: `${listKey}AuthenticationWithPasswordResult`,
-    ItemAuthenticationWithPasswordSuccess: `${listKey}AuthenticationWithPasswordSuccess`,
-    ItemAuthenticationWithPasswordFailure: `${listKey}AuthenticationWithPasswordFailure`,
-    // Initial data
-    CreateInitialInput: `CreateInitial${listKey}Input`,
-    createInitialItem: `createInitial${listKey}`,
-  };
 
   const customPath = !keystonePath || keystonePath === '/' ? '' : keystonePath;
   /**
@@ -71,9 +60,7 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
     async ({ context, isValidSession }) => {
       const { req, session } = context;
       const pathname = url.parse(req?.url!).pathname!;
-      if (pathname === `${customPath}/api/__keystone_api_build`) {
-        return;
-      }
+
       if (isValidSession) {
         if (pathname === `${customPath}/api/auth/signin`) {
           return { kind: 'redirect', to: `${customPath}` };
@@ -83,8 +70,14 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
         }
         return;
       }
-
-      if (!session && !pathname.includes(`${customPath}/api/auth/`)) {
+      if (pathname.includes('/_next/') || pathname.includes('/api/auth/')) {
+        return;
+      }
+      if (
+        !session &&
+        !pathname.includes(`${customPath}/api/auth/`) &&
+        !(Object.values(pages).indexOf(pathname) > -1)
+      ) {
         return { kind: 'redirect', to: `${customPath}/api/auth/signin` };
       }
     };
@@ -103,14 +96,10 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
         mode: 'write',
         outputPath: 'pages/api/auth/[...nextauth].js',
         src: authTemplate({
-          gqlNames,
+          autoCreate,
           identityField,
-          sessionData,
           listKey,
-          autoCreate,
-          userMap,
-          accountMap,
-          profileMap,
+          sessionData,
           sessionSecret,
         }),
       },
@@ -129,14 +118,18 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
    * Must be added to the ui.publicPages config
    */
   const publicPages = [
+    `${customPath}/api/__keystone_api_build`,
     `${customPath}/api/auth/csrf`,
     `${customPath}/api/auth/signin`,
     `${customPath}/api/auth/callback`,
     `${customPath}/api/auth/session`,
     `${customPath}/api/auth/providers`,
     `${customPath}/api/auth/signout`,
+    `${customPath}/api/auth/error`,
   ];
-  function addPages(provider) {
+  // TODO: Add Provider Types
+  // @ts-ignore
+  function addPages(provider: Provider) {
     const name = provider.id;
     publicPages.push(`${customPath}/api/auth/signin/${name}`);
     publicPages.push(`${customPath}/api/auth/callback/${name}`);
@@ -151,7 +144,6 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
   const extendGraphqlSchema = getSchemaExtension({
     identityField,
     listKey,
-    gqlNames,
   });
 
   /**
@@ -166,13 +158,16 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
       throw new Error(msg);
     }
 
+    // TODO: Check if providers
+    // TODO: Check other required commands/data
+
     // TODO: Check for String-like typing for identityField? How?
     // TODO: Validate that the identifyField is unique.
     // TODO: If this field isn't required, what happens if I try to log in as `null`?
     const identityFieldConfig = listConfig.fields[identityField];
     if (identityFieldConfig === undefined) {
-      const i = JSON.stringify(identityField);
-      const msg = `A createAuth() invocation for the "${listKey}" list specifies ${i} as its identityField but no field with that key exists on the list.`;
+      const identityFieldName = JSON.stringify(identityField);
+      const msg = `A createAuth() invocation for the "${listKey}" list specifies ${identityFieldName} as its identityField but no field with that key exists on the list.`;
       throw new Error(msg);
     }
   };
@@ -188,15 +183,32 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
   const withItemData = (
     _sessionStrategy: SessionStrategy<Record<string, any>>
   ): SessionStrategy<NextAuthSession | undefined> => {
-    const { get, ...sessionStrategy } = _sessionStrategy;
+    const { get, start, ...sessionStrategy } = _sessionStrategy;
     return {
       ...sessionStrategy,
+      start: async ({ res }) => {
+        console.log('start');
+
+        const session = await start({ res });
+        return session;
+      },
       get: async ({ req }) => {
         const pathname = url.parse(req?.url!).pathname!;
         if (pathname.includes('/api/auth')) {
           return;
         }
+        if (req.headers.authorization?.split(' ')[0] === 'Bearer') {
+          const token = (await getToken({
+            req,
+            secret: sessionSecret,
+          })) as NextAuthSession;
+
+          if (token?.data?.id) {
+            return token;
+          }
+        }
         const nextSession: unknown = await getSession({ req });
+
         if (nextSession) {
           return nextSession as NextAuthSession;
         }
@@ -215,7 +227,8 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
             secure: process.env.NODE_ENV === 'production',
             path: '/',
             sameSite: 'lax',
-            domain: url.parse(req.url).hostname,
+            // TODO: Update parse to URL
+            domain: url.parse(req.url as string).hostname as string,
           })
         );
       },
@@ -232,7 +245,7 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
    * It validates the auth config against the provided keystone config, and preserves existing
    * config by composing existing extendGraphqlSchema functions and ui config.
    */
-  const withAuth = (keystoneConfig: KeystoneConfig): KeystoneAuthConfig => {
+  const withAuth = (keystoneConfig: KeystoneConfig): KeystoneOAuthConfig => {
     validateConfig(keystoneConfig);
     let { ui } = keystoneConfig;
     if (keystoneConfig.ui) {
@@ -248,6 +261,15 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
           keystoneConfig?.ui?.pageMiddleware?.(args),
         enableSessionItem: true,
         isAccessAllowed: async (context: KeystoneContext) => {
+          const { req } = context;
+          const pathname = url.parse(req?.url!).pathname!;
+
+          // Allow nextjs scripts and static files to be accessed without auth
+          if (pathname.includes('/_next/')) {
+            return true;
+          }
+
+          // Allow keystone to access /api/__keystone_api_build for hot reloading
           if (
             process.env.NODE_ENV !== 'production' &&
             context.req?.url !== undefined &&
@@ -256,25 +278,10 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
           ) {
             return true;
           }
-          // Allow access to the adminMeta data from the /init path to correctly render that page
-          // even if the user isn't logged in (which should always be the case if they're seeing /init)
-          const headers = context.req?.headers;
-          const host = headers
-            ? headers['x-forwarded-host'] || headers.host
-            : null;
-          const thisUrl = headers?.referer
-            ? new URL(headers.referer)
-            : undefined;
-          const accessingInitPage =
-            thisUrl?.pathname === '/init' &&
-            thisUrl?.host === host &&
-            (await context.sudo().query[listKey].count({})) === 0;
-          return (
-            accessingInitPage ||
-            (keystoneConfig.ui?.isAccessAllowed
-              ? keystoneConfig.ui.isAccessAllowed(context)
-              : context.session !== undefined)
-          );
+
+          return keystoneConfig.ui?.isAccessAllowed
+            ? keystoneConfig.ui.isAccessAllowed(context)
+            : context.session !== undefined;
         },
       };
     }
@@ -287,8 +294,11 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
     return {
       ...keystoneConfig,
       ui,
-      session,
+      cookies,
       providers,
+      pages,
+      resolver,
+      session,
       lists: {
         ...keystoneConfig.lists,
       },

package/src/pages/NextAuthPage.tsx

@@ -1,43 +1,74 @@
-import NextAuth from 'next-auth';
+import NextAuth, {
+  CookiesOptions,
+  EventCallbacks,
+  PagesOptions,
+} from 'next-auth';
 import type { KeystoneListsAPI } from '@keystone-6/core/types';
 import { Provider } from 'next-auth/providers';
+import { JWTOptions } from 'next-auth/jwt';
 import { validateNextAuth } from '../lib/validateNextAuth';
 
-// Need to bring in correct props
-type NextAuthPageProps = {
+// TODO: See if possible to merge with `type AuthConfig`
+type CoreNextAuthPageProps = {
+  autoCreate: boolean;
+  cookies?: Partial<CookiesOptions>;
+  events?: Partial<EventCallbacks>;
   identityField: string;
-  mutationName: string;
-  providers: Provider[];
-  query: KeystoneListsAPI<any>;
-  sessionData: string;
+  jwt?: Partial<JWTOptions>;
   listKey: string;
-  autoCreate: boolean;
-  userMap: any;
-  accountMap: any;
-  profileMap: any;
+  pages?: Partial<PagesOptions>;
+  providers?: Provider[];
+  resolver?: Function | undefined;
+  sessionData: string | undefined;
   sessionSecret: string;
 };
 
+type NextAuthGglProps = {
+  mutationName?: string;
+  query?: KeystoneListsAPI<any>;
+};
+
+export type NextAuthPageProps = CoreNextAuthPageProps & NextAuthGglProps;
+
 export default function NextAuthPage(props: NextAuthPageProps) {
   const {
+    autoCreate,
+    cookies,
+    events,
+    identityField,
+    jwt,
+    listKey,
+    pages,
     providers,
     query,
-    identityField,
+    resolver,
     sessionData,
-    listKey,
-    autoCreate,
-    userMap,
-    accountMap,
-    profileMap,
     sessionSecret,
   } = props;
+  // TODO: (v1.1). https://github.com/ijsto/keystone-6-oauth/projects/1#card-78602004
+  console.log('NextAuthPages... ', pages);
+
+  if (!query) {
+    console.error('NextAuthPage got no query.');
+    return null;
+  }
+
+  if (!providers || !providers.length) {
+    console.error('You need to provide at least one provider.');
+    return null;
+  }
+
   const list = query[listKey];
   const queryAPI = query[listKey];
   const protectIdentities = true;
 
   return NextAuth({
-    secret: sessionSecret,
+    cookies,
     providers,
+    pages: pages || {},
+    events: events || {},
+    jwt: jwt || {},
+    secret: sessionSecret,
     callbacks: {
       async signIn({ user, account, profile }) {
         let identity;
@@ -48,31 +79,21 @@ export default function NextAuthPage(props: NextAuthPageProps) {
         } else {
           identity = 0;
         }
+        const userInput = resolver
+          ? await resolver({ user, account, profile })
+          : {};
+
         const result = await validateNextAuth(
           identityField,
           identity,
           protectIdentities,
           queryAPI
         );
-        const data: any = {};
-        // eslint-disable-next-line no-restricted-syntax
-        for (const key in userMap) {
-          if (Object.prototype.hasOwnProperty.call(userMap, key)) {
-            data[key] = user[userMap[key]];
-          }
-        }
-        // eslint-disable-next-line no-restricted-syntax
-        for (const key in accountMap) {
-          if (Object.prototype.hasOwnProperty.call(accountMap, key)) {
-            data[key] = account[accountMap[key]];
-          }
-        }
-        // eslint-disable-next-line no-restricted-syntax
-        for (const key in profileMap) {
-          if (Object.prototype.hasOwnProperty.call(profileMap, key)) {
-            data[key] = profile[profileMap[key]];
-          }
-        }
+        // ID
+        const data: any = {
+          [identityField]: identity,
+          ...userInput,
+        };
 
         if (!result.success) {
           if (!autoCreate) {

package/src/schema.ts

@@ -1,39 +1,17 @@
 import { ExtendGraphqlSchema } from '@keystone-6/core/types';
 
-import { assertInputObjectType, GraphQLString, GraphQLID } from 'graphql';
 import { graphql } from '@keystone-6/core';
-import { AuthGqlNames } from './types';
 import { getBaseAuthSchema } from './gql/getBaseAuthSchema';
 
 export const getSchemaExtension = ({
-  identityField,
   listKey,
-  gqlNames,
 }: {
   identityField: string;
   listKey: string;
-  gqlNames: AuthGqlNames;
 }): ExtendGraphqlSchema =>
   graphql.extend((base) => {
-    const uniqueWhereInputType = assertInputObjectType(
-      base.schema.getType(`${listKey}WhereUniqueInput`)
-    );
-    const identityFieldOnUniqueWhere =
-      uniqueWhereInputType.getFields()[identityField];
-    if (
-      identityFieldOnUniqueWhere?.type !== GraphQLString &&
-      identityFieldOnUniqueWhere?.type !== GraphQLID
-    ) {
-      throw new Error(
-        `createAuth was called with an identityField of ${identityField} on the list ${listKey} ` +
-          `but that field doesn't allow being searched uniquely with a String or ID. ` +
-          `You should likely add \`isIndexed: 'unique'\` ` +
-          `to the field at ${listKey}.${identityField}`
-      );
-    }
     const baseSchema = getBaseAuthSchema({
       listKey,
-      gqlNames,
       base,
     });
 

package/src/templates/auth.ts

@@ -1,5 +1,5 @@
 import ejs from 'ejs';
-import { AuthGqlNames } from '../types';
+import { NextAuthPageProps } from '../pages/NextAuthPage';
 
 const template = `
 import getNextAuthPage from '@opensaas/keystone-nextjs-auth/pages/NextAuthPage';
@@ -7,49 +7,32 @@ import { query } from '.keystone/api';
 import keystoneConfig from '../../../../../keystone';
 
 export default getNextAuthPage({
+        autoCreate: <%= autoCreate %>,
         identityField: '<%= identityField %>',
-        sessionData: '<%= sessionData %>',
         listKey: '<%= listKey %>',
-        userMap: <%- JSON.stringify(userMap) %>,
-        accountMap: <%- JSON.stringify(accountMap) %>,
-        profileMap: <%- JSON.stringify(profileMap) %>,
-        autoCreate: <%= autoCreate %>,
-        sessionSecret: '<%= sessionSecret %>',
+        pages: keystoneConfig.pages,
         providers: keystoneConfig.providers,
         query,
+        resolver: keystoneConfig.resolver,
+        sessionData: '<%= sessionData %>',
+        sessionSecret: '<%= sessionSecret %>',
     });
   `;
 
+type AuthTemplateOptions = NextAuthPageProps;
+
 export const authTemplate = ({
-  gqlNames,
+  autoCreate,
   identityField,
-  sessionData,
   listKey,
-  autoCreate,
-  userMap,
-  accountMap,
-  profileMap,
+  sessionData,
   sessionSecret,
-}: {
-  gqlNames: AuthGqlNames;
-  identityField: string;
-  sessionData: any;
-  listKey: string;
-  autoCreate: boolean;
-  userMap: any;
-  accountMap: any;
-  profileMap: any;
-  sessionSecret: string;
-}) => {
+}: AuthTemplateOptions) => {
   const authOut = ejs.render(template, {
-    gqlNames,
     identityField,
     sessionData,
     listKey,
     autoCreate,
-    userMap,
-    accountMap,
-    profileMap,
     sessionSecret,
   });
   return authOut;

package/src/templates/next-config.ts

@@ -9,6 +9,9 @@ module.exports = withPreconstruct({
   typescript: {
     ignoreBuildErrors: true,
   },
+  env: {
+    NEXTAUTH_URL: process.env.NEXTAUTH_URL || 'http://localhost:<%= process.env.PORT || 3000 %><%= keystonePath || '' %>/api/auth',
+  },
   eslint: {
     ignoreDuringBuilds: true,
   },

package/src/types.ts

@@ -1,44 +1,43 @@
 import { BaseListTypeInfo, KeystoneConfig } from '@keystone-6/core/types';
+import { CookiesOptions, PagesOptions } from 'next-auth';
 import { Provider } from 'next-auth/providers';
 
-export type AuthGqlNames = {
-  CreateInitialInput: string;
-  createInitialItem: string;
-  authenticateItemWithPassword: string;
-  ItemAuthenticationWithPasswordResult: string;
-  ItemAuthenticationWithPasswordSuccess: string;
-  ItemAuthenticationWithPasswordFailure: string;
-};
-
 export type NextAuthSession = { listKey: string; itemId: string; data: any };
 
 export type NextAuthProviders = Provider[];
 
-type KeytoneAuthProviders = {
+type KeytoneOAuthOptions = {
   providers: NextAuthProviders;
+  pages?: Partial<PagesOptions>;
+};
+type NextAuthOptions = {
+  cookies?: Partial<CookiesOptions>;
+  resolver: any;
 };
 
-export type KeystoneAuthConfig = KeystoneConfig & KeytoneAuthProviders;
+export type KeystoneOAuthConfig = KeystoneConfig &
+  KeytoneOAuthOptions &
+  NextAuthOptions;
 
 export type AuthConfig<GeneratedListTypes extends BaseListTypeInfo> = {
+  /** Auth Create users in Keystone DB from Auth Provider */
+  autoCreate: boolean;
+  /** Adds ability to customize cookie options, for example, to facilitate cross-subdomain functionality */
+  cookies?: Partial<CookiesOptions>;
   /** The key of the list to authenticate users with */
   listKey: GeneratedListTypes['key'];
   /** The path of the field the identity is stored in; must be text-ish */
   identityField: GeneratedListTypes['fields'];
-  /** Session data population */
-  sessionData?: string;
-  /** Auth Create users in Keystone DB from Auth Provider */
-  autoCreate: boolean;
-  /** Map User in next-auth to item */
-  userMap: any;
-  /** Map Account in next-auth to item */
-  accountMap: any;
-  /** Map Profile in next-auth to item */
-  profileMap: any;
   /** Path for Keystone interface */
   keystonePath?: string;
+  // Custom pages for different NextAuth events
+  pages?: any; // TODO: Fix types
   /** Providers for Next Auth */
   providers: NextAuthProviders;
+  /** Resolver for user to define their profile */
+  resolver?: Function | undefined;
+  /** Session data population */
+  sessionData?: string | undefined;
   /** Next-Auth Session Secret */
   sessionSecret: string;
 };

package/src/gql/getInitFirstItemSchema.ts

@@ -1,81 +0,0 @@
-import type {
-  GraphQLSchemaExtension,
-  KeystoneContext,
-} from '@keystone-6/core/types';
-import {
-  assertInputObjectType,
-  GraphQLInputObjectType,
-  GraphQLSchema,
-  printType,
-} from 'graphql';
-
-import { AuthGqlNames, InitFirstItemConfig } from '../types';
-
-export function getInitFirstItemSchema({
-  listKey,
-  fields,
-  itemData,
-  gqlNames,
-  graphQLSchema,
-}: {
-  listKey: string;
-  fields: InitFirstItemConfig<any>['fields'];
-  itemData: InitFirstItemConfig<any>['itemData'];
-  gqlNames: AuthGqlNames;
-  graphQLSchema: GraphQLSchema;
-}): GraphQLSchemaExtension {
-  const createInputConfig = assertInputObjectType(
-    graphQLSchema.getType(`${listKey}CreateInput`)
-  ).toConfig();
-  const fieldsSet = new Set<any>(fields);
-  const initialCreateInput = printType(
-    new GraphQLInputObjectType({
-      ...createInputConfig,
-      fields: Object.fromEntries(
-        Object.entries(createInputConfig.fields).filter(([fieldKey]) =>
-          fieldsSet.has(fieldKey)
-        )
-      ),
-      name: gqlNames.CreateInitialInput,
-    })
-  );
-  return {
-    typeDefs: `
-        ${initialCreateInput}
-        type Mutation {
-          ${gqlNames.createInitialItem}(data: ${gqlNames.CreateInitialInput}!): ${gqlNames.ItemAuthenticationWithPasswordSuccess}!
-        }
-      `,
-    resolvers: {
-      Mutation: {
-        async [gqlNames.createInitialItem](
-          root: any,
-          { data }: { data: Record<string, any> },
-          context: KeystoneContext
-        ) {
-          if (!context.startSession) {
-            throw new Error('No session implementation available on context');
-          }
-
-          const dbItemAPI = context.sudo().db[listKey];
-          const count = await dbItemAPI.count({});
-          if (count !== 0) {
-            throw new Error(
-              'Initial items can only be created when no items exist in that list'
-            );
-          }
-
-          // Update system state
-          const item = await dbItemAPI.createOne({
-            data: { ...data, ...itemData },
-          });
-          const sessionToken = await context.startSession({
-            listKey,
-            itemId: item.id,
-          });
-          return { item, sessionToken };
-        },
-      },
-    },
-  };
-}