@opensaas/keystone-nextjs-auth 20.5.0 → 21.1.1

package/pages/NextAuthPage/dist/opensaas-keystone-nextjs-auth-pages-NextAuthPage.esm.js

@@ -49,23 +49,42 @@ async function validateNextAuth(identityField, identity, protectIdentities, item
 
 function NextAuthPage(props) {
   const {
+    autoCreate,
+    cookies,
+    events,
+    identityField,
+    jwt,
+    listKey,
+    pages,
     providers,
     query,
-    identityField,
+    resolver,
     sessionData,
-    listKey,
-    autoCreate,
-    userMap,
-    accountMap,
-    profileMap,
     sessionSecret
-  } = props;
+  } = props; // TODO: (v1.1). https://github.com/ijsto/keystone-6-oauth/projects/1#card-78602004
+
+  console.log('NextAuthPages... ', pages);
+
+  if (!query) {
+    console.error('NextAuthPage got no query.');
+    return null;
+  }
+
+  if (!providers || !providers.length) {
+    console.error('You need to provide at least one provider.');
+    return null;
+  }
+
   const list = query[listKey];
   const queryAPI = query[listKey];
   const protectIdentities = true;
   return NextAuth({
-    secret: sessionSecret,
+    cookies,
     providers,
+    pages: pages || {},
+    events: events || {},
+    jwt: jwt || {},
+    secret: sessionSecret,
     callbacks: {
       async signIn({
         user,
@@ -82,28 +101,16 @@ function NextAuthPage(props) {
           identity = 0;
         }
 
-        const result = await validateNextAuth(identityField, identity, protectIdentities, queryAPI);
-        const data = {}; // eslint-disable-next-line no-restricted-syntax
-
-        for (const key in userMap) {
-          if (Object.prototype.hasOwnProperty.call(userMap, key)) {
-            data[key] = user[userMap[key]];
-          }
-        } // eslint-disable-next-line no-restricted-syntax
-
+        const userInput = resolver ? await resolver({
+          user,
+          account,
+          profile
+        }) : {};
+        const result = await validateNextAuth(identityField, identity, protectIdentities, queryAPI); // ID
 
-        for (const key in accountMap) {
-          if (Object.prototype.hasOwnProperty.call(accountMap, key)) {
-            data[key] = account[accountMap[key]];
-          }
-        } // eslint-disable-next-line no-restricted-syntax
-
-
-        for (const key in profileMap) {
-          if (Object.prototype.hasOwnProperty.call(profileMap, key)) {
-            data[key] = profile[profileMap[key]];
-          }
-        }
+        const data = _objectSpread({
+          [identityField]: identity
+        }, userInput);
 
         if (!result.success) {
           if (!autoCreate) {
@@ -158,9 +165,7 @@ function NextAuthPage(props) {
           const result = await validateNextAuth(identityField, identity, protectIdentities, queryAPI);
 
           if (!result.success) {
-            return {
-              result: false
-            };
+            return token;
           }
 
           token.itemId = result.item.id;

package/src/gql/getBaseAuthSchema.ts

@@ -1,15 +1,11 @@
 import type { BaseItem } from '@keystone-6/core/types';
 import { graphql } from '@keystone-6/core';
 
-import { AuthGqlNames } from '../types';
-
 export function getBaseAuthSchema({
   listKey,
-  gqlNames,
   base,
 }: {
   listKey: string;
-  gqlNames: AuthGqlNames;
   base: graphql.BaseSchemaMeta;
 }) {
   const extension = {

package/src/index.ts

@@ -1,4 +1,4 @@
-import url from 'url';
+import url from "url";
 import {
   AdminFileToWrite,
   BaseListTypeInfo,
@@ -7,23 +7,19 @@ import {
   AdminUIConfig,
   SessionStrategy,
   BaseKeystoneTypeInfo,
-} from '@keystone-6/core/types';
-import { getSession } from 'next-auth/react';
-import { getToken } from 'next-auth/jwt';
-import * as cookie from 'cookie';
-import { Provider } from 'next-auth/providers';
-import { NextApiRequest } from 'next';
-import { nextConfigTemplate } from './templates/next-config';
+} from "@keystone-6/core/types";
+import { getSession } from "next-auth/react";
+import { getToken } from "next-auth/jwt";
+import { Provider } from "next-auth/providers";
+
+import * as cookie from "cookie";
+
+import { nextConfigTemplate } from "./templates/next-config";
 // import * as Path from 'path';
 
-import {
-  AuthConfig,
-  AuthGqlNames,
-  KeystoneAuthConfig,
-  NextAuthSession,
-} from './types';
-import { getSchemaExtension } from './schema';
-import { authTemplate } from './templates/auth';
+import { AuthConfig, KeystoneOAuthConfig, NextAuthSession } from "./types";
+import { getSchemaExtension } from "./schema";
+import { authTemplate } from "./templates/auth";
 
 /**
  * createAuth function
@@ -31,35 +27,25 @@ import { authTemplate } from './templates/auth';
  * Generates config for Keystone to implement standard auth features.
  */
 
-export type { NextAuthProviders, KeystoneAuthConfig } from './types';
+export type { NextAuthProviders, KeystoneOAuthConfig } from "./types";
 export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
-  listKey,
-  identityField,
-  sessionData,
   autoCreate,
-  userMap,
-  accountMap,
-  profileMap,
+  cookies,
+  identityField,
+  listKey,
   keystonePath,
+  pages,
+  resolver,
   providers,
+  sessionData,
   sessionSecret,
 }: AuthConfig<GeneratedListTypes>) {
   // The protectIdentities flag is currently under review to see whether it should be
   // part of the createAuth API (in which case its use cases need to be documented and tested)
   // or whether always being true is what we want, in which case we can refactor our code
   // to match this. -TL
-  const gqlNames: AuthGqlNames = {
-    // Core
-    authenticateItemWithPassword: `authenticate${listKey}WithPassword`,
-    ItemAuthenticationWithPasswordResult: `${listKey}AuthenticationWithPasswordResult`,
-    ItemAuthenticationWithPasswordSuccess: `${listKey}AuthenticationWithPasswordSuccess`,
-    ItemAuthenticationWithPasswordFailure: `${listKey}AuthenticationWithPasswordFailure`,
-    // Initial data
-    CreateInitialInput: `CreateInitial${listKey}Input`,
-    createInitialItem: `createInitial${listKey}`,
-  };
 
-  const customPath = !keystonePath || keystonePath === '/' ? '' : keystonePath;
+  const customPath = !keystonePath || keystonePath === "/" ? "" : keystonePath;
   /**
    * pageMiddleware
    *
@@ -70,25 +56,34 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
    *  - to the init page when initFirstItem is configured, and there are no user in the database
    *  - to the signin page when no valid session is present
    */
-  const pageMiddleware: AdminUIConfig<BaseKeystoneTypeInfo>['pageMiddleware'] =
+  const pageMiddleware: AdminUIConfig<BaseKeystoneTypeInfo>["pageMiddleware"] =
     async ({ context, isValidSession }) => {
       const { req, session } = context;
       const pathname = url.parse(req?.url!).pathname!;
-      if (pathname === `${customPath}/api/__keystone_api_build`) {
-        return;
-      }
+
       if (isValidSession) {
         if (pathname === `${customPath}/api/auth/signin`) {
-          return { kind: 'redirect', to: `${customPath}` };
+          return { kind: "redirect", to: `${customPath}` };
         }
-        if (customPath !== '' && pathname === '/') {
-          return { kind: 'redirect', to: `${customPath}` };
+        if (customPath !== "" && pathname === "/") {
+          return { kind: "redirect", to: `${customPath}` };
         }
         return;
       }
-
+      if (
+        pathname.includes("/_next/") ||
+        pathname.includes("/api/auth/") ||
+        pathname.includes(pages?.signIn) ||
+        pathname.includes(pages?.error) ||
+        pathname.includes(pages?.signOut)
+      ) {
+        return;
+      }
       if (!session && !pathname.includes(`${customPath}/api/auth/`)) {
-        return { kind: 'redirect', to: `${customPath}/api/auth/signin` };
+        return {
+          kind: "redirect",
+          to: pages?.signIn || `${customPath}/api/auth/signin`,
+        };
       }
     };
 
@@ -103,23 +98,19 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
   const getAdditionalFiles = () => {
     const filesToWrite: AdminFileToWrite[] = [
       {
-        mode: 'write',
-        outputPath: 'pages/api/auth/[...nextauth].js',
+        mode: "write",
+        outputPath: "pages/api/auth/[...nextauth].js",
         src: authTemplate({
-          gqlNames,
+          autoCreate,
           identityField,
-          sessionData,
           listKey,
-          autoCreate,
-          userMap,
-          accountMap,
-          profileMap,
+          sessionData,
           sessionSecret,
         }),
       },
       {
-        mode: 'write',
-        outputPath: 'next.config.js',
+        mode: "write",
+        outputPath: "next.config.js",
         src: nextConfigTemplate({ keystonePath: customPath }),
       },
     ];
@@ -132,13 +123,17 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
    * Must be added to the ui.publicPages config
    */
   const publicPages = [
+    `${customPath}/api/__keystone_api_build`,
     `${customPath}/api/auth/csrf`,
     `${customPath}/api/auth/signin`,
     `${customPath}/api/auth/callback`,
     `${customPath}/api/auth/session`,
     `${customPath}/api/auth/providers`,
     `${customPath}/api/auth/signout`,
+    `${customPath}/api/auth/error`,
   ];
+  // TODO: Add Provider Types
+  // @ts-ignore
   function addPages(provider: Provider) {
     const name = provider.id;
     publicPages.push(`${customPath}/api/auth/signin/${name}`);
@@ -154,7 +149,6 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
   const extendGraphqlSchema = getSchemaExtension({
     identityField,
     listKey,
-    gqlNames,
   });
 
   /**
@@ -169,13 +163,16 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
       throw new Error(msg);
     }
 
+    // TODO: Check if providers
+    // TODO: Check other required commands/data
+
     // TODO: Check for String-like typing for identityField? How?
     // TODO: Validate that the identifyField is unique.
     // TODO: If this field isn't required, what happens if I try to log in as `null`?
     const identityFieldConfig = listConfig.fields[identityField];
     if (identityFieldConfig === undefined) {
-      const i = JSON.stringify(identityField);
-      const msg = `A createAuth() invocation for the "${listKey}" list specifies ${i} as its identityField but no field with that key exists on the list.`;
+      const identityFieldName = JSON.stringify(identityField);
+      const msg = `A createAuth() invocation for the "${listKey}" list specifies ${identityFieldName} as its identityField but no field with that key exists on the list.`;
       throw new Error(msg);
     }
   };
@@ -194,18 +191,25 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
     const { get, start, ...sessionStrategy } = _sessionStrategy;
     return {
       ...sessionStrategy,
-      start,
+      start: async ({ res }) => {
+        console.log("start");
+
+        const session = await start({ res });
+        return session;
+      },
       get: async ({ req }) => {
         const pathname = url.parse(req?.url!).pathname!;
-        if (pathname.includes('/api/auth')) {
+        if (pathname.includes("/api/auth")) {
           return;
         }
-        if (req.headers.authorization?.split(' ')[0] === 'Bearer') {
-          const request = req as NextApiRequest;
-          const token = await getToken({ req: request, secret: sessionSecret });
+        if (req.headers.authorization?.split(" ")[0] === "Bearer") {
+          const token = (await getToken({
+            req,
+            secret: sessionSecret,
+          })) as NextAuthSession;
 
           if (token?.data?.id) {
-            return token as NextAuthSession;
+            return token;
           }
         }
         const nextSession: unknown = await getSession({ req });
@@ -216,18 +220,19 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
       },
       end: async ({ res, req }) => {
         const TOKEN_NAME =
-          process.env.NODE_ENV === 'production'
-            ? '__Secure-next-auth.session-token'
-            : 'next-auth.session-token';
+          process.env.NODE_ENV === "production"
+            ? "__Secure-next-auth.session-token"
+            : "next-auth.session-token";
         res.setHeader(
-          'Set-Cookie',
-          cookie.serialize(TOKEN_NAME, '', {
+          "Set-Cookie",
+          cookie.serialize(TOKEN_NAME, "", {
             maxAge: 0,
             expires: new Date(),
             httpOnly: true,
-            secure: process.env.NODE_ENV === 'production',
-            path: '/',
-            sameSite: 'lax',
+            secure: process.env.NODE_ENV === "production",
+            path: "/",
+            sameSite: "lax",
+            // TODO: Update parse to URL
             domain: url.parse(req.url as string).hostname as string,
           })
         );
@@ -245,7 +250,7 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
    * It validates the auth config against the provided keystone config, and preserves existing
    * config by composing existing extendGraphqlSchema functions and ui config.
    */
-  const withAuth = (keystoneConfig: KeystoneConfig): KeystoneAuthConfig => {
+  const withAuth = (keystoneConfig: KeystoneConfig): KeystoneOAuthConfig => {
     validateConfig(keystoneConfig);
     let { ui } = keystoneConfig;
     if (keystoneConfig.ui) {
@@ -261,47 +266,44 @@ export function createAuth<GeneratedListTypes extends BaseListTypeInfo>({
           keystoneConfig?.ui?.pageMiddleware?.(args),
         enableSessionItem: true,
         isAccessAllowed: async (context: KeystoneContext) => {
+          const { req } = context;
+          const pathname = url.parse(req?.url!).pathname!;
+
+          // Allow nextjs scripts and static files to be accessed without auth
+          if (pathname.includes("/_next/")) {
+            return true;
+          }
+
+          // Allow keystone to access /api/__keystone_api_build for hot reloading
           if (
-            process.env.NODE_ENV !== 'production' &&
+            process.env.NODE_ENV !== "production" &&
             context.req?.url !== undefined &&
-            new URL(context.req.url, 'http://example.com').pathname ===
+            new URL(context.req.url, "http://example.com").pathname ===
               `${customPath}/api/__keystone_api_build`
           ) {
             return true;
           }
-          // Allow access to the adminMeta data from the /init path to correctly render that page
-          // even if the user isn't logged in (which should always be the case if they're seeing /init)
-          const headers = context.req?.headers;
-          const host = headers
-            ? headers['x-forwarded-host'] || headers.host
-            : null;
-          const thisUrl = headers?.referer
-            ? new URL(headers.referer)
-            : undefined;
-          const accessingInitPage =
-            thisUrl?.pathname === '/init' &&
-            thisUrl?.host === host &&
-            (await context.sudo().query[listKey].count({})) === 0;
-          return (
-            accessingInitPage ||
-            (keystoneConfig.ui?.isAccessAllowed
-              ? keystoneConfig.ui.isAccessAllowed(context)
-              : context.session !== undefined)
-          );
+
+          return keystoneConfig.ui?.isAccessAllowed
+            ? keystoneConfig.ui.isAccessAllowed(context)
+            : context.session !== undefined;
         },
       };
     }
 
     if (!keystoneConfig.session)
-      throw new TypeError('Missing .session configuration');
+      throw new TypeError("Missing .session configuration");
     const session = withItemData(keystoneConfig.session);
 
     const existingExtendGraphQLSchema = keystoneConfig.extendGraphqlSchema;
     return {
       ...keystoneConfig,
       ui,
-      session,
+      cookies,
       providers,
+      pages,
+      resolver,
+      session,
       lists: {
         ...keystoneConfig.lists,
       },

package/src/pages/NextAuthPage.tsx

@@ -1,43 +1,74 @@
-import NextAuth from 'next-auth';
+import NextAuth, {
+  CookiesOptions,
+  EventCallbacks,
+  PagesOptions,
+} from 'next-auth';
 import type { KeystoneListsAPI } from '@keystone-6/core/types';
 import { Provider } from 'next-auth/providers';
+import { JWTOptions } from 'next-auth/jwt';
 import { validateNextAuth } from '../lib/validateNextAuth';
 
-// Need to bring in correct props
-type NextAuthPageProps = {
+// TODO: See if possible to merge with `type AuthConfig`
+type CoreNextAuthPageProps = {
+  autoCreate: boolean;
+  cookies?: Partial<CookiesOptions>;
+  events?: Partial<EventCallbacks>;
   identityField: string;
-  mutationName: string;
-  providers: Provider[];
-  query: KeystoneListsAPI<any>;
-  sessionData: string;
+  jwt?: Partial<JWTOptions>;
   listKey: string;
-  autoCreate: boolean;
-  userMap: any;
-  accountMap: any;
-  profileMap: any;
+  pages?: Partial<PagesOptions>;
+  providers?: Provider[];
+  resolver?: Function | undefined;
+  sessionData: string | undefined;
   sessionSecret: string;
 };
 
+type NextAuthGglProps = {
+  mutationName?: string;
+  query?: KeystoneListsAPI<any>;
+};
+
+export type NextAuthPageProps = CoreNextAuthPageProps & NextAuthGglProps;
+
 export default function NextAuthPage(props: NextAuthPageProps) {
   const {
+    autoCreate,
+    cookies,
+    events,
+    identityField,
+    jwt,
+    listKey,
+    pages,
     providers,
     query,
-    identityField,
+    resolver,
     sessionData,
-    listKey,
-    autoCreate,
-    userMap,
-    accountMap,
-    profileMap,
     sessionSecret,
   } = props;
+  // TODO: (v1.1). https://github.com/ijsto/keystone-6-oauth/projects/1#card-78602004
+  console.log('NextAuthPages... ', pages);
+
+  if (!query) {
+    console.error('NextAuthPage got no query.');
+    return null;
+  }
+
+  if (!providers || !providers.length) {
+    console.error('You need to provide at least one provider.');
+    return null;
+  }
+
   const list = query[listKey];
   const queryAPI = query[listKey];
   const protectIdentities = true;
 
   return NextAuth({
-    secret: sessionSecret,
+    cookies,
     providers,
+    pages: pages || {},
+    events: events || {},
+    jwt: jwt || {},
+    secret: sessionSecret,
     callbacks: {
       async signIn({ user, account, profile }) {
         let identity;
@@ -48,31 +79,21 @@ export default function NextAuthPage(props: NextAuthPageProps) {
         } else {
           identity = 0;
         }
+        const userInput = resolver
+          ? await resolver({ user, account, profile })
+          : {};
+
         const result = await validateNextAuth(
           identityField,
           identity,
           protectIdentities,
           queryAPI
         );
-        const data: any = {};
-        // eslint-disable-next-line no-restricted-syntax
-        for (const key in userMap) {
-          if (Object.prototype.hasOwnProperty.call(userMap, key)) {
-            data[key] = user[userMap[key]];
-          }
-        }
-        // eslint-disable-next-line no-restricted-syntax
-        for (const key in accountMap) {
-          if (Object.prototype.hasOwnProperty.call(accountMap, key)) {
-            data[key] = account[accountMap[key]];
-          }
-        }
-        // eslint-disable-next-line no-restricted-syntax
-        for (const key in profileMap) {
-          if (Object.prototype.hasOwnProperty.call(profileMap, key)) {
-            data[key] = profile[profileMap[key]];
-          }
-        }
+        // ID
+        const data: any = {
+          [identityField]: identity,
+          ...userInput,
+        };
 
         if (!result.success) {
           if (!autoCreate) {
@@ -125,7 +146,7 @@ export default function NextAuthPage(props: NextAuthPageProps) {
           );
 
           if (!result.success) {
-            return { result: false };
+            return token;
           }
           token.itemId = result.item.id;
         }

package/src/schema.ts

@@ -1,39 +1,17 @@
 import { ExtendGraphqlSchema } from '@keystone-6/core/types';
 
-import { assertInputObjectType, GraphQLString, GraphQLID } from 'graphql';
 import { graphql } from '@keystone-6/core';
-import { AuthGqlNames } from './types';
 import { getBaseAuthSchema } from './gql/getBaseAuthSchema';
 
 export const getSchemaExtension = ({
-  identityField,
   listKey,
-  gqlNames,
 }: {
   identityField: string;
   listKey: string;
-  gqlNames: AuthGqlNames;
 }): ExtendGraphqlSchema =>
   graphql.extend((base) => {
-    const uniqueWhereInputType = assertInputObjectType(
-      base.schema.getType(`${listKey}WhereUniqueInput`)
-    );
-    const identityFieldOnUniqueWhere =
-      uniqueWhereInputType.getFields()[identityField];
-    if (
-      identityFieldOnUniqueWhere?.type !== GraphQLString &&
-      identityFieldOnUniqueWhere?.type !== GraphQLID
-    ) {
-      throw new Error(
-        `createAuth was called with an identityField of ${identityField} on the list ${listKey} ` +
-          `but that field doesn't allow being searched uniquely with a String or ID. ` +
-          `You should likely add \`isIndexed: 'unique'\` ` +
-          `to the field at ${listKey}.${identityField}`
-      );
-    }
     const baseSchema = getBaseAuthSchema({
       listKey,
-      gqlNames,
       base,
     });