@teleporthq/teleport-plugin-next-workflows 0.43.7 → 0.43.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/auth-generator.d.ts.map +1 -1
- package/dist/cjs/auth-generator.js +75 -14
- package/dist/cjs/auth-generator.js.map +1 -1
- package/dist/cjs/tsconfig.tsbuildinfo +1 -1
- package/dist/esm/auth-generator.d.ts.map +1 -1
- package/dist/esm/auth-generator.js +75 -14
- package/dist/esm/auth-generator.js.map +1 -1
- package/dist/esm/tsconfig.tsbuildinfo +1 -1
- package/package.json +2 -2
- package/src/auth-generator.ts +75 -14
package/src/auth-generator.ts
CHANGED
|
@@ -638,10 +638,31 @@ ${providerConfig}
|
|
|
638
638
|
const token = params.token;
|
|
639
639
|
const user = params.user;
|
|
640
640
|
if (user) {
|
|
641
|
+
// Login: seed the token from the freshly-authorized user.
|
|
641
642
|
const keys = Object.keys(user);
|
|
642
643
|
for (let i = 0; i < keys.length; i++) {
|
|
643
644
|
token[keys[i]] = user[keys[i]];
|
|
644
645
|
}
|
|
646
|
+
return token;
|
|
647
|
+
}
|
|
648
|
+
// Subsequent calls (every /api/auth/session): re-read the user from the
|
|
649
|
+
// database so profile edits — name, image, role, etc. — propagate into the
|
|
650
|
+
// session. The JWT is otherwise a snapshot captured at login, which is why
|
|
651
|
+
// the navbar avatar/name reverted to the old value after a refresh: the
|
|
652
|
+
// navbar reads /api/auth/session, which is derived from this token.
|
|
653
|
+
try {
|
|
654
|
+
if (token && token.email && typeof findUserByEmail === 'function') {
|
|
655
|
+
const fresh = await findUserByEmail(String(token.email));
|
|
656
|
+
if (fresh) {
|
|
657
|
+
const safe = sanitizeUser(fresh);
|
|
658
|
+
const fk = Object.keys(safe);
|
|
659
|
+
for (let i = 0; i < fk.length; i++) {
|
|
660
|
+
token[fk[i]] = safe[fk[i]];
|
|
661
|
+
}
|
|
662
|
+
}
|
|
663
|
+
}
|
|
664
|
+
} catch (e) {
|
|
665
|
+
// Keep the existing token on any DB hiccup — never sign the user out.
|
|
645
666
|
}
|
|
646
667
|
return token;
|
|
647
668
|
},
|
|
@@ -917,6 +938,42 @@ function getUserRoleFromToken(token) {
|
|
|
917
938
|
return null;
|
|
918
939
|
}
|
|
919
940
|
|
|
941
|
+
// Reads a single cookie value, tolerating both the Next 12 string shape and the
|
|
942
|
+
// newer { name, value } object shape returned by request.cookies.get().
|
|
943
|
+
function readCookie(request, name) {
|
|
944
|
+
try {
|
|
945
|
+
var c = request.cookies.get(name);
|
|
946
|
+
if (!c) return null;
|
|
947
|
+
return typeof c === 'string' ? c : (c.value || null);
|
|
948
|
+
} catch (e) {
|
|
949
|
+
return null;
|
|
950
|
+
}
|
|
951
|
+
}
|
|
952
|
+
|
|
953
|
+
// next-auth stores the session token under a secure-prefixed cookie on https
|
|
954
|
+
// and a plain one on http, and splits large JWTs into ".0"/".1" chunks. The
|
|
955
|
+
// Edge runtime's getToken() can return null for a session the Node runtime
|
|
956
|
+
// considers valid (e.g. NEXTAUTH_SECRET not identical in the Edge runtime, or
|
|
957
|
+
// the JWE simply failing to decode at the edge), which previously redirected
|
|
958
|
+
// logged-in users to sign-in. So cookie PRESENCE is the source of truth for
|
|
959
|
+
// "is there a session"; getToken is only trusted for the optional role check.
|
|
960
|
+
// Server-side (getServerSideProps / API routes) remain the authoritative
|
|
961
|
+
// validators of the session and role.
|
|
962
|
+
function hasSessionCookie(request) {
|
|
963
|
+
var names = [
|
|
964
|
+
'__Secure-next-auth.session-token',
|
|
965
|
+
'next-auth.session-token',
|
|
966
|
+
'__Secure-authjs.session-token',
|
|
967
|
+
'authjs.session-token'
|
|
968
|
+
];
|
|
969
|
+
for (var i = 0; i < names.length; i++) {
|
|
970
|
+
if (readCookie(request, names[i]) || readCookie(request, names[i] + '.0')) {
|
|
971
|
+
return true;
|
|
972
|
+
}
|
|
973
|
+
}
|
|
974
|
+
return false;
|
|
975
|
+
}
|
|
976
|
+
|
|
920
977
|
async function middleware(request) {
|
|
921
978
|
const pathname = request.nextUrl.pathname;
|
|
922
979
|
|
|
@@ -945,29 +1002,33 @@ async function middleware(request) {
|
|
|
945
1002
|
return NextResponse.next();
|
|
946
1003
|
}
|
|
947
1004
|
|
|
948
|
-
|
|
949
|
-
|
|
950
|
-
|
|
951
|
-
|
|
952
|
-
|
|
953
|
-
|
|
1005
|
+
// Decode the JWT when we can — used for the role check only. A null result is
|
|
1006
|
+
// NOT treated as "logged out" on its own (see hasSessionCookie above), so a
|
|
1007
|
+
// missing/edge-incompatible NEXTAUTH_SECRET no longer false-redirects valid
|
|
1008
|
+
// sessions; it only disables edge-level role enforcement.
|
|
1009
|
+
var token = null;
|
|
1010
|
+
var secret = process.env.NEXTAUTH_SECRET;
|
|
1011
|
+
if (secret) {
|
|
1012
|
+
try {
|
|
1013
|
+
token = await getToken({ req: request, secret: secret });
|
|
1014
|
+
} catch (e) {
|
|
1015
|
+
token = null;
|
|
1016
|
+
}
|
|
954
1017
|
}
|
|
955
1018
|
|
|
956
|
-
var
|
|
1019
|
+
var isAuthenticated = !!token || hasSessionCookie(request);
|
|
957
1020
|
|
|
958
|
-
if (matchedProtection.requiresAuth && !
|
|
1021
|
+
if (matchedProtection.requiresAuth && !isAuthenticated) {
|
|
959
1022
|
var signInUrl = new URL('${signInRoute}', request.url);
|
|
960
1023
|
signInUrl.searchParams.set('callbackUrl', pathname);
|
|
961
1024
|
return NextResponse.redirect(signInUrl);
|
|
962
1025
|
}
|
|
963
1026
|
|
|
1027
|
+
// Enforce roles only when the token actually decoded; otherwise defer to the
|
|
1028
|
+
// page's server-side guard. This avoids false redirects when getToken returns
|
|
1029
|
+
// null in the Edge runtime for an authenticated user.
|
|
964
1030
|
var allowedRoles = matchedProtection.allowedRoles || [];
|
|
965
|
-
if (allowedRoles.length > 0) {
|
|
966
|
-
if (!token) {
|
|
967
|
-
var signInUrl2 = new URL('${signInRoute}', request.url);
|
|
968
|
-
signInUrl2.searchParams.set('callbackUrl', pathname);
|
|
969
|
-
return NextResponse.redirect(signInUrl2);
|
|
970
|
-
}
|
|
1031
|
+
if (allowedRoles.length > 0 && token) {
|
|
971
1032
|
var userRole = getUserRoleFromToken(token);
|
|
972
1033
|
if (userRole == null || allowedRoles.indexOf(userRole) < 0) {
|
|
973
1034
|
return NextResponse.redirect(new URL('/', request.url));
|