@teleporthq/teleport-plugin-next-workflows 0.43.7 → 0.43.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -638,10 +638,31 @@ ${providerConfig}
638
638
  const token = params.token;
639
639
  const user = params.user;
640
640
  if (user) {
641
+ // Login: seed the token from the freshly-authorized user.
641
642
  const keys = Object.keys(user);
642
643
  for (let i = 0; i < keys.length; i++) {
643
644
  token[keys[i]] = user[keys[i]];
644
645
  }
646
+ return token;
647
+ }
648
+ // Subsequent calls (every /api/auth/session): re-read the user from the
649
+ // database so profile edits — name, image, role, etc. — propagate into the
650
+ // session. The JWT is otherwise a snapshot captured at login, which is why
651
+ // the navbar avatar/name reverted to the old value after a refresh: the
652
+ // navbar reads /api/auth/session, which is derived from this token.
653
+ try {
654
+ if (token && token.email && typeof findUserByEmail === 'function') {
655
+ const fresh = await findUserByEmail(String(token.email));
656
+ if (fresh) {
657
+ const safe = sanitizeUser(fresh);
658
+ const fk = Object.keys(safe);
659
+ for (let i = 0; i < fk.length; i++) {
660
+ token[fk[i]] = safe[fk[i]];
661
+ }
662
+ }
663
+ }
664
+ } catch (e) {
665
+ // Keep the existing token on any DB hiccup — never sign the user out.
645
666
  }
646
667
  return token;
647
668
  },
@@ -917,6 +938,42 @@ function getUserRoleFromToken(token) {
917
938
  return null;
918
939
  }
919
940
 
941
+ // Reads a single cookie value, tolerating both the Next 12 string shape and the
942
+ // newer { name, value } object shape returned by request.cookies.get().
943
+ function readCookie(request, name) {
944
+ try {
945
+ var c = request.cookies.get(name);
946
+ if (!c) return null;
947
+ return typeof c === 'string' ? c : (c.value || null);
948
+ } catch (e) {
949
+ return null;
950
+ }
951
+ }
952
+
953
+ // next-auth stores the session token under a secure-prefixed cookie on https
954
+ // and a plain one on http, and splits large JWTs into ".0"/".1" chunks. The
955
+ // Edge runtime's getToken() can return null for a session the Node runtime
956
+ // considers valid (e.g. NEXTAUTH_SECRET not identical in the Edge runtime, or
957
+ // the JWE simply failing to decode at the edge), which previously redirected
958
+ // logged-in users to sign-in. So cookie PRESENCE is the source of truth for
959
+ // "is there a session"; getToken is only trusted for the optional role check.
960
+ // Server-side (getServerSideProps / API routes) remain the authoritative
961
+ // validators of the session and role.
962
+ function hasSessionCookie(request) {
963
+ var names = [
964
+ '__Secure-next-auth.session-token',
965
+ 'next-auth.session-token',
966
+ '__Secure-authjs.session-token',
967
+ 'authjs.session-token'
968
+ ];
969
+ for (var i = 0; i < names.length; i++) {
970
+ if (readCookie(request, names[i]) || readCookie(request, names[i] + '.0')) {
971
+ return true;
972
+ }
973
+ }
974
+ return false;
975
+ }
976
+
920
977
  async function middleware(request) {
921
978
  const pathname = request.nextUrl.pathname;
922
979
 
@@ -945,29 +1002,33 @@ async function middleware(request) {
945
1002
  return NextResponse.next();
946
1003
  }
947
1004
 
948
- const secret = process.env.NEXTAUTH_SECRET;
949
- if (!secret) {
950
- console.error('[auth middleware] NEXTAUTH_SECRET is not set; blocking protected route.');
951
- var signInUrlMissing = new URL('${signInRoute}', request.url);
952
- signInUrlMissing.searchParams.set('callbackUrl', pathname);
953
- return NextResponse.redirect(signInUrlMissing);
1005
+ // Decode the JWT when we can — used for the role check only. A null result is
1006
+ // NOT treated as "logged out" on its own (see hasSessionCookie above), so a
1007
+ // missing/edge-incompatible NEXTAUTH_SECRET no longer false-redirects valid
1008
+ // sessions; it only disables edge-level role enforcement.
1009
+ var token = null;
1010
+ var secret = process.env.NEXTAUTH_SECRET;
1011
+ if (secret) {
1012
+ try {
1013
+ token = await getToken({ req: request, secret: secret });
1014
+ } catch (e) {
1015
+ token = null;
1016
+ }
954
1017
  }
955
1018
 
956
- var token = await getToken({ req: request, secret: secret });
1019
+ var isAuthenticated = !!token || hasSessionCookie(request);
957
1020
 
958
- if (matchedProtection.requiresAuth && !token) {
1021
+ if (matchedProtection.requiresAuth && !isAuthenticated) {
959
1022
  var signInUrl = new URL('${signInRoute}', request.url);
960
1023
  signInUrl.searchParams.set('callbackUrl', pathname);
961
1024
  return NextResponse.redirect(signInUrl);
962
1025
  }
963
1026
 
1027
+ // Enforce roles only when the token actually decoded; otherwise defer to the
1028
+ // page's server-side guard. This avoids false redirects when getToken returns
1029
+ // null in the Edge runtime for an authenticated user.
964
1030
  var allowedRoles = matchedProtection.allowedRoles || [];
965
- if (allowedRoles.length > 0) {
966
- if (!token) {
967
- var signInUrl2 = new URL('${signInRoute}', request.url);
968
- signInUrl2.searchParams.set('callbackUrl', pathname);
969
- return NextResponse.redirect(signInUrl2);
970
- }
1031
+ if (allowedRoles.length > 0 && token) {
971
1032
  var userRole = getUserRoleFromToken(token);
972
1033
  if (userRole == null || allowedRoles.indexOf(userRole) < 0) {
973
1034
  return NextResponse.redirect(new URL('/', request.url));