autoworkflow 3.1.4 → 3.5.0

package/.claude/skills/auth-nextauth.md

@@ -0,0 +1,359 @@
+# NextAuth.js Skill
+
+## Setup (App Router)
+\`\`\`typescript
+// app/api/auth/[...nextauth]/route.ts
+import NextAuth from 'next-auth';
+import { authOptions } from '@/lib/auth';
+
+const handler = NextAuth(authOptions);
+export { handler as GET, handler as POST };
+
+// lib/auth.ts
+import { NextAuthOptions } from 'next-auth';
+import GoogleProvider from 'next-auth/providers/google';
+import GitHubProvider from 'next-auth/providers/github';
+import CredentialsProvider from 'next-auth/providers/credentials';
+import { PrismaAdapter } from '@auth/prisma-adapter';
+import { prisma } from '@/lib/prisma';
+import bcrypt from 'bcryptjs';
+
+export const authOptions: NextAuthOptions = {
+  adapter: PrismaAdapter(prisma),
+
+  providers: [
+    // OAuth Providers
+    GoogleProvider({
+      clientId: process.env.GOOGLE_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    }),
+
+    GitHubProvider({
+      clientId: process.env.GITHUB_ID!,
+      clientSecret: process.env.GITHUB_SECRET!,
+    }),
+
+    // Credentials Provider (email/password)
+    CredentialsProvider({
+      name: 'credentials',
+      credentials: {
+        email: { label: 'Email', type: 'email' },
+        password: { label: 'Password', type: 'password' },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password) {
+          throw new Error('Invalid credentials');
+        }
+
+        const user = await prisma.user.findUnique({
+          where: { email: credentials.email },
+        });
+
+        if (!user || !user.password) {
+          throw new Error('Invalid credentials');
+        }
+
+        const isValid = await bcrypt.compare(credentials.password, user.password);
+
+        if (!isValid) {
+          throw new Error('Invalid credentials');
+        }
+
+        return {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+          image: user.image,
+        };
+      },
+    }),
+  ],
+
+  session: {
+    strategy: 'jwt', // Required for credentials provider
+    maxAge: 30 * 24 * 60 * 60, // 30 days
+  },
+
+  pages: {
+    signIn: '/auth/signin',
+    signOut: '/auth/signout',
+    error: '/auth/error',
+    verifyRequest: '/auth/verify-request',
+  },
+
+  callbacks: {
+    async jwt({ token, user, account }) {
+      // First sign in
+      if (user) {
+        token.id = user.id;
+        token.role = user.role;
+      }
+      if (account) {
+        token.accessToken = account.access_token;
+      }
+      return token;
+    },
+
+    async session({ session, token }) {
+      if (session.user) {
+        session.user.id = token.id as string;
+        session.user.role = token.role as string;
+      }
+      return session;
+    },
+
+    async signIn({ user, account, profile }) {
+      // Custom sign-in logic
+      if (account?.provider === 'google') {
+        return profile?.email?.endsWith('@company.com') ?? false;
+      }
+      return true;
+    },
+
+    async redirect({ url, baseUrl }) {
+      // Custom redirect logic
+      if (url.startsWith(baseUrl)) return url;
+      if (url.startsWith('/')) return \`\${baseUrl}\${url}\`;
+      return baseUrl;
+    },
+  },
+
+  events: {
+    async signIn({ user, account, isNewUser }) {
+      if (isNewUser) {
+        // Send welcome email, create default settings, etc.
+        console.log('New user signed up:', user.email);
+      }
+    },
+    async signOut({ token }) {
+      // Cleanup on sign out
+    },
+  },
+
+  debug: process.env.NODE_ENV === 'development',
+};
+\`\`\`
+
+## TypeScript Types
+\`\`\`typescript
+// types/next-auth.d.ts
+import { DefaultSession, DefaultUser } from 'next-auth';
+import { JWT, DefaultJWT } from 'next-auth/jwt';
+
+declare module 'next-auth' {
+  interface Session {
+    user: {
+      id: string;
+      role: string;
+    } & DefaultSession['user'];
+  }
+
+  interface User extends DefaultUser {
+    role: string;
+  }
+}
+
+declare module 'next-auth/jwt' {
+  interface JWT extends DefaultJWT {
+    id: string;
+    role: string;
+    accessToken?: string;
+  }
+}
+\`\`\`
+
+## Server Components (App Router)
+\`\`\`typescript
+// Get session in Server Component
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { redirect } from 'next/navigation';
+
+export default async function ProtectedPage() {
+  const session = await getServerSession(authOptions);
+
+  if (!session) {
+    redirect('/auth/signin');
+  }
+
+  return (
+    <div>
+      <h1>Welcome, {session.user.name}</h1>
+      <p>User ID: {session.user.id}</p>
+      <p>Role: {session.user.role}</p>
+    </div>
+  );
+}
+
+// API Route Protection
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  const session = await getServerSession(authOptions);
+
+  if (!session) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  // Proceed with authenticated request
+  return NextResponse.json({ user: session.user });
+}
+\`\`\`
+
+## Client Components
+\`\`\`tsx
+'use client';
+
+import { useSession, signIn, signOut } from 'next-auth/react';
+
+export function AuthButton() {
+  const { data: session, status } = useSession();
+
+  if (status === 'loading') {
+    return <div>Loading...</div>;
+  }
+
+  if (session) {
+    return (
+      <div>
+        <p>Signed in as {session.user?.email}</p>
+        <button onClick={() => signOut({ callbackUrl: '/' })}>
+          Sign out
+        </button>
+      </div>
+    );
+  }
+
+  return (
+    <div>
+      <button onClick={() => signIn('google')}>Sign in with Google</button>
+      <button onClick={() => signIn('github')}>Sign in with GitHub</button>
+      <button onClick={() => signIn('credentials', { email: '', password: '' })}>
+        Sign in with Email
+      </button>
+    </div>
+  );
+}
+
+// Session Provider (required in layout)
+// app/providers.tsx
+'use client';
+
+import { SessionProvider } from 'next-auth/react';
+
+export function Providers({ children }: { children: React.ReactNode }) {
+  return <SessionProvider>{children}</SessionProvider>;
+}
+
+// app/layout.tsx
+import { Providers } from './providers';
+
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <Providers>{children}</Providers>
+      </body>
+    </html>
+  );
+}
+\`\`\`
+
+## Middleware (Route Protection)
+\`\`\`typescript
+// middleware.ts
+import { withAuth } from 'next-auth/middleware';
+import { NextResponse } from 'next/server';
+
+export default withAuth(
+  function middleware(req) {
+    const token = req.nextauth.token;
+    const path = req.nextUrl.pathname;
+
+    // Admin-only routes
+    if (path.startsWith('/admin') && token?.role !== 'admin') {
+      return NextResponse.redirect(new URL('/unauthorized', req.url));
+    }
+
+    return NextResponse.next();
+  },
+  {
+    callbacks: {
+      authorized: ({ token }) => !!token,
+    },
+  }
+);
+
+export const config = {
+  matcher: ['/dashboard/:path*', '/admin/:path*', '/api/protected/:path*'],
+};
+\`\`\`
+
+## Prisma Schema
+\`\`\`prisma
+// prisma/schema.prisma
+model User {
+  id            String    @id @default(cuid())
+  name          String?
+  email         String?   @unique
+  emailVerified DateTime?
+  image         String?
+  password      String?   // For credentials provider
+  role          String    @default("user")
+  accounts      Account[]
+  sessions      Session[]
+  createdAt     DateTime  @default(now())
+  updatedAt     DateTime  @updatedAt
+}
+
+model Account {
+  id                String  @id @default(cuid())
+  userId            String
+  type              String
+  provider          String
+  providerAccountId String
+  refresh_token     String? @db.Text
+  access_token      String? @db.Text
+  expires_at        Int?
+  token_type        String?
+  scope             String?
+  id_token          String? @db.Text
+  session_state     String?
+  user              User    @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([provider, providerAccountId])
+}
+
+model Session {
+  id           String   @id @default(cuid())
+  sessionToken String   @unique
+  userId       String
+  expires      DateTime
+  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+}
+
+model VerificationToken {
+  identifier String
+  token      String   @unique
+  expires    DateTime
+
+  @@unique([identifier, token])
+}
+\`\`\`
+
+## ❌ DON'T
+- Store sensitive data in JWT (it's readable client-side)
+- Use credentials provider without HTTPS
+- Forget to add NEXTAUTH_SECRET to env
+- Skip session validation in API routes
+- Expose internal user IDs unnecessarily
+
+## ✅ DO
+- Use environment variables for secrets
+- Implement proper session callbacks
+- Add TypeScript declarations for extended types
+- Use middleware for route protection
+- Validate roles in callbacks and middleware
+- Use database adapter for persistent sessions

package/.claude/skills/auth-supabase.md

@@ -0,0 +1,368 @@
+# Supabase Auth Skill
+
+## Setup (Next.js App Router)
+\`\`\`typescript
+// lib/supabase/client.ts (Browser client)
+import { createBrowserClient } from '@supabase/ssr';
+
+export function createClient() {
+  return createBrowserClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
+  );
+}
+
+// lib/supabase/server.ts (Server client)
+import { createServerClient, type CookieOptions } from '@supabase/ssr';
+import { cookies } from 'next/headers';
+
+export function createClient() {
+  const cookieStore = cookies();
+
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        get(name: string) {
+          return cookieStore.get(name)?.value;
+        },
+        set(name: string, value: string, options: CookieOptions) {
+          cookieStore.set({ name, value, ...options });
+        },
+        remove(name: string, options: CookieOptions) {
+          cookieStore.set({ name, value: '', ...options });
+        },
+      },
+    }
+  );
+}
+
+// middleware.ts
+import { createServerClient, type CookieOptions } from '@supabase/ssr';
+import { NextResponse, type NextRequest } from 'next/server';
+
+export async function middleware(request: NextRequest) {
+  let response = NextResponse.next({ request: { headers: request.headers } });
+
+  const supabase = createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        get(name: string) {
+          return request.cookies.get(name)?.value;
+        },
+        set(name: string, value: string, options: CookieOptions) {
+          response.cookies.set({ name, value, ...options });
+        },
+        remove(name: string, options: CookieOptions) {
+          response.cookies.set({ name, value: '', ...options });
+        },
+      },
+    }
+  );
+
+  // Refresh session if needed
+  const { data: { user } } = await supabase.auth.getUser();
+
+  // Protect routes
+  if (!user && request.nextUrl.pathname.startsWith('/dashboard')) {
+    return NextResponse.redirect(new URL('/login', request.url));
+  }
+
+  return response;
+}
+
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+};
+\`\`\`
+
+## Authentication Methods
+\`\`\`typescript
+const supabase = createClient();
+
+// Email/Password Sign Up
+const { data, error } = await supabase.auth.signUp({
+  email: 'user@example.com',
+  password: 'password123',
+  options: {
+    data: {
+      full_name: 'John Doe',
+      avatar_url: 'https://example.com/avatar.png',
+    },
+    emailRedirectTo: \`\${window.location.origin}/auth/callback\`,
+  },
+});
+
+// Email/Password Sign In
+const { data, error } = await supabase.auth.signInWithPassword({
+  email: 'user@example.com',
+  password: 'password123',
+});
+
+// OAuth Sign In
+const { data, error } = await supabase.auth.signInWithOAuth({
+  provider: 'google', // or 'github', 'discord', etc.
+  options: {
+    redirectTo: \`\${window.location.origin}/auth/callback\`,
+  },
+});
+
+// Magic Link
+const { data, error } = await supabase.auth.signInWithOtp({
+  email: 'user@example.com',
+  options: {
+    emailRedirectTo: \`\${window.location.origin}/auth/callback\`,
+  },
+});
+
+// Phone/SMS OTP
+const { data, error } = await supabase.auth.signInWithOtp({
+  phone: '+15551234567',
+});
+
+// Verify OTP
+const { data, error } = await supabase.auth.verifyOtp({
+  phone: '+15551234567',
+  token: '123456',
+  type: 'sms',
+});
+
+// Sign Out
+await supabase.auth.signOut();
+\`\`\`
+
+## Auth Callback Handler
+\`\`\`typescript
+// app/auth/callback/route.ts
+import { createClient } from '@/lib/supabase/server';
+import { NextResponse } from 'next/server';
+
+export async function GET(request: Request) {
+  const requestUrl = new URL(request.url);
+  const code = requestUrl.searchParams.get('code');
+
+  if (code) {
+    const supabase = createClient();
+    await supabase.auth.exchangeCodeForSession(code);
+  }
+
+  return NextResponse.redirect(new URL('/dashboard', request.url));
+}
+\`\`\`
+
+## Server Components
+\`\`\`typescript
+// app/dashboard/page.tsx
+import { createClient } from '@/lib/supabase/server';
+import { redirect } from 'next/navigation';
+
+export default async function DashboardPage() {
+  const supabase = createClient();
+
+  const { data: { user }, error } = await supabase.auth.getUser();
+
+  if (!user) {
+    redirect('/login');
+  }
+
+  // Fetch user's data
+  const { data: profile } = await supabase
+    .from('profiles')
+    .select('*')
+    .eq('id', user.id)
+    .single();
+
+  return (
+    <div>
+      <h1>Welcome, {profile?.full_name || user.email}</h1>
+      <p>Email: {user.email}</p>
+    </div>
+  );
+}
+\`\`\`
+
+## Client Components
+\`\`\`tsx
+'use client';
+
+import { createClient } from '@/lib/supabase/client';
+import { useEffect, useState } from 'react';
+import { User, Session } from '@supabase/supabase-js';
+
+export function useAuth() {
+  const supabase = createClient();
+  const [user, setUser] = useState<User | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    // Get initial session
+    supabase.auth.getSession().then(({ data: { session } }) => {
+      setUser(session?.user ?? null);
+      setLoading(false);
+    });
+
+    // Listen for auth changes
+    const { data: { subscription } } = supabase.auth.onAuthStateChange(
+      (event, session) => {
+        setUser(session?.user ?? null);
+
+        if (event === 'SIGNED_IN') {
+          // Handle sign in
+        }
+        if (event === 'SIGNED_OUT') {
+          // Handle sign out
+        }
+      }
+    );
+
+    return () => subscription.unsubscribe();
+  }, []);
+
+  return { user, loading };
+}
+
+// Login Form Component
+export function LoginForm() {
+  const supabase = createClient();
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  const handleLogin = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setLoading(true);
+    setError(null);
+
+    const { error } = await supabase.auth.signInWithPassword({
+      email,
+      password,
+    });
+
+    if (error) {
+      setError(error.message);
+    }
+
+    setLoading(false);
+  };
+
+  return (
+    <form onSubmit={handleLogin}>
+      <input
+        type="email"
+        value={email}
+        onChange={(e) => setEmail(e.target.value)}
+        placeholder="Email"
+        required
+      />
+      <input
+        type="password"
+        value={password}
+        onChange={(e) => setPassword(e.target.value)}
+        placeholder="Password"
+        required
+      />
+      {error && <p className="error">{error}</p>}
+      <button type="submit" disabled={loading}>
+        {loading ? 'Loading...' : 'Sign In'}
+      </button>
+    </form>
+  );
+}
+\`\`\`
+
+## Row Level Security (RLS)
+\`\`\`sql
+-- Enable RLS on tables
+ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
+ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
+
+-- Users can only read their own profile
+CREATE POLICY "Users can view own profile"
+  ON profiles FOR SELECT
+  USING (auth.uid() = id);
+
+-- Users can update their own profile
+CREATE POLICY "Users can update own profile"
+  ON profiles FOR UPDATE
+  USING (auth.uid() = id);
+
+-- Users can read all published posts
+CREATE POLICY "Anyone can view published posts"
+  ON posts FOR SELECT
+  USING (published = true);
+
+-- Users can CRUD their own posts
+CREATE POLICY "Users can manage own posts"
+  ON posts FOR ALL
+  USING (auth.uid() = author_id);
+
+-- Insert policy for new users
+CREATE POLICY "Users can create profile"
+  ON profiles FOR INSERT
+  WITH CHECK (auth.uid() = id);
+\`\`\`
+
+## Database Triggers for Auth
+\`\`\`sql
+-- Auto-create profile on user signup
+CREATE OR REPLACE FUNCTION public.handle_new_user()
+RETURNS TRIGGER AS $$
+BEGIN
+  INSERT INTO public.profiles (id, email, full_name, avatar_url)
+  VALUES (
+    new.id,
+    new.email,
+    new.raw_user_meta_data->>'full_name',
+    new.raw_user_meta_data->>'avatar_url'
+  );
+  RETURN new;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+CREATE TRIGGER on_auth_user_created
+  AFTER INSERT ON auth.users
+  FOR EACH ROW EXECUTE FUNCTION public.handle_new_user();
+\`\`\`
+
+## Password Management
+\`\`\`typescript
+// Update password (when logged in)
+const { data, error } = await supabase.auth.updateUser({
+  password: 'new-password',
+});
+
+// Reset password (send email)
+const { data, error } = await supabase.auth.resetPasswordForEmail(
+  'user@example.com',
+  { redirectTo: \`\${window.location.origin}/auth/reset-password\` }
+);
+
+// Handle reset callback
+// app/auth/reset-password/page.tsx
+export default function ResetPasswordPage() {
+  const handleReset = async (newPassword: string) => {
+    const { error } = await supabase.auth.updateUser({
+      password: newPassword,
+    });
+  };
+}
+\`\`\`
+
+## ❌ DON'T
+- Use anon key for server-side admin operations
+- Skip RLS policies on user data tables
+- Store session data manually (use SSR helpers)
+- Forget to handle auth state changes
+- Expose service role key to client
+
+## ✅ DO
+- Enable RLS on all user-related tables
+- Use SSR package for Next.js App Router
+- Handle auth callback for OAuth/magic links
+- Create database triggers for user profiles
+- Use middleware for session refresh
+- Handle all auth state changes