claudeinone-cli 1.0.1 → 1.0.3

package/kit/.claude/skills/auth-nextauth.md

@@ -0,0 +1,446 @@
+# NextAuth.js
+
+Complete authentication solution for Next.js with built-in session management and OAuth support.
+
+## Setup
+
+```bash
+npm install next-auth
+
+# Environment variables
+NEXTAUTH_URL=http://localhost:3000
+NEXTAUTH_SECRET=$(openssl rand -base64 32)
+```
+
+## Basic Configuration (app/api/auth/[...nextauth]/route.ts)
+
+```typescript
+import NextAuth from 'next-auth';
+import GithubProvider from 'next-auth/providers/github';
+import GoogleProvider from 'next-auth/providers/google';
+import CredentialsProvider from 'next-auth/providers/credentials';
+import { PrismaAdapter } from '@auth/prisma-adapter';
+import { prisma } from '@/lib/prisma';
+
+export const authOptions = {
+  adapter: PrismaAdapter(prisma),
+  providers: [
+    GithubProvider({
+      clientId: process.env.GITHUB_ID,
+      clientSecret: process.env.GITHUB_SECRET
+    }),
+    GoogleProvider({
+      clientId: process.env.GOOGLE_ID,
+      clientSecret: process.env.GOOGLE_SECRET
+    }),
+    CredentialsProvider({
+      name: 'Credentials',
+      credentials: {
+        email: { label: 'Email', type: 'email' },
+        password: { label: 'Password', type: 'password' }
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password) return null;
+
+        const user = await prisma.user.findUnique({
+          where: { email: credentials.email }
+        });
+
+        if (!user) return null;
+
+        const isValid = await bcrypt.compare(credentials.password, user.password);
+        if (!isValid) return null;
+
+        return { id: user.id.toString(), email: user.email, name: user.name };
+      }
+    })
+  ],
+  callbacks: {
+    // Include user.id in session
+    async session({ session, user }) {
+      session.user.id = user.id;
+      return session;
+    },
+    // Control which users can sign in
+    async signIn({ user, account, profile }) {
+      if (account?.provider === 'github') {
+        // Allow GitHub users
+        return true;
+      }
+      // Restrict credentials login to existing users
+      return !!user;
+    },
+    // Modify JWT token
+    async jwt({ token, user, account }) {
+      if (user) {
+        token.id = user.id;
+      }
+      if (account) {
+        token.accessToken = account.access_token;
+      }
+      return token;
+    }
+  },
+  pages: {
+    signIn: '/login',
+    signOut: '/logout',
+    error: '/auth/error',
+    verifyRequest: '/auth/verify-request'
+  },
+  session: {
+    strategy: 'jwt', // or 'database'
+    maxAge: 30 * 24 * 60 * 60 // 30 days
+  },
+  debug: process.env.NODE_ENV === 'development'
+};
+
+export const handler = NextAuth(authOptions);
+
+export { handler as GET, handler as POST };
+```
+
+## Get Session in Components
+
+```typescript
+'use client';
+
+import { useSession, signIn, signOut } from 'next-auth/react';
+
+export function LoginButton() {
+  const { data: session } = useSession();
+
+  if (session) {
+    return (
+      <>
+        Signed in as {session.user.email} <br />
+        <button onClick={() => signOut()}>Sign out</button>
+      </>
+    );
+  }
+
+  return <button onClick={() => signIn()}>Sign in</button>;
+}
+```
+
+## Server-Side Session Access
+
+```typescript
+// Route handler
+import { getServerSession } from 'next-auth/next';
+
+export async function GET(request: Request) {
+  const session = await getServerSession();
+
+  if (!session) {
+    return Response.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  return Response.json({ user: session.user });
+}
+
+// Server Component
+import { getServerSession } from 'next-auth/next';
+
+export default async function Dashboard() {
+  const session = await getServerSession();
+
+  if (!session) {
+    redirect('/login');
+  }
+
+  return <div>Welcome {session.user.name}</div>;
+}
+```
+
+## Session Provider Wrapper
+
+```typescript
+// app/layout.tsx
+'use client';
+
+import { SessionProvider } from 'next-auth/react';
+
+export default function RootLayout({
+  children
+}: {
+  children: React.ReactNode;
+}) {
+  return (
+    <html>
+      <body>
+        <SessionProvider>{children}</SessionProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+## Custom Sign In Page
+
+```typescript
+// app/login/page.tsx
+'use client';
+
+import { signIn } from 'next-auth/react';
+import { useRouter } from 'next/navigation';
+import { useState } from 'react';
+
+export default function LoginPage() {
+  const router = useRouter();
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [error, setError] = useState('');
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+
+    const result = await signIn('credentials', {
+      email,
+      password,
+      redirect: false
+    });
+
+    if (result?.error) {
+      setError(result.error);
+    } else {
+      router.push('/dashboard');
+    }
+  }
+
+  return (
+    <form onSubmit={handleSubmit}>
+      <input
+        type="email"
+        value={email}
+        onChange={(e) => setEmail(e.target.value)}
+        placeholder="Email"
+      />
+      <input
+        type="password"
+        value={password}
+        onChange={(e) => setPassword(e.target.value)}
+        placeholder="Password"
+      />
+      {error && <p style={{ color: 'red' }}>{error}</p>}
+      <button type="submit">Sign In</button>
+
+      <hr />
+
+      <button
+        type="button"
+        onClick={() => signIn('github')}
+      >
+        Sign in with GitHub
+      </button>
+      <button
+        type="button"
+        onClick={() => signIn('google')}
+      >
+        Sign in with Google
+      </button>
+    </form>
+  );
+}
+```
+
+## Protected Routes with Middleware
+
+```typescript
+// middleware.ts
+import { withAuth } from 'next-auth/middleware';
+
+export default withAuth(function middleware(req) {
+  // Add custom logic here if needed
+});
+
+export const config = {
+  matcher: ['/dashboard/:path*', '/admin/:path*']
+};
+```
+
+## Email Sign-In (Magic Links)
+
+```typescript
+import EmailProvider from 'next-auth/providers/email';
+import { PrismaAdapter } from '@auth/prisma-adapter';
+
+export const authOptions = {
+  adapter: PrismaAdapter(prisma),
+  providers: [
+    EmailProvider({
+      server: {
+        host: process.env.EMAIL_SERVER_HOST,
+        port: parseInt(process.env.EMAIL_SERVER_PORT),
+        auth: {
+          user: process.env.EMAIL_SERVER_USER,
+          pass: process.env.EMAIL_SERVER_PASSWORD
+        }
+      },
+      from: process.env.EMAIL_FROM,
+      sendVerificationRequest: async ({ identifier, url, provider, theme }) => {
+        // Custom email sending logic
+        await sendCustomEmail(identifier, url);
+      }
+    })
+  ]
+};
+```
+
+## Custom User Model (Prisma)
+
+```prisma
+model User {
+  id            String    @id @default(cuid())
+  name          String?
+  email         String?   @unique
+  emailVerified DateTime?
+  image         String?
+  password      String?   // For credentials provider
+
+  role          String    @default("user") // Custom field
+
+  accounts      Account[]
+  sessions      Session[]
+  posts         Post[]
+}
+
+model Account {
+  id                 String  @id @default(cuid())
+  userId             String
+  type               String
+  provider           String
+  providerAccountId  String
+  refresh_token      String?  @db.Text
+  access_token       String?  @db.Text
+  expires_at         Int?
+  token_type         String?
+  scope              String?
+  id_token           String?  @db.Text
+  session_state      String?
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([provider, providerAccountId])
+}
+
+model Session {
+  id           String   @id @default(cuid())
+  sessionToken String   @unique
+  userId       String
+  expires      DateTime
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+}
+
+model VerificationToken {
+  identifier String
+  token      String   @unique
+  expires    DateTime
+
+  @@unique([identifier, token])
+}
+```
+
+## Role-Based Access Control
+
+```typescript
+// lib/auth.ts
+import { getServerSession } from 'next-auth/next';
+import { authOptions } from '@/app/api/auth/[...nextauth]/route';
+
+export async function requireAuth(requiredRole?: string) {
+  const session = await getServerSession(authOptions);
+
+  if (!session) {
+    throw new Error('Unauthorized');
+  }
+
+  if (requiredRole && session.user.role !== requiredRole) {
+    throw new Error('Forbidden');
+  }
+
+  return session;
+}
+
+// Usage in route handler
+import { requireAuth } from '@/lib/auth';
+
+export async function POST(request: Request) {
+  const session = await requireAuth('admin');
+
+  // Admin-only logic
+  return Response.json({ success: true });
+}
+```
+
+## Event Callbacks
+
+```typescript
+export const authOptions = {
+  // ... other config
+  events: {
+    async signIn({ user, account, profile, isNewUser }) {
+      console.log(`User ${user.email} signed in`);
+
+      if (isNewUser) {
+        // Send welcome email
+        await sendWelcomeEmail(user.email);
+      }
+    },
+    async signOut({ token }) {
+      console.log(`User ${token.email} signed out`);
+    },
+    async session({ session, user, newSession, trigger }) {
+      // Called whenever session is checked
+      console.log('Session checked');
+    }
+  }
+};
+```
+
+## Best Practices
+
+✅ **Never commit NEXTAUTH_SECRET** - Use environment variables
+✅ **Always use HTTPS in production** - Set NEXTAUTH_URL to https
+✅ **Secure cookies** - Enabled by default in production
+✅ **Custom credentials** - Always hash passwords with bcrypt
+✅ **Session strategy** - Use JWT for stateless, database for sessions
+✅ **CSRF protection** - Built-in protection enabled by default
+✅ **Database safety** - Use PrismaAdapter for database session storage
+
+## Common Patterns
+
+```typescript
+// Check if user is admin
+const isAdmin = session?.user?.role === 'admin';
+
+// Redirect if not authenticated
+if (!session) {
+  redirect('/login');
+}
+
+// Use session in API route
+const userId = session?.user?.id;
+
+// Update session after changes
+await useSession().update();
+```
+
+## When to Use NextAuth
+
+✅ Next.js projects needing authentication
+✅ OAuth integration (GitHub, Google, etc.)
+✅ Email sign-in with magic links
+✅ Credential-based authentication
+✅ Session management
+
+❌ APIs without web interface
+❌ Non-Next.js applications
+❌ Ultra-simple projects (consider Auth0 instead)
+
+## Resources
+
+- [NextAuth.js Documentation](https://next-auth.js.org/)
+- [NextAuth Providers](https://next-auth.js.org/providers/overview)
+- [Prisma Adapter](https://authjs.dev/reference/adapter/prisma)
+- [Database Session Strategy](https://next-auth.js.org/configuration/databases)

package/kit/.claude/skills/auth-oauth.md

@@ -0,0 +1,208 @@
+# OAuth 2.0 & OpenID Connect
+
+Secure third-party authentication and authorization.
+
+## OAuth 2.0 Flow
+
+```typescript
+// Authorization Code Flow (most secure)
+import express from 'express';
+import { OAuth2Client } from 'google-auth-library';
+
+const oauth2Client = new OAuth2Client(
+  process.env.GOOGLE_CLIENT_ID,
+  process.env.GOOGLE_CLIENT_SECRET,
+  process.env.GOOGLE_REDIRECT_URL
+);
+
+// Step 1: Generate authorization URL
+app.get('/auth/google', (req, res) => {
+  const authUrl = oauth2Client.generateAuthUrl({
+    access_type: 'offline',
+    scope: ['openid', 'email', 'profile']
+  });
+
+  res.redirect(authUrl);
+});
+
+// Step 2: Handle callback and exchange code for token
+app.get('/auth/google/callback', async (req, res) => {
+  const { code } = req.query;
+
+  const { tokens } = await oauth2Client.getToken(code);
+  oauth2Client.setCredentials(tokens);
+
+  const userInfo = await oauth2Client.request({
+    url: 'https://www.googleapis.com/oauth2/v2/userinfo'
+  });
+
+  // Create or update user
+  let user = await db.users.findByEmail(userInfo.data.email);
+  if (!user) {
+    user = await db.users.create({
+      email: userInfo.data.email,
+      name: userInfo.data.name,
+      googleId: userInfo.data.id
+    });
+  }
+
+  // Create session
+  req.session.userId = user.id;
+  res.redirect('/dashboard');
+});
+```
+
+## GitHub OAuth
+
+```typescript
+// Simplified GitHub OAuth
+app.get('/auth/github', (req, res) => {
+  const authUrl = `https://github.com/login/oauth/authorize?` +
+    `client_id=${process.env.GITHUB_CLIENT_ID}&` +
+    `redirect_uri=${process.env.GITHUB_REDIRECT_URL}&` +
+    `scope=user:email`;
+
+  res.redirect(authUrl);
+});
+
+app.get('/auth/github/callback', async (req, res) => {
+  const { code } = req.query;
+
+  // Exchange code for token
+  const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Accept': 'application/json'
+    },
+    body: JSON.stringify({
+      client_id: process.env.GITHUB_CLIENT_ID,
+      client_secret: process.env.GITHUB_CLIENT_SECRET,
+      code
+    })
+  });
+
+  const { access_token } = await tokenResponse.json();
+
+  // Get user info
+  const userResponse = await fetch('https://api.github.com/user', {
+    headers: { Authorization: `Bearer ${access_token}` }
+  });
+
+  const user = await userResponse.json();
+
+  // Upsert user
+  const dbUser = await db.users.findOrCreate({
+    where: { githubId: user.id },
+    defaults: {
+      email: user.email,
+      name: user.name,
+      githubId: user.id,
+      avatar: user.avatar_url
+    }
+  });
+
+  req.session.userId = dbUser.id;
+  res.redirect('/dashboard');
+});
+```
+
+## Token Management
+
+```typescript
+// Store and use tokens securely
+async function storeTokens(userId: string, tokens: any) {
+  await db.userTokens.create({
+    userId,
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token,
+    expiresAt: new Date(Date.now() + tokens.expires_in * 1000)
+  });
+}
+
+// Refresh expired token
+async function getValidToken(userId: string) {
+  let tokenData = await db.userTokens.findOne({ userId });
+
+  if (tokenData.expiresAt < new Date()) {
+    // Token expired, refresh it
+    const newTokens = await oauth2Client.refreshAccessToken(
+      tokenData.refreshToken
+    );
+
+    await db.userTokens.update(userId, {
+      accessToken: newTokens.access_token,
+      expiresAt: new Date(Date.now() + newTokens.expires_in * 1000)
+    });
+
+    tokenData = await db.userTokens.findOne({ userId });
+  }
+
+  return tokenData.accessToken;
+}
+```
+
+## OpenID Connect
+
+```typescript
+// OpenID Connect adds identity layer on top of OAuth 2.0
+// Includes ID token with user claims
+
+const idToken = jwt.verify(
+  tokens.id_token,
+  process.env.GOOGLE_CLIENT_SECRET
+);
+
+console.log({
+  sub: idToken.sub,      // Subject (user ID)
+  email: idToken.email,
+  name: idToken.name,
+  picture: idToken.picture
+});
+```
+
+## Security Considerations
+
+```typescript
+// Always use HTTPS
+// Verify state parameter to prevent CSRF
+app.get('/auth/google', (req, res) => {
+  const state = crypto.randomBytes(32).toString('hex');
+  
+  // Store state in session
+  req.session.oauth_state = state;
+
+  const authUrl = oauth2Client.generateAuthUrl({
+    state,
+    access_type: 'offline',
+    scope: ['openid', 'email']
+  });
+
+  res.redirect(authUrl);
+});
+
+app.get('/auth/google/callback', (req, res) => {
+  const { state, code } = req.query;
+
+  // Verify state
+  if (state !== req.session.oauth_state) {
+    return res.status(400).send('Invalid state parameter');
+  }
+
+  // Continue with code exchange...
+});
+```
+
+## Best Practices
+
+✅ **Use HTTPS** - Encrypt in transit
+✅ **Verify state** - Prevent CSRF attacks
+✅ **Store tokens securely** - Use secure storage
+✅ **Refresh tokens** - Use refresh tokens for long-lived access
+✅ **Scope minimally** - Request only needed permissions
+
+## Resources
+
+- [OAuth 2.0 Spec](https://tools.ietf.org/html/rfc6749)
+- [OpenID Connect](https://openid.net/connect/)
+- [Auth0 Documentation](https://auth0.com/docs)