267 lines
8.3 KiB
TypeScript
267 lines
8.3 KiB
TypeScript
import { prisma } from "@capakraken/db";
|
|
import { authRateLimiter } from "@capakraken/api/middleware/rate-limit";
|
|
import { createAuditEntry } from "@capakraken/api/lib/audit";
|
|
import { logger } from "@capakraken/api/lib/logger";
|
|
import NextAuth, { type NextAuthConfig } from "next-auth";
|
|
import Credentials from "next-auth/providers/credentials";
|
|
import { verify } from "@node-rs/argon2";
|
|
import { z } from "zod";
|
|
import { assertSecureRuntimeEnv } from "./runtime-env";
|
|
|
|
assertSecureRuntimeEnv();
|
|
|
|
const LoginSchema = z.object({
|
|
email: z.string().email(),
|
|
password: z.string().min(1),
|
|
totp: z.string().optional(),
|
|
});
|
|
|
|
const authConfig = {
|
|
trustHost: true,
|
|
providers: [
|
|
Credentials({
|
|
name: "credentials",
|
|
credentials: {
|
|
email: { label: "Email", type: "email" },
|
|
password: { label: "Password", type: "password" },
|
|
totp: { label: "TOTP", type: "text" },
|
|
},
|
|
async authorize(credentials) {
|
|
const parsed = LoginSchema.safeParse(credentials);
|
|
if (!parsed.success) return null;
|
|
|
|
const { email, password, totp } = parsed.data;
|
|
const isE2eTestMode = process.env["E2E_TEST_MODE"] === "true";
|
|
|
|
// Rate limit: 5 login attempts per 15 minutes per email
|
|
const rateLimitResult = isE2eTestMode
|
|
? { allowed: true }
|
|
: await authRateLimiter(email.toLowerCase());
|
|
if (!rateLimitResult.allowed) {
|
|
// Audit failed login (rate limited)
|
|
void createAuditEntry({
|
|
db: prisma,
|
|
entityType: "Auth",
|
|
entityId: email.toLowerCase(),
|
|
entityName: email,
|
|
action: "CREATE",
|
|
summary: "Login blocked — rate limit exceeded",
|
|
source: "ui",
|
|
});
|
|
throw new Error("Too many login attempts. Please try again later.");
|
|
}
|
|
|
|
const user = await prisma.user.findUnique({ where: { email } });
|
|
if (!user?.passwordHash) {
|
|
logger.warn({ email, reason: "user_not_found" }, "Failed login attempt");
|
|
// Audit failed login (unknown user)
|
|
void createAuditEntry({
|
|
db: prisma,
|
|
entityType: "Auth",
|
|
entityId: email.toLowerCase(),
|
|
entityName: email,
|
|
action: "CREATE",
|
|
summary: "Login failed — user not found",
|
|
source: "ui",
|
|
});
|
|
return null;
|
|
}
|
|
|
|
const isValid = await verify(user.passwordHash, password);
|
|
if (!isValid) {
|
|
logger.warn({ email, reason: "invalid_password" }, "Failed login attempt");
|
|
// Audit failed login (bad password)
|
|
void createAuditEntry({
|
|
db: prisma,
|
|
entityType: "Auth",
|
|
entityId: user.id,
|
|
entityName: user.email,
|
|
action: "CREATE",
|
|
userId: user.id,
|
|
summary: "Login failed — invalid password",
|
|
source: "ui",
|
|
});
|
|
return null;
|
|
}
|
|
|
|
// MFA check: if TOTP is enabled, require the token
|
|
if (user.totpEnabled && user.totpSecret) {
|
|
if (!totp) {
|
|
// Signal to the client that MFA is required (include userId for re-submission)
|
|
throw new Error("MFA_REQUIRED:" + user.id);
|
|
}
|
|
|
|
const { TOTP, Secret } = await import("otpauth");
|
|
const totpInstance = new TOTP({
|
|
issuer: "CapaKraken",
|
|
label: user.email,
|
|
algorithm: "SHA1",
|
|
digits: 6,
|
|
period: 30,
|
|
secret: Secret.fromBase32(user.totpSecret),
|
|
});
|
|
|
|
const delta = totpInstance.validate({ token: totp, window: 1 });
|
|
if (delta === null) {
|
|
logger.warn({ email, reason: "invalid_totp" }, "Failed MFA verification");
|
|
void createAuditEntry({
|
|
db: prisma,
|
|
entityType: "Auth",
|
|
entityId: user.id,
|
|
entityName: user.email,
|
|
action: "CREATE",
|
|
userId: user.id,
|
|
summary: "Login failed — invalid TOTP token",
|
|
source: "ui",
|
|
});
|
|
throw new Error("INVALID_TOTP");
|
|
}
|
|
}
|
|
|
|
// Track last login time
|
|
await prisma.user.update({
|
|
where: { id: user.id },
|
|
data: { lastLoginAt: new Date() },
|
|
});
|
|
|
|
logger.info({ email, userId: user.id }, "Successful login");
|
|
// Audit successful login
|
|
void createAuditEntry({
|
|
db: prisma,
|
|
entityType: "Auth",
|
|
entityId: user.id,
|
|
entityName: user.email,
|
|
action: "CREATE",
|
|
userId: user.id,
|
|
summary: "User logged in",
|
|
source: "ui",
|
|
});
|
|
|
|
return {
|
|
id: user.id,
|
|
email: user.email,
|
|
name: user.name,
|
|
role: user.systemRole,
|
|
};
|
|
},
|
|
}),
|
|
],
|
|
callbacks: {
|
|
async session({ session, token }) {
|
|
if (token.sub) {
|
|
session.user.id = token.sub;
|
|
}
|
|
if (token.role) {
|
|
(session.user as typeof session.user & { role: string }).role = token.role as string;
|
|
}
|
|
return session;
|
|
},
|
|
async jwt({ token, user }) {
|
|
if (user) {
|
|
token.role = (user as typeof user & { role: string }).role;
|
|
|
|
// Generate a unique JWT ID for session tracking
|
|
const jti = crypto.randomUUID();
|
|
token.jti = jti;
|
|
|
|
// Enforce concurrent session limit (kick-oldest strategy)
|
|
try {
|
|
const settings = await prisma.systemSettings.findUnique({
|
|
where: { id: "singleton" },
|
|
select: { maxConcurrentSessions: true },
|
|
});
|
|
const maxSessions = settings?.maxConcurrentSessions ?? 3;
|
|
|
|
// Register this new session
|
|
await prisma.activeSession.create({
|
|
data: { userId: user.id!, jti },
|
|
});
|
|
|
|
// Count active sessions and delete the oldest if over the limit
|
|
const activeSessions = await prisma.activeSession.findMany({
|
|
where: { userId: user.id! },
|
|
orderBy: { createdAt: "asc" },
|
|
select: { id: true },
|
|
});
|
|
|
|
if (activeSessions.length > maxSessions) {
|
|
const toDelete = activeSessions.slice(0, activeSessions.length - maxSessions);
|
|
await prisma.activeSession.deleteMany({
|
|
where: { id: { in: toDelete.map((s) => s.id) } },
|
|
});
|
|
logger.info({ userId: user.id, kicked: toDelete.length, maxSessions }, "Kicked oldest sessions");
|
|
}
|
|
} catch (err) {
|
|
// Non-blocking: don't prevent login if session tracking fails
|
|
logger.error({ err }, "Failed to enforce concurrent session limit");
|
|
}
|
|
}
|
|
return token;
|
|
},
|
|
},
|
|
events: {
|
|
async signOut(message) {
|
|
// Auth.js fires this event on sign-out; extract userId from the JWT token
|
|
const token = "token" in message ? message.token : null;
|
|
const userId = token?.sub ?? null;
|
|
const email = token?.email ?? "unknown";
|
|
const jti = token?.jti as string | undefined;
|
|
|
|
// Remove from active session registry
|
|
if (jti) {
|
|
void prisma.activeSession.delete({ where: { jti } }).catch(() => { /* already gone */ });
|
|
}
|
|
|
|
void createAuditEntry({
|
|
db: prisma,
|
|
entityType: "Auth",
|
|
entityId: userId ?? email,
|
|
entityName: email,
|
|
action: "DELETE",
|
|
...(userId ? { userId } : {}),
|
|
summary: "User logged out",
|
|
source: "ui",
|
|
});
|
|
},
|
|
},
|
|
cookies: {
|
|
sessionToken: {
|
|
name: "authjs.session-token",
|
|
options: {
|
|
httpOnly: true,
|
|
sameSite: "strict" as const,
|
|
path: "/",
|
|
secure: process.env.NODE_ENV === "production",
|
|
},
|
|
},
|
|
callbackUrl: {
|
|
name: "authjs.callback-url",
|
|
options: {
|
|
httpOnly: true,
|
|
sameSite: "strict" as const,
|
|
path: "/",
|
|
secure: process.env.NODE_ENV === "production",
|
|
},
|
|
},
|
|
csrfToken: {
|
|
name: "authjs.csrf-token",
|
|
options: {
|
|
httpOnly: true,
|
|
sameSite: "strict" as const,
|
|
path: "/",
|
|
secure: process.env.NODE_ENV === "production",
|
|
},
|
|
},
|
|
},
|
|
pages: {
|
|
signIn: "/auth/signin",
|
|
},
|
|
session: {
|
|
strategy: "jwt",
|
|
maxAge: 28800, // 8 hours absolute timeout
|
|
updateAge: 1800, // Refresh token every 30 minutes (idle timeout)
|
|
},
|
|
} satisfies NextAuthConfig;
|
|
|
|
export const { handlers, auth } = NextAuth(authConfig);
|