import NextAuth, { Account } from 'next-auth';
import type { JWT } from 'next-auth/jwt';
import MicrosoftEntraID from 'next-auth/providers/microsoft-entra-id';
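/**
 * Decodes the payload (second segment) of a compact-serialised JWT.
 *
 * This performs NO signature, issuer, audience or expiry verification — it only
 * base64url-decodes and JSON-parses the claims. It is therefore only safe on tokens
 * that arrived directly from the identity provider over the back-channel (as in the
 * `jwt` callback below); never use it to trust a token supplied by a client.
 *
 * @param token - JWT in `header.payload.signature` form.
 * @returns the parsed payload claims (property access only; values are unvalidated).
 * @throws Error if the token does not have three segments, the payload is not valid
 *   JSON, or the decoded payload is not a JSON object.
 */
const decodeJWT = (token: string) => {
  const segments = token.split('.');
  const payloadSegment = segments[1];
  if (segments.length !== 3 || payloadSegment === undefined) {
    throw new Error('decodeJWT: expected a three-segment JWT');
  }
  // JWT segments use the base64url alphabet (no padding); decode with that encoding explicitly.
  const claims: unknown = JSON.parse(Buffer.from(payloadSegment, 'base64url').toString('utf8'));
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new Error('decodeJWT: payload is not a JSON object');
  }
  // Callers read arbitrary claim names, so keep an open record type rather than `any`.
  return claims as Record<string, any>;
};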
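/** Group claim value that grants the `isAdmin` flag in the session. */
const ADMIN_GROUP = 'CREP-admin_AppGrpU';

/**
 * NextAuth configuration for Microsoft Entra ID sign-in.
 *
 * `jwt` copies the provider's tokens and selected ID-token claims into the
 * session JWT on the sign-in request and, on later requests, marks the token
 * with `error: 'TokenExpired'` once the stored access token's `exp` has passed.
 * `session` projects those claims onto the object the client sees. Failures in
 * `jwt` are reported via `token.error` instead of being thrown.
 *
 * NOTE(review): `token.error` ('TokenExpired' / 'TokenProcessingError') is
 * neither forwarded to the session nor checked by `authorized`, so a session
 * whose access token has expired still passes the middleware check — confirm
 * that is the intended behaviour.
 */
export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    MicrosoftEntraID({
      // Non-null assertions: a missing variable surfaces at first use, not at startup.
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID!,
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET!,
      issuer: process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER!,
      authorization: {
        params: {
          scope: 'openid email profile',
        },
      },
    }),
  ],
  callbacks: {
    // Middleware check: any authenticated session is allowed through.
    authorized: async ({ auth }) => !!auth,

    jwt: async ({ token, account }: { token: JWT; account?: Account | null }) => {
      try {
        // `account` is only present on the sign-in request: copy the claims the app needs.
        // The tokens come straight from the provider's token endpoint, which is why an
        // unverified decode is acceptable here.
        if (account?.access_token && account?.id_token) {
          const accessClaims = decodeJWT(account.access_token);
          const idClaims = decodeJWT(account.id_token);
          return {
            ...token,
            access_token: account.access_token,
            expires_at: account.expires_at,
            oid: idClaims.oid || '',
            tid: accessClaims.tid || '',
            email: idClaims.email,
            picture: token.picture || '',
            uniqueid: idClaims.uniqueid,
            username: idClaims.gaspar || '',
            name: `${idClaims.given_name ?? ''} ${idClaims.family_name ?? ''}`.trim(),
            // NOTE(review): `isAdmin` below is derived from this claim — confirm the
            // app registration actually emits `groups` in the ID token.
            groups: idClaims.groups || [],
          };
        }
        // Subsequent requests: re-check the access token's `exp` claim (seconds since epoch).
        // NOTE(review): assumes the stored access token is a decodable JWT that carries
        // `exp`; an opaque or missing token lands in the catch below as TokenProcessingError.
        const accessClaims = decodeJWT(token.access_token as string);
        if (Date.now() < accessClaims.exp * 1000) {
          return token;
        }
        return { ...token, error: 'TokenExpired' };
      } catch (error) {
        console.error('Error processing tokens:', error);
        return { ...token, error: 'TokenProcessingError' };
      }
    },

    session: async ({ session, token }) => {
      // A token produced on an error path may carry no `groups`; guard so the
      // session callback never throws on a missing or non-array claim.
      const groups: string[] = Array.isArray(token.groups) ? (token.groups as string[]) : [];
      return {
        ...session,
        user: {
          email: token?.email || session.user?.email || '',
          name: token?.name || '',
          image: session.user?.image || null,
          sciper: token?.uniqueid || '',
          username: token?.username || '',
          oid: token.oid || '',
          tid: token.tid || '',
          isAdmin: groups.includes(ADMIN_GROUP),
          groups,
        },
      };
    },
  },
});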