MOPC-App/src/lib/auth.config.ts

import type { NextAuthConfig } from 'next-auth'
import type { UserRole } from '@prisma/client'

// Extend the built-in session types
declare module 'next-auth' {
  interface Session {
    user: {
      id: string
      email: string
      name?: string | null
      role: UserRole
      mustSetPassword?: boolean
    }
  }

  interface User {
    role?: UserRole
    mustSetPassword?: boolean
  }
}

declare module '@auth/core/jwt' {
  interface JWT {
    id: string
    role: UserRole
    mustSetPassword?: boolean
  }
}

// Edge-compatible auth config (no Node.js-only modules)
// This is used by middleware and can be extended in auth.ts for full functionality
export const authConfig: NextAuthConfig = {
  providers: [], // Providers are added in auth.ts
  callbacks: {
    authorized({ auth, request: { nextUrl } }) {
      const isLoggedIn = !!auth?.user
      const { pathname } = nextUrl

      // Public paths that don't require authentication
      const publicPaths = [
        '/login',
        '/verify-email',
        '/auth-error',
        '/api/auth',
      ]

      // Check if it's a public path
      if (publicPaths.some((path) => pathname.startsWith(path))) {
        return true
      }

      // If not logged in, redirect to login
      if (!isLoggedIn) {
        return false // Will redirect to signIn page
      }

      // Check if user needs to set password
      const mustSetPassword = auth?.user?.mustSetPassword
      const passwordSetupAllowedPaths = [
        '/set-password',
        '/api/auth',
        '/api/trpc',
      ]

      if (mustSetPassword) {
        // Allow access to password setup related paths
        if (passwordSetupAllowedPaths.some((path) => pathname.startsWith(path))) {
          return true
        }
        // Redirect to set-password page
        return Response.redirect(new URL('/set-password', nextUrl))
      }

      return true
    },
  },
  pages: {
    signIn: '/login',
    verifyRequest: '/verify-email',
    error: '/auth-error',
    newUser: '/set-password',
  },
  session: {
    strategy: 'jwt',
    maxAge: parseInt(process.env.SESSION_MAX_AGE || '86400'), // 24 hours
  },
}
Initial commit: MOPC platform with Docker deployment setup Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:41:32 +01:00			`import type { NextAuthConfig } from 'next-auth'`
			`import type { UserRole } from '@prisma/client'`

			`// Extend the built-in session types`
			`declare module 'next-auth' {`
			`interface Session {`
			`user: {`
			`id: string`
			`email: string`
			`name?: string \| null`
			`role: UserRole`
			`mustSetPassword?: boolean`
			`}`
			`}`

			`interface User {`
			`role?: UserRole`
			`mustSetPassword?: boolean`
			`}`
			`}`

			`declare module '@auth/core/jwt' {`
			`interface JWT {`
			`id: string`
			`role: UserRole`
			`mustSetPassword?: boolean`
			`}`
			`}`

			`// Edge-compatible auth config (no Node.js-only modules)`
			`// This is used by middleware and can be extended in auth.ts for full functionality`
			`export const authConfig: NextAuthConfig = {`
			`providers: [], // Providers are added in auth.ts`
			`callbacks: {`
			`authorized({ auth, request: { nextUrl } }) {`
			`const isLoggedIn = !!auth?.user`
			`const { pathname } = nextUrl`

			`// Public paths that don't require authentication`
			`const publicPaths = [`
			`'/login',`
			`'/verify-email',`
			`'/auth-error',`
			`'/api/auth',`
			`]`

			`// Check if it's a public path`
			`if (publicPaths.some((path) => pathname.startsWith(path))) {`
			`return true`
			`}`

			`// If not logged in, redirect to login`
			`if (!isLoggedIn) {`
			`return false // Will redirect to signIn page`
			`}`

			`// Check if user needs to set password`
			`const mustSetPassword = auth?.user?.mustSetPassword`
			`const passwordSetupAllowedPaths = [`
			`'/set-password',`
			`'/api/auth',`
			`'/api/trpc',`
			`]`

			`if (mustSetPassword) {`
			`// Allow access to password setup related paths`
			`if (passwordSetupAllowedPaths.some((path) => pathname.startsWith(path))) {`
			`return true`
			`}`
			`// Redirect to set-password page`
			`return Response.redirect(new URL('/set-password', nextUrl))`
			`}`

			`return true`
			`},`
			`},`
			`pages: {`
			`signIn: '/login',`
			`verifyRequest: '/verify-email',`
			`error: '/auth-error',`
			`newUser: '/set-password',`
			`},`
			`session: {`
			`strategy: 'jwt',`
			`maxAge: parseInt(process.env.SESSION_MAX_AGE \|\| '86400'), // 24 hours`
			`},`
			`}`