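import type { NextAuthConfig } from 'next-auth'
import type { UserRole } from '@prisma/client'

// Extend the built-in session types
declare module 'next-auth' {
  interface Session {
    user: {
      id: string
      email: string
      name?: string | null
      role: UserRole
      mustSetPassword?: boolean
    }
  }

  interface User {
    role?: UserRole
    mustSetPassword?: boolean
  }
}

declare module '@auth/core/jwt' {
  interface JWT {
    id: string
    role: UserRole
    mustSetPassword?: boolean
  }
}

// Paths reachable without a session.
const PUBLIC_PATHS: readonly string[] = [
  '/login',
  '/verify-email',
  '/auth-error',
  '/api/auth',
]

// Paths a signed-in user may still reach while `mustSetPassword` is set.
// NOTE(review): '/api/trpc' is allowed as a whole, so this gate does not limit
// which tRPC procedures such a user can call. Presumably the set-password
// mutation lives there; confirm that the procedures themselves enforce the
// `mustSetPassword` restriction rather than relying on this callback.
const PASSWORD_SETUP_PATHS: readonly string[] = [
  '/set-password',
  '/api/auth',
  '/api/trpc',
]

const DEFAULT_SESSION_MAX_AGE_SECONDS = 86400 // 24 hours

/**
 * Returns true when `pathname` is `base` itself or lies below it.
 *
 * Matching stops at a path-segment boundary. A bare `startsWith(base)` would
 * also accept siblings such as `/login-anything` or `/api/authz`, silently
 * widening the unauthenticated allowlist to any route sharing the prefix.
 */
function isUnderPath(pathname: string, base: string): boolean {
  return pathname === base || pathname.startsWith(`${base}/`)
}

/**
 * Reads the session lifetime in seconds from SESSION_MAX_AGE.
 *
 * Falls back to 24 hours when the variable is unset, not a number, or not
 * positive, so a typo in the environment never yields a NaN or zero maxAge.
 */
function resolveSessionMaxAge(raw: string | undefined): number {
  const parsed = Number.parseInt(raw ?? '', 10)
  return Number.isFinite(parsed) && parsed > 0
    ? parsed
    : DEFAULT_SESSION_MAX_AGE_SECONDS
}

// Edge-compatible auth config (no Node.js-only modules)
// This is used by middleware and can be extended in auth.ts for full functionality
export const authConfig: NextAuthConfig = {
  providers: [], // Providers are added in auth.ts
  callbacks: {
    /**
     * Route gate evaluated for each request that reaches the middleware.
     *
     * @returns `true` to let the request through, `false` to send the caller
     *   to the sign-in page, or a redirect Response to `/set-password` for a
     *   signed-in user who still has `mustSetPassword` set.
     */
    authorized({ auth, request: { nextUrl } }) {
      const { pathname } = nextUrl

      // Public paths are served with or without a session.
      if (PUBLIC_PATHS.some((base) => isUnderPath(pathname, base))) {
        return true
      }

      // Everything else needs a signed-in user.
      if (!auth?.user) {
        return false // Will redirect to signIn page
      }

      // `mustSetPassword` is read from the session user; it is populated
      // outside this file (no jwt/session callbacks are defined here).
      if (auth.user.mustSetPassword) {
        // Allow access to password setup related paths
        if (PASSWORD_SETUP_PATHS.some((base) => isUnderPath(pathname, base))) {
          return true
        }
        // Redirect to set-password page
        return Response.redirect(new URL('/set-password', nextUrl))
      }

      return true
    },
  },
  pages: {
    signIn: '/login',
    verifyRequest: '/verify-email',
    error: '/auth-error',
    newUser: '/set-password',
  },
  session: {
    strategy: 'jwt',
    maxAge: resolveSessionMaxAge(process.env.SESSION_MAX_AGE),
  },
}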