3a16d6e9b1
- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases)
- Add multi-provider OAuth support with admin UI configuration
- New oauthProviders table with encrypted secrets (AES-256-GCM)
- Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable
- OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers
- Settings page "Authentication Providers" section for admin management
- Account linking uses new accounts table (multi-provider per user)
- Username plugin for credentials sign-in (replaces email@localhost pattern)
- bcrypt password compatibility (existing hashes work)
- Database-backed sessions via Kysely adapter (bun:sqlite direct)
- Configurable rate limiting via AUTH_RATE_LIMIT_* env vars
- All DB columns migrated from snake_case to camelCase
- All TypeScript types/models migrated to camelCase properties
- Removed casing: "snake_case" from Drizzle config
- Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId}
- package-lock.json removed and gitignored (using bun.lock)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
51 lines
1.9 KiB
TypeScript
51 lines
1.9 KiB
TypeScript
import { auth } from "@/src/lib/auth";
|
|
import { getProviderDisplayList } from "@/src/lib/models/oauth-providers";
|
|
import { isForwardAuthDomain, createRedirectIntent } from "@/src/lib/models/forward-auth";
|
|
import PortalLoginForm from "./PortalLoginForm";
|
|
|
|
interface PortalPageProps {
|
|
searchParams: Promise<{ rd?: string; rid?: string }>;
|
|
}
|
|
|
|
export default async function PortalPage({ searchParams }: PortalPageProps) {
|
|
const params = await searchParams;
|
|
const redirectUri = params.rd ?? "";
|
|
// After OAuth callback, the portal is loaded with ?rid= (the opaque ID we created earlier)
|
|
const existingRid = params.rid ?? "";
|
|
|
|
// Two entry modes:
|
|
// 1. Fresh from Caddy redirect: ?rd=<full-url> → validate, store server-side, create rid
|
|
// 2. Returning from OAuth: ?rid=<opaque-id> → reuse the existing rid (redirect already stored)
|
|
let targetDomain = "";
|
|
let rid = existingRid;
|
|
if (!rid && redirectUri) {
|
|
try {
|
|
const parsed = new URL(redirectUri);
|
|
if (
|
|
(parsed.protocol === "https:" || parsed.protocol === "http:") &&
|
|
await isForwardAuthDomain(parsed.hostname)
|
|
) {
|
|
targetDomain = parsed.hostname;
|
|
// Store the redirect URI server-side. The client only gets an opaque ID,
|
|
// so a tampered ?rd= parameter cannot influence the final redirect target.
|
|
rid = await createRedirectIntent(redirectUri);
|
|
}
|
|
} catch {
|
|
// invalid URL — portal will show a generic message
|
|
}
|
|
}
|
|
|
|
const session = await auth();
|
|
const enabledProviders = await getProviderDisplayList();
|
|
|
|
return (
|
|
<PortalLoginForm
|
|
rid={rid}
|
|
hasRedirect={!!redirectUri || !!existingRid}
|
|
targetDomain={targetDomain}
|
|
enabledProviders={enabledProviders}
|
|
existingSession={session ? { userId: session.user.id, name: session.user.name ?? null, email: session.user.email ?? null } : null}
|
|
/>
|
|
);
|
|
}
|