3a16d6e9b1
- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases)
- Add multi-provider OAuth support with admin UI configuration
- New oauthProviders table with encrypted secrets (AES-256-GCM)
- Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable
- OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers
- Settings page "Authentication Providers" section for admin management
- Account linking uses new accounts table (multi-provider per user)
- Username plugin for credentials sign-in (replaces email@localhost pattern)
- bcrypt password compatibility (existing hashes work)
- Database-backed sessions via Kysely adapter (bun:sqlite direct)
- Configurable rate limiting via AUTH_RATE_LIMIT_* env vars
- All DB columns migrated from snake_case to camelCase
- All TypeScript types/models migrated to camelCase properties
- Removed casing: "snake_case" from Drizzle config
- Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId}
- package-lock.json removed and gitignored (using bun.lock)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
81 lines
2.2 KiB
TypeScript
81 lines
2.2 KiB
TypeScript
import { NextRequest, NextResponse } from "next/server";
|
|
import { auth, checkSameOrigin } from "@/src/lib/auth";
|
|
import { getUserById } from "@/src/lib/models/user";
|
|
import { createAuditEvent } from "@/src/lib/models/audit";
|
|
import db from "@/src/lib/db";
|
|
import { accounts } from "@/src/lib/db/schema";
|
|
import { and, eq, ne } from "drizzle-orm";
|
|
|
|
export async function POST(request: NextRequest) {
|
|
const originCheck = checkSameOrigin(request);
|
|
if (originCheck) return originCheck;
|
|
|
|
try {
|
|
const session = await auth();
|
|
if (!session?.user?.id) {
|
|
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
|
}
|
|
|
|
const userId = Number(session.user.id);
|
|
const user = await getUserById(userId);
|
|
|
|
if (!user) {
|
|
return NextResponse.json({ error: "User not found" }, { status: 404 });
|
|
}
|
|
|
|
// Must have a password before unlinking OAuth
|
|
if (!user.passwordHash) {
|
|
return NextResponse.json(
|
|
{ error: "Cannot unlink OAuth: You must set a password first" },
|
|
{ status: 400 }
|
|
);
|
|
}
|
|
|
|
// Check if user has any OAuth account links
|
|
const oauthAccounts = await db.select().from(accounts).where(
|
|
and(
|
|
eq(accounts.userId, userId),
|
|
ne(accounts.providerId, "credential")
|
|
)
|
|
);
|
|
|
|
if (oauthAccounts.length === 0) {
|
|
return NextResponse.json(
|
|
{ error: "No OAuth account to unlink" },
|
|
{ status: 400 }
|
|
);
|
|
}
|
|
|
|
const previousProvider = oauthAccounts[0].providerId;
|
|
|
|
// Delete the OAuth account link(s)
|
|
await db.delete(accounts).where(
|
|
and(
|
|
eq(accounts.userId, userId),
|
|
ne(accounts.providerId, "credential")
|
|
)
|
|
);
|
|
|
|
// Audit log
|
|
await createAuditEvent({
|
|
userId,
|
|
action: "oauth_unlinked",
|
|
entityType: "user",
|
|
entityId: userId,
|
|
summary: `User unlinked OAuth account: ${previousProvider}`,
|
|
data: JSON.stringify({ provider: previousProvider })
|
|
});
|
|
|
|
return NextResponse.json({
|
|
success: true,
|
|
message: "OAuth account unlinked successfully"
|
|
});
|
|
} catch (error) {
|
|
console.error("OAuth unlink error:", error);
|
|
return NextResponse.json(
|
|
{ error: "Failed to unlink OAuth account" },
|
|
{ status: 500 }
|
|
);
|
|
}
|
|
}
|