ciphera-net/pulse
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 15 Wiki Activity

fix(cors): allow credentials on options requests and update frontend auth flow

Browse Source
This commit is contained in:
Usman Baig
2026-01-18 21:27:22 +01:00
parent d4486f952f
commit 2fda4667ed
4 changed files with 535 additions and 531 deletions
Download Patch File Download Diff File Expand all files Collapse all files

287
app/actions/auth.ts
View File

@@ -1,143 +1,144 @@
'use server'
import { cookies } from 'next/headers'
const AUTH_API_URL = process.env.NEXT_PUBLIC_AUTH_API_URL || process.env.NEXT_PUBLIC_AUTH_URL || 'http://localhost:8081'
interface AuthResponse {
access_token: string
refresh_token: string
id_token: string
expires_in: number
}
interface UserPayload {
sub: string
email?: string
totp_enabled?: boolean
}
export async function exchangeAuthCode(code: string, codeVerifier: string, redirectUri: string) {
try {
const res = await fetch(`${AUTH_API_URL}/oauth/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
grant_type: 'authorization_code',
code,
client_id: 'analytics-app',
redirect_uri: redirectUri,
code_verifier: codeVerifier,
}),
})
if (!res.ok) {
const data = await res.json()
throw new Error(data.error || 'Failed to exchange token')
}
const data: AuthResponse = await res.json()
// * Decode payload (without verification, we trust the direct channel to Auth Server)
const payloadPart = data.access_token.split('.')[1]
const payload: UserPayload = JSON.parse(Buffer.from(payloadPart, 'base64').toString())
// * Set Cookies
const cookieStore = await cookies()
// * Access Token
cookieStore.set('access_token', data.access_token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: 60 * 15 // 15 minutes (short lived)
})
// * Refresh Token (Long lived)
cookieStore.set('refresh_token', data.refresh_token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: 60 * 60 * 24 * 30 // 30 days
})
return {
success: true,
user: {
id: payload.sub,
email: payload.email || 'user@ciphera.net',
totp_enabled: payload.totp_enabled || false
}
}
} catch (error: any) {
console.error('Auth Exchange Error:', error)
return { success: false, error: error.message }
}
}
export async function setSessionAction(accessToken: string, refreshToken: string) {
try {
const payloadPart = accessToken.split('.')[1]
const payload: UserPayload = JSON.parse(Buffer.from(payloadPart, 'base64').toString())
const cookieStore = await cookies()
cookieStore.set('access_token', accessToken, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: 60 * 15
})
cookieStore.set('refresh_token', refreshToken, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: 60 * 60 * 24 * 30
})
return {
success: true,
user: {
id: payload.sub,
email: payload.email || 'user@ciphera.net',
totp_enabled: payload.totp_enabled || false
}
}
} catch (e) {
return { success: false, error: 'Invalid token' }
}
}
export async function logoutAction() {
const cookieStore = await cookies()
cookieStore.delete('access_token')
cookieStore.delete('refresh_token')
return { success: true }
}
export async function getSessionAction() {
const cookieStore = await cookies()
const token = cookieStore.get('access_token')
if (!token) return null
try {
const payloadPart = token.value.split('.')[1]
const payload: UserPayload = JSON.parse(Buffer.from(payloadPart, 'base64').toString())
return {
id: payload.sub,
email: payload.email || 'user@ciphera.net',
totp_enabled: payload.totp_enabled || false
}
} catch {
return null
}
}
1|'use server'
2|
3|import { cookies } from 'next/headers'
4|
5|const AUTH_API_URL = process.env.NEXT_PUBLIC_AUTH_API_URL || process.env.NEXT_PUBLIC_AUTH_URL || 'http://localhost:8081'
6|
7|interface AuthResponse {
8| access_token: string
9| refresh_token: string
10| id_token: string
11| expires_in: number
12|}
13|
14|interface UserPayload {
15| sub: string
16| email?: string
17| totp_enabled?: boolean
18|}
19|
20|export async function exchangeAuthCode(code: string, codeVerifier: string, redirectUri: string) {
21| try {
22| const res = await fetch(`${AUTH_API_URL}/oauth/token`, {
23| method: 'POST',
24| headers: {
25| 'Content-Type': 'application/json',
26| },
27| body: JSON.stringify({
28| grant_type: 'authorization_code',
29| code,
30| client_id: 'analytics-app',
31| redirect_uri: redirectUri,
32| code_verifier: codeVerifier,
33| }),
34| })
35|
36| if (!res.ok) {
37| const data = await res.json()
38| throw new Error(data.error || 'Failed to exchange token')
39| }
40|
41| const data: AuthResponse = await res.json()
42|
43| // * Decode payload (without verification, we trust the direct channel to Auth Server)
44| const payloadPart = data.access_token.split('.')[1]
45| const payload: UserPayload = JSON.parse(Buffer.from(payloadPart, 'base64').toString())
46|
47| // * Set Cookies
48| const cookieStore = await cookies()
49|
50| // * Access Token
51| cookieStore.set('access_token', data.access_token, {
52| httpOnly: true,
53| secure: process.env.NODE_ENV === 'production',
54| sameSite: 'lax',
55| path: '/',
56| maxAge: 60 * 15 // 15 minutes (short lived)
57| })
58|
59| // * Refresh Token (Long lived)
60| cookieStore.set('refresh_token', data.refresh_token, {
61| httpOnly: true,
62| secure: process.env.NODE_ENV === 'production',
63| sameSite: 'lax',
64| path: '/',
65| maxAge: 60 * 60 * 24 * 30 // 30 days
66| })
67|
68| return {
69| success: true,
70| user: {
71| id: payload.sub,
72| email: payload.email || 'user@ciphera.net',
73| totp_enabled: payload.totp_enabled || false
74| }
75| }
76|
77| } catch (error: any) {
78| console.error('Auth Exchange Error:', error)
79| return { success: false, error: error.message }
80| }
81|}
82|
83|export async function setSessionAction(accessToken: string, refreshToken: string) {
84| try {
85| const payloadPart = accessToken.split('.')[1]
86| const payload: UserPayload = JSON.parse(Buffer.from(payloadPart, 'base64').toString())
87|
88| const cookieStore = await cookies()
89|
90| cookieStore.set('access_token', accessToken, {
91| httpOnly: true,
92| secure: process.env.NODE_ENV === 'production',
93| sameSite: 'lax',
94| path: '/',
95| maxAge: 60 * 15
96| })
97|
98| cookieStore.set('refresh_token', refreshToken, {
99| httpOnly: true,
100| secure: process.env.NODE_ENV === 'production',
101| sameSite: 'lax',
102| path: '/',
103| maxAge: 60 * 60 * 24 * 30
104| })
105|
106| return {
107| success: true,
108| user: {
109| id: payload.sub,
110| email: payload.email || 'user@ciphera.net',
111| totp_enabled: payload.totp_enabled || false
112| }
113| }
114| } catch (e) {
115| return { success: false, error: 'Invalid token' }
116| }
117|}
118|
119|export async function logoutAction() {
120| const cookieStore = await cookies()
121| cookieStore.delete('access_token')
122| cookieStore.delete('refresh_token')
123| return { success: true }
124|}
125|
126|export async function getSessionAction() {
127| const cookieStore = await cookies()
128| const token = cookieStore.get('access_token')
129|
130| if (!token) return null
131|
132| try {
133| const payloadPart = token.value.split('.')[1]
134| const payload: UserPayload = JSON.parse(Buffer.from(payloadPart, 'base64').toString())
135| return {
136| id: payload.sub,
137| email: payload.email || 'user@ciphera.net',
138| totp_enabled: payload.totp_enabled || false
139| }
140| } catch {
141| return null
142| }
143|}
144|

269
app/auth/callback/page.tsx
View File

@@ -1,134 +1,135 @@
'use client'
import { useEffect, useState, Suspense, useRef } from 'react'
import { useRouter, useSearchParams } from 'next/navigation'
import { useAuth } from '@/lib/auth/context'
import { AUTH_URL } from '@/lib/api/client'
import { exchangeAuthCode, setSessionAction } from '@/app/actions/auth'
function AuthCallbackContent() {
const router = useRouter()
const searchParams = useSearchParams()
const { login } = useAuth()
const [error, setError] = useState<string | null>(null)
const processedRef = useRef(false)
useEffect(() => {
// * Prevent double execution (React Strict Mode or fast re-renders)
if (processedRef.current) return
// * Check for direct token passing (from auth-frontend direct login)
// * TODO: This flow exposes tokens in URL, should be deprecated in favor of Authorization Code flow
const token = searchParams.get('token')
const refreshToken = searchParams.get('refresh_token')
if (token && refreshToken) {
processedRef.current = true
const handleDirectTokens = async () => {
const result = await setSessionAction(token, refreshToken)
if (result.success && result.user) {
login(result.user)
const returnTo = searchParams.get('returnTo') || '/'
router.push(returnTo)
} else {
setError('Invalid token received')
}
}
handleDirectTokens()
return
}
const code = searchParams.get('code')
const state = searchParams.get('state')
// * Skip if params are missing (might be initial render before params are ready)
if (!code || !state) return
processedRef.current = true
const storedState = localStorage.getItem('oauth_state')
const codeVerifier = localStorage.getItem('oauth_code_verifier')
if (!code || !state) {
setError('Missing code or state')
return
}
if (state !== storedState) {
console.error('State mismatch', { received: state, stored: storedState })
setError('Invalid state')
return
}
if (!codeVerifier) {
setError('Missing code verifier')
return
}
const exchangeCode = async () => {
try {
const redirectUri = window.location.origin + '/auth/callback'
const result = await exchangeAuthCode(code, codeVerifier, redirectUri)
if (!result.success || !result.user) {
throw new Error(result.error || 'Failed to exchange token')
}
login(result.user)
// * Cleanup
localStorage.removeItem('oauth_state')
localStorage.removeItem('oauth_code_verifier')
router.push('/')
} catch (err: any) {
setError(err.message)
}
}
exchangeCode()
}, [searchParams, login, router])
if (error) {
return (
<div className="flex min-h-screen items-center justify-center p-4">
<div className="rounded-md bg-red-50 dark:bg-red-900/20 p-4 text-red-500">
Error: {error}
<div className="mt-4">
<button
onClick={() => window.location.href = `${AUTH_URL}/login`}
className="text-sm underline"
>
Back to Login
</button>
</div>
</div>
</div>
)
}
return (
<div className="flex min-h-screen items-center justify-center p-4">
<div className="text-center">
<div className="h-8 w-8 animate-spin rounded-full border-4 border-neutral-200 border-t-neutral-800 mx-auto mb-4"></div>
<p className="text-neutral-600 dark:text-neutral-400">Completing sign in...</p>
</div>
</div>
)
}
export default function AuthCallback() {
return (
<Suspense fallback={
<div className="flex min-h-screen items-center justify-center p-4">
<div className="text-center">
<div className="h-8 w-8 animate-spin rounded-full border-4 border-neutral-200 border-t-neutral-800 mx-auto mb-4"></div>
<p className="text-neutral-600 dark:text-neutral-400">Loading...</p>
</div>
</div>
}>
<AuthCallbackContent />
</Suspense>
)
}
1|'use client'
2|
3|import { useEffect, useState, Suspense, useRef } from 'react'
4|import { useRouter, useSearchParams } from 'next/navigation'
5|import { useAuth } from '@/lib/auth/context'
6|import { AUTH_URL } from '@/lib/api/client'
7|import { exchangeAuthCode, setSessionAction } from '@/app/actions/auth'
8|
9|function AuthCallbackContent() {
10| const router = useRouter()
11| const searchParams = useSearchParams()
12| const { login } = useAuth()
13| const [error, setError] = useState<string | null>(null)
14| const processedRef = useRef(false)
15|
16| useEffect(() => {
17| // * Prevent double execution (React Strict Mode or fast re-renders)
18| if (processedRef.current) return
19|
20| // * Check for direct token passing (from auth-frontend direct login)
21| // * TODO: This flow exposes tokens in URL, should be deprecated in favor of Authorization Code flow
22| const token = searchParams.get('token')
23| const refreshToken = searchParams.get('refresh_token')
24|
25| if (token && refreshToken) {
26| processedRef.current = true
27|
28| const handleDirectTokens = async () => {
29| const result = await setSessionAction(token, refreshToken)
30| if (result.success && result.user) {
31| login(result.user)
32| const returnTo = searchParams.get('returnTo') || '/'
33| router.push(returnTo)
34| } else {
35| setError('Invalid token received')
36| }
37| }
38| handleDirectTokens()
39| return
40| }
41|
42| const code = searchParams.get('code')
43| const state = searchParams.get('state')
44|
45| // * Skip if params are missing (might be initial render before params are ready)
46| if (!code || !state) return
47|
48| processedRef.current = true
49|
50| const storedState = localStorage.getItem('oauth_state')
51| const codeVerifier = localStorage.getItem('oauth_code_verifier')
52|
53| if (!code || !state) {
54| setError('Missing code or state')
55| return
56| }
57|
58| if (state !== storedState) {
59| console.error('State mismatch', { received: state, stored: storedState })
60| setError('Invalid state')
61| return
62| }
63|
64| if (!codeVerifier) {
65| setError('Missing code verifier')
66| return
67| }
68|
69| const exchangeCode = async () => {
70| try {
71| const redirectUri = window.location.origin + '/auth/callback'
72| const result = await exchangeAuthCode(code, codeVerifier, redirectUri)
73|
74| if (!result.success || !result.user) {
75| throw new Error(result.error || 'Failed to exchange token')
76| }
77|
78| login(result.user)
79|
80| // * Cleanup
81| localStorage.removeItem('oauth_state')
82| localStorage.removeItem('oauth_code_verifier')
83|
84| router.push('/')
85| } catch (err: any) {
86| setError(err.message)
87| }
88| }
89|
90| exchangeCode()
91| }, [searchParams, login, router])
92|
93| if (error) {
94| return (
95| <div className="flex min-h-screen items-center justify-center p-4">
96| <div className="rounded-md bg-red-50 dark:bg-red-900/20 p-4 text-red-500">
97| Error: {error}
98| <div className="mt-4">
99| <button
100| onClick={() => window.location.href = `${AUTH_URL}/login`}
101| className="text-sm underline"
102| >
103| Back to Login
104| </button>
105| </div>
106| </div>
107| </div>
108| )
109| }
110|
111| return (
112| <div className="flex min-h-screen items-center justify-center p-4">
113| <div className="text-center">
114| <div className="h-8 w-8 animate-spin rounded-full border-4 border-neutral-200 border-t-neutral-800 mx-auto mb-4"></div>
115| <p className="text-neutral-600 dark:text-neutral-400">Completing sign in...</p>
116| </div>
117| </div>
118| )
119|}
120|
121|export default function AuthCallback() {
122| return (
123| <Suspense fallback={
124| <div className="flex min-h-screen items-center justify-center p-4">
125| <div className="text-center">
126| <div className="h-8 w-8 animate-spin rounded-full border-4 border-neutral-200 border-t-neutral-800 mx-auto mb-4"></div>
127| <p className="text-neutral-600 dark:text-neutral-400">Loading...</p>
128| </div>
129| </div>
130| }>
131| <AuthCallbackContent />
132| </Suspense>
133| )
134|}
135|

293
lib/api/client.ts
View File

@@ -1,146 +1,147 @@
/**
* HTTP client wrapper for API calls
*/
export const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8082'
export const AUTH_URL = process.env.NEXT_PUBLIC_AUTH_URL || 'http://localhost:3000'
export const APP_URL = process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3003'
export const AUTH_API_URL = process.env.NEXT_PUBLIC_AUTH_API_URL || 'https://auth-api.ciphera.net'
export function getLoginUrl(redirectPath = '/auth/callback') {
const redirectUri = encodeURIComponent(`${APP_URL}${redirectPath}`)
return `${AUTH_URL}/login?client_id=analytics-app&redirect_uri=${redirectUri}&response_type=code`
}
export function getSignupUrl(redirectPath = '/auth/callback') {
const redirectUri = encodeURIComponent(`${APP_URL}${redirectPath}`)
return `${AUTH_URL}/signup?client_id=analytics-app&redirect_uri=${redirectUri}&response_type=code`
}
export class ApiError extends Error {
status: number
constructor(message: string, status: number) {
super(message)
this.status = status
}
}
// * Mutex for token refresh
let isRefreshing = false
let refreshSubscribers: (() => void)[] = []
function subscribeToTokenRefresh(cb: () => void) {
refreshSubscribers.push(cb)
}
function onRefreshed() {
refreshSubscribers.map((cb) => cb())
refreshSubscribers = []
}
/**
* Base API client with error handling
*/
async function apiRequest<T>(
endpoint: string,
options: RequestInit = {}
): Promise<T> {
// * Determine base URL
const isAuthRequest = endpoint.startsWith('/auth')
const baseUrl = isAuthRequest ? AUTH_API_URL : API_URL
const url = `${baseUrl}/api/v1${endpoint}`
const headers: HeadersInit = {
'Content-Type': 'application/json',
...options.headers,
}
// * We rely on HttpOnly cookies, so no manual Authorization header injection.
// * We MUST set credentials: 'include' for the browser to send cookies cross-origin (or same-site).
const response = await fetch(url, {
...options,
headers,
credentials: 'include', // * IMPORTANT: Send cookies
})
if (!response.ok) {
if (response.status === 401) {
// * Attempt Token Refresh if 401
if (typeof window !== 'undefined') {
// * Prevent infinite loop: Don't refresh if the failed request WAS a refresh request (unlikely via apiRequest but safe to check)
if (!endpoint.includes('/auth/refresh')) {
if (isRefreshing) {
// * If refresh is already in progress, wait for it to complete
return new Promise((resolve, reject) => {
subscribeToTokenRefresh(async () => {
// Retry original request (browser uses new cookie)
try {
const retryResponse = await fetch(url, {
...options,
headers,
credentials: 'include',
})
if (retryResponse.ok) {
resolve(retryResponse.json())
} else {
reject(new ApiError('Retry failed', retryResponse.status))
}
} catch (e) {
reject(e)
}
})
})
}
isRefreshing = true
try {
// * Call our internal Next.js API route to handle refresh securely
const refreshRes = await fetch('/api/auth/refresh', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
})
if (refreshRes.ok) {
// * Refresh successful, cookies updated
onRefreshed()
// * Retry original request
const retryResponse = await fetch(url, {
...options,
headers,
credentials: 'include',
})
if (retryResponse.ok) {
return retryResponse.json()
}
} else {
// * Refresh failed, logout
localStorage.removeItem('user')
// * Redirect to login if needed, or let the app handle 401
// window.location.href = '/'
}
} catch (e) {
// * Network error during refresh
throw e
} finally {
isRefreshing = false
}
}
}
}
const errorBody = await response.json().catch(() => ({
error: 'Unknown error',
message: `HTTP ${response.status}: ${response.statusText}`,
}))
throw new ApiError(errorBody.message || errorBody.error || 'Request failed', response.status)
}
return response.json()
}
export const authFetch = apiRequest
export default apiRequest
1|/**
2| * HTTP client wrapper for API calls
3| */
4|
5|export const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8082'
6|export const AUTH_URL = process.env.NEXT_PUBLIC_AUTH_URL || 'http://localhost:3000'
7|export const APP_URL = process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3003'
8|export const AUTH_API_URL = process.env.NEXT_PUBLIC_AUTH_API_URL || 'https://auth-api.ciphera.net'
9|
10|export function getLoginUrl(redirectPath = '/auth/callback') {
11| const redirectUri = encodeURIComponent(`${APP_URL}${redirectPath}`)
12| return `${AUTH_URL}/login?client_id=analytics-app&redirect_uri=${redirectUri}&response_type=code`
13|}
14|
15|export function getSignupUrl(redirectPath = '/auth/callback') {
16| const redirectUri = encodeURIComponent(`${APP_URL}${redirectPath}`)
17| return `${AUTH_URL}/signup?client_id=analytics-app&redirect_uri=${redirectUri}&response_type=code`
18|}
19|
20|export class ApiError extends Error {
21| status: number
22| constructor(message: string, status: number) {
23| super(message)
24| this.status = status
25| }
26|}
27|
28|// * Mutex for token refresh
29|let isRefreshing = false
30|let refreshSubscribers: (() => void)[] = []
31|
32|function subscribeToTokenRefresh(cb: () => void) {
33| refreshSubscribers.push(cb)
34|}
35|
36|function onRefreshed() {
37| refreshSubscribers.map((cb) => cb())
38| refreshSubscribers = []
39|}
40|
41|/**
42| * Base API client with error handling
43| */
44|async function apiRequest<T>(
45| endpoint: string,
46| options: RequestInit = {}
47|): Promise<T> {
48| // * Determine base URL
49| const isAuthRequest = endpoint.startsWith('/auth')
50| const baseUrl = isAuthRequest ? AUTH_API_URL : API_URL
51| const url = `${baseUrl}/api/v1${endpoint}`
52|
53| const headers: HeadersInit = {
54| 'Content-Type': 'application/json',
55| ...options.headers,
56| }
57|
58| // * We rely on HttpOnly cookies, so no manual Authorization header injection.
59| // * We MUST set credentials: 'include' for the browser to send cookies cross-origin (or same-site).
60|
61| const response = await fetch(url, {
62| ...options,
63| headers,
64| credentials: 'include', // * IMPORTANT: Send cookies
65| })
66|
67| if (!response.ok) {
68| if (response.status === 401) {
69| // * Attempt Token Refresh if 401
70| if (typeof window !== 'undefined') {
71| // * Prevent infinite loop: Don't refresh if the failed request WAS a refresh request (unlikely via apiRequest but safe to check)
72| if (!endpoint.includes('/auth/refresh')) {
73| if (isRefreshing) {
74| // * If refresh is already in progress, wait for it to complete
75| return new Promise((resolve, reject) => {
76| subscribeToTokenRefresh(async () => {
77| // Retry original request (browser uses new cookie)
78| try {
79| const retryResponse = await fetch(url, {
80| ...options,
81| headers,
82| credentials: 'include',
83| })
84| if (retryResponse.ok) {
85| resolve(retryResponse.json())
86| } else {
87| reject(new ApiError('Retry failed', retryResponse.status))
88| }
89| } catch (e) {
90| reject(e)
91| }
92| })
93| })
94| }
95|
96| isRefreshing = true
97|
98| try {
99| // * Call our internal Next.js API route to handle refresh securely
100| const refreshRes = await fetch('/api/auth/refresh', {
101| method: 'POST',
102| headers: { 'Content-Type': 'application/json' },
103| })
104|
105| if (refreshRes.ok) {
106| // * Refresh successful, cookies updated
107| onRefreshed()
108|
109| // * Retry original request
110| const retryResponse = await fetch(url, {
111| ...options,
112| headers,
113| credentials: 'include',
114| })
115|
116| if (retryResponse.ok) {
117| return retryResponse.json()
118| }
119| } else {
120| // * Refresh failed, logout
121| localStorage.removeItem('user')
122| // * Redirect to login if needed, or let the app handle 401
123| // window.location.href = '/'
124| }
125| } catch (e) {
126| // * Network error during refresh
127| throw e
128| } finally {
129| isRefreshing = false
130| }
131| }
132| }
133| }
134|
135| const errorBody = await response.json().catch(() => ({
136| error: 'Unknown error',
137| message: `HTTP ${response.status}: ${response.statusText}`,
138| }))
139| throw new ApiError(errorBody.message || errorBody.error || 'Request failed', response.status)
140| }
141|
142| return response.json()
143|}
144|
145|export const authFetch = apiRequest
146|export default apiRequest
147|

217
lib/auth/context.tsx
View File

@@ -1,108 +1,109 @@
'use client'
import React, { createContext, useContext, useEffect, useState, useCallback } from 'react'
import { useRouter } from 'next/navigation'
import apiRequest from '@/lib/api/client'
import LoadingOverlay from '@/components/LoadingOverlay'
import { logoutAction, getSessionAction } from '@/app/actions/auth'
interface User {
id: string
email: string
totp_enabled: boolean
}
interface AuthContextType {
user: User | null
loading: boolean
login: (user: User) => void
logout: () => void
refresh: () => Promise<void>
refreshSession: () => Promise<void>
}
const AuthContext = createContext<AuthContextType>({
user: null,
loading: true,
login: () => {},
logout: () => {},
refresh: async () => {},
refreshSession: async () => {},
})
export function AuthProvider({ children }: { children: React.ReactNode }) {
const [user, setUser] = useState<User | null>(null)
const [loading, setLoading] = useState(true)
const [isLoggingOut, setIsLoggingOut] = useState(false)
const router = useRouter()
const login = (userData: User) => {
// * We still store user profile in localStorage for optimistic UI, but NOT the token
localStorage.setItem('user', JSON.stringify(userData))
setUser(userData)
router.refresh()
}
const logout = useCallback(async () => {
setIsLoggingOut(true)
await logoutAction()
localStorage.removeItem('user')
// * Clear legacy tokens if they exist
localStorage.removeItem('token')
localStorage.removeItem('refreshToken')
setTimeout(() => {
window.location.href = '/'
}, 500)
}, [])
const refresh = useCallback(async () => {
try {
const userData = await apiRequest<User>('/auth/user/me')
setUser(userData)
localStorage.setItem('user', JSON.stringify(userData))
} catch (e) {
console.error('Failed to refresh user data', e)
}
router.refresh()
}, [router])
const refreshSession = useCallback(async () => {
await refresh()
}, [refresh])
// Initial load
useEffect(() => {
const init = async () => {
// * 1. Check server-side session (cookies)
const session = await getSessionAction()
if (session) {
setUser(session)
localStorage.setItem('user', JSON.stringify(session))
} else {
// * Session invalid/expired
localStorage.removeItem('user')
setUser(null)
}
// * Clear legacy tokens if they exist (migration)
if (localStorage.getItem('token')) {
localStorage.removeItem('token')
localStorage.removeItem('refreshToken')
}
setLoading(false)
}
init()
}, [])
return (
<AuthContext.Provider value={{ user, loading, login, logout, refresh, refreshSession }}>
{isLoggingOut && <LoadingOverlay logoSrc="/ciphera_icon_no_margins.png" title="Ciphera Analytics" />}
{children}
</AuthContext.Provider>
)
}
export const useAuth = () => useContext(AuthContext)
1|'use client'
2|
3|import React, { createContext, useContext, useEffect, useState, useCallback } from 'react'
4|import { useRouter } from 'next/navigation'
5|import apiRequest from '@/lib/api/client'
6|import LoadingOverlay from '@/components/LoadingOverlay'
7|import { logoutAction, getSessionAction } from '@/app/actions/auth'
8|
9|interface User {
10| id: string
11| email: string
12| totp_enabled: boolean
13|}
14|
15|interface AuthContextType {
16| user: User | null
17| loading: boolean
18| login: (user: User) => void
19| logout: () => void
20| refresh: () => Promise<void>
21| refreshSession: () => Promise<void>
22|}
23|
24|const AuthContext = createContext<AuthContextType>({
25| user: null,
26| loading: true,
27| login: () => {},
28| logout: () => {},
29| refresh: async () => {},
30| refreshSession: async () => {},
31|})
32|
33|export function AuthProvider({ children }: { children: React.ReactNode }) {
34| const [user, setUser] = useState<User | null>(null)
35| const [loading, setLoading] = useState(true)
36| const [isLoggingOut, setIsLoggingOut] = useState(false)
37| const router = useRouter()
38|
39| const login = (userData: User) => {
40| // * We still store user profile in localStorage for optimistic UI, but NOT the token
41| localStorage.setItem('user', JSON.stringify(userData))
42| setUser(userData)
43| router.refresh()
44| }
45|
46| const logout = useCallback(async () => {
47| setIsLoggingOut(true)
48| await logoutAction()
49| localStorage.removeItem('user')
50| // * Clear legacy tokens if they exist
51| localStorage.removeItem('token')
52| localStorage.removeItem('refreshToken')
53|
54| setTimeout(() => {
55| window.location.href = '/'
56| }, 500)
57| }, [])
58|
59| const refresh = useCallback(async () => {
60| try {
61| const userData = await apiRequest<User>('/auth/user/me')
62| setUser(userData)
63| localStorage.setItem('user', JSON.stringify(userData))
64| } catch (e) {
65| console.error('Failed to refresh user data', e)
66| }
67| router.refresh()
68| }, [router])
69|
70| const refreshSession = useCallback(async () => {
71| await refresh()
72| }, [refresh])
73|
74| // Initial load
75| useEffect(() => {
76| const init = async () => {
77| // * 1. Check server-side session (cookies)
78| const session = await getSessionAction()
79|
80| if (session) {
81| setUser(session)
82| localStorage.setItem('user', JSON.stringify(session))
83| } else {
84| // * Session invalid/expired
85| localStorage.removeItem('user')
86| setUser(null)
87| }
88|
89| // * Clear legacy tokens if they exist (migration)
90| if (localStorage.getItem('token')) {
91| localStorage.removeItem('token')
92| localStorage.removeItem('refreshToken')
93| }
94|
95| setLoading(false)
96| }
97| init()
98| }, [])
99|
100| return (
101| <AuthContext.Provider value={{ user, loading, login, logout, refresh, refreshSession }}>
102| {isLoggingOut && <LoadingOverlay logoSrc="/ciphera_icon_no_margins.png" title="Ciphera Analytics" />}
103| {children}
104| </AuthContext.Provider>
105| )
106|}
107|
108|export const useAuth = () => useContext(AuthContext)
109|