Deploy

lib/auth/constants.ts

@@ -20,7 +20,7 @@ import {
 
 export const GetSession = async ({ cookies = '' }) => {
   try {
-    const response = await fetch(`${process.env.AUTH_URL}/api/auth/session`, {
+    const response = await fetch(`${process.env.AUTH_URL}/api/v1/auth/session`, {
       method: 'GET',
       headers: {
         Accept: 'application/json',
@@ -180,13 +180,22 @@ export const authConfig = {
         secure: true,
       },
     },
+    csrfToken: {
+      name: `authjs.csrf-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'none',
+        path: '/',
+        secure: true,
+      },
+    },
   },
   trustHost: true,
   pages: {
-    signIn: '/signin',
+    signIn: '/dash/signin',
     signOut: '/',
-    error: '/error', // Error code passed in query string as ?error=
-    verifyRequest: '/verify', // (used for check email message)
+    error: '/dash/error', // Error code passed in query string as ?error=
+    verifyRequest: '/dash/verify', // (used for check email message)
     // newUser: '/' // New users will be directed here on first sign in (leave the property out if not of interest)
   },
 } satisfies NextAuthConfig;

lib/state/providers.tsx

@@ -23,7 +23,7 @@ export function RootProviders({ children }: { children: React.ReactNode }) {
   if (!authState?.initd) return;
 
   return (
-    <SessionProvider basePath={base ? `${base}/api/auth` : '/api/auth'}>
+    <SessionProvider basePath={base ? `${base}/api/v1/auth` : '/api/v1/auth'}>
       <AuthContext.Provider value={authState}>{children}</AuthContext.Provider>
     </SessionProvider>
   );

patches/@auth+core+0.34.2.patch

@@ -0,0 +1,19 @@
+diff --git a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js
+index a35e8f0..792a6ce 100644
+--- a/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js
++++ b/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js
+@@ -17,12 +17,13 @@ import { MissingCSRF } from "../../../../errors.js";
+ export async function createCSRFToken({ options, cookieValue, isPost, bodyValue, }) {
+     if (cookieValue) {
+         const [csrfToken, csrfTokenHash] = cookieValue.split("|");
++        const [bodyValueToken] = bodyValue?.split("|") || [];
+         const expectedCsrfTokenHash = await createHash(`${csrfToken}${options.secret}`);
+         if (csrfTokenHash === expectedCsrfTokenHash) {
+             // If hash matches then we trust the CSRF token value
+             // If this is a POST request and the CSRF Token in the POST request matches
+             // the cookie we have already verified is the one we have set, then the token is verified!
+-            const csrfTokenVerified = isPost && csrfToken === bodyValue;
++            const csrfTokenVerified = isPost && csrfToken === bodyValueToken;
+             return { csrfTokenVerified, csrfToken };
+         }
+     }

src/app/api/auth/callback/apple/route.ts → src/app/api/v1/auth/callback/apple/route.ts

@@ -15,7 +15,7 @@ export async function POST(req: NextRequest) {
   const searchParams = new URLSearchParams(queryParams);
 
   const response = NextResponse.redirect(
-    `https://${req.headers.get('host')}/api/auth/callback/apple?${searchParams.toString()}`,
+    `https://${req.headers.get('host')}/api/v1/auth/callback/apple?${searchParams.toString()}`,
     {
       status: 302,
     },

src/middleware.ts

@@ -3,37 +3,42 @@
 import type { NextRequest } from 'next/server';
 import { next } from '@vercel/edge';
 import { ipAddress } from '@vercel/functions';
-// import { kv } from '@vercel/kv';
+import { kv } from '@vercel/kv';
 import { NextResponse } from 'next/server';
-// import { Ratelimit } from '@upstash/ratelimit';
+import { Ratelimit } from '@upstash/ratelimit';
 
-// const ratelimit = new Ratelimit({
-//   redis: kv,
-//   limiter: Ratelimit.slidingWindow(10, '3 s'),
-// });
+const ratelimit = new Ratelimit({
+  redis: kv,
+  limiter: Ratelimit.slidingWindow(10, '3 s'),
+});
 
 export const config = {
   matcher: ['/api/:path*'],
 };
 
 const headers: Record<string, any> = {
-  // 'content-type': 'application/json',
-  'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://alpha.dreampip.com',
+  'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://www.dreampip.com',
   'Cache-Control': 'maxage=0, s-maxage=300, stale-while-revalidate=300',
+  // DEV-DEBUG:
+  // 'content-type': 'application/json',
+  // 'Access-Control-Allow-Origin': 'http://localhost:2999',
+  'Access-Control-Allow-Credentials': 'true',
+  'Access-Control-Allow-Headers': '*',
 };
 
 export default async function middleware(request: NextRequest) {
   // You could alternatively limit based on user ID or similar
   const response = next();
   const ip = ipAddress(request) || '127.0.0.1';
 
-  // const { success, pending, limit, reset, remaining } = await ratelimit.limit(ip);
+  const { success, pending, limit, reset, remaining } = await ratelimit.limit(ip);
+
   if (!request?.url?.includes('auth')) {
     Object.keys(headers).forEach((key: string) => {
       response.headers.set(key, headers[key]);
     });
   }
 
-  // return success ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url));
-  return response ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url));
+  return success ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url));
+  // return response ? response : NextResponse.redirect(new URL('https://www.dreampip.com/404', request.url));
 }