link-stack/apps/link/app/_lib/authentication.ts

import type {
  GetServerSidePropsContext,
  NextApiRequest,
  NextApiResponse,
} from "next";
import {
  NextAuthOptions,
  getServerSession as internalGetServerSession,
} from "next-auth";
import Google from "next-auth/providers/google";
import Credentials from "next-auth/providers/credentials";
import Apple from "next-auth/providers/apple";
import AzureADProvider from "next-auth/providers/azure-ad";
import { createLogger } from "@link-stack/logger";

const logger = createLogger('link-authentication');

const headers = { Authorization: `Token ${process.env.ZAMMAD_API_TOKEN}` };

const fetchRoles = async () => {
  const url = `${process.env.ZAMMAD_URL}/api/v1/roles`;
  const res = await fetch(url, { headers });
  const roles = await res.json();
  const formattedRoles = roles.reduce((acc: any, role: any) => {
    acc[role.id] = role.name;
    return acc;
  }, {});
  return formattedRoles;
};

const fetchUser = async (email: string) => {
  const url = `${process.env.ZAMMAD_URL}/api/v1/users/search?query=${encodeURIComponent(`login:${email}`)}&limit=1`;
  const res = await fetch(url, { headers });
  const users = await res.json();
  const user = users?.[0];

  return user;
};

const getUserRoles = async (email: string) => {
  try {
    const user = await fetchUser(email);
    if (!user) {
      return [];
    }
    const allRoles = await fetchRoles();
    const roles = user.role_ids.map((roleID: number) => {
      const role = allRoles[roleID];
      return role ? role.toLowerCase().replace(" ", "_") : null;
    });
    return roles.filter((role: string) => role !== null);
  } catch (e) {
    logger.error({ error: e, email }, 'Failed to get user roles');
    return [];
  }
};

const login = async (email: string, password: string) => {
  const url = `${process.env.ZAMMAD_URL}/api/v1/users/me`;
  const authorization =
    "Basic " + Buffer.from(email + ":" + password).toString("base64");
  const res = await fetch(url, {
    headers: {
      authorization,
    },
  });
  const user = await res.json();

  if (user && !user.error && user.id) {
    return user;
  } else {
    return null;
  }
};

const providers = [];

if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
  providers.push(
    Google({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
    }),
  );
} else if (process.env.APPLE_CLIENT_ID && process.env.APPLE_CLIENT_SECRET) {
  providers.push(
    Apple({
      clientId: process.env.APPLE_CLIENT_ID,
      clientSecret: process.env.APPLE_CLIENT_SECRET,
    }),
  );
} else if (
  process.env.AZURE_AD_CLIENT_ID &&
  process.env.AZURE_AD_CLIENT_SECRET &&
  process.env.AZURE_AD_TENANT_ID
) {
  providers.push(
    AzureADProvider({
      clientId: process.env.AZURE_AD_CLIENT_ID,
      clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
      tenantId: process.env.AZURE_AD_TENANT_ID,
    }),
  );
} else {
  providers.push(
    Credentials({
      name: "Zammad",
      credentials: {
        email: { label: "Email", type: "text" },
        password: { label: "Password", type: "password" },
      },
      async authorize(credentials) {
        const user = await login(credentials.email, credentials.password);
        if (user) {
          return user;
        } else {
          return null;
        }
      },
    }),
  );
}

export const authOptions: NextAuthOptions = {
  pages: {
    signIn: "/login",
    error: "/login",
    signOut: "/logout",
  },
  providers,
  session: {
    maxAge: 3 * 24 * 60 * 60,
  },
  secret: process.env.NEXTAUTH_SECRET,
  callbacks: {
    signIn: async ({ user }) => {
      const roles = (await getUserRoles(user.email)) ?? [];
      return roles.includes("admin") || roles.includes("agent");
    },
    session: async ({ session, token }) => {
      // @ts-ignore
      session.user.roles = token.roles ?? [];
      // @ts-ignore
      session.user.zammadCsrfToken = token.zammadCsrfToken;

      return session;
    },
    jwt: async ({ token, user, trigger, session }) => {
      if (user) {
        token.roles = (await getUserRoles(user.email)) ?? [];
      }

      if (session && trigger === "update") {
        token.zammadCsrfToken = session.zammadCsrfToken;
      }

      return token;
    },
  },
};

export const getServerSession = (
  ...args:
    | [GetServerSidePropsContext["req"], GetServerSidePropsContext["res"]]
    | [NextApiRequest, NextApiResponse]
    | []
) => internalGetServerSession(...args, authOptions);
WIP 5 2024-03-20 17:51:21 +01:00			`import type {`
			`GetServerSidePropsContext,`
			`NextApiRequest,`
			`NextApiResponse,`
			`} from "next";`
			`import {`
			`NextAuthOptions,`
			`getServerSession as internalGetServerSession,`
			`} from "next-auth";`
			`import Google from "next-auth/providers/google";`
			`import Credentials from "next-auth/providers/credentials";`
			`import Apple from "next-auth/providers/apple";`
Add Azure auth 2025-01-20 11:25:13 +01:00			`import AzureADProvider from "next-auth/providers/azure-ad";`
feat: Add centralized logging system with @link-stack/logger package - Create new @link-stack/logger package wrapping Pino for structured logging - Replace all console.log/error/warn statements across the monorepo - Configure environment-aware logging (pretty-print in dev, JSON in prod) - Add automatic redaction of sensitive fields (passwords, tokens, etc.) - Remove dead commented-out logger file from bridge-worker - Follow Pino's standard argument order (context object first, message second) - Support log levels via LOG_LEVEL environment variable - Export TypeScript types for better IDE support This provides consistent, structured logging across all applications and packages, making debugging easier and production logs more parseable. 2025-08-20 11:37:39 +02:00			`import { createLogger } from "@link-stack/logger";`

			`const logger = createLogger('link-authentication');`
WIP 5 2024-03-20 17:51:21 +01:00
			const headers = { Authorization: `Token ${process.env.ZAMMAD_API_TOKEN}` };

			`const fetchRoles = async () => {`
			const url = `${process.env.ZAMMAD_URL}/api/v1/roles`;
			`const res = await fetch(url, { headers });`
			`const roles = await res.json();`
			`const formattedRoles = roles.reduce((acc: any, role: any) => {`
			`acc[role.id] = role.name;`
			`return acc;`
			`}, {});`
			`return formattedRoles;`
			`};`

			`const fetchUser = async (email: string) => {`
Repo cleanup and updates 2025-11-10 14:55:22 +01:00			const url = `${process.env.ZAMMAD_URL}/api/v1/users/search?query=${encodeURIComponent(`login:${email}`)}&limit=1`;
WIP 5 2024-03-20 17:51:21 +01:00			`const res = await fetch(url, { headers });`
			`const users = await res.json();`
			`const user = users?.[0];`

			`return user;`
			`};`

			`const getUserRoles = async (email: string) => {`
			`try {`
			`const user = await fetchUser(email);`
Update deps and Zammad version (6.4.1) 2025-01-15 14:15:02 +01:00			`if (!user) {`
			`return [];`
			`}`
WIP 5 2024-03-20 17:51:21 +01:00			`const allRoles = await fetchRoles();`
			`const roles = user.role_ids.map((roleID: number) => {`
			`const role = allRoles[roleID];`
			`return role ? role.toLowerCase().replace(" ", "_") : null;`
			`});`
			`return roles.filter((role: string) => role !== null);`
			`} catch (e) {`
feat: Add centralized logging system with @link-stack/logger package - Create new @link-stack/logger package wrapping Pino for structured logging - Replace all console.log/error/warn statements across the monorepo - Configure environment-aware logging (pretty-print in dev, JSON in prod) - Add automatic redaction of sensitive fields (passwords, tokens, etc.) - Remove dead commented-out logger file from bridge-worker - Follow Pino's standard argument order (context object first, message second) - Support log levels via LOG_LEVEL environment variable - Export TypeScript types for better IDE support This provides consistent, structured logging across all applications and packages, making debugging easier and production logs more parseable. 2025-08-20 11:37:39 +02:00			`logger.error({ error: e, email }, 'Failed to get user roles');`
WIP 5 2024-03-20 17:51:21 +01:00			`return [];`
			`}`
			`};`

			`const login = async (email: string, password: string) => {`
			const url = `${process.env.ZAMMAD_URL}/api/v1/users/me`;
			`const authorization =`
			`"Basic " + Buffer.from(email + ":" + password).toString("base64");`
			`const res = await fetch(url, {`
			`headers: {`
			`authorization,`
			`},`
			`});`
			`const user = await res.json();`

			`if (user && !user.error && user.id) {`
			`return user;`
			`} else {`
			`return null;`
			`}`
			`};`

Only allow single NextAuth provider, Login middleware updates 2024-09-27 14:52:44 +02:00			`const providers = [];`

			`if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {`
			`providers.push(`
WIP 5 2024-03-20 17:51:21 +01:00			`Google({`
			`clientId: process.env.GOOGLE_CLIENT_ID,`
			`clientSecret: process.env.GOOGLE_CLIENT_SECRET,`
			`}),`
Only allow single NextAuth provider, Login middleware updates 2024-09-27 14:52:44 +02:00			`);`
			`} else if (process.env.APPLE_CLIENT_ID && process.env.APPLE_CLIENT_SECRET) {`
			`providers.push(`
WIP 5 2024-03-20 17:51:21 +01:00			`Apple({`
			`clientId: process.env.APPLE_CLIENT_ID,`
			`clientSecret: process.env.APPLE_CLIENT_SECRET,`
			`}),`
Only allow single NextAuth provider, Login middleware updates 2024-09-27 14:52:44 +02:00			`);`
Add Azure auth 2025-01-20 11:25:13 +01:00			`} else if (`
			`process.env.AZURE_AD_CLIENT_ID &&`
			`process.env.AZURE_AD_CLIENT_SECRET &&`
			`process.env.AZURE_AD_TENANT_ID`
			`) {`
			`providers.push(`
			`AzureADProvider({`
			`clientId: process.env.AZURE_AD_CLIENT_ID,`
			`clientSecret: process.env.AZURE_AD_CLIENT_SECRET,`
			`tenantId: process.env.AZURE_AD_TENANT_ID,`
			`}),`
			`);`
Only allow single NextAuth provider, Login middleware updates 2024-09-27 14:52:44 +02:00			`} else {`
			`providers.push(`
WIP 5 2024-03-20 17:51:21 +01:00			`Credentials({`
			`name: "Zammad",`
			`credentials: {`
			`email: { label: "Email", type: "text" },`
			`password: { label: "Password", type: "password" },`
			`},`
Dependency cleanup 2024-08-07 12:02:33 +02:00			`async authorize(credentials) {`
WIP 5 2024-03-20 17:51:21 +01:00			`const user = await login(credentials.email, credentials.password);`
			`if (user) {`
			`return user;`
			`} else {`
			`return null;`
			`}`
			`},`
			`}),`
Only allow single NextAuth provider, Login middleware updates 2024-09-27 14:52:44 +02:00			`);`
			`}`

			`export const authOptions: NextAuthOptions = {`
			`pages: {`
Repo cleanup and updates 2025-11-10 14:55:22 +01:00			`signIn: "/login",`
			`error: "/login",`
			`signOut: "/logout",`
Only allow single NextAuth provider, Login middleware updates 2024-09-27 14:52:44 +02:00			`},`
			`providers,`
Shorten session length, change device ID calc 2024-11-25 12:20:49 +01:00			`session: {`
Login, logout and middleware updates 2024-12-13 16:37:20 +01:00			`maxAge: 3 * 24 * 60 * 60,`
Shorten session length, change device ID calc 2024-11-25 12:20:49 +01:00			`},`
WIP 5 2024-03-20 17:51:21 +01:00			`secret: process.env.NEXTAUTH_SECRET,`
			`callbacks: {`
Dependency cleanup 2024-08-07 12:02:33 +02:00			`signIn: async ({ user }) => {`
WIP 5 2024-03-20 17:51:21 +01:00			`const roles = (await getUserRoles(user.email)) ?? [];`
Clean up middleware, add security-headers to non-Zammad pages 2024-09-04 12:09:28 +02:00			`return roles.includes("admin") \|\| roles.includes("agent");`
WIP 5 2024-03-20 17:51:21 +01:00			`},`
Dependency cleanup 2024-08-07 12:02:33 +02:00			`session: async ({ session, token }) => {`
WIP 5 2024-03-20 17:51:21 +01:00			`// @ts-ignore`
			`session.user.roles = token.roles ?? [];`
Restore missing CSRF header 2024-10-09 12:21:06 +02:00			`// @ts-ignore`
			`session.user.zammadCsrfToken = token.zammadCsrfToken;`
Use server actions instead of client-side API calls 2024-08-05 23:31:15 +02:00
WIP 5 2024-03-20 17:51:21 +01:00			`return session;`
			`},`
Restore missing CSRF header 2024-10-09 12:21:06 +02:00			`jwt: async ({ token, user, trigger, session }) => {`
WIP 5 2024-03-20 17:51:21 +01:00			`if (user) {`
			`token.roles = (await getUserRoles(user.email)) ?? [];`
			`}`
Use server actions instead of client-side API calls 2024-08-05 23:31:15 +02:00
Restore missing CSRF header 2024-10-09 12:21:06 +02:00			`if (session && trigger === "update") {`
			`token.zammadCsrfToken = session.zammadCsrfToken;`
			`}`

WIP 5 2024-03-20 17:51:21 +01:00			`return token;`
			`},`
			`},`
Use server actions instead of client-side API calls 2024-08-05 23:31:15 +02:00			`};`
WIP 5 2024-03-20 17:51:21 +01:00
			`export const getServerSession = (`
			`...args:`
			`\| [GetServerSidePropsContext["req"], GetServerSidePropsContext["res"]]`
			`\| [NextApiRequest, NextApiResponse]`
			`\| []`
			`) => internalGetServerSession(...args, authOptions);`