import { NextAuthOptions } from "next-auth"; import CredentialsProvider from "next-auth/providers/credentials"; import { api } from "@/lib/api"; /** 尝试使用 refresh token 获取新的 access token */ async function refreshAccessToken(token: Record) { try { const backendUrl = process.env.NEXT_PUBLIC_API_URL || "http://localhost:8000"; const res = await fetch(`${backendUrl}/api/v1/auth/refresh`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ refresh_token: token.refreshToken }), }); if (!res.ok) { throw new Error(`Refresh failed: ${res.status}`); } const data = await res.json(); return { ...token, accessToken: data.access_token, refreshToken: data.refresh_token, // 滑动过期:更新为新 refresh token // 新 access token 有效期 1 小时 expires_at: Date.now() + 60 * 60 * 1000, error: undefined, }; } catch (error) { // 刷新失败:记录错误,标记让前端展示重新登录 console.error("[Auth] Token refresh failed:", error); try { const Sentry = await import("@sentry/nextjs"); Sentry.captureException(error); } catch { // Sentry 未安装或未配置,静默忽略 } return { ...token, error: "RefreshAccessTokenError", }; } } export const authOptions: NextAuthOptions = { providers: [ CredentialsProvider({ name: "credentials", credentials: { email: { label: "邮箱", type: "email" }, password: { label: "密码", type: "password" }, }, async authorize(credentials) { if (!credentials?.email || !credentials?.password) { return null; } try { // 在 Docker 容器内,localhost 指向容器自身,需要使用服务名 backend const backendUrl = process.env.BACKEND_INTERNAL_URL || process.env.NEXT_PUBLIC_API_URL?.replace("localhost", "backend") || "http://backend:8000"; const res = await fetch(`${backendUrl}/api/v1/auth/login`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ email: credentials.email, password: credentials.password, }), }); if (!res.ok) { return null; } const data = await res.json(); if (data.access_token) { const user = { id: data.user?.id || credentials.email, name: data.user?.name, email: data.user?.email, accessToken: data.access_token, refreshToken: data.refresh_token, is_admin: data.user?.is_admin || false, }; return user; } return null; } catch (error) { console.error("[Auth] Login failed:", error); try { const Sentry = await import("@sentry/nextjs"); Sentry.captureException(error); } catch { // Sentry 未安装或未配置,静默忽略 } return null; } }, }), ], session: { strategy: "jwt", }, callbacks: { async jwt({ token, user }) { // 初次登录:将用户信息写入 token if (user) { token.sub = user.id; token.accessToken = user.accessToken; token.refreshToken = (user as unknown as Record).refreshToken as string; token.id = user.id; token.is_admin = (user as unknown as Record).is_admin as boolean; // access token 有效期 1 小时 token.expires_at = Date.now() + 60 * 60 * 1000; return token; } // 后续请求:检查 access token 是否即将过期(提前 5 分钟刷新) const expiresAt = token.expires_at as number | undefined; if (expiresAt && expiresAt < Date.now() + 5 * 60 * 1000) { return refreshAccessToken(token as Record); } return token; }, async session({ session, token }) { session.accessToken = token.accessToken as string; session.refreshToken = token.refreshToken as string; // 将 refresh 失败错误传递给前端,以便触发重新登录 session.error = token.error as string | undefined; if (session.user) { session.user.id = token.id as string; session.user.is_admin = token.is_admin as boolean; } return session; }, }, pages: { signIn: "/login", }, };