113 lines
3.5 KiB
TypeScript
113 lines
3.5 KiB
TypeScript
import { NextAuthOptions } from "next-auth";
|
|
import CredentialsProvider from "next-auth/providers/credentials";
|
|
import { api } from "@/lib/api";
|
|
|
|
/** 尝试使用 refresh token 获取新的 access token */
|
|
async function refreshAccessToken(token: Record<string, unknown>) {
|
|
try {
|
|
const backendUrl = process.env.NEXT_PUBLIC_API_URL || "http://localhost:8000";
|
|
const res = await fetch(`${backendUrl}/api/v1/auth/refresh`, {
|
|
method: "POST",
|
|
headers: { "Content-Type": "application/json" },
|
|
body: JSON.stringify({ refresh_token: token.refreshToken }),
|
|
});
|
|
|
|
if (!res.ok) {
|
|
throw new Error(`Refresh failed: ${res.status}`);
|
|
}
|
|
|
|
const data = await res.json();
|
|
return {
|
|
...token,
|
|
accessToken: data.access_token,
|
|
refreshToken: data.refresh_token, // 滑动过期:更新为新 refresh token
|
|
// 新 access token 有效期 1 小时
|
|
expires_at: Date.now() + 60 * 60 * 1000,
|
|
error: undefined,
|
|
};
|
|
} catch (error) {
|
|
// 刷新失败:标记错误,让前端展示重新登录
|
|
return {
|
|
...token,
|
|
error: "RefreshAccessTokenError",
|
|
};
|
|
}
|
|
}
|
|
|
|
export const authOptions: NextAuthOptions = {
|
|
providers: [
|
|
CredentialsProvider({
|
|
name: "credentials",
|
|
credentials: {
|
|
email: { label: "邮箱", type: "email" },
|
|
password: { label: "密码", type: "password" },
|
|
},
|
|
async authorize(credentials) {
|
|
if (!credentials?.email || !credentials?.password) {
|
|
return null;
|
|
}
|
|
try {
|
|
const res = await api.auth.login({
|
|
email: credentials.email,
|
|
password: credentials.password,
|
|
});
|
|
if (res.access_token) {
|
|
const user = {
|
|
id: res.user?.id || credentials.email,
|
|
name: res.user?.name,
|
|
email: res.user?.email,
|
|
accessToken: res.access_token,
|
|
refreshToken: res.refresh_token,
|
|
is_admin: res.user?.is_admin || false,
|
|
};
|
|
return user;
|
|
}
|
|
return null;
|
|
} catch (error) {
|
|
return null;
|
|
}
|
|
},
|
|
}),
|
|
],
|
|
session: {
|
|
strategy: "jwt",
|
|
},
|
|
callbacks: {
|
|
async jwt({ token, user }) {
|
|
// 初次登录:将用户信息写入 token
|
|
if (user) {
|
|
token.sub = user.id;
|
|
token.accessToken = user.accessToken;
|
|
token.refreshToken = (user as unknown as Record<string, unknown>).refreshToken as string;
|
|
token.id = user.id;
|
|
token.is_admin = (user as unknown as Record<string, unknown>).is_admin as boolean;
|
|
// access token 有效期 1 小时
|
|
token.expires_at = Date.now() + 60 * 60 * 1000;
|
|
return token;
|
|
}
|
|
|
|
// 后续请求:检查 access token 是否即将过期(提前 5 分钟刷新)
|
|
const expiresAt = token.expires_at as number | undefined;
|
|
if (expiresAt && expiresAt < Date.now() + 5 * 60 * 1000) {
|
|
return refreshAccessToken(token as Record<string, unknown>);
|
|
}
|
|
|
|
return token;
|
|
},
|
|
async session({ session, token }) {
|
|
session.accessToken = token.accessToken as string;
|
|
session.refreshToken = token.refreshToken as string;
|
|
// 将 refresh 失败错误传递给前端,以便触发重新登录
|
|
session.error = token.error as string | undefined;
|
|
if (session.user) {
|
|
session.user.id = token.id as string;
|
|
session.user.is_admin = token.is_admin as boolean;
|
|
}
|
|
return session;
|
|
},
|
|
},
|
|
pages: {
|
|
signIn: "/login",
|
|
},
|
|
};
|