geo/frontend/lib/auth.ts

113 lines
3.5 KiB
TypeScript

import { NextAuthOptions } from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";
import { api } from "@/lib/api";
/** 尝试使用 refresh token 获取新的 access token */
async function refreshAccessToken(token: Record<string, unknown>) {
try {
const backendUrl = process.env.NEXT_PUBLIC_API_URL || "http://localhost:8000";
const res = await fetch(`${backendUrl}/api/v1/auth/refresh`, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ refresh_token: token.refreshToken }),
});
if (!res.ok) {
throw new Error(`Refresh failed: ${res.status}`);
}
const data = await res.json();
return {
...token,
accessToken: data.access_token,
refreshToken: data.refresh_token, // 滑动过期:更新为新 refresh token
// 新 access token 有效期 1 小时
expires_at: Date.now() + 60 * 60 * 1000,
error: undefined,
};
} catch (error) {
// 刷新失败:标记错误,让前端展示重新登录
return {
...token,
error: "RefreshAccessTokenError",
};
}
}
export const authOptions: NextAuthOptions = {
providers: [
CredentialsProvider({
name: "credentials",
credentials: {
email: { label: "邮箱", type: "email" },
password: { label: "密码", type: "password" },
},
async authorize(credentials) {
if (!credentials?.email || !credentials?.password) {
return null;
}
try {
const res = await api.auth.login({
email: credentials.email,
password: credentials.password,
});
if (res.access_token) {
const user = {
id: res.user?.id || credentials.email,
name: res.user?.name,
email: res.user?.email,
accessToken: res.access_token,
refreshToken: res.refresh_token,
is_admin: res.user?.is_admin || false,
};
return user;
}
return null;
} catch (error) {
return null;
}
},
}),
],
session: {
strategy: "jwt",
},
callbacks: {
async jwt({ token, user }) {
// 初次登录:将用户信息写入 token
if (user) {
token.sub = user.id;
token.accessToken = user.accessToken;
token.refreshToken = (user as unknown as Record<string, unknown>).refreshToken as string;
token.id = user.id;
token.is_admin = (user as unknown as Record<string, unknown>).is_admin as boolean;
// access token 有效期 1 小时
token.expires_at = Date.now() + 60 * 60 * 1000;
return token;
}
// 后续请求:检查 access token 是否即将过期(提前 5 分钟刷新)
const expiresAt = token.expires_at as number | undefined;
if (expiresAt && expiresAt < Date.now() + 5 * 60 * 1000) {
return refreshAccessToken(token as Record<string, unknown>);
}
return token;
},
async session({ session, token }) {
session.accessToken = token.accessToken as string;
session.refreshToken = token.refreshToken as string;
// 将 refresh 失败错误传递给前端,以便触发重新登录
session.error = token.error as string | undefined;
if (session.user) {
session.user.id = token.id as string;
session.user.is_admin = token.is_admin as boolean;
}
return session;
},
},
pages: {
signIn: "/login",
},
};