feat(SW-162): Used token instead of cookie

auth.ts

@@ -1,5 +1,3 @@
-import { encode } from "@auth/core/jwt"
-import { cookies } from "next/headers"
 import NextAuth from "next-auth"
 
 import { env } from "@/env/server"
@@ -22,7 +20,10 @@ function getLoginType(user: User) {
   }
 }
 
-const sharedConfig = {
+const curityProvider = {
+  id: "curity",
+  name: "Curity",
+  type: "oidc",
   clientId: env.CURITY_CLIENT_ID_USER,
   clientSecret: env.CURITY_CLIENT_SECRET_USER,
   // FIXME: This is incorrect. We should not hard code this.
@@ -46,49 +47,11 @@ const sharedConfig = {
       login_with: profile.login_with,
     }
   },
-}
-
-const curityProvider = {
-  ...sharedConfig,
-  id: "curity",
-  name: "Curity",
-  type: "oidc",
-  authorization: {
-    ...sharedConfig.authorization,
-    params: {
-      scope: ["openid", "profile"].join(" "),
-      /**
-       * The `acr_values` param is used to make Curity display the proper login
-       * page for Scandic. Without the parameter Curity presents some choices
-       * to the user which we do not want.
-       */
-      acr_values: "acr",
-    },
-  },
-} satisfies OIDCConfig<User>
-
-const curityMFAProvider = {
-  ...sharedConfig,
-  id: "curity-mfa",
-  name: "Curity MFA",
-  type: "oidc",
-  authorization: {
-    ...sharedConfig.authorization,
-    params: {
-      scope: ["profile_update", "openid", "profile"].join(" "),
-      /**
-       * The below acr value is required as for New Web same Curity Client is used for MFA
-       * while in current web it is being setup using different Curity Client ID and secret
-       */
-      acr_values:
-        "urn:se:curity:authentication:otp-authenticator:OTP-Authenticator_web",
-    },
-  },
 } satisfies OIDCConfig<User>
 
 export const config = {
   debug: env.NEXTAUTH_DEBUG,
-  providers: [curityProvider, curityMFAProvider],
+  providers: [curityProvider],
   redirectProxyUrl: env.NEXTAUTH_REDIRECT_PROXY_URL,
   trustHost: true,
   session: {
@@ -140,23 +103,13 @@ export const config = {
     async authorized({ auth, request }) {
       return true
     },
-    async jwt({ account, session, token, trigger, user }) {
-      if (account?.provider == "curity-mfa") {
-        const cookieStore = cookies()
-        // As new scope/token is added to existing session we will add separate cookie to validate MFA done
-        cookieStore.set({
-          name: "_MFA-validated-cookie",
-          value: "true",
-          httpOnly: true,
-          sameSite: "lax",
-          expires: token.expires_at
-            ? token.expires_at * 1000
-            : Date.now() + 10 * 60 * 1000,
-        })
-      }
-
+    async jwt({ account, token, trigger, user, profile }) {
       const loginType = getLoginType(user)
-      if (account) {
+      if (trigger === "signIn" && account) {
+        const mfa_scope =
+          profile?.amr ==
+          "urn:se:curity:authentication:otp-authenticator:OTP-Authenticator_web"
+        const mfa_expires_at = mfa_scope ? Date.now() + 10 * 60 * 1000 : 0
         return {
           access_token: account.access_token,
           expires_at: account.expires_at
@@ -164,6 +117,8 @@ export const config = {
             : undefined,
           refresh_token: account.refresh_token,
           loginType,
+          mfa_scope: mfa_scope,
+          mfa_expires_at: mfa_expires_at,
         }
       } else if (Date.now() < token.expires_at) {
         return token