feat: SW-162 Updated as per review comments

2024-07-17 16:12:18 +02:00
parent 77feefb1dd
commit 8ab77a5522
5 changed files with 59 additions and 38 deletions
@@ -1,4 +1,4 @@
-import { decode,encode } from "@auth/core/jwt"
+import { encode } from "@auth/core/jwt"
 import { cookies } from "next/headers"
 import NextAuth from "next-auth"

@@ -22,18 +22,39 @@ function getLoginType(user: User) {
  }
 }

-const customProvider = {
+const sharedConfig = {
  clientId: env.CURITY_CLIENT_ID_USER,
  clientSecret: env.CURITY_CLIENT_SECRET_USER,
-  id: "curity",
-  name: "Curity",
-  type: "oidc",
  // FIXME: This is incorrect. We should not hard code this.
  //        It should be ${env.CURITY_ISSUER_USER}.
  //        This change requires sync between Curity deploy and CurrentWeb and NewWeb.
  issuer: "https://scandichotels.com",
  authorization: {
    url: `${env.CURITY_ISSUER_USER}/oauth/v2/authorize`,
+  },
+  token: {
+    url: `${env.CURITY_ISSUER_USER}/oauth/v2/token`,
+  },
+  userinfo: {
+    url: `${env.CURITY_ISSUER_USER}/oauth/v2/userinfo`,
+  },
+  profile(profile: User) {
+    return {
+      id: profile.id,
+      sub: profile.sub,
+      given_name: profile.given_name,
+      login_with: profile.login_with,
+    }
+  },
+}
+
+const curityProvider = {
+  ...sharedConfig,
+  id: "curity",
+  name: "Curity",
+  type: "oidc",
+  authorization: {
+    ...sharedConfig.authorization,
    params: {
      scope: ["openid", "profile"].join(" "),
      /**
@@ -44,27 +65,30 @@ const customProvider = {
      acr_values: "acr",
    },
  },
-  token: {
-    url: `${env.CURITY_ISSUER_USER}/oauth/v2/token`,
-  },
-  userinfo: {
-    url: `${env.CURITY_ISSUER_USER}/oauth/v2/userinfo`,
-  },
+} satisfies OIDCConfig<User>

-  profile(profile) {
-    return {
-      id: profile.id,
-      sub: profile.sub,
-      given_name: profile.given_name,
-      login_with: profile.login_with,
-      acr: profile.acr,
-    }
+const curityMFAProvider = {
+  ...sharedConfig,
+  id: "curity-mfa",
+  name: "Curity MFA",
+  type: "oidc",
+  authorization: {
+    ...sharedConfig.authorization,
+    params: {
+      scope: ["profile_update", "openid"].join(" "),
+      /**
+       * The below acr value is required as for New Web same Curity Client is used for MFA
+       * while in current web it is being setup using different Curity Client ID and secret
+       */
+      acr_values:
+        "urn:se:curity:authentication:otp-authenticator:OTP-Authenticator_web",
+    },
  },
 } satisfies OIDCConfig<User>

 export const config = {
  debug: env.NEXTAUTH_DEBUG,
-  providers: [customProvider],
+  providers: [curityProvider, curityMFAProvider],
  redirectProxyUrl: env.NEXTAUTH_REDIRECT_PROXY_URL,
  trustHost: true,
  session: {
@@ -117,10 +141,7 @@ export const config = {
      return true
    },
    async jwt({ account, session, token, trigger, user }) {
-      if (
-        user?.acr ==
-        "urn:se:curity:authentication:otp-authenticator:OTP-Authenticator_web"
-      ) {
+      if (account?.provider == "curity-mfa") {
        const cookieStore = cookies()
        const value = token.access_token
        const secret = env.NEXTAUTH_SECRET
@@ -135,6 +156,7 @@ export const config = {
        cookieStore.set("_SecureMFA-token", mfaCookie.toString(), {
          maxAge: maxAge,
        })
+        return null
      }

      const loginType = getLoginType(user)