feat: SW-162 MFA for Profile implemented

app/[lang]/(live)/(protected)/logout/route.ts

@@ -1,5 +1,5 @@
 import { createActionURL } from "@auth/core"
-import { headers as nextHeaders } from "next/headers"
+import { cookies,headers as nextHeaders } from "next/headers"
 import { NextRequest, NextResponse } from "next/server"
 import { AuthError } from "next-auth"
 
@@ -63,6 +63,8 @@ export async function GET(
     console.log({ logout_NEXTAUTH_URL: process.env.NEXTAUTH_URL })
     console.log({ logout_env: process.env })
 
+    const cookieStore = cookies()
+    cookieStore.set("_SecureMFA-token", "", { maxAge: 0 })
     const headers = new Headers(nextHeaders())
     const signOutURL = createActionURL(
       "signout",

app/[lang]/(live)/(protected)/mfa-login/route.ts

@@ -0,0 +1,81 @@
+import { NextRequest, NextResponse } from "next/server"
+import { AuthError } from "next-auth"
+
+import { Lang } from "@/constants/languages"
+import { env } from "@/env/server"
+import { internalServerError } from "@/server/errors/next"
+
+import { signIn } from "@/auth"
+
+export async function GET(
+  request: NextRequest,
+  context: { params: { lang: Lang } }
+) {
+  let redirectHeaders: Headers | undefined = undefined
+  let redirectTo: string
+
+  const returnUrl = request.headers.get("x-returnurl")
+
+  if (returnUrl) {
+    // Seamless login request from Current web
+    redirectTo = returnUrl
+  } else {
+    // Normal login request from New web
+    redirectTo =
+      request.cookies.get("redirectTo")?.value || // Cookie gets set by authRequired middleware
+      request.nextUrl.searchParams.get("redirectTo") ||
+      "/"
+
+    // Make relative URL to absolute URL
+    if (redirectTo.startsWith("/")) {
+      if (!env.PUBLIC_URL) {
+        throw internalServerError("No value for env.PUBLIC_URL")
+      }
+      redirectTo = new URL(redirectTo, env.PUBLIC_URL).href
+    }
+
+    // Clean up cookie from authRequired middleware
+    redirectHeaders = new Headers()
+    redirectHeaders.append(
+      "set-cookie",
+      "redirectTo=; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Path=/; HttpOnly; SameSite=Lax"
+    )
+  }
+
+  try {
+    /**
+     * Passing `redirect: false` to `signIn` will return the URL instead of
+     * automatically redirecting to it inside of `signIn`.
+     * https://github.com/nextauthjs/next-auth/blob/3c035ec/packages/next-auth/src/lib/actions.ts#L76
+     */
+    const redirectUrl = await signIn(
+      "curity",
+      {
+        redirectTo,
+        redirect: false,
+      },
+      {
+        ui_locales: context.params.lang,
+        scope: "profile_update openid",
+        // The below acr value is required as for New Web same Curity Client is used for MFA
+        // while in current web it is being setup using different Curity Client ID and secret
+        acr_values:
+          "urn:se:curity:authentication:otp-authenticator:OTP-Authenticator_web",
+      }
+    )
+
+    if (redirectUrl) {
+      return NextResponse.redirect(redirectUrl, {
+        headers: redirectHeaders,
+      })
+    }
+  } catch (error) {
+    if (error instanceof AuthError) {
+      console.error({ signInAuthError: error })
+    } else {
+      console.error({ signInError: error })
+    }
+  }
+
+  return internalServerError()
+}