ec1506dc82
Wire up NextAuth v5 with @auth/pg-adapter, JWT sessions (edge-friendly), and a dev Credentials provider for local testing without Google OAuth. Stack - next-auth@5.0.0-beta.31, @auth/pg-adapter@1.11.2, @types/pg - Google OAuth provider via GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET (falls back to AUTH_GOOGLE_ID / AUTH_GOOGLE_SECRET) - Postgres adapter wired to a single pg.Pool in src/lib/db.ts style — reads DATABASE_URL with SUPABASE_DB_URL / POSTGRES_URL fallbacks - JWT session strategy (edge-safe) so the proxy can verify sessions without a DB round-trip Files - src/auth.config.ts edge-safe config (Google + authorized cb) - src/lib/auth.ts server config (adapter + dev Credentials) - src/proxy.ts Next.js 16 proxy (was middleware.ts) - src/app/api/auth/[...nextauth]/route.ts catch-all handler - src/app/protected-example/page.tsx demo page that renders auth() session - src/actions/auth-signin.ts signInWithGoogle, signInWithDev, signOutAction server actions - src/app/login/LoginClient.tsx added "Sign in with Google" + dev form - supabase/migrations/204_authjs_tables.sql users / accounts / sessions / verification_token schema (UUID-keyed) - .env.example AUTH_SECRET, AUTH_URL, GOOGLE_CLIENT_*, DATABASE_URL, ALLOW_DEV_LOGIN Removed - src/middleware.ts deleted; Next.js 16 only runs one proxy (the new src/proxy.ts is canonical) Routes - /login, /admin, /admin/*, /protected-example proxy matcher - /api/auth/{providers,csrf,signin/<provider>,callback/<provider>, session,signout} standard Auth.js endpoints Local dev - npm run dev (now runs on port 4000) - push migration 204 then visit /login - dev signin works with any non-empty username/password (hidden when ALLOW_DEV_LOGIN=false) - Google signin requires real GOOGLE_CLIENT_ID + redirect URI http://localhost:4000/api/auth/callback/google Verified - tsc --noEmit clean - /admin, /admin/orders, /protected-example → 307 to /login when unauthenticated - /api/auth/session returns user after signin - /protected-example renders session info - /api/auth/providers returns google + dev-login Docs - CLAUDE.md and MEMORY.md updated to reflect the Supabase → Postgres + Auth.js v5 pivot Gradual migration in progress - src/lib/admin-permissions.ts still uses dev_session / rc_auth_uid; the admin shell will show 'Access Denied' for Auth.js-only sessions until each page is flipped over - @supabase/* packages remain in package.json for the same reason - production deployment (AUTH_URL=https://, __Secure- cookies) is out of scope for this pass
83 lines
4.1 KiB
Bash
83 lines
4.1 KiB
Bash
# ============================================================================
|
|
# Route Commerce — Environment variables
|
|
# ============================================================================
|
|
# Copy to `.env.local` and fill in real values for local development.
|
|
# Production: set these in your hosting dashboard (Vercel / Netlify / etc.).
|
|
# ============================================================================
|
|
|
|
# ── App ─────────────────────────────────────────────────────────────────────
|
|
NEXT_PUBLIC_BASE_URL=http://localhost:4000
|
|
NEXT_PUBLIC_SITE_URL=http://localhost:4000
|
|
|
|
# ── Database (Postgres, direct — Supabase is being removed) ────────────────
|
|
# Single connection string used by `pg.Pool` in src/lib/auth.ts and the
|
|
# admin-permissions / data-service layer. Format:
|
|
# postgresql://USER:PASS@HOST:PORT/DBNAME?sslmode=require
|
|
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/route_commerce
|
|
|
|
# ── Auth.js (NextAuth v5) ───────────────────────────────────────────────────
|
|
# Generate with: npx auth secret
|
|
# Or: openssl rand -base64 32
|
|
AUTH_SECRET=replace-me-with-a-32-byte-base64-string
|
|
|
|
# Base URL used to build OAuth callback URLs. In dev:
|
|
AUTH_URL=http://localhost:4000
|
|
# In production, set to https://yourdomain.com
|
|
|
|
# Google OAuth provider.
|
|
# 1. Go to https://console.cloud.google.com/apis/credentials
|
|
# 2. Create an OAuth 2.0 Client ID (type: Web application)
|
|
# 3. Add Authorized redirect URI: http://localhost:3000/api/auth/callback/google
|
|
# 4. Copy client id + client secret below
|
|
GOOGLE_CLIENT_ID=
|
|
GOOGLE_CLIENT_SECRET=
|
|
|
|
# Auth.js also reads AUTH_GOOGLE_ID / AUTH_GOOGLE_SECRET if you prefer the
|
|
# default NextAuth variable names. The code in src/auth.config.ts falls
|
|
# back to those names if GOOGLE_CLIENT_ID is unset.
|
|
|
|
# Set to "false" to disable the in-app dev credentials provider even in
|
|
# development. Default: enabled in dev only.
|
|
ALLOW_DEV_LOGIN=true
|
|
|
|
# ── Supabase (legacy, being removed) ────────────────────────────────────────
|
|
# Still used by the existing admin pages, server actions, and the
|
|
# `getAdminUser` flow. Once the auth migration is complete and the
|
|
# @supabase/* packages are removed, these can go away.
|
|
NEXT_PUBLIC_SUPABASE_URL=
|
|
NEXT_PUBLIC_SUPABASE_ANON_KEY=
|
|
SUPABASE_SERVICE_ROLE_KEY=
|
|
|
|
# ── Stripe ─────────────────────────────────────────────────────────────────
|
|
STRIPE_SECRET_KEY=
|
|
STRIPE_WEBHOOK_SECRET=
|
|
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
|
|
STRIPE_PRICE_STARTER=
|
|
STRIPE_PRICE_FARM=
|
|
STRIPE_PRICE_ENTERPRISE=
|
|
STRIPE_PRICE_HARVEST_REACH=
|
|
STRIPE_PRICE_WHOLESALE_PORTAL=
|
|
STRIPE_PRICE_WATER_LOG=
|
|
STRIPE_PRICE_AI_TOOLS=
|
|
STRIPE_PRICE_SQUARE_SYNC=
|
|
STRIPE_PRICE_SMS_CAMPAIGNS=
|
|
|
|
# ── Resend (transactional email) ────────────────────────────────────────────
|
|
RESEND_API_KEY=
|
|
RESEND_WEBHOOK_SECRET=
|
|
|
|
# ── AI providers ────────────────────────────────────────────────────────────
|
|
OPENAI_API_KEY=
|
|
ANTHROPIC_API_KEY=
|
|
GOOGLE_API_KEY=
|
|
XAI_API_KEY=
|
|
MINIMAX_API_KEY=
|
|
MINIMAX_BASE_URL=https://api.minimax.io/v1
|
|
|
|
# ── Square (optional) ───────────────────────────────────────────────────────
|
|
SQUARE_APP_SECRET=
|
|
SQUARE_ENVIRONMENT=sandbox
|
|
|
|
# ── Cron / automation ───────────────────────────────────────────────────────
|
|
CRON_SECRET=replace-me-with-a-random-string
|