|
1 | 1 | 'use server'; |
2 | 2 |
|
| 3 | +import * as Sentry from '@sentry/nextjs'; |
| 4 | +import { z } from 'zod/v4'; |
3 | 5 | import { createClient } from '@/utils/supabase/server'; |
4 | 6 | import { AUTH_CALLBACK_PATH } from '@/lib/constants'; |
| 7 | +import { validateNext } from '@/lib/auth-redirect'; |
5 | 8 |
|
6 | 9 | const appUrl = process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3001'; |
7 | 10 |
|
8 | | -function validateNext(next: string | null): string { |
9 | | - const allowedPrefixes = ['/dashboard', '/aluno'] as const; |
10 | | - if (next && allowedPrefixes.some((p) => next.startsWith(p)) && !next.startsWith('//')) { |
11 | | - return next; |
12 | | - } |
13 | | - return '/login'; |
14 | | -} |
15 | | - |
16 | 11 | function callbackUrl(next?: string | null): string { |
17 | | - const safeNext = validateNext(next ?? null); |
| 12 | + const validated = validateNext(next); |
| 13 | + // validateNext's inert fallback is '/'; for the OAuth callback we need a |
| 14 | + // concrete post-login destination, so map the inert '/' → '/login' the same |
| 15 | + // way callback/route.ts does. |
| 16 | + const safeNext = validated === '/' ? '/login' : validated; |
18 | 17 | return `${appUrl}${AUTH_CALLBACK_PATH}?next=${encodeURIComponent(safeNext)}`; |
19 | 18 | } |
20 | 19 |
|
| 20 | +const MagicLinkSchema = z.object({ |
| 21 | + email: z.email({ error: 'Email is required' }), |
| 22 | +}); |
| 23 | + |
21 | 24 | export async function signInWithMagicLink(formData: FormData): Promise<{ error?: string }> { |
22 | | - const email = formData.get('email') as string; |
23 | | - if (!email) return { error: 'Email is required' }; |
| 25 | + const parsed = MagicLinkSchema.safeParse({ email: formData.get('email') }); |
| 26 | + if (!parsed.success) return { error: parsed.error.issues[0]?.message ?? 'Email is required' }; |
24 | 27 |
|
25 | 28 | const supabase = await createClient(); |
26 | 29 | const { error } = await supabase.auth.signInWithOtp({ |
27 | | - email, |
| 30 | + email: parsed.data.email, |
28 | 31 | options: { |
29 | 32 | emailRedirectTo: callbackUrl('/aluno/dashboard'), |
30 | 33 | shouldCreateUser: true, |
31 | 34 | }, |
32 | 35 | }); |
33 | 36 |
|
34 | | - if (error) return { error: error.message }; |
| 37 | + if (error) { |
| 38 | + Sentry.captureException(error, { tags: { auth: 'magic-link' } }); |
| 39 | + return { error: error.message }; |
| 40 | + } |
35 | 41 | return {}; |
36 | 42 | } |
37 | 43 |
|
38 | | -export async function signInWithGoogle(next?: string): Promise<{ error?: string }> { |
| 44 | +/** |
| 45 | + * Shared OAuth sign-in. `data.url` is the provider authorize URL; tunnel it |
| 46 | + * through `error` (existing public API contract) so the client can |
| 47 | + * `window.location.href = result.error` when it starts with `http`. |
| 48 | + */ |
| 49 | +async function signInWithOAuth(provider: 'google' | 'github' | 'apple', next?: string) { |
39 | 50 | const supabase = await createClient(); |
40 | 51 | const { data, error } = await supabase.auth.signInWithOAuth({ |
41 | | - provider: 'google', |
42 | | - options: { |
43 | | - redirectTo: callbackUrl(next), |
44 | | - }, |
| 52 | + provider, |
| 53 | + options: { redirectTo: callbackUrl(next) }, |
45 | 54 | }); |
46 | 55 |
|
47 | | - if (error) return { error: error.message }; |
| 56 | + if (error) { |
| 57 | + Sentry.captureException(error, { tags: { auth: provider } }); |
| 58 | + return { error: error.message }; |
| 59 | + } |
48 | 60 | if (data.url) return { error: data.url }; |
49 | 61 | return { error: 'No redirect URL returned' }; |
50 | 62 | } |
51 | 63 |
|
52 | | -export async function signInWithGitHub(next?: string): Promise<{ error?: string }> { |
53 | | - const supabase = await createClient(); |
54 | | - const { data, error } = await supabase.auth.signInWithOAuth({ |
55 | | - provider: 'github', |
56 | | - options: { |
57 | | - redirectTo: callbackUrl(next), |
58 | | - }, |
59 | | - }); |
| 64 | +export async function signInWithGoogle(next?: string): Promise<{ error?: string }> { |
| 65 | + return signInWithOAuth('google', next); |
| 66 | +} |
60 | 67 |
|
61 | | - if (error) return { error: error.message }; |
62 | | - if (data.url) return { error: data.url }; |
63 | | - return { error: 'No redirect URL returned' }; |
| 68 | +export async function signInWithGitHub(next?: string): Promise<{ error?: string }> { |
| 69 | + return signInWithOAuth('github', next); |
64 | 70 | } |
65 | 71 |
|
66 | 72 | export async function signInWithApple(next?: string): Promise<{ error?: string }> { |
67 | | - const supabase = await createClient(); |
68 | | - const { data, error } = await supabase.auth.signInWithOAuth({ |
69 | | - provider: 'apple', |
70 | | - options: { |
71 | | - redirectTo: callbackUrl(next), |
72 | | - }, |
73 | | - }); |
74 | | - |
75 | | - if (error) return { error: error.message }; |
76 | | - if (data.url) return { error: data.url }; |
77 | | - return { error: 'No redirect URL returned' }; |
| 73 | + return signInWithOAuth('apple', next); |
78 | 74 | } |
0 commit comments