feat: auth flow via same-origin ory elements (#438)

## Summary

Replaces the NextAuth (Auth.js) layer with a first-party, same-origin
auth flow built directly on Ory. The dashboard now acts as Hydra's
OAuth2 client **and** its consent/logout provider, drives an
authorization-code + PKCE flow, and carries the resulting OIDC tokens in
a single JWE-encrypted `e2b_session` cookie. Kratos owns the session;
the cookie is just a token cache, never the auth gate.

This removes `next-auth` / `@auth/core` entirely and the Auth.js
request-wrapping that had been fighting our sign-out and tRPC code
paths.

## Why

- Auth.js wrapped every request and re-issued a JWT session cookie on
the way out, which clobbered our sign-out cookie deletion and forced
awkward boundary shims (`authjs-boundary`, `authjs-session-boundary`,
`authjs-callbacks`).
- The OAuth2 redirect/PKCE/state handling was opaque inside the Auth.js
provider, making the Hydra ⇄ Kratos consent/logout dance hard to reason
about.

## What changed

**Auth flow (new routes)**
- `GET /api/auth/oauth/start` — builds the Hydra authorization request
(PKCE S256, state, nonce), stashes the verifier/state/nonce in a
short-lived httpOnly flow cookie, and 307-redirects to `/oauth2/auth`.
- `GET /api/auth/oauth/callback/ory` — validates state/nonce/PKCE,
exchanges the code, bootstraps the dashboard user from the id_token,
seals tokens into `e2b_session`. Failures route to the one-shot
`recover` guard so a stale callback can't loop.
- `GET /consent` — dashboard is Hydra's consent provider; accepts the
consent challenge and folds the identity's profile traits into the
id_token (without this, tokens carry `sub`/`iss` but no email/name and
bootstrap rejects the login).
- `GET /logout` — dashboard is Hydra's logout provider; accepts the
logout challenge, routes through Kratos' own logout first so
`ory_kratos_session` is cleared before Hydra finalizes.
- `sign-out` route now reads the id_token from `e2b_session` to build
the Hydra RP-logout URL and clears the cookie on the redirect.

**Session / tokens**
- New `e2b_session` cookie: JWE (`dir` + `A256GCM`) via `jose`, carrying
access/refresh/id tokens. Keyed by new `E2B_SESSION_SECRET` (replaces
`AUTH_SECRET`); domain-scoped so it works across the cluster's
subdomains.
- New `token-refresh` module refreshes the Hydra access token edge-side
(direct token-endpoint call, refresh skew, dead/unchanged/refreshed
states).
- New `kratos-session-edge` helper does an edge-safe Kratos `whoami` for
the middleware redirect gate; authoritative enforcement stays in
`getAuthContext`.

**UI**
- Ory Elements auth pages (`/login`, `/registration`, `/recovery`,
`/verification`) are now always same-origin — the
`NEXT_PUBLIC_ORY_CUSTOM_UI` flag and the legacy redirect fallbacks are
gone.
- Auth footer links switched from `next/link` to plain `<a>` so the
cross-origin start redirect stays a top-level document navigation (a
soft nav would turn it into a CORS request Hydra rejects).

**Plumbing**
- tRPC handler no longer wrapped by `auth()`; auth is resolved
per-procedure by the auth middleware (Kratos whoami + `e2b_session`).
- Deleted: `src/auth.ts`, the Auth.js boundary/callback shims,
`next-auth.d.ts`, and the `[...nextauth]` / `bootstrap-failed` routes.

**Dependencies**
- Removed `next-auth` (+ `@auth/core` and its transitive `@panva/hkdf`,
`preact*`).
- Added `jose` and `oauth4webapi` (direct, version-pinned).

**Env**
- Added `E2B_SESSION_SECRET`, optional `ORY_HYDRA_PUBLIC_URL`
(self-hosted Hydra issuer).
- Removed `AUTH_SECRET`, `AUTH_TRUST_HOST`, `NEXT_PUBLIC_ORY_CUSTOM_UI`.

## Testing

New unit + integration coverage for the rewritten flow: `oauth-client`,
`session-cookie`, `token-refresh`, `kratos-session-edge` (unit) and
`auth-ory-callback`, `auth-ory-consent`, `auth-ory-logout`, plus the
retained entrypoints/account-security suites (integration). The Auth.js
session-boundary test was removed with its module.

## Notes for reviewers

- **Env / deploy:** set `E2B_SESSION_SECRET` (`openssl rand -hex 32`) in
every environment before merge — `AUTH_SECRET` is no longer read.
- This is auth-critical; worth a careful pass on the callback
failure/recover paths and the logout ordering (Kratos before Hydra
finalize).

---------

Co-authored-by: ben-fornefeld <ben.fornefeld@gmail.com>
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: 3 people

.env.example

@@ -5,22 +5,23 @@
 ### Dashboard API admin token used for user bootstrap and creator email hydration
 DASHBOARD_API_ADMIN_TOKEN=your_dashboard_api_admin_token
 
-### Auth.js configuration
-### Generate with `npx auth secret` or `openssl rand -hex 32`.
-AUTH_SECRET=your_auth_secret
+### JWE key for the encrypted e2b_session cookie (carries the Hydra OIDC tokens).
+### Generate with `openssl rand -hex 32`.
+E2B_SESSION_SECRET=your_e2b_session_secret
 
 ### Ory Network configuration
 ORY_SDK_URL=https://your-project.projects.oryapis.com
+### OIDC issuer for the OAuth client. Falls back to ORY_SDK_URL on Ory Network;
+### set explicitly for self-hosted Hydra (e.g. http://localhost:4444).
+# ORY_HYDRA_PUBLIC_URL=http://localhost:4444
 ORY_OAUTH2_CLIENT_ID=your_ory_oauth2_client_id
 ORY_OAUTH2_CLIENT_SECRET=your_ory_oauth2_client_secret
 ### Access-token audience requested from Ory. Must match the backend JWT audience configuration.
 ORY_OAUTH2_AUDIENCE=https://api.e2b.dev
 ### Ory project admin API token used for IdentityApi lookups
 ORY_PROJECT_API_TOKEN=your_ory_project_api_token
 
-### Custom Ory UI: "true" on Preview/Staging, unset on Production.
-# NEXT_PUBLIC_ORY_CUSTOM_UI=true
-### Kratos public URL for the custom UI (self-hosted :4433; falls back to ORY_SDK_URL).
+### Browser-facing Kratos public URL for the Elements UI (self-hosted :4433; falls back to ORY_SDK_URL).
 # NEXT_PUBLIC_ORY_SDK_URL=http://localhost:4433
 
 ### Domain for the E2B cluster
@@ -41,8 +42,13 @@ NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
 ### Set both when running self-hosted; leave unset to use Ory Network with the PAT above.
 # ORY_KRATOS_ADMIN_URL=http://localhost:4434
 # ORY_HYDRA_ADMIN_URL=http://localhost:4445
-### Set to 1 outside Vercel-hosted production to allow Auth.js to trust the Host header
-# AUTH_TRUST_HOST=1
+
+### Fixed host whose OAuth callback/logout relays are registered in Hydra. Set on
+### preview deployments only (dynamic preview hosts can't register their own
+### redirect URIs); leave unset on staging/production/local, where sign-in stays
+### host-direct. The relay paths (/api/auth/oauth/relay, /api/auth/oauth/logout-relay)
+### must be added to the OAuth2 client's redirect_uris / post_logout_redirect_uris.
+# ORY_OAUTH_RELAY_ORIGIN=https://e2b-staging.dev
 
 # ENABLE_USER_BOOTSTRAP=0
 

.github/workflows/test.yml

@@ -45,7 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: unit-tests
     env:
-      AUTH_SECRET: test-auth-secret
+      E2B_SESSION_SECRET: test-session-secret
       ORY_SDK_URL: https://test-ory.projects.oryapis.com
       ORY_OAUTH2_CLIENT_ID: test-ory-client-id
       ORY_OAUTH2_CLIENT_SECRET: test-ory-client-secret

bun.lock

@@ -110,14 +110,15 @@
     "fast-xml-parser": "^5.3.5",
     "immer": "^10.1.1",
     "input-otp": "^1.4.2",
+    "jose": "^6.2.3",
     "micromatch": "^4.0.8",
     "motion": "^12.23.25",
     "nanoid": "^5.0.9",
     "next": "^16.2.7",
-    "next-auth": "^5.0.0-beta.31",
     "next-safe-action": "^8.0.11",
     "next-themes": "^0.4.6",
     "nuqs": "^2.7.0",
+    "oauth4webapi": "^3.8.6",
     "openapi-fetch": "^0.14.0",
     "pathe": "^2.0.3",
     "pino": "^9.7.0",

package.json

@@ -1,11 +1,5 @@
 import { redirect } from 'next/navigation'
-import { buildOryStartURL } from '@/core/server/auth/ory/build-start-url'
 
-type PageProps = {
-  searchParams: Promise<{ returnTo?: string }>
-}
-
-export default async function Page({ searchParams }: PageProps) {
-  const { returnTo } = await searchParams
-  redirect(buildOryStartURL('signin', returnTo))
+export default function Page() {
+  redirect('/recovery')
 }

src/app/(auth)/forgot-password/page.tsx

@@ -0,0 +1,115 @@
+import 'server-only'
+
+import { type NextRequest, NextResponse } from 'next/server'
+import { PROTECTED_URLS } from '@/configs/urls'
+import { ensureOryUserBootstrapped } from '@/core/server/auth/ory/dashboard-bootstrap'
+import { exchangeOryCallback } from '@/core/server/auth/ory/oauth-client'
+import {
+  E2B_OAUTH_FLOW_COOKIE,
+  ORY_RECOVER_PATH,
+  openOryFlowState,
+} from '@/core/server/auth/ory/oauth-flow'
+import { resolveOryRedirectUri } from '@/core/server/auth/ory/oauth-relay'
+import {
+  E2B_SESSION_COOKIE,
+  ORY_SIGNUP_METADATA_COOKIE,
+  sealSessionCookie,
+  sessionCookieOptions,
+} from '@/core/server/auth/ory/session-cookie'
+import {
+  buildOryLogoutUrl,
+  ORY_POST_LOGOUT_PATH,
+} from '@/core/server/auth/ory/signout'
+import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
+import { relativeUrlSchema } from '@/core/shared/schemas/url'
+
+// Hydra redirects here with ?code after Kratos created the session. We exchange
+// the code (validating state/nonce/PKCE), provision the dashboard user from the
+// id_token, then seal the OIDC tokens into e2b_session. Kratos already owns the
+// session at this point — this cookie only carries tokens for API access.
+export async function GET(request: NextRequest) {
+  const origin = request.nextUrl.origin
+  const flow = await openOryFlowState(
+    request.cookies.get(E2B_OAUTH_FLOW_COOKIE)?.value
+  )
+
+  if (!flow) {
+    l.warn(
+      { key: 'oauth_callback:missing_flow_state' },
+      'Ory callback hit without a valid flow-state cookie'
+    )
+    return finalize(NextResponse.redirect(new URL(ORY_RECOVER_PATH, origin)))
+  }
+
+  let tokens: Awaited<ReturnType<typeof exchangeOryCallback>>
+  try {
+    tokens = await exchangeOryCallback({
+      // A genuine global URL — oauth4webapi rejects NextURL (not `instanceof URL`).
+      currentUrl: new URL(request.url),
+      expectedState: flow.state,
+      expectedNonce: flow.nonce,
+      codeVerifier: flow.codeVerifier,
+      // Must be byte-identical to the authorize-time value (the registered
+      // relay URI on previews), not the host the code was delivered to.
+      redirectUri: resolveOryRedirectUri(origin).redirectUri,
+    })
+  } catch (error) {
+    l.error(
+      {
+        key: 'oauth_callback:exchange_failed',
+        error: serializeErrorForLog(error),
+      },
+      'Ory authorization code exchange failed'
+    )
+    return finalize(NextResponse.redirect(new URL(ORY_RECOVER_PATH, origin)))
+  }
+
+  const bootstrapped = await ensureOryUserBootstrapped({
+    accessToken: tokens.accessToken,
+    idToken: tokens.idToken,
+    provider: 'ory',
+  })
+
+  if (!bootstrapped) {
+    l.error(
+      { key: 'oauth_callback:bootstrap_failed' },
+      'dashboard bootstrap failed; ending the Ory session without a dashboard cookie'
+    )
+    // Don't strand the user with a half-provisioned login: end the Ory + Kratos
+    // session via RP-logout (falling back to home if no id_token is available).
+    const logoutUrl = tokens.idToken
+      ? await buildOryLogoutUrl({ idToken: tokens.idToken, origin })
+      : null
+    return finalize(
+      NextResponse.redirect(logoutUrl ?? new URL(ORY_POST_LOGOUT_PATH, origin))
+    )
+  }
+
+  const sealed = await sealSessionCookie({
+    accessToken: tokens.accessToken,
+    refreshToken: tokens.refreshToken,
+    idToken: tokens.idToken,
+    expiresAt: tokens.expiresAt,
+  })
+
+  // Re-validate here too: the flow cookie is read back as a raw string, and
+  // `new URL()` would otherwise escape the origin on a crafted returnTo.
+  const parsedReturnTo = relativeUrlSchema.safeParse(flow.returnTo)
+  const destination = parsedReturnTo.success
+    ? parsedReturnTo.data
+    : PROTECTED_URLS.DASHBOARD
+  const response = finalize(NextResponse.redirect(new URL(destination, origin)))
+  response.cookies.set(
+    E2B_SESSION_COOKIE,
+    sealed,
+    sessionCookieOptions(request.nextUrl.host)
+  )
+  return response
+}
+
+// Clears the one-shot transient cookies on every exit path.
+function finalize(response: NextResponse): NextResponse {
+  response.cookies.delete(E2B_OAUTH_FLOW_COOKIE)
+  response.cookies.delete(ORY_SIGNUP_METADATA_COOKIE)
+  return response
+}

src/app/api/auth/oauth/[...nextauth]/route.ts

@@ -0,0 +1,29 @@
+import 'server-only'
+
+import { type NextRequest, NextResponse } from 'next/server'
+import {
+  isAllowedRelayTarget,
+  openRelayState,
+} from '@/core/server/auth/ory/oauth-relay'
+import { ORY_POST_LOGOUT_PATH } from '@/core/server/auth/ory/signout'
+import { l } from '@/core/shared/clients/logger/logger'
+
+// Fixed-host post-logout relay (mirror of the login relay). Hydra returns here
+// after ending the session, with the sealed `state` carrying the preview origin;
+// we bounce the browser back to that preview's home. The sign-out route already
+// cleared the cookies on the preview before the Hydra hop, so this is a pure
+// redirect. See oauth-relay.ts.
+export async function GET(request: NextRequest) {
+  const origin = request.nextUrl.origin
+  const target = await openRelayState(request.nextUrl.searchParams.get('state'))
+
+  if (!target || !isAllowedRelayTarget(target)) {
+    l.warn(
+      { key: 'oauth_logout_relay:invalid_target' },
+      'Ory logout relay hit without a valid sealed target'
+    )
+    return NextResponse.redirect(new URL(ORY_POST_LOGOUT_PATH, origin))
+  }
+
+  return NextResponse.redirect(new URL(ORY_POST_LOGOUT_PATH, target))
+}

src/app/api/auth/oauth/bootstrap-failed/route.ts

@@ -12,10 +12,10 @@ export async function GET(request: NextRequest) {
 
   l.error(
     {
-      key: 'oauth_recover:auth_js_error',
+      key: 'oauth_recover:flow_failed',
       context: { error_code: errorCode, already_attempted: alreadyAttempted },
     },
-    'Auth.js OAuth flow failed; recovering user'
+    'OAuth flow failed; recovering user once before bailing to home'
   )
 
   const destination = alreadyAttempted ? '/' : AUTH_URLS.SIGN_IN