feat: migrate to ory/elements and replace nextauth logic

Author: drankou

.env.example

@@ -5,22 +5,23 @@
 ### Dashboard API admin token used for user bootstrap and creator email hydration
 DASHBOARD_API_ADMIN_TOKEN=your_dashboard_api_admin_token
 
-### Auth.js configuration
-### Generate with `npx auth secret` or `openssl rand -hex 32`.
-AUTH_SECRET=your_auth_secret
+### JWE key for the encrypted e2b_session cookie (carries the Hydra OIDC tokens).
+### Generate with `openssl rand -hex 32`.
+E2B_SESSION_SECRET=your_e2b_session_secret
 
 ### Ory Network configuration
 ORY_SDK_URL=https://your-project.projects.oryapis.com
+### OIDC issuer for the OAuth client. Falls back to ORY_SDK_URL on Ory Network;
+### set explicitly for self-hosted Hydra (e.g. http://localhost:4444).
+# ORY_HYDRA_PUBLIC_URL=http://localhost:4444
 ORY_OAUTH2_CLIENT_ID=your_ory_oauth2_client_id
 ORY_OAUTH2_CLIENT_SECRET=your_ory_oauth2_client_secret
 ### Access-token audience requested from Ory. Must match the backend JWT audience configuration.
 ORY_OAUTH2_AUDIENCE=https://api.e2b.dev
 ### Ory project admin API token used for IdentityApi lookups
 ORY_PROJECT_API_TOKEN=your_ory_project_api_token
 
-### Custom Ory UI: "true" on Preview/Staging, unset on Production.
-# NEXT_PUBLIC_ORY_CUSTOM_UI=true
-### Kratos public URL for the custom UI (self-hosted :4433; falls back to ORY_SDK_URL).
+### Browser-facing Kratos public URL for the Elements UI (self-hosted :4433; falls back to ORY_SDK_URL).
 # NEXT_PUBLIC_ORY_SDK_URL=http://localhost:4433
 
 ### Domain for the E2B cluster
@@ -41,8 +42,6 @@ NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
 ### Set both when running self-hosted; leave unset to use Ory Network with the PAT above.
 # ORY_KRATOS_ADMIN_URL=http://localhost:4434
 # ORY_HYDRA_ADMIN_URL=http://localhost:4445
-### Set to 1 outside Vercel-hosted production to allow Auth.js to trust the Host header
-# AUTH_TRUST_HOST=1
 
 # ENABLE_USER_BOOTSTRAP=0
 

bun.lock

@@ -108,14 +108,15 @@
     "fast-xml-parser": "^5.3.5",
     "immer": "^10.1.1",
     "input-otp": "^1.4.2",
+    "jose": "^6.2.3",
     "micromatch": "^4.0.8",
     "motion": "^12.23.25",
     "nanoid": "^5.0.9",
     "next": "^16.2.7",
-    "next-auth": "^5.0.0-beta.31",
     "next-safe-action": "^8.0.11",
     "next-themes": "^0.4.6",
     "nuqs": "^2.7.0",
+    "oauth4webapi": "^3.8.6",
     "openapi-fetch": "^0.14.0",
     "pathe": "^2.0.3",
     "pino": "^9.7.0",

package.json

@@ -0,0 +1,107 @@
+import 'server-only'
+
+import { type NextRequest, NextResponse } from 'next/server'
+import { PROTECTED_URLS } from '@/configs/urls'
+import { ensureOryUserBootstrapped } from '@/core/server/auth/ory/dashboard-bootstrap'
+import { exchangeOryCallback } from '@/core/server/auth/ory/oauth-client'
+import {
+  E2B_OAUTH_FLOW_COOKIE,
+  OAUTH_CALLBACK_PATH,
+  parseOryFlowState,
+} from '@/core/server/auth/ory/oauth-flow'
+import {
+  E2B_SESSION_COOKIE,
+  orySessionCookieOptions,
+  sealOrySession,
+} from '@/core/server/auth/ory/session-cookie'
+import {
+  buildOryLogoutUrl,
+  ORY_POST_LOGOUT_PATH,
+} from '@/core/server/auth/ory/signout'
+import { ORY_SIGNUP_METADATA_COOKIE } from '@/core/server/auth/ory/signup-metadata'
+import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
+
+// Failures land on the recover route, whose one-shot guard retries the flow
+// once (via /sign-in → /start, which mints a fresh flow cookie) before bailing
+// to home — so a stale/invalid callback can't loop.
+const ORY_RECOVER_PATH = '/api/auth/oauth/recover'
+
+// Hydra redirects here with ?code after Kratos created the session. We exchange
+// the code (validating state/nonce/PKCE), provision the dashboard user from the
+// id_token, then seal the OIDC tokens into e2b_session. Kratos already owns the
+// session at this point — this cookie only carries tokens for API access.
+export async function GET(request: NextRequest) {
+  const origin = request.nextUrl.origin
+  const flow = parseOryFlowState(
+    request.cookies.get(E2B_OAUTH_FLOW_COOKIE)?.value
+  )
+
+  if (!flow) {
+    l.warn(
+      { key: 'oauth_callback:missing_flow_state' },
+      'Ory callback hit without a valid flow-state cookie'
+    )
+    return finalize(NextResponse.redirect(new URL(ORY_RECOVER_PATH, origin)))
+  }
+
+  let tokens: Awaited<ReturnType<typeof exchangeOryCallback>>
+  try {
+    tokens = await exchangeOryCallback({
+      // A genuine global URL — oauth4webapi rejects NextURL (not `instanceof URL`).
+      currentUrl: new URL(request.url),
+      expectedState: flow.state,
+      expectedNonce: flow.nonce,
+      codeVerifier: flow.codeVerifier,
+      redirectUri: new URL(OAUTH_CALLBACK_PATH, origin).toString(),
+    })
+  } catch (error) {
+    l.error(
+      {
+        key: 'oauth_callback:exchange_failed',
+        error: serializeErrorForLog(error),
+      },
+      'Ory authorization code exchange failed'
+    )
+    return finalize(NextResponse.redirect(new URL(ORY_RECOVER_PATH, origin)))
+  }
+
+  const bootstrapped = await ensureOryUserBootstrapped({
+    accessToken: tokens.accessToken,
+    idToken: tokens.idToken,
+    provider: 'ory',
+  })
+
+  if (!bootstrapped) {
+    l.error(
+      { key: 'oauth_callback:bootstrap_failed' },
+      'dashboard bootstrap failed; ending the Ory session without a dashboard cookie'
+    )
+    // Don't strand the user with a half-provisioned login: end the Ory + Kratos
+    // session via RP-logout (falling back to home if no id_token is available).
+    const logoutUrl = tokens.idToken
+      ? buildOryLogoutUrl({ idToken: tokens.idToken, origin })
+      : null
+    return finalize(
+      NextResponse.redirect(logoutUrl ?? new URL(ORY_POST_LOGOUT_PATH, origin))
+    )
+  }
+
+  const sealed = await sealOrySession({
+    accessToken: tokens.accessToken,
+    refreshToken: tokens.refreshToken,
+    idToken: tokens.idToken,
+    expiresAt: tokens.expiresAt,
+  })
+
+  const destination = flow.returnTo ?? PROTECTED_URLS.DASHBOARD
+  const response = finalize(NextResponse.redirect(new URL(destination, origin)))
+  response.cookies.set(E2B_SESSION_COOKIE, sealed, orySessionCookieOptions())
+  return response
+}
+
+// Clears the one-shot transient cookies on every exit path.
+function finalize(response: NextResponse): NextResponse {
+  response.cookies.delete(E2B_OAUTH_FLOW_COOKIE)
+  response.cookies.delete(ORY_SIGNUP_METADATA_COOKIE)
+  return response
+}

src/app/api/auth/oauth/[...nextauth]/route.ts

@@ -12,10 +12,10 @@ export async function GET(request: NextRequest) {
 
   l.error(
     {
-      key: 'oauth_recover:auth_js_error',
+      key: 'oauth_recover:flow_failed',
       context: { error_code: errorCode, already_attempted: alreadyAttempted },
     },
-    'Auth.js OAuth flow failed; recovering user'
+    'OAuth flow failed; recovering user once before bailing to home'
   )
 
   const destination = alreadyAttempted ? '/' : AUTH_URLS.SIGN_IN