feat: add optional Google OAuth authentication

Gate dashboard access behind Google sign-in when AUTH_SECRET is set.
Uses Auth.js v5 with JWT sessions (no DB changes), Next.js 16 proxy,
domain/email restriction, and sign-out menu in nav bar.

Made-with: Cursor

Author: ofershap

.env.example

@@ -11,6 +11,14 @@ ALERT_EMAIL_TO=team-lead@yourcompany.com
 
 CRON_SECRET=your-secret-for-cron-endpoint
 
-DASHBOARD_PASSWORD=
+# Authentication (optional — dashboard is open when these are not set)
+# Setting AUTH_SECRET enables Google OAuth sign-in
+AUTH_SECRET=                               # openssl rand -base64 32
+AUTH_GOOGLE_ID=                            # Google OAuth client ID
+AUTH_GOOGLE_SECRET=                        # Google OAuth client secret
+AUTH_ALLOWED_DOMAIN=                       # e.g. yourcompany.com (only this domain can sign in)
+AUTH_ALLOWED_EMAILS=                       # comma-separated allowlist, e.g. admin@example.com,viewer@example.com
+AUTH_TRUST_HOST=true                       # required when behind a reverse proxy (Fly.io, Vercel, etc.)
+AUTH_URL=                                  # public URL, e.g. https://your-app.fly.dev (auto-detected locally)
 
 ELEVENLABS_API_KEY=

README.md

@@ -193,7 +193,6 @@ DASHBOARD_URL=http://localhost:3000
 
 # Optional
 CRON_SECRET=your_secret_here                  # protects the cron endpoint
-DASHBOARD_PASSWORD=your_password              # optional basic auth for the dashboard
 
 # Email alerts via Resend (optional)
 RESEND_API_KEY=re_xxxxxxxxxxxx
@@ -376,6 +375,44 @@ The import uses HiBob's `Group` and `Team` columns (falling back to `Department`
 
 ---
 
+## Authentication
+
+Authentication is **fully optional**. When no auth environment variables are set, the dashboard is open (the default behavior). Setting `AUTH_SECRET` enables Google OAuth sign-in.
+
+### Setup
+
+1. Create a [Google OAuth app](https://console.cloud.google.com/apis/credentials) with redirect URI:
+   - Local: `http://localhost:3000/api/auth/callback/google`
+   - Production: `https://your-domain.com/api/auth/callback/google`
+
+2. Add to your `.env`:
+
+```bash
+AUTH_SECRET=$(openssl rand -base64 32)       # encryption key for sessions
+AUTH_GOOGLE_ID=your-client-id.apps.google... # Google OAuth client ID
+AUTH_GOOGLE_SECRET=GOCSPX-...               # Google OAuth client secret
+AUTH_TRUST_HOST=true                         # required behind a reverse proxy
+AUTH_URL=https://your-domain.com             # public URL (auto-detected locally)
+```
+
+3. Optionally restrict access by domain or specific emails:
+
+```bash
+AUTH_ALLOWED_DOMAIN=yourcompany.com          # only @yourcompany.com emails
+AUTH_ALLOWED_EMAILS=admin@example.com,cto@example.com  # or specific emails
+```
+
+When both are set, either match grants access. When neither is set, any Google account can sign in.
+
+### How It Works
+
+- Sessions use encrypted JWT cookies — no database tables needed
+- The `/api/cron` endpoint is excluded from auth (it uses its own `CRON_SECRET`)
+- Sign-in page appears automatically when auth is enabled
+- User avatar and sign-out menu appear in the nav bar
+
+---
+
 ## API Endpoints
 
 | Endpoint              | Method  | Description                                         |

package-lock.json

@@ -73,6 +73,7 @@
     "@tailwindcss/postcss": "^4.1.18",
     "better-sqlite3": "^12.6.2",
     "next": "^16.1.6",
+    "next-auth": "^5.0.0-beta.30",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "recharts": "^3.7.0",

package.json

@@ -0,0 +1,3 @@
+import { handlers } from "@/auth";
+
+export const { GET, POST } = handlers;

src/app/api/auth/[...nextauth]/route.ts

@@ -3,6 +3,8 @@ import Image from "next/image";
 import Link from "next/link";
 import { NavLinks } from "@/components/nav-links";
 import { UpgradeBanner } from "@/components/upgrade-banner";
+import { UserMenu } from "@/components/user-menu";
+import { auth, signOut } from "@/auth";
 import "./globals.css";
 
 export const metadata: Metadata = {
@@ -11,7 +13,9 @@ export const metadata: Metadata = {
   icons: { icon: "/favicon.png" },
 };
 
-export default function RootLayout({ children }: { children: React.ReactNode }) {
+export default async function RootLayout({ children }: { children: React.ReactNode }) {
+  const session = process.env.AUTH_SECRET ? await auth() : null;
+
   return (
     <html lang="en" className="dark">
       <body className="min-h-screen">
@@ -25,7 +29,20 @@ export default function RootLayout({ children }: { children: React.ReactNode })
                 </Link>
                 <NavLinks />
               </div>
-              <UpgradeBanner />
+              <div className="flex items-center gap-2">
+                <UpgradeBanner />
+                {session?.user && (
+                  <UserMenu
+                    name={session.user.name ?? session.user.email ?? "User"}
+                    email={session.user.email ?? ""}
+                    image={session.user.image ?? undefined}
+                    signOutAction={async () => {
+                      "use server";
+                      await signOut({ redirectTo: "/login" });
+                    }}
+                  />
+                )}
+              </div>
             </div>
           </div>
         </nav>

src/app/layout.tsx

@@ -0,0 +1,69 @@
+import { redirect } from "next/navigation";
+import { auth, signIn } from "@/auth";
+import Image from "next/image";
+
+export default async function LoginPage({
+  searchParams,
+}: {
+  searchParams: Promise<{ callbackUrl?: string }>;
+}) {
+  const session = await auth();
+  if (session?.user) redirect("/");
+
+  const { callbackUrl } = await searchParams;
+
+  return (
+    <div className="min-h-[80vh] flex items-center justify-center">
+      <div className="w-full max-w-sm mx-4 rounded-2xl border border-zinc-800 bg-zinc-950 shadow-2xl overflow-hidden">
+        <div className="h-1 w-full bg-gradient-to-r from-blue-500 via-blue-400 to-cyan-500" />
+
+        <div className="px-8 pt-8 pb-6 text-center">
+          <Image
+            src="/logo.png"
+            alt=""
+            width={40}
+            height={40}
+            className="mx-auto mb-4"
+            aria-hidden
+          />
+          <h1 className="text-xl font-bold text-white mb-1">Cursor Usage Tracker</h1>
+          <p className="text-sm text-zinc-400">Sign in to access the dashboard</p>
+        </div>
+
+        <div className="px-8 pb-8">
+          <form
+            action={async () => {
+              "use server";
+              await signIn("google", { redirectTo: callbackUrl ?? "/" });
+            }}
+          >
+            <button
+              type="submit"
+              className="w-full flex items-center justify-center gap-3 rounded-xl py-3 px-4 text-sm font-medium text-white bg-zinc-800 border border-zinc-700 hover:bg-zinc-700 hover:border-zinc-600 transition-all cursor-pointer"
+            >
+              <svg width="18" height="18" viewBox="0 0 24 24">
+                <path
+                  d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z"
+                  fill="#4285F4"
+                />
+                <path
+                  d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
+                  fill="#34A853"
+                />
+                <path
+                  d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"
+                  fill="#FBBC05"
+                />
+                <path
+                  d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
+                  fill="#EA4335"
+                />
+              </svg>
+              Sign in with Google
+            </button>
+          </form>
+        </div>
+      </div>
+    </div>
+  );
+}

src/app/login/page.tsx

@@ -0,0 +1,23 @@
+import NextAuth from "next-auth";
+import Google from "next-auth/providers/google";
+
+const allowedDomain = process.env.AUTH_ALLOWED_DOMAIN?.toLowerCase().trim();
+const allowedEmails = process.env.AUTH_ALLOWED_EMAILS?.split(",")
+  .map((e) => e.toLowerCase().trim())
+  .filter(Boolean);
+
+export const { handlers, auth, signIn, signOut } = NextAuth({
+  providers: [Google],
+  pages: { signIn: "/login" },
+  session: { strategy: "jwt" },
+  callbacks: {
+    signIn({ profile }) {
+      const email = profile?.email?.toLowerCase();
+      if (!email) return false;
+      if (allowedEmails?.length && allowedEmails.includes(email)) return true;
+      if (allowedDomain && email.endsWith(`@${allowedDomain}`)) return true;
+      if (!allowedEmails?.length && !allowedDomain) return true;
+      return false;
+    },
+  },
+});