Initial commit: MOPC platform with Docker deployment setup

Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 13:41:32 +01:00
commit a606292aaa
290 changed files with 70691 additions and 0 deletions
--- a/src/lib/auth.config.ts
+++ b/src/lib/auth.config.ts
@@ -0,0 +1,87 @@
+import type { NextAuthConfig } from 'next-auth'
+import type { UserRole } from '@prisma/client'
+
+// Extend the built-in session types
+declare module 'next-auth' {
+  interface Session {
+    user: {
+      id: string
+      email: string
+      name?: string | null
+      role: UserRole
+      mustSetPassword?: boolean
+    }
+  }
+
+  interface User {
+    role?: UserRole
+    mustSetPassword?: boolean
+  }
+}
+
+declare module '@auth/core/jwt' {
+  interface JWT {
+    id: string
+    role: UserRole
+    mustSetPassword?: boolean
+  }
+}
+
+// Edge-compatible auth config (no Node.js-only modules)
+// This is used by middleware and can be extended in auth.ts for full functionality
+export const authConfig: NextAuthConfig = {
+  providers: [], // Providers are added in auth.ts
+  callbacks: {
+    authorized({ auth, request: { nextUrl } }) {
+      const isLoggedIn = !!auth?.user
+      const { pathname } = nextUrl
+
+      // Public paths that don't require authentication
+      const publicPaths = [
+        '/login',
+        '/verify-email',
+        '/auth-error',
+        '/api/auth',
+      ]
+
+      // Check if it's a public path
+      if (publicPaths.some((path) => pathname.startsWith(path))) {
+        return true
+      }
+
+      // If not logged in, redirect to login
+      if (!isLoggedIn) {
+        return false // Will redirect to signIn page
+      }
+
+      // Check if user needs to set password
+      const mustSetPassword = auth?.user?.mustSetPassword
+      const passwordSetupAllowedPaths = [
+        '/set-password',
+        '/api/auth',
+        '/api/trpc',
+      ]
+
+      if (mustSetPassword) {
+        // Allow access to password setup related paths
+        if (passwordSetupAllowedPaths.some((path) => pathname.startsWith(path))) {
+          return true
+        }
+        // Redirect to set-password page
+        return Response.redirect(new URL('/set-password', nextUrl))
+      }
+
+      return true
+    },
+  },
+  pages: {
+    signIn: '/login',
+    verifyRequest: '/verify-email',
+    error: '/auth-error',
+    newUser: '/set-password',
+  },
+  session: {
+    strategy: 'jwt',
+    maxAge: parseInt(process.env.SESSION_MAX_AGE || '86400'), // 24 hours
+  },
+}