shad0w/pelagia-portal
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pelagia-portal/App/app/(portal)/profile/actions.ts
Hardik 56817a7d86 feat(auth): add Microsoft 365 SSO via Azure Entra ID 
Adds the Microsoft Entra ID provider to NextAuth alongside the existing
credentials provider. Sign-in is restricted to Pelagia Marine's M365
tenant via the issuer URL; access is further gated by requiring a
matching active user record in the DB (DB-managed roles remain unchanged).

- auth.ts: add MicrosoftEntra provider, signIn callback (DB lookup),
  async jwt callback to populate id/role on first SSO sign-in
- login-form.tsx: add primary "Sign in with Microsoft 365" button with
  Microsoft logo; credentials form kept as a fallback below a divider
- prisma: make passwordHash nullable (migration applied) to allow
  SSO-only users without a local password
- admin/users: password is now optional when creating a user — leave
  blank for SSO-only accounts
- profile/actions: return a clear error if an SSO user (no passwordHash)
  attempts to use the change-password form
- .env.example: document AZURE_AD_CLIENT_ID/SECRET/TENANT_ID

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-28 22:48:37 +05:30

126 lines
4.6 KiB
TypeScript
Raw Blame History

"use server";
import { auth } from "@/auth";
import { db } from "@/lib/db";
import { buildSignatureKey, uploadBuffer } from "@/lib/storage";
import { revalidatePath } from "next/cache";
import bcrypt from "bcryptjs";
import { z } from "zod";
type Result = { ok: true } | { error: string };
// ── Change password ───────────────────────────────────────────────────────────
const changePasswordSchema = z.object({
currentPassword: z.string().min(1, "Current password is required"),
newPassword: z.string().min(8, "New password must be at least 8 characters"),
});
export async function changePassword(formData: FormData): Promise<Result> {
const session = await auth();
if (!session?.user) return { error: "Unauthorized" };
const parsed = changePasswordSchema.safeParse({
currentPassword: formData.get("currentPassword"),
newPassword: formData.get("newPassword"),
});
if (!parsed.success) return { error: parsed.error.errors[0]?.message ?? "Validation failed" };
const user = await db.user.findUnique({
where: { id: session.user.id },
select: { passwordHash: true },
});
if (!user) return { error: "User not found" };
if (!user.passwordHash) return { error: "Password change is not available for accounts that sign in via Microsoft 365." };
const valid = await bcrypt.compare(parsed.data.currentPassword, user.passwordHash);
if (!valid) return { error: "Current password is incorrect" };
const newHash = await bcrypt.hash(parsed.data.newPassword, 12);
await db.user.update({
where: { id: session.user.id },
data: { passwordHash: newHash },
});
return { ok: true };
}
// ── Upload signature ──────────────────────────────────────────────────────────
export async function saveSignature(formData: FormData): Promise<Result> {
const session = await auth();
if (!session?.user) return { error: "Unauthorized" };
if (session.user.role !== "MANAGER" && session.user.role !== "SUPERUSER") {
return { error: "Only managers and superusers can upload a signature" };
}
const file = formData.get("signature") as File | null;
if (!file || file.size === 0) return { error: "No file provided" };
if (file.size > 2 * 1024 * 1024) return { error: "Signature must be under 2 MB" };
const allowed = ["image/png", "image/jpeg", "image/jpg", "image/webp"];
if (!allowed.includes(file.type)) {
return { error: "Signature must be a PNG, JPG, or WebP image" };
}
const ext = file.type === "image/png" ? "png" : file.type === "image/webp" ? "webp" : "jpg";
const key = buildSignatureKey(session.user.id, ext);
const buffer = Buffer.from(await file.arrayBuffer());
await uploadBuffer(key, buffer, file.type);
await db.user.update({
where: { id: session.user.id },
data: { signatureKey: key },
});
revalidatePath("/profile");
revalidatePath("/approvals");
return { ok: true };
}
// ── Remove signature ──────────────────────────────────────────────────────────
export async function removeSignature(): Promise<Result> {
const session = await auth();
if (!session?.user) return { error: "Unauthorized" };
await db.user.update({
where: { id: session.user.id },
data: { signatureKey: null },
});
revalidatePath("/profile");
revalidatePath("/approvals");
return { ok: true };
}
// ── Request SuperUser access ──────────────────────────────────────────────────
export async function requestSuperUser(formData: FormData): Promise<Result> {
const session = await auth();
if (!session?.user) return { error: "Unauthorized" };
if (session.user.role === "SUPERUSER" || session.user.role === "ADMIN") {
return { error: "You already have elevated access" };
}
const reason = (formData.get("reason") as string | null)?.trim() ?? "";
// Check for an existing pending request
const existing = await db.superUserRequest.findFirst({
where: { userId: session.user.id, status: "PENDING" },
});
if (existing) return { error: "You already have a pending SuperUser request" };
await db.superUserRequest.create({
data: {
userId: session.user.id,
reason: reason || null,
},
});
revalidatePath("/profile");
return { ok: true };
}
Reference in a new issue View git blame Copy permalink