Neah/app/api/auth/[...nextauth]/route.ts

import NextAuth, { NextAuthOptions } from "next-auth";
import KeycloakProvider from "next-auth/providers/keycloak";
import { prisma } from '@/lib/prisma';

declare module "next-auth" {
  interface Session {
    user: {
      id: string;
      name?: string | null;
      email?: string | null;
      image?: string | null;
      username: string;
      first_name: string;
      last_name: string;
      role: string[];
    };
    accessToken: string;
  }

  interface JWT {
    accessToken: string;
    refreshToken: string;
    accessTokenExpires: number;
    role: string[];
    username: string;
    first_name: string;
    last_name: string;
  }
}

function getRequiredEnvVar(name: string): string {
  const value = process.env[name];
  if (!value) {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

export const authOptions: NextAuthOptions = {
  providers: [
    KeycloakProvider({
      clientId: getRequiredEnvVar("KEYCLOAK_CLIENT_ID"),
      clientSecret: getRequiredEnvVar("KEYCLOAK_CLIENT_SECRET"),
      issuer: getRequiredEnvVar("KEYCLOAK_ISSUER"),
      profile(profile) {
        return {
          id: profile.sub,
          name: profile.name ?? profile.preferred_username,
          email: profile.email,
          first_name: profile.given_name ?? '',
          last_name: profile.family_name ?? '',
          username: profile.preferred_username ?? profile.email?.split('@')[0] ?? '',
          role: profile.groups ?? [],
        }
      },
    }),
  ],
  session: {
    strategy: "jwt",
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
  cookies: {
    sessionToken: {
      name: process.env.NODE_ENV === 'production' 
        ? `__Secure-next-auth.session-token`
        : `next-auth.session-token`,
      options: {
        httpOnly: true,
        sameSite: 'lax',
        path: '/',
        secure: process.env.NODE_ENV === 'production'
      }
    },
    callbackUrl: {
      name: process.env.NODE_ENV === 'production'
        ? `__Secure-next-auth.callback-url`
        : `next-auth.callback-url`,
      options: {
        httpOnly: true,
        sameSite: 'lax',
        path: '/',
        secure: process.env.NODE_ENV === 'production'
      }
    },
    csrfToken: {
      name: process.env.NODE_ENV === 'production'
        ? `__Host-next-auth.csrf-token`
        : `next-auth.csrf-token`,
      options: {
        httpOnly: true,
        sameSite: 'lax',
        path: '/',
        secure: process.env.NODE_ENV === 'production'
      }
    }
  },
  callbacks: {
    async signIn({ user, account, profile }) {
      if (!user.email) return false;

      try {
        // Create or update user in local database
        await prisma.user.upsert({
          where: { id: user.id },
          update: {
            email: user.email,
            password: '', // We don't store password for Keycloak users
          },
          create: {
            id: user.id,
            email: user.email,
            password: '', // We don't store password for Keycloak users
          },
        });
        return true;
      } catch (error) {
        console.error('Error creating/updating user:', error);
        return false;
      }
    },
    async jwt({ token, account, profile }) {
      if (account && profile) {
        token.accessToken = account.access_token ?? '';
        token.refreshToken = account.refresh_token ?? '';
        token.accessTokenExpires = (account.expires_at ?? 0) * 1000;
        token.role = (profile as any).groups ?? [];
        token.username = (profile as any).preferred_username ?? profile.email?.split('@')[0] ?? '';
        token.first_name = (profile as any).given_name ?? '';
        token.last_name = (profile as any).family_name ?? '';
      }

      // Return previous token if not expired
      if (Date.now() < (token.accessTokenExpires as number)) {
        return token;
      }

      try {
        const clientId = getRequiredEnvVar("KEYCLOAK_CLIENT_ID");
        const clientSecret = getRequiredEnvVar("KEYCLOAK_CLIENT_SECRET");

        const response = await fetch(
          `${process.env.KEYCLOAK_BASE_URL}/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/token`,
          {
            method: "POST",
            headers: {
              "Content-Type": "application/x-www-form-urlencoded",
            },
            body: new URLSearchParams({
              grant_type: "refresh_token",
              client_id: clientId,
              client_secret: clientSecret,
              refresh_token: token.refreshToken as string,
            }),
          }
        );

        const tokens = await response.json();

        if (!response.ok) {
          throw new Error("RefreshAccessTokenError");
        }

        return {
          ...token,
          accessToken: tokens.access_token,
          refreshToken: tokens.refresh_token ?? token.refreshToken,
          accessTokenExpires: Date.now() + tokens.expires_in * 1000,
        };
      } catch (error) {
        return {
          ...token,
          error: "RefreshAccessTokenError",
        };
      }
    },
    async session({ session, token }) {
      if (token.error) {
        throw new Error("RefreshAccessTokenError");
      }

      session.accessToken = token.accessToken;
      session.user = {
        id: token.sub as string,
        name: token.name,
        email: token.email,
        image: null,
        username: token.username ?? '',
        first_name: token.first_name ?? '',
        last_name: token.last_name ?? '',
        role: token.role ?? [],
      };

      return session;
    }
  },
  pages: {
    signIn: '/signin',
    error: '/signin',
  },
  debug: process.env.NODE_ENV === 'development',
};

const handler = NextAuth(authOptions);
export { handler as GET, handler as POST };