wip on updating access_token

2025-12-11 20:05:25 +00:00 · 2025-11-28 21:47:09 -08:00 · 2025-11-28 21:47:09 -08:00 · d022066529
commit d022066529
parent cbc2cfc190
2 changed files with 114 additions and 77 deletions
--- a/packages/web/src/app/components/authMethodSelector.tsx
+++ b/packages/web/src/app/components/authMethodSelector.tsx
@ -29,9 +29,20 @@ export const AuthMethodSelector = ({
        // Call the optional analytics callback first
        onProviderClick?.(provider);

-        signIn(provider, {
-            redirectTo: callbackUrl ?? "/"
-        });
+        // @nocheckin
+        signIn(
+            provider,
+            {
+                redirectTo: callbackUrl ?? "/",
+            },
+            // @see: https://github.com/nextauthjs/next-auth/issues/2066
+            // @see: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+            // @see: https://next-auth.js.org/getting-started/client#additional-parameters
+            {
+                prompt: 'consent',
+                scope: 'read:user user:email repo'
+            }
+        );
    }, [callbackUrl, onProviderClick]);

    // Separate OAuth providers from special auth methods
--- a/packages/web/src/auth.ts
+++ b/packages/web/src/auth.ts
@ -60,7 +60,8 @@ export const getProviders = () => {
    const providers: IdentityProvider[] = eeIdentityProviders;

    if (env.SMTP_CONNECTION_URL && env.EMAIL_FROM_ADDRESS && env.AUTH_EMAIL_CODE_LOGIN_ENABLED === 'true') {
-        providers.push({ provider: EmailProvider({
+        providers.push({
+            provider: EmailProvider({
                server: env.SMTP_CONNECTION_URL,
                from: env.EMAIL_FROM_ADDRESS,
                maxAge: 60 * 10,
@ -84,11 +85,13 @@ export const getProviders = () => {
                        throw new Error(`Email(s) (${failed.join(", ")}) could not be sent`);
                    }
                }
-        }), purpose: "sso"});
+            }), purpose: "sso"
+        });
    }

    if (env.AUTH_CREDENTIALS_LOGIN_ENABLED === 'true') {
-        providers.push({ provider: Credentials({
+        providers.push({
+            provider: Credentials({
                credentials: {
                    email: {},
                    password: {}
@ -141,7 +144,8 @@ export const getProviders = () => {
                        };
                    }
                }
-        }), purpose: "sso"});
+            }), purpose: "sso"
+        });
    }

    return providers;
@ -156,7 +160,29 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
    trustHost: true,
    events: {
        createUser: onCreateUser,
-        signIn: async ({ user }) => {
+        signIn: async ({ user, account }) => {
+            // Explicitly update the Account record with the OAuth token details.
+            // This is necessary to update the access token when the user
+            // re-authenticates.
+            if (account && account.provider && account.providerAccountId) {
+                await prisma.account.update({
+                    where: {
+                        provider_providerAccountId: {
+                            provider: account.provider,
+                            providerAccountId: account.providerAccountId,
+                        },
+                    },
+                    data: {
+                        refresh_token: account.refresh_token,
+                        access_token: account.access_token,
+                        expires_at: account.expires_at,
+                        token_type: account.token_type,
+                        scope: account.scope,
+                        id_token: account.id_token,
+                    }
+                })
+            }
+
            if (user.id) {
                await auditService.createAudit({
                    action: "user.signed_in",