Magic-link sign in UI and APIs

app/api/auth/magic-link/request/route.ts

@@ -0,0 +1,120 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "../../../../../lib/server/db";
+import {
+  getSessionPepper,
+  isDatabaseConfigured,
+} from "../../../../../lib/server/env";
+import {
+  hashSessionToken,
+  newSessionToken,
+} from "../../../../../lib/server/hash";
+import { sendMagicLinkEmail } from "../../../../../lib/server/mail";
+import { rateLimitKey } from "../../../../../lib/server/rateLimit";
+import { dbUnavailable } from "../../../../../lib/server/responses";
+import { logger } from "../../../../../lib/logger";
+import { safeInternalPath } from "../../../../../lib/safeInternalPath";
+
+const MAGIC_LINK_TTL_MS = 15 * 60 * 1000;
+const EMAIL_MIN_INTERVAL_MS = 60 * 1000;
+const IP_MIN_INTERVAL_MS = 20 * 1000;
+
+function normalizeEmail(raw: unknown): string | null {
+  if (typeof raw !== "string") return null;
+  const email = raw.trim().toLowerCase();
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return null;
+  return email;
+}
+
+function readNextPath(body: unknown): string | null {
+  if (!body || typeof body !== "object" || !("next" in body)) return null;
+  const n = (body as { next: unknown }).next;
+  if (typeof n !== "string") return null;
+  return safeInternalPath(n);
+}
+
+export async function POST(request: NextRequest) {
+  if (!isDatabaseConfigured()) {
+    return dbUnavailable();
+  }
+
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  const email = normalizeEmail(
+    body && typeof body === "object" && "email" in body
+      ? (body as { email: unknown }).email
+      : null,
+  );
+  if (!email) {
+    return NextResponse.json(
+      { error: "Valid email required" },
+      { status: 400 },
+    );
+  }
+
+  const ip =
+    request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+    request.headers.get("x-real-ip") ??
+    "unknown";
+
+  const rlEmail = rateLimitKey(`magic-email:${email}`, EMAIL_MIN_INTERVAL_MS);
+  if (rlEmail.ok === false) {
+    return NextResponse.json(
+      { error: "Too many requests", retryAfterMs: rlEmail.retryAfterMs },
+      { status: 429 },
+    );
+  }
+
+  const rlIp = rateLimitKey(`magic-ip:${ip}`, IP_MIN_INTERVAL_MS);
+  if (rlIp.ok === false) {
+    return NextResponse.json(
+      { error: "Too many requests", retryAfterMs: rlIp.retryAfterMs },
+      { status: 429 },
+    );
+  }
+
+  let pepper: string;
+  try {
+    pepper = getSessionPepper();
+  } catch {
+    return NextResponse.json(
+      { error: "Server misconfiguration" },
+      { status: 500 },
+    );
+  }
+
+  const token = newSessionToken();
+  const tokenHash = hashSessionToken(token, pepper);
+  const expiresAt = new Date(Date.now() + MAGIC_LINK_TTL_MS);
+  const nextPath = readNextPath(body);
+
+  await prisma.magicLinkToken.deleteMany({ where: { email } });
+  await prisma.magicLinkToken.create({
+    data: {
+      email,
+      tokenHash,
+      expiresAt,
+      nextPath: nextPath ?? undefined,
+    },
+  });
+
+  const origin = request.nextUrl.origin;
+  const verifyUrl = `${origin}/api/auth/magic-link/verify?token=${encodeURIComponent(token)}`;
+
+  try {
+    await sendMagicLinkEmail(email, verifyUrl);
+  } catch (err) {
+    logger.error("sendMagicLinkEmail failed:", err);
+    await prisma.magicLinkToken.deleteMany({ where: { email } });
+    return NextResponse.json(
+      { error: "Could not send email" },
+      { status: 502 },
+    );
+  }
+
+  return NextResponse.json({ ok: true });
+}

app/api/auth/magic-link/verify/route.ts

@@ -0,0 +1,61 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "../../../../../lib/server/db";
+import {
+  getSessionPepper,
+  isDatabaseConfigured,
+} from "../../../../../lib/server/env";
+import { hashSessionToken } from "../../../../../lib/server/hash";
+import {
+  createSessionForUser,
+  setSessionCookie,
+} from "../../../../../lib/server/session";
+import { dbUnavailable } from "../../../../../lib/server/responses";
+import { safeInternalPath } from "../../../../../lib/safeInternalPath";
+
+export async function GET(request: NextRequest) {
+  if (!isDatabaseConfigured()) {
+    return dbUnavailable();
+  }
+
+  const token = request.nextUrl.searchParams.get("token");
+  if (!token || token.length < 10) {
+    return NextResponse.redirect(
+      new URL("/login?error=invalid_link", request.url),
+    );
+  }
+
+  let pepper: string;
+  try {
+    pepper = getSessionPepper();
+  } catch {
+    return NextResponse.redirect(new URL("/login?error=server", request.url));
+  }
+
+  const tokenHash = hashSessionToken(token, pepper);
+
+  const row = await prisma.magicLinkToken.findUnique({
+    where: { tokenHash },
+  });
+
+  if (!row || row.expiresAt < new Date()) {
+    return NextResponse.redirect(
+      new URL("/login?error=expired_link", request.url),
+    );
+  }
+
+  await prisma.magicLinkToken.delete({ where: { id: row.id } });
+
+  const user = await prisma.user.upsert({
+    where: { email: row.email },
+    create: { email: row.email },
+    update: {},
+  });
+
+  const { token: sessionToken, expiresAt } = await createSessionForUser(
+    user.id,
+  );
+  await setSessionCookie(sessionToken, expiresAt);
+
+  const dest = safeInternalPath(row.nextPath);
+  return NextResponse.redirect(new URL(dest, request.url));
+}