diff --git a/pages/api/auth/[...nextauth].ts b/pages/api/auth/[...nextauth].ts
index 5059177..15b5db2 100644
--- a/pages/api/auth/[...nextauth].ts
+++ b/pages/api/auth/[...nextauth].ts
@@ -1,6 +1,7 @@
 import { NextApiRequest, NextApiResponse } from 'next'
 import NextAuth from 'next-auth'
 import EmailProvider from 'next-auth/providers/email'
+import GitHubProvider from "next-auth/providers/github";
 import { MongoDBAdapter } from '@next-auth/mongodb-adapter'
 import { MONGO_URI } from '../../../db'
@@ -8,6 +9,9 @@ import { MongoClient } from 'mongodb'
 let client: MongoClient
+const ADMIN_EMAIL = process.env.ADMIN_EMAIL
+const GITHUB_USERS_GRANTED = ['111471'];
+
 async function getMongoClient() {
 if (!client) {
 client = new MongoClient(MONGO_URI)
@@ -22,6 +26,10 @@ export default async function auth(req: NextApiRequest, res: NextApiResponse) {
 secret: process.env.NEXTAUTH_SECRET,
 adapter: MongoDBAdapter(getMongoClient()),
 providers: [
+ GitHubProvider({
+ clientId: process.env.GITHUB_CLIENT_ID,
+ clientSecret: process.env.GITHUB_CLIENT_SECRET
+ }),
 EmailProvider({
 server: {
 host: 'smtp.sendgrid.net',
@@ -34,5 +42,23 @@ export default async function auth(req: NextApiRequest, res: NextApiResponse) {
 from: process.env.FROM_EMAIL,
 }),
 ],
+ callbacks: {
+ async signIn({ account, email }) {
+ // if user sigin requested magic link via EmailProvider
+ if (account.provider === 'email') {
+ if (email.verificationRequest) {
+ // only allow admins by email entered
+ return account.providerAccountId === ADMIN_EMAIL;
+ }
+
+ // if user accesses with magic link, also only allow admin
+ return account.providerAccountId === ADMIN_EMAIL
+ } else if (account.provider === 'github') {
+ // only one and only one user
+ return GITHUB_USERS_GRANTED.includes(account.providerAccountId);
+ }
+ return false;
+ }
+ }
 })
 }
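Review bot: `ADMIN_EMAIL` is read from `process.env` with no presence check, so when the variable is unset the email path of the sign-in check rejects everyone, the admin included, with nothing in the logs to say why. The same applies to `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` in the `GitHubProvider` hunk, which are passed through as possibly-undefined values. Failing fast at module load would surface the misconfiguration, e.g. `if (!ADMIN_EMAIL) throw new Error('ADMIN_EMAIL is not set')`. For `GITHUB_USERS_GRANTED`, a comment such as `// numeric GitHub account ids (not logins) allowed to sign in` would tell the next maintainer what `'111471'` is. It would also make clear that the allowlist is keyed on the account id rather than a username that can be renamed.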
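Review bot: Both returns inside the `account.provider === 'email'` branch of `signIn` evaluate the same expression, so the `email.verificationRequest` test decides nothing. It only adds a dereference of `email`, which would throw if the callback is ever invoked without that argument on the magic-link leg. The branch can collapse to `if (account.provider === 'email') return account.providerAccountId === ADMIN_EMAIL`, with one comment covering both the link request and the link click. `account` is also dereferenced without a guard; if the installed next-auth types declare it nullable, an early `if (!account) return false` keeps the callback failing closed. The comment typo `sigin` should read `sign-in`.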