From 56478632e5b5f3d57e252db6d3f6c4159cf0c019 Mon Sep 17 00:00:00 2001
From: Thomas Ruoff
Date: Sat, 2 Apr 2022 00:07:55 +0200
Subject: [PATCH] Tighten down sign in

Email: only from ADMIN_EMAIL
Github: only user tomru
---
 pages/api/auth/[...nextauth].ts | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/pages/api/auth/[...nextauth].ts b/pages/api/auth/[...nextauth].ts
index 5059177..15b5db2 100644
--- a/pages/api/auth/[...nextauth].ts
+++ b/pages/api/auth/[...nextauth].ts
@@ -1,6 +1,7 @@
 import { NextApiRequest, NextApiResponse } from 'next'
 import NextAuth from 'next-auth'
 import EmailProvider from 'next-auth/providers/email'
+import GitHubProvider from "next-auth/providers/github";
 import { MongoDBAdapter } from '@next-auth/mongodb-adapter'
 import { MONGO_URI } from '../../../db'
@@ -8,6 +9,9 @@ import { MongoClient } from 'mongodb'
 let client: MongoClient
+const ADMIN_EMAIL = process.env.ADMIN_EMAIL
+const GITHUB_USERS_GRANTED = ['111471'];
+
 async function getMongoClient() {
   if (!client) {
     client = new MongoClient(MONGO_URI)
@@ -22,6 +26,10 @@ export default async function auth(req: NextApiRequest, res: NextApiResponse) {
     secret: process.env.NEXTAUTH_SECRET,
     adapter: MongoDBAdapter(getMongoClient()),
     providers: [
+      GitHubProvider({
+        clientId: process.env.GITHUB_CLIENT_ID,
+        clientSecret: process.env.GITHUB_CLIENT_SECRET
+      }),
       EmailProvider({
         server: {
           host: 'smtp.sendgrid.net',
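Review bot: The new `GitHubProvider` import uses double quotes and a trailing semicolon while every neighbouring import in the same hunk uses single quotes and no semicolon. `import GitHubProvider from 'next-auth/providers/github'` keeps the file consistent, or let the formatter settle it before merging.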
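Review bot: `ADMIN_EMAIL` is read as `string | undefined` and nothing checks that the variable is set, so a deployment that forgets it silently locks every email sign-in out (the later `===` against a string identifier can never match) instead of reporting the misconfiguration; failing closed is right, but it should be loud, e.g. `if (!ADMIN_EMAIL) throw new Error('ADMIN_EMAIL is not set')` at module load. The same applies to `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` read in the next hunk, where an unset value only surfaces when someone attempts a GitHub login. `GITHUB_USERS_GRANTED` also deserves a one-line comment saying what its entries are — presumably the GitHub numeric user id as reported in `providerAccountId`, as the existing `'111471'` suggests, not a login — so the next maintainer does not add a username that will never match.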
@@ -34,5 +42,23 @@ export default async function auth(req: NextApiRequest, res: NextApiResponse) {
         from: process.env.FROM_EMAIL,
       }),
     ],
+    callbacks: {
+      async signIn({ account, email }) {
+        // if user sigin requested magic link via EmailProvider
+        if (account.provider === 'email') {
+          if (email.verificationRequest) {
+            // only allow admins by email entered
+            return account.providerAccountId === ADMIN_EMAIL;
+
+          // if user accesses with magic link, also only allow admin
+          return account.providerAccountId === ADMIN_EMAIL
+        } else if (account.provider === 'github') {
+          // only one and only one user
+          return GITHUB_USERS_GRANTED.includes(account.providerAccountId);
+        }
+        return false;
+      }
+    }
   })
 }
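Review bot: Both branches of the `email` path return the identical expression `account.providerAccountId === ADMIN_EMAIL`, so the inner `if (email.verificationRequest)` only adds a second place to get the gate wrong; collapse the branch to a single `return account.providerAccountId === ADMIN_EMAIL` preceded by a comment such as `// runs both when the magic link is requested (so links are never sent to anyone else) and when it is redeemed`. As rendered here the closing brace of that inner `if` does not appear and the hunk is one line short of the `+23` in its header, so a line was probably lost in rendering rather than in the commit, but it is worth confirming against the file. The comparison is an exact string match; if this next-auth version does not normalize the entered identifier (I do not believe it lowercases it), an admin typing a differently-cased address is rejected, which fails closed but is confusing, so normalizing both sides or documenting the exact-match requirement would help. The comment on the first `+` line has a typo (`sigin`). The enclosing `auth` function starts outside this hunk.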