magricambi/src/auth.ts

import bcrypt from "bcrypt";
import NextAuth from "next-auth";
import Credentials from "next-auth/providers/credentials";
import type { ResultSetHeader, RowDataPacket } from "mysql2";

import { db } from "@/src/lib/db";
import type { DbUser, UserRole } from "@/src/types/user";

type DbUserRow = DbUser & RowDataPacket;

function maskIdentifier(identifier: string): string {
  if (identifier.includes("@")) {
    const [name = "", domain = ""] = identifier.split("@");
    const visibleName = name.slice(0, 2);

    return `${visibleName}${"*".repeat(Math.max(name.length - 2, 1))}@${domain}`;
  }

  if (identifier.length <= 2) {
    return "*".repeat(identifier.length);
  }

  return `${identifier.slice(0, 2)}${"*".repeat(identifier.length - 2)}`;
}

function authLog(message: string, details?: Record<string, unknown>): void {
  console.log(`[auth] ${message}`, details ?? "");
}

function authError(message: string, error: unknown, details?: Record<string, unknown>): void {
  console.error(`[auth] ${message}`, {
    ...details,
    error: error instanceof Error ? error.message : String(error),
  });
}

function isUserRole(value: string): value is UserRole {
  return ["admin", "manager", "user", "sviluppo"].includes(value);
}

async function findActiveUser(identifier: string): Promise<DbUser | null> {
  let rows: DbUserRow[];

  try {
    [rows] = await db.execute<DbUserRow[]>(
      `SELECT id, utente, mail, password, ruolo, attivo, last_login
       FROM utenti
       WHERE attivo = 1
         AND (utente = :identifier OR mail = :identifier)
       LIMIT 1`,
      { identifier },
    );
  } catch (error) {
    authError("Errore durante la query utente attivo", error, {
      identifier: maskIdentifier(identifier),
    });
    throw error;
  }

  const user = rows[0];

  if (!user) {
    authLog("Nessun utente attivo trovato", {
      identifier: maskIdentifier(identifier),
    });
    return null;
  }

  if (!isUserRole(user.ruolo)) {
    authLog("Utente trovato con ruolo non valido", {
      userId: user.id,
      ruolo: user.ruolo,
    });
    return null;
  }

  authLog("Utente attivo trovato", {
    userId: user.id,
    utente: user.utente,
    ruolo: user.ruolo,
  });

  return user;
}

async function updateLastLogin(userId: number): Promise<void> {
  try {
    await db.execute<ResultSetHeader>(
      "UPDATE utenti SET last_login = NOW() WHERE id = :userId",
      { userId },
    );
    authLog("last_login aggiornato", { userId });
  } catch (error) {
    authError("Errore durante aggiornamento last_login", error, { userId });
    throw error;
  }
}

export const { handlers, auth, signIn, signOut } = NextAuth({
  session: {
    strategy: "jwt",
  },
  pages: {
    signIn: "/login",
  },
  providers: [
    Credentials({
      name: "Credenziali",
      credentials: {
        identifier: { label: "Utente o email", type: "text" },
        password: { label: "Password", type: "password" },
      },
      async authorize(credentials) {
        const startedAt = Date.now();
        const identifier = String(credentials?.identifier ?? "").trim();
        const password = String(credentials?.password ?? "");
        const maskedIdentifier = maskIdentifier(identifier);

        authLog("Tentativo login ricevuto", {
          identifier: maskedIdentifier,
          hasIdentifier: Boolean(identifier),
          hasPassword: Boolean(password),
        });

        if (!identifier || !password) {
          authLog("Login respinto: campi mancanti", {
            identifier: maskedIdentifier,
            hasIdentifier: Boolean(identifier),
            hasPassword: Boolean(password),
          });
          return null;
        }

        const user = await findActiveUser(identifier);

        if (!user) {
          authLog("Login respinto: utente non trovato o non valido", {
            identifier: maskedIdentifier,
            durationMs: Date.now() - startedAt,
          });
          return null;
        }

        let passwordMatches = false;

        try {
          passwordMatches = await bcrypt.compare(password, user.password);
        } catch (error) {
          authError("Errore durante confronto password bcrypt", error, {
            userId: user.id,
            durationMs: Date.now() - startedAt,
          });
          throw error;
        }

        if (!passwordMatches) {
          authLog("Login respinto: password non valida", {
            userId: user.id,
            durationMs: Date.now() - startedAt,
          });
          return null;
        }

        await updateLastLogin(user.id);

        authLog("Login riuscito", {
          userId: user.id,
          ruolo: user.ruolo,
          durationMs: Date.now() - startedAt,
        });

        return {
          id: String(user.id),
          name: user.utente,
          email: user.mail,
          ruolo: user.ruolo,
          utente: user.utente,
        };
      },
    }),
  ],
  callbacks: {
    jwt({ token, user }) {
      if (user) {
        token.id = user.id;
        token.ruolo = user.ruolo;
        token.utente = user.utente;
      }

      return token;
    },
    session({ session, token }) {
      session.user.id = token.id ?? "";
      session.user.ruolo = token.ruolo ?? "user";
      session.user.utente = token.utente ?? session.user.name ?? "";

      return session;
    },
  },
});
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`import bcrypt from "bcrypt";`
			`import NextAuth from "next-auth";`
			`import Credentials from "next-auth/providers/credentials";`
			`import type { ResultSetHeader, RowDataPacket } from "mysql2";`

			`import { db } from "@/src/lib/db";`
			`import type { DbUser, UserRole } from "@/src/types/user";`

			`type DbUserRow = DbUser & RowDataPacket;`

inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`function maskIdentifier(identifier: string): string {`
			`if (identifier.includes("@")) {`
			`const [name = "", domain = ""] = identifier.split("@");`
			`const visibleName = name.slice(0, 2);`

			return `${visibleName}${"*".repeat(Math.max(name.length - 2, 1))}@${domain}`;
			`}`

			`if (identifier.length <= 2) {`
			`return "*".repeat(identifier.length);`
			`}`

			return `${identifier.slice(0, 2)}${"*".repeat(identifier.length - 2)}`;
			`}`

			`function authLog(message: string, details?: Record<string, unknown>): void {`
			console.log(`[auth] ${message}`, details ?? "");
			`}`

			`function authError(message: string, error: unknown, details?: Record<string, unknown>): void {`
			console.error(`[auth] ${message}`, {
			`...details,`
			`error: error instanceof Error ? error.message : String(error),`
			`});`
			`}`

implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`function isUserRole(value: string): value is UserRole {`
			`return ["admin", "manager", "user", "sviluppo"].includes(value);`
			`}`

			`async function findActiveUser(identifier: string): Promise<DbUser \| null> {`
inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`let rows: DbUserRow[];`

			`try {`
			`[rows] = await db.execute<DbUserRow[]>(`
			`SELECT id, utente, mail, password, ruolo, attivo, last_login
			`FROM utenti`
			`WHERE attivo = 1`
			`AND (utente = :identifier OR mail = :identifier)`
			LIMIT 1`,
			`{ identifier },`
			`);`
			`} catch (error) {`
			`authError("Errore durante la query utente attivo", error, {`
			`identifier: maskIdentifier(identifier),`
			`});`
			`throw error;`
			`}`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00
			`const user = rows[0];`

inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`if (!user) {`
			`authLog("Nessun utente attivo trovato", {`
			`identifier: maskIdentifier(identifier),`
			`});`
			`return null;`
			`}`

			`if (!isUserRole(user.ruolo)) {`
			`authLog("Utente trovato con ruolo non valido", {`
			`userId: user.id,`
			`ruolo: user.ruolo,`
			`});`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`return null;`
			`}`

inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`authLog("Utente attivo trovato", {`
			`userId: user.id,`
			`utente: user.utente,`
			`ruolo: user.ruolo,`
			`});`

implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`return user;`
			`}`

			`async function updateLastLogin(userId: number): Promise<void> {`
inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`try {`
			`await db.execute<ResultSetHeader>(`
			`"UPDATE utenti SET last_login = NOW() WHERE id = :userId",`
			`{ userId },`
			`);`
			`authLog("last_login aggiornato", { userId });`
			`} catch (error) {`
			`authError("Errore durante aggiornamento last_login", error, { userId });`
			`throw error;`
			`}`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`}`

			`export const { handlers, auth, signIn, signOut } = NextAuth({`
			`session: {`
			`strategy: "jwt",`
			`},`
			`pages: {`
			`signIn: "/login",`
			`},`
			`providers: [`
			`Credentials({`
			`name: "Credenziali",`
			`credentials: {`
			`identifier: { label: "Utente o email", type: "text" },`
			`password: { label: "Password", type: "password" },`
			`},`
			`async authorize(credentials) {`
inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`const startedAt = Date.now();`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`const identifier = String(credentials?.identifier ?? "").trim();`
			`const password = String(credentials?.password ?? "");`
inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`const maskedIdentifier = maskIdentifier(identifier);`

			`authLog("Tentativo login ricevuto", {`
			`identifier: maskedIdentifier,`
			`hasIdentifier: Boolean(identifier),`
			`hasPassword: Boolean(password),`
			`});`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00
			`if (!identifier \|\| !password) {`
inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`authLog("Login respinto: campi mancanti", {`
			`identifier: maskedIdentifier,`
			`hasIdentifier: Boolean(identifier),`
			`hasPassword: Boolean(password),`
			`});`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`return null;`
			`}`

			`const user = await findActiveUser(identifier);`

			`if (!user) {`
inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`authLog("Login respinto: utente non trovato o non valido", {`
			`identifier: maskedIdentifier,`
			`durationMs: Date.now() - startedAt,`
			`});`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`return null;`
			`}`

inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`let passwordMatches = false;`

			`try {`
			`passwordMatches = await bcrypt.compare(password, user.password);`
			`} catch (error) {`
			`authError("Errore durante confronto password bcrypt", error, {`
			`userId: user.id,`
			`durationMs: Date.now() - startedAt,`
			`});`
			`throw error;`
			`}`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00
			`if (!passwordMatches) {`
inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`authLog("Login respinto: password non valida", {`
			`userId: user.id,`
			`durationMs: Date.now() - startedAt,`
			`});`
implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`return null;`
			`}`

			`await updateLastLogin(user.id);`

inseriti log per verifica login 2026-05-27 15:24:29 +02:00			`authLog("Login riuscito", {`
			`userId: user.id,`
			`ruolo: user.ruolo,`
			`durationMs: Date.now() - startedAt,`
			`});`

implementato modulo Auth.js e pagina Login 2026-05-27 13:05:32 +02:00			`return {`
			`id: String(user.id),`
			`name: user.utente,`
			`email: user.mail,`
			`ruolo: user.ruolo,`
			`utente: user.utente,`
			`};`
			`},`
			`}),`
			`],`
			`callbacks: {`
			`jwt({ token, user }) {`
			`if (user) {`
			`token.id = user.id;`
			`token.ruolo = user.ruolo;`
			`token.utente = user.utente;`
			`}`

			`return token;`
			`},`
			`session({ session, token }) {`
			`session.user.id = token.id ?? "";`
			`session.user.ruolo = token.ruolo ?? "user";`
			`session.user.utente = token.utente ?? session.user.name ?? "";`

			`return session;`
			`},`
			`},`
			`});`