feat: secure KYC storage, Google OAuth, terms gating

2026-04-28 23:10:21 +07:00
parent 58da4608ac
commit 05d0929f7a
41 changed files with 3087 additions and 262 deletions
@@ -1,10 +1,22 @@
 import { AuthOptions } from "next-auth";
 import CredentialsProvider from "next-auth/providers/credentials";
+import GoogleProvider from "next-auth/providers/google";
+import { PrismaAdapter } from "@next-auth/prisma-adapter";
 import bcrypt from "bcryptjs";
 import { prisma } from "@/lib/prisma";

+// Adapter dipakai untuk persist User + Account saat OAuth (Google).
+// Session tetap pakai JWT supaya kompatibel dengan CredentialsProvider.
 export const authOptions: AuthOptions = {
+  adapter: PrismaAdapter(prisma),
  providers: [
+    GoogleProvider({
+      clientId: process.env.GOOGLE_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+      // Auto-link kalau email Google sama dengan email user yang sudah register
+      // via Credentials. Aman karena Google selalu memverifikasi email pemilik akun.
+      allowDangerousEmailAccountLinking: true,
+    }),
    CredentialsProvider({
      name: "credentials",
      credentials: {
@@ -24,6 +36,10 @@ export const authOptions: AuthOptions = {
          throw new Error("Email tidak ditemukan");
        }

+        if (!user.password) {
+          throw new Error("Akun ini terdaftar via Google. Silakan login dengan Google.");
+        }
+
        const isPasswordValid = await bcrypt.compare(
          credentials.password,
          user.password
@@ -46,15 +62,25 @@ export const authOptions: AuthOptions = {
    strategy: "jwt",
  },
  callbacks: {
-    async jwt({ token, user }) {
+    async jwt({ token, user, trigger }) {
      if (user) {
        token.id = user.id;
      }
+      // Hidrasi `acceptedTermsAndPrivacy` dari DB pada login pertama dan setiap
+      // kali client memanggil `useSession().update()` (setelah user accept).
+      if (token.id && (trigger === "update" || token.acceptedTermsAndPrivacy === undefined)) {
+        const dbUser = await prisma.user.findUnique({
+          where: { id: token.id as string },
+          select: { acceptedTermsAndPrivacy: true },
+        });
+        token.acceptedTermsAndPrivacy = dbUser?.acceptedTermsAndPrivacy ?? false;
+      }
      return token;
    },
    async session({ session, token }) {
      if (session.user) {
        session.user.id = token.id as string;
+        session.user.acceptedTermsAndPrivacy = token.acceptedTermsAndPrivacy ?? false;
      }
      return session;
    },