refactor(server): auth

.eslintrc.js

@@ -31,17 +31,6 @@ const createPattern = packageName => [
     message: 'Use `useNavigateHelper` instead',
     importNames: ['useNavigate'],
   },
-  {
-    group: ['next-auth/react'],
-    message: "Import hooks from 'use-current-user.tsx'",
-    // useSession is type unsafe
-    importNames: ['useSession'],
-  },
-  {
-    group: ['next-auth/react'],
-    message: "Import hooks from 'cloud-utils.ts'",
-    importNames: ['signIn', 'signOut'],
-  },
   {
     group: ['yjs'],
     message: 'Do not use this API because it has a bug',
@@ -179,17 +168,6 @@ const config = {
             message: 'Use `useNavigateHelper` instead',
             importNames: ['useNavigate'],
           },
-          {
-            group: ['next-auth/react'],
-            message: "Import hooks from 'use-current-user.tsx'",
-            // useSession is type unsafe
-            importNames: ['useSession'],
-          },
-          {
-            group: ['next-auth/react'],
-            message: "Import hooks from 'cloud-utils.ts'",
-            importNames: ['signIn', 'signOut'],
-          },
           {
             group: ['yjs'],
             message: 'Do not use this API because it has a bug',

.github/workflows/build-test.yml

@@ -335,17 +335,11 @@ jobs:
         env:
           PGPASSWORD: affine
 
-      - name: Generate prisma client
+      - name: Run init-db script
         run: |
           yarn workspace @affine/server exec prisma generate
           yarn workspace @affine/server exec prisma db push
-        env:
-          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-
-      - name: Run init-db script
-        run: |
           yarn workspace @affine/server data-migration run
-          yarn workspace @affine/server exec node --loader ts-node/esm/transpile-only ./scripts/init-db.ts
         env:
           DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
 
@@ -433,17 +427,11 @@ jobs:
         env:
           PGPASSWORD: affine
 
-      - name: Generate prisma client
+      - name: Run init-db script
         run: |
           yarn workspace @affine/server exec prisma generate
           yarn workspace @affine/server exec prisma db push
-        env:
-          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-
-      - name: Run init-db script
-        run: |
           yarn workspace @affine/server data-migration run
-          yarn workspace @affine/server exec node --loader ts-node/esm/transpile-only ./scripts/init-db.ts
 
       - name: ${{ matrix.tests.name }}
         run: |

package.json

@@ -167,7 +167,6 @@
     "unbox-primitive": "npm:@nolyfill/unbox-primitive@latest",
     "which-boxed-primitive": "npm:@nolyfill/which-boxed-primitive@latest",
     "which-typed-array": "npm:@nolyfill/which-typed-array@latest",
-    "next-auth@^4.24.5": "patch:next-auth@npm%3A4.24.5#~/.yarn/patches/next-auth-npm-4.24.5-8428e11927.patch",
     "@reforged/maker-appimage/@electron-forge/maker-base": "7.3.0",
     "macos-alias": "npm:@napi-rs/macos-alias@latest",
     "fs-xattr": "npm:@napi-rs/xattr@latest",

packages/backend/server/migrations/20240228065558_new_auth/migration.sql

@@ -0,0 +1,70 @@
+-- DropForeignKey
+ALTER TABLE "accounts" DROP CONSTRAINT "accounts_user_id_fkey";
+
+-- DropForeignKey
+ALTER TABLE "sessions" DROP CONSTRAINT "sessions_user_id_fkey";
+
+-- CreateTable
+CREATE TABLE "user_connected_accounts" (
+    "id" VARCHAR(36) NOT NULL,
+    "user_id" VARCHAR(36) NOT NULL,
+    "provider" VARCHAR NOT NULL,
+    "provider_account_id" VARCHAR NOT NULL,
+    "scope" TEXT,
+    "access_token" TEXT,
+    "refresh_token" TEXT,
+    "expires_at" TIMESTAMPTZ(6),
+    "created_at" TIMESTAMPTZ(6) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMPTZ(6) NOT NULL,
+
+    CONSTRAINT "user_connected_accounts_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "multiple_users_sessions" (
+    "id" VARCHAR(36) NOT NULL,
+    "expires_at" TIMESTAMPTZ(6),
+    "created_at" TIMESTAMPTZ(6) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "multiple_users_sessions_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "user_sessions" (
+    "id" VARCHAR(36) NOT NULL,
+    "session_id" VARCHAR(36) NOT NULL,
+    "user_id" VARCHAR(36) NOT NULL,
+    "expires_at" TIMESTAMPTZ(6),
+    "created_at" TIMESTAMPTZ(6) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "user_sessions_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "verification_tokens" (
+    "token" VARCHAR(36) NOT NULL,
+    "type" SMALLINT NOT NULL,
+    "credential" TEXT,
+    "expiresAt" TIMESTAMPTZ(6) NOT NULL
+);
+
+-- CreateIndex
+CREATE INDEX "user_connected_accounts_user_id_idx" ON "user_connected_accounts"("user_id");
+
+-- CreateIndex
+CREATE INDEX "user_connected_accounts_provider_account_id_idx" ON "user_connected_accounts"("provider_account_id");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "user_sessions_session_id_user_id_key" ON "user_sessions"("session_id", "user_id");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "verification_tokens_type_token_key" ON "verification_tokens"("type", "token");
+
+-- AddForeignKey
+ALTER TABLE "user_connected_accounts" ADD CONSTRAINT "user_connected_accounts_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "user_sessions" ADD CONSTRAINT "user_sessions_session_id_fkey" FOREIGN KEY ("session_id") REFERENCES "multiple_users_sessions"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "user_sessions" ADD CONSTRAINT "user_sessions_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/backend/server/package.json

@@ -74,7 +74,6 @@
     "nanoid": "^5.0.6",
     "nest-commander": "^3.12.5",
     "nestjs-throttler-storage-redis": "^0.4.1",
-    "next-auth": "^4.24.5",
     "nodemailer": "^6.9.10",
     "on-headers": "^1.0.2",
     "parse-duration": "^1.1.0",

packages/backend/server/schema.prisma

@@ -10,28 +10,80 @@ datasource db {
 }
 
 model User {
-  id            String    @id @default(uuid()) @db.VarChar
-  name          String
-  email         String    @unique
-  emailVerified DateTime? @map("email_verified")
-  // image field is for the next-auth
-  avatarUrl     String?   @map("avatar_url") @db.VarChar
-  createdAt     DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
+  id              String    @id @default(uuid()) @db.VarChar
+  name            String
+  email           String    @unique
+  emailVerifiedAt DateTime? @map("email_verified")
+  avatarUrl       String?   @map("avatar_url") @db.VarChar
+  createdAt       DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
   /// Not available if user signed up through OAuth providers
-  password      String?   @db.VarChar
+  password        String?   @db.VarChar
 
-  accounts             Account[]
-  sessions             Session[]
   features             UserFeatures[]
   customer             UserStripeCustomer?
   subscription         UserSubscription?
   invoices             UserInvoice[]
   workspacePermissions WorkspaceUserPermission[]
   pagePermissions      WorkspacePageUserPermission[]
+  connectedAccounts    ConnectedAccount[]
+  sessions             UserSession[]
 
   @@map("users")
 }
 
+model ConnectedAccount {
+  id                String    @id @default(uuid()) @db.VarChar(36)
+  userId            String    @map("user_id") @db.VarChar(36)
+  provider          String    @db.VarChar
+  providerAccountId String    @map("provider_account_id") @db.VarChar
+  scope             String?   @db.Text
+  accessToken       String?   @map("access_token") @db.Text
+  refreshToken      String?   @map("refresh_token") @db.Text
+  expiresAt         DateTime? @map("expires_at") @db.Timestamptz(6)
+  createdAt         DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
+  updatedAt         DateTime  @updatedAt @map("updated_at") @db.Timestamptz(6)
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([providerAccountId])
+  @@map("user_connected_accounts")
+}
+
+model Session {
+  id        String    @id @default(uuid()) @db.VarChar(36)
+  expiresAt DateTime? @map("expires_at") @db.Timestamptz(6)
+  createdAt DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
+
+  userSessions UserSession[]
+
+  @@map("multiple_users_sessions")
+}
+
+model UserSession {
+  id        String    @id @default(uuid()) @db.VarChar(36)
+  sessionId String    @map("session_id") @db.VarChar(36)
+  userId    String    @map("user_id") @db.VarChar(36)
+  expiresAt DateTime? @map("expires_at") @db.Timestamptz(6)
+  createdAt DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
+
+  session Session @relation(fields: [sessionId], references: [id], onDelete: Cascade)
+  user    User    @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([sessionId, userId])
+  @@map("user_sessions")
+}
+
+model VerificationToken {
+  token      String   @db.VarChar(36)
+  type       Int      @db.SmallInt
+  credential String?  @db.Text
+  expiresAt  DateTime @db.Timestamptz(6)
+
+  @@unique([type, token])
+  @@map("verification_tokens")
+}
+
 model Workspace {
   id        String   @id @default(uuid()) @db.VarChar
   public    Boolean
@@ -186,7 +238,7 @@ model Features {
   @@map("features")
 }
 
-model Account {
+model DeprecatedNextAuthAccount {
   id                String  @id @default(cuid())
   userId            String  @map("user_id")
   type              String
@@ -200,23 +252,20 @@ model Account {
   id_token          String? @db.Text
   session_state     String?
 
-  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
-
   @@unique([provider, providerAccountId])
   @@map("accounts")
 }
 
-model Session {
+model DeprecatedNextAuthSession {
   id           String   @id @default(cuid())
   sessionToken String   @unique @map("session_token")
   userId       String   @map("user_id")
   expires      DateTime
-  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
 
   @@map("sessions")
 }
 
-model VerificationToken {
+model DeprecatedNextAuthVerificationToken {
   identifier String
   token      String   @unique
   expires    DateTime

packages/backend/server/src/app.module.ts

@@ -1,13 +1,13 @@
 import { join } from 'node:path';
 
 import { Logger, Module } from '@nestjs/common';
-import { APP_INTERCEPTOR } from '@nestjs/core';
+import { APP_GUARD, APP_INTERCEPTOR } from '@nestjs/core';
 import { ScheduleModule } from '@nestjs/schedule';
 import { ServeStaticModule } from '@nestjs/serve-static';
 import { get } from 'lodash-es';
 
 import { AppController } from './app.controller';
-import { AuthModule } from './core/auth';
+import { AuthGuard, AuthModule } from './core/auth';
 import { ADD_ENABLED_FEATURES, ServerConfigModule } from './core/config';
 import { DocModule } from './core/doc';
 import { FeatureModule } from './core/features';
@@ -25,14 +25,14 @@ import {
 } from './fundamentals/config';
 import { EventModule } from './fundamentals/event';
 import { GqlModule } from './fundamentals/graphql';
+import { HelpersModule } from './fundamentals/helpers';
 import { MailModule } from './fundamentals/mailer';
 import { MetricsModule } from './fundamentals/metrics';
 import { PrismaModule } from './fundamentals/prisma';
-import { SessionModule } from './fundamentals/session';
 import { StorageProviderModule } from './fundamentals/storage';
 import { RateLimiterModule } from './fundamentals/throttler';
 import { WebSocketModule } from './fundamentals/websocket';
-import { pluginsMap } from './plugins';
+import { REGISTERED_PLUGINS } from './plugins';
 
 export const FunctionalityModules = [
   ConfigModule.forRoot(),
@@ -42,9 +42,9 @@ export const FunctionalityModules = [
   PrismaModule,
   MetricsModule,
   RateLimiterModule,
-  SessionModule,
   MailModule,
   StorageProviderModule,
+  HelpersModule,
 ];
 
 export class AppModuleBuilder {
@@ -109,6 +109,10 @@ export class AppModuleBuilder {
           provide: APP_INTERCEPTOR,
           useClass: CacheInterceptor,
         },
+        {
+          provide: APP_GUARD,
+          useClass: AuthGuard,
+        },
       ],
       imports: this.modules,
       controllers: this.config.isSelfhosted ? [] : [AppController],
@@ -157,7 +161,7 @@ function buildAppModule() {
 
   // plugin modules
   AFFiNE.plugins.enabled.forEach(name => {
-    const plugin = pluginsMap.get(name as AvailablePlugins);
+    const plugin = REGISTERED_PLUGINS.get(name as AvailablePlugins);
     if (!plugin) {
       throw new Error(`Unknown plugin ${name}`);
     }