
    Authentication in Sourcebot


    How does authentication work?

    Answer

    Authentication in Sourcebot

    Sourcebot's authentication system is built on NextAuth.js with a JWT-based session strategy and uses an encrypted Prisma adapter for database persistence. The core configuration lives in auth.ts.

    Core NextAuth Configuration

    The main NextAuth() call exports handlers, signIn, signOut, and auth auth.ts:147-253. Key settings include:

    • Session strategy: JWT (strategy: "jwt") auth.ts:150-152
    • Database adapter: EncryptedPrismaAdapter which wraps the standard Prisma adapter to automatically encrypt OAuth tokens (access, refresh, id tokens) before storage encryptedPrismaAdapter.ts:21-30
    • Custom login page: /login auth.ts:248-252

    Authentication Providers

    Providers are assembled via the getProviders() function auth.ts:52-145. There are two built-in provider types:

    1. Email/Magic Link – enabled when SMTP_CONNECTION_URL, EMAIL_FROM_ADDRESS, and AUTH_EMAIL_CODE_LOGIN_ENABLED are set. Sends a 6-digit OTP code via email using Nodemailer auth.ts:55-83
    2. Credentials (email + password) – enabled when AUTH_CREDENTIALS_LOGIN_ENABLED is true. On first login for an unknown email, it auto-creates the user with a bcrypt-hashed password. For existing users, it verifies the password via bcrypt.compareSync auth.ts:85-141

    Enterprise SSO Providers (EE)

    When the sso entitlement is present, enterprise identity providers are loaded from the config file via getEEIdentityProviders() sso.ts:22-119. Supported providers include:

    • GitHub (including GitHub Enterprise) sso.ts:121-144
    • GitLab (including self-hosted) sso.ts:146-174
    • Google sso.ts:176-182
    • Okta sso.ts:184-191
    • Keycloak sso.ts:193-200
    • Microsoft Entra ID sso.ts:202-209
    • Authentik sso.ts:211-218
    • GCP IAP (verifies x-goog-iap-jwt-assertion header) sso.ts:220-294

    Each provider has a purpose of either "sso" (for login) or "account_linking" (for linking additional accounts), and can optionally be required auth.ts:28-32.

    JWT & Session Callbacks

    • JWT callback: Caches the userId in the JWT token on sign-in, and refreshes linked account tokens if the permission-syncing entitlement is present auth.ts:214-229
    • Session callback: Propagates the userId and any linkedAccountProviderErrors from the JWT to the session object (which is sent to the client) auth.ts:230-245

    Token Encryption

    OAuth tokens are encrypted before database storage via encryptAccountTokens in the adapter encryptedPrismaAdapter.ts:9-16 and via encryptAccountData during re-authentication updates in the signIn event auth.ts:156-178.

    Request-Level Authentication (withAuthV2)

    Server actions and API endpoints use withAuthV2 to authenticate requests withAuthV2.ts:27-41. The getAuthenticatedUser function supports two authentication methods withAuthV2.ts:101-154:

    1. JWT session – calls auth() from NextAuth to check for a valid session withAuthV2.ts:103-116
    2. API Key – if no session, checks the X-Sourcebot-Api-Key header. API keys are formatted as sourcebot-<secret>, hashed, and looked up in the database withAuthV2.ts:119-151

    There's also withOptionalAuthV2 for routes that support anonymous access (when the org has it enabled and the anonymous-access entitlement is present) withAuthV2.ts:43-67.

    Role-Based Authorization

    Authorization is organization-based with three roles: GUEST, MEMBER, and OWNER. The withMinimumOrgRole helper enforces role-level checks with a numeric precedence system withAuthV2.ts:179-207.

    User Creation & Organization Assignment

    When a new user signs up, the onCreateUser callback authUtils.ts:19-126:

    • Makes the first user the OWNER of the default organization authUtils.ts:76-109
    • Subsequent users are added as MEMBER if the org doesn't require member approval and has available seats authUtils.ts:110-124

    Audit Logging

    Sign-in and sign-out events are logged via the audit service auth.ts:180-211.
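The request-level flow and role check described above (session first, then the X-Sourcebot-Api-Key header with a sourcebot-&lt;secret&gt; key that is hashed and looked up, then a numeric role precedence) as an added illustration, not code from the Sourcebot project. The function names, the SHA-256 hashing, the in-memory user and API-key tables and the sample users are all assumptions made for the example; the real implementation lives in withAuthV2.ts.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hypothetical, simplified model of the flow the answer describes.
// Roles carry a numeric precedence so "at least MEMBER" is a single comparison.
type OrgRole = "GUEST" | "MEMBER" | "OWNER";
const ROLE_PRECEDENCE: Record<OrgRole, number> = { GUEST: 0, MEMBER: 1, OWNER: 2 };

interface User { id: string; email: string; role: OrgRole }
interface Session { userId: string }
type HeaderMap = Record<string, string>; // header names assumed lower-cased by the framework
interface Result<T> { ok?: T; error?: "unauthenticated" | "forbidden" }

// Constructed in-memory "database" standing in for Prisma tables.
const users = new Map<string, User>([
  ["u1", { id: "u1", email: "owner@example.test", role: "OWNER" }],
  ["u2", { id: "u2", email: "member@example.test", role: "MEMBER" }],
]);
// Only the hash of an API-key secret is stored, never the secret itself.
const apiKeyHashByUser = new Map<string, string>(); // sha256(secret) -> userId

const API_KEY_PREFIX = "sourcebot-";

// Assumption: SHA-256 of the secret; the page does not name the hash function.
function hashApiKey(secret: string): string {
  return createHash("sha256").update(secret).digest("hex");
}

// Mint a key: the plaintext is returned exactly once and only its hash persists.
function createApiKey(userId: string): string {
  const secret = randomBytes(32).toString("hex");
  apiKeyHashByUser.set(hashApiKey(secret), userId);
  return API_KEY_PREFIX + secret;
}

// Method 1: a NextAuth session. Method 2: the X-Sourcebot-Api-Key header.
function getAuthenticatedUser(session: Session | null, headers: HeaderMap): User | null {
  if (session) {
    return users.get(session.userId) ?? null;
  }
  const header = headers["x-sourcebot-api-key"];
  if (!header || !header.startsWith(API_KEY_PREFIX)) return null;
  const secret = header.slice(API_KEY_PREFIX.length);
  if (secret.length === 0) return null;
  const userId = apiKeyHashByUser.get(hashApiKey(secret));
  return userId === undefined ? null : users.get(userId) ?? null;
}

function hasMinimumOrgRole(user: User, minimum: OrgRole): boolean {
  return ROLE_PRECEDENCE[user.role] >= ROLE_PRECEDENCE[minimum];
}

// Wrap a handler so it runs only for an authenticated user holding at least `minimum`.
function withMinimumOrgRole<T>(minimum: OrgRole, handler: (user: User) => T) {
  return (session: Session | null, headers: HeaderMap): Result<T> => {
    const user = getAuthenticatedUser(session, headers);
    if (!user) return { error: "unauthenticated" };
    if (!hasMinimumOrgRole(user, minimum)) return { error: "forbidden" };
    return { ok: handler(user) };
  };
}

// Usage: an OWNER-only action reached once via session and once via API key.
const ownerOnlyAction = withMinimumOrgRole("OWNER", (u) => `performed by ${u.id}`);
const memberKey = createApiKey("u2");
console.log(ownerOnlyAction({ userId: "u1" }, {}));                    // { ok: "performed by u1" }
console.log(ownerOnlyAction(null, { "x-sourcebot-api-key": memberKey })); // { error: "forbidden" }
```

The two points worth noting are that a malformed or unknown key falls through to "unauthenticated" without revealing whether the prefix or the secret was wrong, and that the role check is a plain integer comparison, so adding a role means assigning it a precedence rather than touching every call site.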

    auth.ts
    encryptedPrismaAdapter.ts
    sso.ts
    withAuthV2.ts
    authUtils.ts
