vibn-frontend/lib/auth/authOptions.ts

import { NextAuthOptions } from "next-auth";
import GoogleProvider from "next-auth/providers/google";
import { PrismaAdapter } from "@next-auth/prisma-adapter";
import { PrismaClient } from "@prisma/client";
import { query } from "@/lib/db-postgres";

const prisma = new PrismaClient();

export const authOptions: NextAuthOptions = {
  adapter: PrismaAdapter(prisma),
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID || "",
      clientSecret: process.env.GOOGLE_CLIENT_SECRET || "",
    }),
  ],
  pages: {
    signIn: "/auth",
    error: "/auth",
  },
  callbacks: {
    async session({ session, user }) {
      if (session.user) {
        session.user.id = user.id;
      }
      return session;
    },
    async signIn({ user }) {
      if (!user?.email) return true;
      try {
        const workspace =
          user.email.split("@")[0].toLowerCase().replace(/[^a-z0-9]+/g, "-") + "-account";
        const data = JSON.stringify({
          email: user.email,
          name: user.name,
          image: user.image,
          workspace,
        });

        // Two-step upsert avoids relying on ON CONFLICT expression matching
        const existing = await query<{ id: string }>(
          `SELECT id FROM fs_users WHERE data->>'email' = $1 LIMIT 1`,
          [user.email]
        );
        if (existing.length === 0) {
          await query(
            `INSERT INTO fs_users (id, user_id, data) VALUES (gen_random_uuid()::text, $1, $2::jsonb)`,
            [user.id, data]
          );
        } else {
          await query(
            `UPDATE fs_users SET user_id = $1, data = data || $2::jsonb, updated_at = NOW() WHERE id = $3`,
            [user.id, data, existing[0].id]
          );
        }
      } catch (e) {
        console.error("[signIn] Failed to upsert fs_user:", e);
      }
      return true;
    },
  },
  session: {
    strategy: "database",
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
  secret: process.env.NEXTAUTH_SECRET,
  cookies: {
    sessionToken: {
      name: `__Secure-next-auth.session-token`,
      options: {
        httpOnly: true,
        sameSite: "lax",
        path: "/",
        secure: true,
        domain: ".vibnai.com", // share across all subdomains (theia.vibnai.com, etc.)
      },
    },
  },
};