import { createHash, randomBytes } from 'node:crypto' import NextAuth from 'next-auth' import CredentialsProvider from 'next-auth/providers/credentials' import GitHubProvider from 'next-auth/providers/github' import TwitterProvider from 'next-auth/providers/twitter' import EmailProvider from 'next-auth/providers/email' import prisma from '@/api/models' import nodemailer from 'nodemailer' import { PrismaAdapter } from '@auth/prisma-adapter' import { NodeNextRequest, NodeNextResponse } from 'next/dist/server/base-http/node' import { getToken, encode as encodeJWT } from 'next-auth/jwt' import { datePivot } from '@/lib/time' import { schnorr } from '@noble/curves/secp256k1' import { notifyReferral } from '@/lib/webPush' import { hashEmail } from '@/lib/crypto' import * as cookie from 'cookie' import { multiAuthMiddleware } from '@/pages/api/graphql' import { BECH32_CHARSET } from '@/lib/constants' /** * Stores userIds in user table * @returns {Partial} * */ function getEventCallbacks () { return { async linkAccount ({ user, profile, account }) { if (account.provider === 'github') { await prisma.user.update({ where: { id: }, data: { githubId: } }) } else if (account.provider === 'twitter') { await prisma.user.update({ where: { id: }, data: { twitterId: } }) } }, async signIn ({ user, profile, account, isNewUser }) { if (account.provider === 'github') { await prisma.user.update({ where: { id: }, data: { githubId: } }) } else if (account.provider === 'twitter') { await prisma.user.update({ where: { id: }, data: { twitterId: } }) } } } } async function getReferrerFromCookie (referrer) { let referrerId let type let typeId try { if (referrer.startsWith('item-')) { const item = await prisma.item.findUnique({ where: { id: parseInt(referrer.slice(5)) } }) type = item?.parentId ? 'COMMENT' : 'POST' referrerId = item?.userId typeId = item?.id } else if (referrer.startsWith('profile-')) { const user = await prisma.user.findUnique({ where: { name: referrer.slice(8) } }) type = 'PROFILE' referrerId = user?.id typeId = user?.id } else if (referrer.startsWith('territory-')) { type = 'TERRITORY' typeId = referrer.slice(10) const sub = await prisma.sub.findUnique({ where: { name: typeId } }) referrerId = sub?.userId } else { return { referrerId: (await prisma.user.findUnique({ where: { name: referrer } }))?.id } } } catch (error) { console.error('error getting referrer id', error) return } return { referrerId, type, typeId: String(typeId) } } async function getReferrerData (referrer, landing) { const referrerData = await getReferrerFromCookie(referrer) if (landing) { const landingData = await getReferrerFromCookie(landing) // explicit referrer takes precedence over landing referrer return { ...landingData, ...referrerData } } return referrerData } /** @returns {Partial} */ function getCallbacks (req, res) { return { /** * @param {object} token Decrypted JSON Web Token * @param {object} user User object (only available on sign in) * @param {object} account Provider account (only available on sign in) * @param {object} profile Provider profile (only available on sign in) * @param {boolean} isNewUser True if new user (only available on sign in) * @return {object} JSON Web Token that will be saved */ async jwt ({ token, user, account, profile, isNewUser }) { if (user) { // token won't have an id on it for new logins, we add it // note: token is what's kept in the jwt = Number( // if referrer exists, set on user // isNewUser doesn't work for nostr/lightning auth because we create the user before nextauth can // this means users can update their referrer if they don't have one, which is fine if (req.cookies.sn_referrer && user?.id) { const referrerData = await getReferrerData(req.cookies.sn_referrer, req.cookies.sn_referee_landing) if (referrerData?.referrerId && referrerData.referrerId !== parseInt(user?.id)) { // if user doesn't have a referrer, record it in the db const { count } = await prisma.user.updateMany({ where: { id:, referrerId: null }, data: { referrerId: referrerData.referrerId } }) if (count > 0) { // if user has an associated landing, record it in the db if (referrerData.type && referrerData.typeId) { await prisma.oneDayReferral.create({ data: { ...referrerData, refereeId:, landing: true } }) } notifyReferral(referrerData.referrerId) } } } } if (token?.id) { // HACK token.sub is used by nextjs v4 internally and is used like a userId // setting it here allows us to link multiple auth method to an account // ... in v3 this linking field was token.sub = Number( } // add multi_auth cookie for user that just logged in if (user && req && res) { const secret = process.env.NEXTAUTH_SECRET const jwt = await encodeJWT({ token, secret }) const me = await prisma.user.findUnique({ where: { id: } }) setMultiAuthCookies(new NodeNextRequest(req), new NodeNextResponse(res), {, jwt }) } return token }, async session ({ session, token }) { // note: this function takes the current token (result of running jwt above) // and returns a new object session that's returned whenever get|use[Server]Session is called = return session } } } function setMultiAuthCookies (req, res, { id, jwt, name, photoId }) { const b64Encode = obj => Buffer.from(JSON.stringify(obj)).toString('base64') const b64Decode = s => JSON.parse(Buffer.from(s, 'base64')) // default expiration for next-auth JWTs is in 1 month const expiresAt = datePivot(new Date(), { months: 1 }) const secure = process.env.NODE_ENV === 'production' const cookieOptions = { path: '/', httpOnly: true, secure, sameSite: 'lax', expires: expiresAt } // add JWT to **httpOnly** cookie res.appendHeader('Set-Cookie', cookie.serialize(`multi_auth.${id}`, jwt, cookieOptions)) // switch to user we just added res.appendHeader('Set-Cookie', cookie.serialize('multi_auth.user-id', id, { ...cookieOptions, httpOnly: false })) let newMultiAuth = [{ id, name, photoId }] if (req.cookies.multi_auth) { const oldMultiAuth = b64Decode(req.cookies.multi_auth) // make sure we don't add duplicates if (oldMultiAuth.some(({ id: id_ }) => id_ === id)) return newMultiAuth = [...oldMultiAuth, ...newMultiAuth] } res.appendHeader('Set-Cookie', cookie.serialize('multi_auth', b64Encode(newMultiAuth), { ...cookieOptions, httpOnly: false })) } async function pubkeyAuth (credentials, req, res, pubkeyColumnName) { const { k1, pubkey } = credentials // are we trying to add a new account for switching between? const { body } = req.body const multiAuth = typeof body.multiAuth === 'string' ? body.multiAuth === 'true' : !!body.multiAuth try { // does the given challenge (k1) exist in our db? const lnauth = await prisma.lnAuth.findUnique({ where: { k1 } }) // delete challenge to prevent replay attacks await prisma.lnAuth.delete({ where: { k1 } }) // does the given pubkey match the one for which we verified the signature? if (lnauth.pubkey === pubkey) { // does the pubkey already exist in our db? let user = await prisma.user.findUnique({ where: { [pubkeyColumnName]: pubkey } }) // make following code aware of cookie pointer for account switching req = multiAuthMiddleware(req) // token will be undefined if we're not logged in at all or if we switched to anon const token = await getToken({ req }) if (!user) { // we have not seen this pubkey before // only update our pubkey if we're logged in (token exists) // and we're not currently trying to add a new account if (token?.id && !multiAuth) { user = await prisma.user.update({ where: { id: }, data: { [pubkeyColumnName]: pubkey } }) } else { // we're not logged in: create new user with that pubkey user = await prisma.user.create({ data: { name: pubkey.slice(0, 10), [pubkeyColumnName]: pubkey } }) } } return user } } catch (error) { console.log(error) } return null } async function nostrEventAuth (event) { // parse event const e = JSON.parse(event) // is the event id a hash of this event const id = createHash('sha256').update( JSON.stringify( [0, e.pubkey, e.created_at, e.kind, e.tags, e.content] ) ).digest('hex') if (id !== { throw new Error('invalid event id') } // is the signature valid if (!(await schnorr.verify(e.sig,, e.pubkey))) { throw new Error('invalid signature') } // is the challenge present in the event if (!(e.tags[0].length === 2 && e.tags[0][0] === 'challenge')) { throw new Error('expected tags = [["challenge", ]]') } const pubkey = e.pubkey const k1 = e.tags[0][1] await prisma.lnAuth.update({ data: { pubkey }, where: { k1 } }) return { k1, pubkey } } /** @type {import('next-auth/providers').Provider[]} */ const getProviders = res => [ CredentialsProvider({ id: 'lightning', name: 'Lightning', credentials: { pubkey: { label: 'publickey', type: 'text' }, k1: { label: 'k1', type: 'text' } }, authorize: async (credentials, req) => { return await pubkeyAuth(credentials, new NodeNextRequest(req), new NodeNextResponse(res), 'pubkey') } }), CredentialsProvider({ id: 'nostr', name: 'Nostr', credentials: { event: { label: 'event', type: 'text' } }, authorize: async ({ event }, req) => { const credentials = await nostrEventAuth(event) return await pubkeyAuth(credentials, new NodeNextRequest(req), new NodeNextResponse(res), 'nostrAuthPubkey') } }), GitHubProvider({ clientId: process.env.GITHUB_ID, clientSecret: process.env.GITHUB_SECRET, authorization: { url: '', params: { scope: '' } }, profile (profile) { return { id:, name: profile.login } } }), TwitterProvider({ clientId: process.env.TWITTER_ID, clientSecret: process.env.TWITTER_SECRET, profile (profile) { return { id:, name: profile.screen_name } } }), EmailProvider({ server: process.env.LOGIN_EMAIL_SERVER, from: process.env.LOGIN_EMAIL_FROM, maxAge: 5 * 60, // expires in 5 minutes generateVerificationToken: generateRandomString, sendVerificationRequest }) ] /** @returns {import('next-auth').AuthOptions} */ export const getAuthOptions = (req, res) => ({ callbacks: getCallbacks(req, res), providers: getProviders(res), adapter: { ...PrismaAdapter(prisma), createUser: data => { // replace email with email hash in new user payload if ( { const { email } = data data.emailHash = hashEmail({ email }) delete // used to be used for name of new accounts. since it's missing, let's generate a new name = data.emailHash.substring(0, 10) // sign them up for the newsletter // don't await it, let it run async enrollInNewsletter({ email }) } return prisma.user.create({ data }) }, getUserByEmail: async email => { const hashedEmail = hashEmail({ email }) let user = await prisma.user.findUnique({ where: { // lookup by email hash since we don't store plaintext emails any more emailHash: hashedEmail } }) if (!user) { user = await prisma.user.findUnique({ where: { // lookup by email as a fallback in case a user attempts to login by email during the migration // and their email hasn't been migrated yet email } }) } // HACK! // Email HTML body
const html = ({ url, token, site, email }) => {
  const escapedEmail = `${email.replace(/\./g, '​.')}`
  const escapedSite = `${site.replace(/\./g, '​.')}`
  const backgroundColor = '#f5f5f5'
  const textColor = '#212529'
  const mainBackgroundColor = '#ffffff'
  return `
login with ${escapedEmail}
copy this magic code
Expires in 5 minutes
If you did not request this email you can safely ignore it.
// Email text body –fallback for email clients that don't render HTML
const text = ({ url, token, site }) => `Sign in to ${site}\ncopy this code: ${token}\n\n\nExpires in 5 minutes`

const newUserHtml = ({ url, token, site, email }) => {
  const escapedEmail = `${email.replace(/\./g, '​.')}`
  const dailyUrl = new URL('/daily', process.env.NEXT_PUBLIC_URL).href
  const guideUrl = new URL('/guide', process.env.NEXT_PUBLIC_URL).href
  const faqUrl = new URL('/faq', process.env.NEXT_PUBLIC_URL).href
  const topUrl = new URL('/top/stackers/forever', process.env.NEXT_PUBLIC_URL).href
  const postUrl = new URL('/post', process.env.NEXT_PUBLIC_URL).href
  const backgroundColor = '#f5f5f5'
  const textColor = '#212529'
  const mainBackgroundColor = '#ffffff'
  return `
Welcome to Stacker News!
If you know how Stacker News works, copy the magic code below.
If you want to learn how Stacker News works, keep reading.
login with ${escapedEmail}
copy this magic code
Expires in 5 minutes
Stacker News is like Reddit or Hacker News, but it pays you Bitcoin. Instead of giving posts or comments "upvotes," Stacker News users (aka stackers) send you small amounts of Bitcoin called sats.
In fact, some stackers have already stacked millions of sats just for posting and starting thoughtful conversations.
To start earning sats, click here to make your first post. You can share links, discussion questions, polls, or even bounties with other stackers. This guide offers some useful tips and best practices for sharing content on Stacker News.
If you're not sure what to share, click here to introduce yourself to the community with a comment on the daily discussion thread.
If you still have questions, click here to learn more about Stacker News by reading our FAQ.
If anything isn't clear, comment on the FAQ post and we'll answer your question.
Stacker News
P.S. We're thrilled you're joinin' the posse!
If you did not request this email you can safely ignore it.
` }