production auth: signup, login, protected dashboard, landing page, WAHA QR fix

AUTH: - NextAuth with credentials provider (bcrypt password hashing) - /api/auth/signup: creates org + user in transaction - /login, /signup pages with clean minimal UI - Middleware protects all /dashboard/* routes → redirects to /login - Session-based org resolution (no more hardcoded 'demo' headers) - SessionProvider wraps entire app - Dashboard header shows org name + sign out button LANDING PAGE: - Full marketing page at / with hero, problem, how-it-works, features, CTA - 'Get Started Free' → /signup → auto-login → /dashboard/setup - Clean responsive design, no auth required for public pages WAHA QR FIX: - WAHA CORE doesn't expose QR value via API or webhook - Now uses /api/screenshot (full browser capture) with CSS crop to QR area - Settings panel shows cropped screenshot with overflow:hidden - Auto-polls every 5s, refresh button MULTI-TENANT: - getOrgId() tries session first, then header, then first-org fallback - All dashboard APIs use session-based org - Signup creates isolated org per charity
2026-03-03 05:37:04 +08:00
parent 6894f091fd
commit 4f23f28873
22 changed files with 708 additions and 221 deletions
--- a/pledge-now-pay-later/src/lib/auth.ts
+++ b/pledge-now-pay-later/src/lib/auth.ts
@@ -0,0 +1,69 @@
+import { type NextAuthOptions } from "next-auth"
+import CredentialsProvider from "next-auth/providers/credentials"
+import { compare } from "bcryptjs"
+import prisma from "@/lib/prisma"
+
+export const authOptions: NextAuthOptions = {
+  session: { strategy: "jwt" },
+  pages: {
+    signIn: "/login",
+    newUser: "/dashboard/setup",
+  },
+  providers: [
+    CredentialsProvider({
+      name: "credentials",
+      credentials: {
+        email: { label: "Email", type: "email" },
+        password: { label: "Password", type: "password" },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password || !prisma) return null
+
+        const user = await prisma.user.findUnique({
+          where: { email: credentials.email.toLowerCase().trim() },
+          include: { organization: { select: { id: true, name: true, slug: true } } },
+        })
+
+        if (!user || !user.hashedPassword) return null
+
+        const valid = await compare(credentials.password, user.hashedPassword)
+        if (!valid) return null
+
+        return {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+          role: user.role,
+          orgId: user.organizationId,
+          orgName: user.organization.name,
+          orgSlug: user.organization.slug,
+        }
+      },
+    }),
+  ],
+  callbacks: {
+    async jwt({ token, user }) {
+      if (user) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const u = user as any
+        token.role = u.role
+        token.orgId = u.orgId
+        token.orgName = u.orgName
+        token.orgSlug = u.orgSlug
+      }
+      return token
+    },
+    async session({ session, token }) {
+      if (session.user) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const s = session as any
+        s.user.id = token.sub
+        s.user.role = token.role
+        s.user.orgId = token.orgId
+        s.user.orgName = token.orgName
+        s.user.orgSlug = token.orgSlug
+      }
+      return session
+    },
+  },
+}