A multi-seat license auth server with revokable sessions, webhook control, and email support. Written in TypeScript using Next.js, Prisma, and a touch of Tailwind for the password reset form flow.
This is a work in progress template app that I use to scaffold new projects.
- Clone the repo and run
npm i
- Add a database, such as sqlite
touch ./prisma/auth.db
or update the prisma schema file to connect to postgres - Add jwt tokens to a .env file
// Generate random string
node -e "console.log(require('crypto').randomBytes(256).toString('base64'));"
After that you have a basic Next.js app. Your next steps should be the following:
- Update
lib/email.ts
with custom messages, or use a different service like Postmark - Error messages were kept relatively generic. You may want to iterate on those
- Decide the rate limiting strategy for the auth routes. Check out the Upstash setup from Next.js (I may integrate this into the repo as a starter if requested)
You first need to create a user manually.
npm run create-admin email@example.com "Your Name"
Then you want to visit /reset-password
to receive an email with a link to the password reset page.
Next you would design your application to send the email and password to /api/auth/login
and receive a long-lived refresh token in the cookie (and response), and a 10 minute access token that you will keep in the browser's memory (don't store these in local storage or session storage). If not using a browser-based app, store the refresh token securly depending on the context of your application.
Logging in will check against available licenses * seats
, and if no remaining licenses exist, the token will be set to limited: true
so your resource server can possibly show different (trial?) data. If a license is changed or deleted, the user will be asked to log in again.
Your application should request a new refresh token every 10 minutes from /api/auth/refresh-token
which confirms the session is still active. This allows the session to be revoked (via a webhook). You also need to run the scripts/prune-sessions
to delete sessions where the license has expired.
Webhooks are available to admins by requesting one on /api/webhooks/create
by a user with an ADMIN
role. This is a long-lived token that gives access to pre defined commands. See lib/webhooks
for the basic commands I added. Sending a POST request to /api/webhooks
with the function name in kebab case action: create-user
and the required payload will result in a successful execution.
You can create users with a license from your main application, for example, after a sucessful item is purchased from your store. the access token can be then used on a 3rd server to provice access to resources.