import type { NextAuthOptions } from "next-auth"; import CredentialsProvider from "next-auth/providers/credentials"; export const authOptions: NextAuthOptions = { providers: [ CredentialsProvider({ name: "credentials", credentials: { email: { label: "Email", type: "email" }, password: { label: "Password", type: "password" }, }, async authorize(credentials) { if (!credentials?.email || !credentials?.password) return null; const adminEmail = process.env.ADMIN_EMAIL; const adminPassword = process.env.ADMIN_PASSWORD; if (!adminEmail || !adminPassword) { throw new Error("ADMIN_EMAIL and ADMIN_PASSWORD env vars must be set"); } if ( credentials.email === adminEmail && credentials.password === adminPassword ) { // Return minimal session user — no DB lookup needed return { id: "admin", email: adminEmail, name: "Admin" }; } return null; // null = unauthorized (NextAuth returns 401) }, }), ], session: { strategy: "jwt", // stateless JWT — no DB session table (per D-03) maxAge: 7 * 24 * 60 * 60, // 7 days (reduced from 30 for security) updateAge: 24 * 60 * 60, // rotate token daily on active use }, pages: { signIn: "/admin/login", // custom login page (per D-07) }, callbacks: { async jwt({ token, user }) { if (user) { token.id = user.id; } return token; }, async session({ session, token }) { if (session.user) { (session.user as { id?: string }).id = token.id as string; } return session; }, }, };