feat: add cookie-based last login tracking for NextAuth #391
Implements a cookie-based solution to track the last login timestamp and OAuth provider used, similar to Better Auth's last-login-method plugin but adapted for NextAuth.

Changes:
- Modified NextAuth handler to intercept OAuth callbacks and set a 'last-login' cookie
- Cookie contains JSON with timestamp and provider name (google, github, discord, linkedin, azure-ad)
- Cookie is HttpOnly, SameSite=Lax, with 1-year expiration
- Added utility functions in src/utils/last-login.ts for reading and formatting the cookie data
- Includes helper functions for client-side and server-side cookie access
- Added comprehensive documentation in LAST_LOGIN_USAGE.md with usage examples

This implementation uses cookies instead of database storage to minimize overhead and complexity.
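As an added example (not code from PR #391 or its project), the server-side half of what the description sketches: serializing the JSON payload into a cookie with the stated attributes, appending it to the response without dropping the Set-Cookie headers NextAuth already wrote, and reading it back on the server with the value treated as untrusted input. The helper names, the `KNOWN_PROVIDERS` list, the `Secure` attribute and the `CookieResponse` stand-in for Node's `ServerResponse` are assumptions.

```typescript
// Added example; not code from PR #391 or its project. Helper names,
// KNOWN_PROVIDERS and the Secure attribute are assumptions.

const LAST_LOGIN_COOKIE = "last-login";
const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365; // 31536000
const KNOWN_PROVIDERS = ["google", "github", "discord", "linkedin", "azure-ad"] as const;
export type Provider = (typeof KNOWN_PROVIDERS)[number];

export interface LastLoginInfo {
  provider: Provider;
  timestamp: number; // epoch milliseconds
}

// Build the Set-Cookie header value. JSON contains '"', ',' and ':', which are
// not legal inside a raw cookie-value, so the payload is percent-encoded.
export function serializeLastLoginCookie(info: LastLoginInfo, secure = true): string {
  const payload = encodeURIComponent(JSON.stringify(info));
  const attrs = [
    `${LAST_LOGIN_COOKIE}=${payload}`,
    "Path=/",
    `Max-Age=${ONE_YEAR_SECONDS}`,
    "HttpOnly",
    "SameSite=Lax",
  ];
  if (secure) attrs.push("Secure"); // assumption: only ever send over HTTPS
  return attrs.join("; ");
}

// Minimal shape of the Node ServerResponse a pages/api handler receives.
export interface CookieResponse {
  getHeader(name: string): string | string[] | number | undefined;
  setHeader(name: string, value: string | string[]): unknown;
}

// Append a Set-Cookie header without dropping the ones NextAuth already wrote
// (session token, CSRF token, callback URL). Multiple cookies need an array.
export function appendSetCookie(res: CookieResponse, cookie: string): string[] {
  const existing = res.getHeader("Set-Cookie");
  const list: string[] =
    existing === undefined ? [] : Array.isArray(existing) ? [...existing] : [String(existing)];
  list.push(cookie);
  res.setHeader("Set-Cookie", list);
  return list;
}

// Parse a raw Cookie request header into name -> decoded value. Splits each
// pair on the first "=" only, so values that contain "=" are kept whole.
export function parseCookieHeader(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      out.set(name, decodeURIComponent(part.slice(eq + 1).trim()));
    } catch {
      // malformed percent-escape: drop this cookie rather than throw
    }
  }
  return out;
}

// Server-side read. HttpOnly means only this path ever sees the cookie, and
// because the value is unsigned it is validated like any other request input.
export function readLastLogin(
  cookieHeader: string | undefined,
  now: number = Date.now(),
): LastLoginInfo | null {
  const raw = parseCookieHeader(cookieHeader).get(LAST_LOGIN_COOKIE);
  if (raw === undefined) return null;
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null) return null;
  const { provider, timestamp } = parsed as Record<string, unknown>;
  if (typeof provider !== "string" || !(KNOWN_PROVIDERS as readonly string[]).includes(provider)) {
    return null;
  }
  // Reject non-numeric or future timestamps (allowing a minute of clock skew).
  if (typeof timestamp !== "number" || !Number.isFinite(timestamp) || timestamp > now + 60000) {
    return null;
  }
  return { provider: provider as Provider, timestamp };
}
```

Because the cookie is HttpOnly, `readLastLogin` is the only place the value can be read; a page that needs it in the browser should get it from an API route or `getServerSideProps` rather than from `document.cookie`. Nothing here signs the value, so `provider` and `timestamp` are display hints a user could rewrite in their own browser, never an authorization signal.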
Greptile Summary

Implements cookie-based tracking of last login timestamp and OAuth provider by intercepting NextAuth callbacks and setting a custom cookie. However, the implementation has a critical flaw: the cookie is marked as HttpOnly (for security), which prevents client-side JavaScript from accessing it via

Major issues:

Missing from PR description:

The feature needs to either remove the HttpOnly flag (reducing security) or update the documentation to clarify that client-side access is not possible and remove the non-functional

Confidence Score: 1/5
Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant Browser
    participant NextAuthHandler
    participant OAuthProvider
    participant LastLoginCookie
    User->>Browser: Initiate OAuth login
    Browser->>NextAuthHandler: Start auth flow
    NextAuthHandler->>OAuthProvider: Redirect for authentication
    OAuthProvider->>User: Display consent screen
    User->>OAuthProvider: Approve access
    OAuthProvider->>NextAuthHandler: Callback with credentials
    Note over NextAuthHandler: Extract provider from callback URL
    NextAuthHandler->>NextAuthHandler: Override setHeader method
    NextAuthHandler->>LastLoginCookie: Set HttpOnly cookie with timestamp and provider
    NextAuthHandler->>Browser: Redirect with session and cookie
    alt Client-side cookie access
        Browser->>LastLoginCookie: Attempt document.cookie read
        LastLoginCookie-->>Browser: Blocked by HttpOnly flag
    end
    alt Server-side cookie access
        Browser->>NextAuthHandler: Send request with cookies
        NextAuthHandler->>LastLoginCookie: Read from req.cookies
        LastLoginCookie-->>NextAuthHandler: Return timestamp and provider data
        NextAuthHandler->>Browser: Send response with login info
    end
```
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
3 files reviewed, 4 comments
|
|
||
| ## Security Notes | ||
|
|
||
| - The cookie is **HttpOnly**, meaning it cannot be accessed via JavaScript on the client side for security purposes. Use the provided utility functions instead. |
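Review bot: the Security Notes bullet only states that the cookie is HttpOnly; it should also say that the value is plain JSON the server does not sign or verify (nothing in the PR indicates otherwise), so the provider name and timestamp are browser-controlled and must be used for display only, never as an authorization signal. The PR description lists HttpOnly and SameSite=Lax but not Secure; if the handler does not set Secure, add it so the cookie is never sent over plain HTTP, and document that alongside the HttpOnly note.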
logic: HttpOnly cookies cannot be read via document.cookie in JavaScript, which contradicts the client-side function getLastLoginInfo() provided in the docs. Either remove HttpOnly flag from the cookie implementation, or document that client-side access won't work with HttpOnly enabled.
Path: LAST_LOGIN_USAGE.md
Line: 144:144
| signIn({ account }) { | ||
| // This callback runs on successful sign-in | ||
| // We'll set the cookie in the handler below | ||
| return true; | ||
| }, |
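Review bot: `account` is destructured but never used in this `signIn` callback. NextAuth passes the provider as `account.provider` here, so the handler would not need to parse it out of the callback URL as the sequence diagram describes; either capture it in this callback or drop the parameter along with the empty callback.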
style: Empty callback serves no purpose and should be removed.
Path: src/pages/api/auth/[...nextauth].ts
Line: 24:28
| events: { | ||
| async signIn(message) { | ||
| // Store provider and timestamp for cookie setting in handler | ||
| // The actual cookie is set in the custom handler below | ||
| }, | ||
| }, |
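Review bot: the comment "Store provider and timestamp for cookie setting in handler" describes work this event handler does not do; the body is empty. Either store the values here or remove the handler so the comment does not mislead the next reader into thinking the handler depends on it.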
style: Empty event handler serves no purpose and should be removed.
Path: src/pages/api/auth/[...nextauth].ts
Line: 60:65
| export function getLastLoginInfo(): LastLoginInfo | null { | ||
| if (typeof window === "undefined") { | ||
| console.warn("getLastLoginInfo can only be called on the client side"); | ||
| return null; | ||
| } | ||
|
|
||
| const cookies = document.cookie.split(";"); | ||
| const lastLoginCookie = cookies.find((cookie) => | ||
| cookie.trim().startsWith("last-login=") | ||
| ); | ||
|
|
||
| if (!lastLoginCookie) return null; | ||
|
|
||
| const cookieValue = lastLoginCookie.split("=")[1]; | ||
| return parseLastLoginCookie(cookieValue); | ||
| } |
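Review bot: `lastLoginCookie.split("=")[1]` keeps only the text before the second "=", and the result goes to `parseLastLoginCookie` without `decodeURIComponent`; if the handler writes the JSON percent-encoded (the usual way to fit `"`, `,` and `:` into a cookie-value), the parser receives the escaped form and `JSON.parse` fails. Use `indexOf("=")` plus `slice`, decode before parsing, and make sure `parseLastLoginCookie` catches a parse error. Separately, with HttpOnly set this function never sees the cookie at all, so the client-side path should be removed or backed by an API route.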
logic: getLastLoginInfo() won't work if cookie has HttpOnly flag (which it does in [...nextauth].ts:108). HttpOnly prevents client-side JavaScript from accessing cookies via document.cookie.
Path: src/utils/last-login.ts
Line: 41:56