Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | 1x 1x 1x 1x 1x 1x 1x 1x 2x 1x 2x | /**
* Amplify Server-Side Utilities
* Helpers for running Amplify operations in Next.js server context
*
* @see JCN-29 - Proper typing for Amplify server context
*/
import { createServerRunner } from "@aws-amplify/adapter-nextjs";
import { fetchAuthSession } from "aws-amplify/auth/server";
import { NextResponse } from "next/server";
import { cookies } from "next/headers";
import outputs from "../../amplify_outputs.json";
export const { runWithAmplifyServerContext } = createServerRunner({
config: outputs,
});
/**
* Authorization result from checking user session
*/
export interface AuthResult {
authorized: boolean;
userId?: string;
email?: string;
platformRole?: string;
tenantId?: string;
userType?: string;
role?: string;
error?: string;
}
/**
* Check if request is from an authenticated super admin
* Uses the cookies pattern for proper Amplify type safety
*
* @returns AuthResult with authorization status and user info
* @see JCN-29 - Replaced unsafe type assertion with proper typing
*/
export async function requireSuperAdmin(): Promise<AuthResult> {
try {
const cookieStore = await cookies();
return await runWithAmplifyServerContext({
nextServerContext: { cookies: async () => cookieStore },
operation: async (contextSpec) => {
const session = await fetchAuthSession(contextSpec);
if (!session.tokens?.idToken) {
return { authorized: false, error: "Not authenticated" };
}
const payload = session.tokens.idToken.payload;
const platformRole = payload["custom:platform_role"] as string | undefined;
if (platformRole !== "super_admin") {
return { authorized: false, error: "Requires super admin privileges" };
}
return {
authorized: true,
userId: payload.sub as string,
email: payload.email as string,
platformRole,
tenantId: payload["custom:tenant_id"] as string | undefined,
userType: payload["custom:user_type"] as string | undefined,
};
},
});
} catch (error) {
return { authorized: false, error: "Authentication failed" };
}
}
/**
* Helper to return 403 Forbidden response
*/
export function forbiddenResponse(message: string = "Forbidden"): NextResponse {
return NextResponse.json({ error: message }, { status: 403 });
}
/**
* Helper to return 401 Unauthorized response
*/
export function unauthorizedResponse(message: string = "Unauthorized"): NextResponse {
return NextResponse.json({ error: message }, { status: 401 });
}
|