refactor: clean up

Author: pan93412

app/(admin)/layout.tsx

@@ -1,22 +1,25 @@
 import { AppSidebar } from "@/components/app-sidebar";
 import { SidebarInset, SidebarProvider } from "@/components/ui/sidebar";
+import { UserProvider } from "@/providers/use-user";
 
 export default function AdminLayout({
   children,
 }: Readonly<{
   children: React.ReactNode;
 }>) {
   return (
-    <SidebarProvider
-      style={{
-        "--sidebar-width": "calc(var(--spacing) * 72)",
-        "--header-height": "calc(var(--spacing) * 12)",
-      } as React.CSSProperties}
-    >
-      <AppSidebar variant="inset" />
-      <SidebarInset>
-        {children}
-      </SidebarInset>
-    </SidebarProvider>
+    <UserProvider>
+      <SidebarProvider
+        style={{
+          "--sidebar-width": "calc(var(--spacing) * 72)",
+          "--header-height": "calc(var(--spacing) * 12)",
+        } as React.CSSProperties}
+      >
+        <AppSidebar variant="inset" />
+        <SidebarInset>
+          {children}
+        </SidebarInset>
+      </SidebarProvider>
+    </UserProvider>
   );
 }

app/api/auth/login/route.ts

@@ -4,9 +4,9 @@ import {
   generateCodeVerifier,
   generateState,
   OAUTH_CONFIG,
-  redirectIfAuthenticated,
   setOAuthState,
 } from "@/lib/auth";
+import { redirectIfAuthenticated } from "@/lib/auth.rsc";
 
 /**
  * OAuth 2.0 Authorization Code Flow with PKCE - Login Initiation

components/auth-guard/forbidden.tsx renamed to app/forbidden/page.tsx

@@ -1,11 +1,15 @@
+import { Logo } from "@/components/logo";
 import { Button } from "@/components/ui/button";
 import { Card, CardContent, CardDescription, CardFooter, CardHeader, CardTitle } from "@/components/ui/card";
-import type { BasicUserInfo } from "@/lib/user";
+import { redirectIfAuthenticated } from "@/lib/auth.rsc";
 import { AlertTriangle } from "lucide-react";
 import Link from "next/link";
-import { Logo } from "../logo";
 
-export default function Forbidden({ user }: { user: BasicUserInfo }) {
+export default async function ForbiddenPage({ searchParams }: { searchParams: Promise<{ name?: string; email?: string }> }) {
+  await redirectIfAuthenticated();
+
+  const { name, email } = await searchParams;
+
   return (
     <div
       className={`
@@ -38,14 +42,14 @@ export default function Forbidden({ user }: { user: BasicUserInfo }) {
         </CardHeader>
         <CardContent className="flex flex-col items-center gap-4">
           <Button asChild variant="outline">
-            <Link href="/">回到主程式</Link>
+            <Link href="/login">重新登入</Link>
           </Button>
         </CardContent>
         <CardFooter
           className={`justify-center text-center text-xs text-muted-foreground`}
         >
           <section className="flex flex-col items-center gap-1">
-            <p>您目前登入的帳號是：{user.name} ({user.email})</p>
+            <p>您目前登入的帳號是：{name} ({email})</p>
             <p>如果這不是您想登入的帳號，請切換 Google 帳號後重新登入</p>
           </section>
         </CardFooter>

app/layout.tsx

@@ -44,9 +44,7 @@ export default function RootLayout({
         `}
       >
         <ApolloWrapper>
-          <UserProvider>
-            {children}
-          </UserProvider>
+          {children}
         </ApolloWrapper>
         <Toaster />
       </body>

app/login/page.tsx

@@ -1,6 +1,6 @@
 import { LoginForm } from "@/components/login-form";
 import { Logo } from "@/components/logo";
-import { redirectIfAuthenticated } from "@/lib/auth";
+import { redirectIfAuthenticated } from "@/lib/auth.rsc";
 import Link from "next/link";
 
 interface LoginPageProps {

components/auth-guard/index.tsx

@@ -86,6 +86,8 @@ function getErrorMessage(error: string, description?: string): string {
       return "認證過程中發生錯誤，請重新登入。";
     case "logout_failed":
       return "登出時發生錯誤，但您的本地工作階段已清除。";
+    case "forbidden":
+      return "您沒有權限存取此應用程式。";
     default:
       return "登入時發生未知錯誤，請重試。";
   }

components/login-form.tsx

@@ -1,14 +1,9 @@
 import { HttpLink } from "@apollo/client";
 import { ApolloClient, InMemoryCache } from "@apollo/client-integration-nextjs";
+import buildUri from "./build-uri";
 
 /**
  * Creates an Apollo Client instance that uses the GraphQL proxy API.
- * 
- * This implementation follows the Backend for Frontend (BFF) pattern:
- * - All GraphQL requests go through /api/graphql proxy
- * - The proxy automatically handles authentication by adding Authorization headers
- * - Works consistently for both SSR and CSR without exposing tokens to the client
- * - Removes the need for client-side token management
  */
 export function makeClient() {
   const httpLink = new HttpLink({
@@ -22,3 +17,22 @@ export function makeClient() {
     link: httpLink,
   });
 }
+
+/**
+ * Create an Apollo Client instance that uses the upstream GraphQL API.
+ *
+ * You should add the token to the headers of the request.
+ */
+export function makeUpstreamClient({ token }: { token?: string | null }) {
+  const httpLink = new HttpLink({
+    uri: buildUri("/query"),
+    headers: {
+      Authorization: token ? `Bearer ${token}` : "",
+    },
+  });
+
+  return new ApolloClient({
+    cache: new InMemoryCache(),
+    link: httpLink,
+  });
+}

lib/apollo.ts

@@ -0,0 +1,9 @@
+import { redirect } from "next/navigation";
+import { getAuthStatus } from "./auth";
+
+export async function redirectIfAuthenticated(): Promise<void> {
+    const isAuthenticated = await getAuthStatus();
+    if (isAuthenticated.role === 'admin') {
+        redirect("/");
+    }
+}

lib/auth.rsc.ts

@@ -1,7 +1,9 @@
 import { cookies } from "next/headers";
-import { redirect } from "next/navigation";
 import { getIronSession } from "iron-session";
 import buildUri from "./build-uri";
+import { makeUpstreamClient } from "./apollo";
+import { BASIC_USER_INFO_QUERY, isAdmin, type BasicUserInfo } from "./user";
+import { CombinedGraphQLErrors } from "@apollo/client";
 
 // Constants for OAuth 2.0 PKCE flow
 export const OAUTH_CONFIG = {
@@ -20,7 +22,6 @@ export interface SessionData {
   access_token?: string;
   token_type?: string;
   expires_in?: number;
-  isLoggedIn: boolean;
 }
 
 if (!process.env.AUTH_SECRET) {
@@ -83,15 +84,14 @@ export async function setAuthToken(
   session.access_token = token;
   session.token_type = tokenType;
   session.expires_in = expiresIn;
-  session.isLoggedIn = true;
 
   await session.save();
 }
 
 export async function getAuthToken(): Promise<string | null> {
   const session = await getSession();
 
-  if (!session.isLoggedIn || !session.access_token) {
+  if (!session.access_token) {
     return null;
   }
 
@@ -221,19 +221,49 @@ export async function revokeToken(token: string): Promise<void> {
 }
 
 // Auth validation
-export async function validateAuth(): Promise<boolean> {
-  const token = await getAuthToken();
-  return token !== null;
+export interface AuthStatus {
+  loggedIn: boolean;
+  
+  role?: "admin" | "user";
+  user?: BasicUserInfo;
 }
 
-// Redirect helpers
-export async function requireAuth(): Promise<never> {
-  redirect("/login");
-}
+export async function getAuthStatus(): Promise<AuthStatus> {
+  const token = await getAuthToken();
+  if (!token) {
+    return {
+      loggedIn: false,
+    };
+  }
+
+  // get user info
+  const client = makeUpstreamClient({ token });
+
+  try {
+    const { data } = await client.query({
+      query: BASIC_USER_INFO_QUERY,
+    });
+    if (!data) {
+      return {
+        loggedIn: true,
+      };
+    }
+
+    return {
+      role: isAdmin(data?.me) ? "admin" : "user",
+      user: data.me,
+      loggedIn: true,
+    };
+  } catch (error) {
+    if (CombinedGraphQLErrors.is(error) && error.message === 'require authentication') {
+      return {
+        loggedIn: false,
+      };
+    }
 
-export async function redirectIfAuthenticated(): Promise<void> {
-  const isAuthenticated = await validateAuth();
-  if (isAuthenticated) {
-    redirect("/");
+    console.log("Error validating auth:", error);
+    return {
+      loggedIn: false,
+    };
   }
 }