feat(auth): add NextAuth.js with credentials provider

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/web/lib/auth.ts

@@ -0,0 +1,121 @@
+import { NextAuthOptions } from 'next-auth';
+import CredentialsProvider from 'next-auth/providers/credentials';
+import { compare } from 'bcryptjs';
+import { db } from '@/lib/db';
+
+export const authOptions: NextAuthOptions = {
+  session: {
+    strategy: 'jwt',
+    maxAge: 30 * 24 * 60 * 60, // 30 days
+  },
+  pages: {
+    signIn: '/login',
+    error: '/login',
+  },
+  providers: [
+    CredentialsProvider({
+      name: 'credentials',
+      credentials: {
+        email: { label: 'Email', type: 'email' },
+        password: { label: 'Password', type: 'password' },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password) {
+          throw new Error('Email and password are required');
+        }
+
+        const user = await db.user.findFirst({
+          where: {
+            email: credentials.email,
+            isActive: true,
+          },
+          include: {
+            organization: {
+              select: {
+                id: true,
+                name: true,
+              },
+            },
+            sites: {
+              where: {
+                isActive: true,
+              },
+              select: {
+                id: true,
+                name: true,
+              },
+              take: 1,
+            },
+          },
+        });
+
+        if (!user) {
+          throw new Error('Invalid email or password');
+        }
+
+        const isPasswordValid = await compare(credentials.password, user.password);
+
+        if (!isPasswordValid) {
+          throw new Error('Invalid email or password');
+        }
+
+        // Update last login
+        await db.user.update({
+          where: { id: user.id },
+          data: { lastLogin: new Date() },
+        });
+
+        // Get the first site if available
+        const primarySite = user.sites[0];
+
+        return {
+          id: user.id,
+          email: user.email,
+          name: `${user.firstName} ${user.lastName}`,
+          role: user.role,
+          organizationId: user.organizationId,
+          organizationName: user.organization.name,
+          siteId: primarySite?.id ?? null,
+          siteName: primarySite?.name ?? null,
+        };
+      },
+    }),
+  ],
+  callbacks: {
+    async jwt({ token, user, trigger, session }) {
+      if (user) {
+        token.id = user.id;
+        token.role = user.role;
+        token.organizationId = user.organizationId;
+        token.organizationName = user.organizationName;
+        token.siteId = user.siteId;
+        token.siteName = user.siteName;
+      }
+
+      // Handle session update (e.g., when user changes site)
+      if (trigger === 'update' && session) {
+        if (session.siteId !== undefined) {
+          token.siteId = session.siteId;
+        }
+        if (session.siteName !== undefined) {
+          token.siteName = session.siteName;
+        }
+      }
+
+      return token;
+    },
+    async session({ session, token }) {
+      if (token) {
+        session.user.id = token.id as string;
+        session.user.role = token.role as string;
+        session.user.organizationId = token.organizationId as string;
+        session.user.organizationName = token.organizationName as string;
+        session.user.siteId = token.siteId as string | null;
+        session.user.siteName = token.siteName as string | null;
+      }
+      return session;
+    },
+  },
+};
+
+export default authOptions;