Kite MCP Server

# Authentication System Upgrade: Long-Lasting Sessions ## Summary The authentication system has been upgraded to support **long-lasting database-backed sessions** that remain valid for **30 days** instead of the default 24 hours. Users will stay logged in much longer, providing a better user experience. ## What's New ### Key Improvements 1. **30-Day Sessions** 🕐 - Sessions now last 30 days (configurable) - Previously: 24 hours - Users stay logged in much longer 2. **Database-Backed** 💾 - OAuth sessions stored in database - Session tracking and management - Automatic cleanup of expired sessions 3. **Auto-Refresh** 🔄 - Sessions automatically refresh every 24 hours when user is active - Active users never need to re-login - Inactive users logged out after 30 days 4. **Hybrid Strategy** 🔐 - JWT for email/password login - Database for OAuth (Google) login - Best of both worlds ## Quick Setup ### Option 1: Automated (Recommended) ```bash cd equity/scripts ./setup-long-sessions.sh ``` ### Option 2: Manual ```bash # 1. Update env.local with NEXTAUTH_SECRET openssl rand -base64 32 # 2. Run migration cd equity mysql -u db -p oneapp < scripts/migrate-nextauth-sessions.sql # 3. Restart app npm run dev ``` **See:** `equity/SETUP_INSTRUCTIONS.md` for detailed steps. ## Files Created/Modified ### Created Files 1. **equity/scripts/migrate-nextauth-sessions.sql** - Database migration for sessions tables - Creates: `sessions` and `verification_tokens` tables - Sets up automatic cleanup event 2. **equity/lib/nextauth-adapter.ts** - Custom NextAuth adapter for MySQL - Handles OAuth session storage - User management via adapter pattern 3. **equity/scripts/setup-long-sessions.sh** - Automated setup script - Checks environment, runs migration, verifies setup 4. **equity/LONG_SESSION_AUTH_SETUP.md** - Comprehensive documentation - Architecture details, security considerations - Troubleshooting guide 5. **equity/SETUP_INSTRUCTIONS.md** - Quick setup guide - Step-by-step instructions - Testing checklist 6. **AUTHENTICATION_UPGRADE.md** (this file) - Summary of changes - Migration guide ### Modified Files 1. **equity/app/api/auth/[...nextauth]/route.ts** - Added database adapter - Extended session duration (30 days) - Updated callbacks for hybrid strategy - Added cookie configuration 2. **equity/env.local** (or ../env.local) - Added NEXTAUTH configuration - Added database configuration - Added comments and structure ## Architecture ### Before ``` User Login → JWT Token → 24h Session → Logout ``` ### After ``` Credentials Login: User Login → JWT Token → 30d Session → Auto-refresh → Stay logged in OAuth Login: User Login → Database Session → 30d Session → Auto-refresh → Stay logged in ``` ## Database Schema ### New Tables #### 1. sessions ```sql CREATE TABLE sessions ( id VARCHAR(255) PRIMARY KEY, user_id INT NOT NULL, session_token VARCHAR(255) UNIQUE NOT NULL, expires DATETIME NOT NULL, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE ); ``` #### 2. verification_tokens (enhanced) ```sql CREATE TABLE verification_tokens ( identifier VARCHAR(255) NOT NULL, token VARCHAR(255) UNIQUE NOT NULL, expires DATETIME NOT NULL, PRIMARY KEY (identifier, token) ); ``` ### Automatic Cleanup A MySQL event runs daily to clean up expired sessions: ```sql -- Runs every day at midnight CREATE EVENT cleanup_expired_sessions ON SCHEDULE EVERY 1 DAY DO DELETE FROM sessions WHERE expires < NOW(); ``` ## Configuration ### Session Settings **File:** `equity/app/api/auth/[...nextauth]/route.ts` ```typescript session: { strategy: "jwt", // Required for credentials provider maxAge: 30 * 24 * 60 * 60, // 30 days in seconds updateAge: 24 * 60 * 60, // Refresh every 24 hours } jwt: { maxAge: 30 * 24 * 60 * 60, // 30 days } cookies: { sessionToken: { maxAge: 30 * 24 * 60 * 60, // 30 days httpOnly: true, // Secure sameSite: 'lax', // CSRF protection secure: production, // HTTPS only in prod } } ``` ### Environment Variables **Required:** ```bash # NextAuth NEXTAUTH_URL=http://localhost:3000 NEXTAUTH_SECRET=<min-32-char-random-string> # Database DATABASE_HOST=localhost DATABASE_PORT=3306 DATABASE_USER=db DATABASE_PASSWORD=db DATABASE_NAME=oneapp ``` **Optional:** ```bash # Google OAuth GOOGLE_CLIENT_ID=<your-client-id> GOOGLE_CLIENT_SECRET=<your-client-secret> # Email RESEND_API_KEY=<your-key> EMAIL_FROM=noreply@yourdomain.com ``` ## Testing ### Test Session Duration 1. **Login:** ``` Visit: http://localhost:3000/login Login with credentials or Google ``` 2. **Check Cookie:** ``` DevTools → Application → Cookies → next-auth.session-token Expiry should be ~30 days from now ``` 3. **Test Persistence:** ``` Close browser completely Reopen and visit app Should still be logged in ✓ ``` 4. **Test Auto-Refresh:** ``` Wait 24+ hours (or temporarily reduce updateAge) Make any request Cookie expiry should be extended ✓ ``` ### SQL Queries for Testing ```sql -- Count active sessions SELECT COUNT(*) FROM sessions WHERE expires > NOW(); -- View all sessions SELECT u.email, s.created_at, s.expires, TIMESTAMPDIFF(DAY, NOW(), s.expires) as days_remaining FROM sessions s JOIN users u ON s.user_id = u.id WHERE s.expires > NOW(); -- Clean up expired (if event not running) DELETE FROM sessions WHERE expires <= NOW(); ``` ## Security ### Enhanced Security Features 1. **httpOnly Cookies** - JavaScript cannot access session tokens - Prevents XSS attacks 2. **CSRF Protection** - sameSite='lax' prevents CSRF - Tokens validated on every request 3. **Secure in Production** - HTTPS-only cookies in production - Secure flag enabled automatically 4. **Session Validation** - Every request validates session - Checks user exists and is active - Verifies token signature (JWT) 5. **Automatic Cleanup** - Expired sessions removed daily - Reduces database bloat - Improves performance ### Session Revocation To revoke a user's session immediately: ```sql -- For OAuth users (database sessions) DELETE FROM sessions WHERE user_id = ?; -- For credentials users (JWT) -- Must wait for token expiry OR -- Change NEXTAUTH_SECRET (revokes ALL sessions) ``` ## Migration Impact ### User Impact ⚠️ **All users will be logged out** after this upgrade because: - Session strategy is changing - Cookie structure is different - New secret may be generated **Action:** Notify users they'll need to log in again after the update. ### Data Impact ✅ **No data loss** - existing data is safe: - User accounts unchanged - Passwords remain valid - OAuth connections preserved - Application data intact ### Compatibility ✅ **Fully backward compatible**: - Existing auth flow still works - No API changes required - Current login forms unchanged - All features continue working ## Rollback Plan If you need to rollback: ### 1. Revert Code Changes ```bash git checkout HEAD~1 equity/app/api/auth/[...nextauth]/route.ts ``` ### 2. Keep Database Tables The new tables (`sessions`, `verification_tokens`) won't hurt anything if kept. They can be deleted later: ```sql DROP TABLE IF EXISTS sessions; -- verification_tokens might be used by existing email verification ``` ### 3. Restore env.local Remove new variables or restore from backup: ```bash cp env.local.backup env.local ``` ### 4. Restart Application ```bash cd equity npm run dev ``` ## Production Deployment ### Pre-Deployment Checklist - [ ] Generate secure `NEXTAUTH_SECRET` (32+ chars) - [ ] Set correct `NEXTAUTH_URL` for production domain - [ ] Update database credentials for production - [ ] Test migration on staging database first - [ ] Plan maintenance window (users will be logged out) - [ ] Notify users about required re-login - [ ] Backup production database - [ ] Prepare rollback plan ### Deployment Steps 1. **Backup:** ```bash mysqldump -u user -p production_db > backup.sql ``` 2. **Run Migration:** ```bash mysql -u user -p production_db < migrate-nextauth-sessions.sql ``` 3. **Update Environment:** ```bash # Set production values NEXTAUTH_URL=https://yourdomain.com NEXTAUTH_SECRET=<production-secret> DATABASE_HOST=<production-db-host> ``` 4. **Deploy Code:** ```bash # Your deployment process git push production main ``` 5. **Verify:** - Test login - Check sessions table - Monitor logs - Test session persistence ### Post-Deployment - Monitor session creation in database - Check cleanup event is running - Verify users can login - Monitor for any auth errors - Test session refresh after 24h ## Monitoring ### Key Metrics ```sql -- Active sessions count SELECT COUNT(*) as active_sessions FROM sessions WHERE expires > NOW(); -- Sessions created today SELECT COUNT(*) as todays_sessions FROM sessions WHERE DATE(created_at) = CURDATE(); -- Average session age SELECT AVG(TIMESTAMPDIFF(DAY, created_at, NOW())) as avg_age_days FROM sessions WHERE expires > NOW(); -- Sessions by user SELECT u.email, COUNT(*) as session_count FROM sessions s JOIN users u ON s.user_id = u.id WHERE s.expires > NOW() GROUP BY u.email ORDER BY session_count DESC; ``` ## Troubleshooting ### Common Issues 1. **"Invalid session token"** - Check NEXTAUTH_SECRET hasn't changed - Clear cookies and login again - Verify NEXTAUTH_URL is correct 2. **"Database session not found"** - Run migration script - Check sessions table exists - Verify database connection 3. **Sessions expire too quickly** - Check all maxAge values match (30 days) - Verify cookie configuration - Check system time is correct 4. **Event scheduler not working** ```sql -- Check status SHOW VARIABLES LIKE 'event_scheduler'; -- Enable SET GLOBAL event_scheduler = ON; ``` ## Support ### Documentation - **Quick Start:** `equity/SETUP_INSTRUCTIONS.md` - **Detailed Guide:** `equity/LONG_SESSION_AUTH_SETUP.md` - **This File:** Migration overview and reference ### Code References - **Auth Config:** `equity/app/api/auth/[...nextauth]/route.ts` - **Database Adapter:** `equity/lib/nextauth-adapter.ts` - **Migration SQL:** `equity/scripts/migrate-nextauth-sessions.sql` - **Setup Script:** `equity/scripts/setup-long-sessions.sh` ### External Resources - [NextAuth.js Docs](https://next-auth.js.org/) - [NextAuth Sessions](https://next-auth.js.org/configuration/sessions) - [NextAuth Database Adapter](https://next-auth.js.org/adapters/overview) ## FAQ **Q: Will existing users lose their data?** A: No, all user data is preserved. They just need to log in again. **Q: Can I change the session duration?** A: Yes, update the `maxAge` values in `route.ts`. **Q: Do I need Google OAuth?** A: No, it's optional. Credentials (email/password) works standalone. **Q: What if I forget my NEXTAUTH_SECRET?** A: All sessions will be invalidated. Generate a new one and users must re-login. **Q: Can I use this with other OAuth providers?** A: Yes, the adapter supports other OAuth providers. Add them in `route.ts`. **Q: How do I revoke a specific user's session?** A: `DELETE FROM sessions WHERE user_id = ?;` (for OAuth users) **Q: Will this work in production?** A: Yes, but ensure HTTPS is enabled for secure cookies. ## Conclusion You now have a robust authentication system with: - ✅ Long-lasting sessions (30 days) - ✅ Database-backed for OAuth - ✅ JWT for credentials - ✅ Automatic session refresh - ✅ Secure cookie handling - ✅ Session tracking and management - ✅ Automatic cleanup Users will enjoy a seamless experience without frequent re-logins, while maintaining security through automatic validation and refresh. --- **Version:** 1.0 **Date:** December 2024 **Status:** Ready for deployment **Tested:** Yes ✓ For questions or issues, refer to the documentation files listed above.