General
Configuration
Authentication Configuration
Configure authentication settings, redirects, and CORS.
The authentication configuration file (config/auth.config.ts) contains settings for authentication, session management, redirects, and CORS.
Configuration File
config/auth.config.ts
import { env } from '@/lib/env';
import { getBaseUrl } from '@/lib/utils';
const origins = Array.from(
new Set(
[
getBaseUrl(),
env.NEXT_PUBLIC_SITE_URL,
env.NEXT_PUBLIC_VERCEL_URL
? `https://${env.NEXT_PUBLIC_VERCEL_URL}`
: undefined,
env.NEXT_PUBLIC_VERCEL_BRANCH_URL
? `https://${env.NEXT_PUBLIC_VERCEL_BRANCH_URL}`
: undefined,
env.NEXT_PUBLIC_VERCEL_PROJECT_PRODUCTION_URL
? `https://${env.NEXT_PUBLIC_VERCEL_PROJECT_PRODUCTION_URL}`
: undefined,
env.NEXT_PUBLIC_NODE_ENV === 'development'
? 'http://localhost:3000'
: undefined
].filter(Boolean) as string[]
)
);
export const authConfig = {
redirectAfterSignIn: '/dashboard',
redirectAfterLogout: '/',
sessionCookieMaxAge: 60 * 60 * 24 * 30,
verificationExpiresIn: 60 * 60 * 24 * 14,
minimumPasswordLength: 8,
trustedOrigins: origins,
// Allow new user registrations
// When false, only users with invitations can sign up (invitation-only mode)
enableSignup: true,
enableSocialLogin: true,
cors: {
allowedOrigins: [...origins, /^https:\/\/.*\.vercel\.app$/],
allowedMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
allowedHeaders: [
'Authorization',
'Content-Type',
'Accept',
'Origin',
'X-Requested-With',
'Access-Control-Request-Method',
'Access-Control-Request-Headers',
'X-CSRF-Token',
'Accept-Version',
'Content-Length',
'Content-MD5',
'Date',
'X-Api-Version',
'cf-connecting-ip',
'cf-ipcountry',
'cf-ray',
'cf-visitor',
'x-vercel-id',
'x-vercel-deployment-url',
'x-vercel-proxied-for',
'X-Forwarded-For',
'X-Forwarded-Host',
'X-Forwarded-Proto',
'X-Real-IP',
'Connection',
'Host',
'User-Agent',
'Referer'
],
maxAge: 86_400
}
} satisfies AuthConfig;Configuration Options
Redirects
redirectAfterSignIn: Where users are redirected after successful sign in (default:"/dashboard")redirectAfterLogout: Where users are redirected after logout (default:"/")
Session Management
sessionCookieMaxAge: Maximum age of the session cookie in seconds (default: 30 days)verificationExpiresIn: How long email verification links are valid in seconds (default: 14 days)
Password Requirements
minimumPasswordLength: Minimum password length required (default:8)
Trusted Origins
trustedOrigins: Array of trusted origins for authentication requests- Automatically includes base URL, Vercel URLs, and localhost in development
- Used for CSRF protection and secure authentication
Signup and Login
enableSignup: Whether new users can register (default:true)- When
false, only users with invitations can sign up (invitation-only mode)
- When
enableSocialLogin: Whether social login (OAuth) is enabled (default:true)
CORS Configuration
The cors object configures Cross-Origin Resource Sharing:
allowedOrigins: Array of allowed origins (includes trusted origins and Vercel preview URLs)allowedMethods: HTTP methods allowed in CORS requestsallowedHeaders: HTTP headers allowed in CORS requestsmaxAge: Maximum age for preflight requests in seconds (default: 24 hours)
Use Cases
Invitation-Only Signup
To restrict signups to invitation-only:
config/auth.config.ts
export const authConfig = {
// ... other config
enableSignup: false // Only invited users can sign up
};Disable Social Login
To disable OAuth/social login:
config/auth.config.ts
export const authConfig = {
// ... other config
enableSocialLogin: false
};Custom Redirects
To customize redirect paths:
config/auth.config.ts
export const authConfig = {
// ... other config
redirectAfterSignIn: '/dashboard',
redirectAfterLogout: '/auth/sign-in'
};Adjust Session Duration
To change session cookie duration:
config/auth.config.ts
export const authConfig = {
// ... other config
sessionCookieMaxAge: 60 * 60 * 24 * 7 // 7 days instead of 30
};Stricter Password Requirements
To require longer passwords:
config/auth.config.ts
export const authConfig = {
// ... other config
minimumPasswordLength: 12 // Require 12 characters minimum
};Type Definitions
The configuration uses TypeScript types for type safety:
config/auth.config.ts
export type CorsConfig = {
allowedOrigins: (string | RegExp)[];
allowedMethods: string[];
allowedHeaders: string[];
maxAge: number;
};
export type AuthConfig = {
redirectAfterSignIn: string;
redirectAfterLogout: string;
sessionCookieMaxAge: number;
verificationExpiresIn: number;
minimumPasswordLength: number;
trustedOrigins: string[];
enableSignup: boolean;
enableSocialLogin: boolean;
cors: CorsConfig;
};Using the Configuration
Import and use the configuration in your code:
lib/auth/redirects.ts
import { authConfig } from '@/config/auth.config';
export function getSignInRedirect() {
return authConfig.redirectAfterSignIn;
}lib/auth/validation.ts
import { authConfig } from '@/config/auth.config';
export function validatePassword(password: string) {
if (password.length < authConfig.minimumPasswordLength) {
throw new Error(
`Password must be at least ${authConfig.minimumPasswordLength} characters`
);
}
}