Update auth

Author: sanex3339

docker-compose.yml

@@ -11,7 +11,6 @@ services:
       MB_JWT_SHARED_SECRET: "${METABASE_JWT_SHARED_SECRET}"
       MB_SETUP_TOKEN: "${PREMIUM_EMBEDDING_TOKEN}"
       MB_PREMIUM_EMBEDDING_TOKEN: "${PREMIUM_EMBEDDING_TOKEN}"
-      MB_JWT_IDENTITY_PROVIDER_URI: "http://localhost:${CLIENT_PORT_APP_ROUTER}/api/metabase/auth"
     healthcheck:
       test: curl --fail -X GET -I "http://localhost:${MB_PORT}/api/health" || exit 1
       interval: 15s

next-sample-app-router/src/app/api/metabase/auth/route.ts

@@ -1,4 +1,5 @@
 import jwt from "jsonwebtoken";
+import { NextResponse } from 'next/server';
 
 if (!process.env.METABASE_JWT_SHARED_SECRET) {
   throw new Error("Missing METABASE_JWT_SHARED_SECRET");
@@ -10,7 +11,7 @@ if (!process.env.NEXT_PUBLIC_METABASE_INSTANCE_URL) {
 const METABASE_JWT_SHARED_SECRET = process.env.METABASE_JWT_SHARED_SECRET;
 const METABASE_INSTANCE_URL = process.env.METABASE_INSTANCE_URL;
 
-export async function GET(req) {
+export async function GET(request: Request) {
   // this should come from the session
   const user = {
     email: "[email protected]",
@@ -30,8 +31,11 @@ export async function GET(req) {
     METABASE_JWT_SHARED_SECRET
   );
 
-  if (req.query.response === "json") {
-    return new Response({ jwt: token });
+  const url = new URL(request.url)
+  const wantsJson = url.searchParams.get('response') === 'json'
+
+  if (wantsJson) {
+    return NextResponse.json({ jwt: token })
   }
 
   const ssoUrl = `${METABASE_INSTANCE_URL}/auth/sso?jwt=${token}`;

next-sample-app-router/src/app/app-provider.tsx

@@ -13,6 +13,14 @@ if (!process.env.NEXT_PUBLIC_METABASE_INSTANCE_URL) {
 
 const authConfig = defineMetabaseAuthConfig({
   metabaseInstanceUrl: process.env.NEXT_PUBLIC_METABASE_INSTANCE_URL,
+  fetchRequestToken: async () => {
+    const response = await fetch('/api/metabase/auth?response=json', {
+      method: "GET",
+      credentials: "include",
+    });
+
+    return await response.json();
+  },
 });
 
 const theme = defineMetabaseTheme({

next-sample-pages-router/src/components/app-provider.tsx

@@ -11,6 +11,14 @@ if (!process.env.NEXT_PUBLIC_METABASE_INSTANCE_URL) {
 
 const authConfig = defineMetabaseAuthConfig({
   metabaseInstanceUrl: process.env.NEXT_PUBLIC_METABASE_INSTANCE_URL,
+  fetchRequestToken: async () => {
+    const response = await fetch('/api/metabase/auth?response=json', {
+      method: "GET",
+      credentials: "include",
+    });
+
+    return await response.json();
+  },
 });
 
 const theme = defineMetabaseTheme({

next-sample-pages-router/src/pages/api/metabase/auth.ts

@@ -1,63 +1,58 @@
+// pages/api/auth/sso.ts
+
 import type { NextApiRequest, NextApiResponse } from "next";
 import jwt from "jsonwebtoken";
 
 if (!process.env.METABASE_JWT_SHARED_SECRET) {
   throw new Error("Missing METABASE_JWT_SHARED_SECRET");
 }
-if (!process.env.NEXT_PUBLIC_METABASE_INSTANCE_URL) {
-  throw new Error("Missing NEXT_PUBLIC_METABASE_INSTANCE_URL");
+if (!process.env.METABASE_INSTANCE_URL) {
+  throw new Error("Missing METABASE_INSTANCE_URL");
 }
 
 const METABASE_JWT_SHARED_SECRET = process.env.METABASE_JWT_SHARED_SECRET;
 const METABASE_INSTANCE_URL = process.env.METABASE_INSTANCE_URL;
 
-type MetabaseSession = {
-  id: string;
-};
+type JsonResponse = { jwt: string };
 
 export default async function handler(
   req: NextApiRequest,
-  res: NextApiResponse<MetabaseSession>
+  res: NextApiResponse<JsonResponse | string>
 ) {
-  // this should come from the session
+  // In a real app you'd pull this from your session/cookie
   const user = {
     email: "[email protected]",
     firstName: "John",
     lastName: "Doe",
     group: "admin",
   };
 
+  // Sign a Metabase SSO JWT (10min expiration)
   const token = jwt.sign(
     {
       email: user.email,
       first_name: user.firstName,
       last_name: user.lastName,
       groups: [user.group],
-      exp: Math.round(Date.now() / 1000) + 60 * 10, // 10 minutes expiration
+      exp: Math.floor(Date.now() / 1000) + 60 * 10,
     },
-    // This is the JWT signing secret in your Metabase JWT authentication setting
     METABASE_JWT_SHARED_SECRET
   );
 
+  // If ?response=json, return { jwt }
   if (req.query.response === "json") {
-    res.write({ jwt: token });
-    return res.end();
+    return res.status(200).json({ jwt: token });
   }
-
+  // Otherwise proxy the SSO request to Metabase
   const ssoUrl = `${METABASE_INSTANCE_URL}/auth/sso?jwt=${token}`;
+
   try {
-    const response = await fetch(ssoUrl, { method: "GET" });
-    const session = await response.text();
-
-    res.write(session);
-    return res.end();
-  } catch (error) {
-    console.log("error", error);
-    if (error instanceof Error) {
-      res.write(error.message);
-      return res.end();
-    }
-    res.write("unknown error");
-    return res.end();
+    const mbRes = await fetch(ssoUrl);
+    const html = await mbRes.text();
+    return res.status(mbRes.status).send(html);
+  } catch (err) {
+    console.error("Metabase SSO error:", err);
+    const msg = err instanceof Error ? err.message : "Unknown error";
+    return res.status(500).send(msg);
   }
 }