BE_10 - NextAuth.js and Shibboleth Authentication Integration #16

@notjackl3

Summary

Set up NextAuth.js v5 with Shibboleth SAML provider for UofT single sign-on authentication.
[Estimated hours: 5-6]

Objectives

  • Install and configure NextAuth.js v5
  • Integrate Shibboleth SAML provider
  • Configure Prisma adapter for session storage
  • Implement JWT token generation
  • Create protected route middleware
  • Add user role assignment logic

Description

Authentication is critical for AskEasy. We're using UofT's Shibboleth SSO (SAML-based) so users don't need separate passwords. NextAuth.js handles the complex SAML flow and provides JWT tokens for API/WebSocket auth.

Authentication Flow

User → Click "Sign in with UofT"
     → Redirect to Shibboleth
     → User logs in with UTORid
     → Redirect back with SAML assertion
     → NextAuth validates and creates session
     → JWT token issued
     → User can access app

Technical Details

File Structure

src/
├── app/api/auth/[...nextauth]/
│   └── route.ts
├── lib/
│   └── auth.ts         # Auth config
├── middleware.ts        # Route protection
└── types/
    └── next-auth.d.ts  # Type extensions

Acceptance Criteria

  • User can click "Sign in with UofT" button
  • Redirects to Shibboleth login page
  • After login, redirects back to app
  • User record created in database with UTORid
  • JWT contains user ID, role, and UTORid
  • Protected API routes reject unauthenticated requests (401)
  • User can sign out and session is cleared
  • Tokens expire after 24 hours
  • Can refresh token to extend session
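The token contents, 24-hour expiry, refresh rule and 401-versus-redirect decision listed in the flow and acceptance criteria above, as an added TypeScript example that is not code from the AskEasy repository. It uses Node's crypto module instead of NextAuth.js so it runs stand-alone; in the project these decisions belong in the `jwt`/`session` callbacks of `src/lib/auth.ts` and in `src/middleware.ts`. The function names (`buildClaims`, `signJwt`, `verifyJwt`, `refreshJwt`, `protectRoute`), the `student`/`ta`/`admin` role set and the `PUBLIC_PATHS` list are assumptions, not values from the issue.

```typescript
// Added example, not code from the AskEasy repository. Models the JWT claims,
// 24-hour expiry, refresh and route-protection rules from the issue with plain
// Node crypto so it runs without NextAuth.js. Role values and path list are assumed.
import { createHmac, timingSafeEqual } from "node:crypto";

export type Role = "student" | "ta" | "admin"; // assumed role set
export interface UserRecord { id: string; utorid: string; role: Role; }
export interface Claims { sub: string; utorid: string; role: Role; iat: number; exp: number; }

// "Tokens expire after 24 hours" (acceptance criteria)
export const SESSION_MAX_AGE_SECONDS = 24 * 60 * 60;

// Routes reachable without a session; /api/auth must stay open for the SAML callback.
export const PUBLIC_PATHS = ["/", "/signin", "/api/auth"]; // assumed list

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const hmac = (data: string, secret: string): Buffer =>
  createHmac("sha256", secret).update(data).digest();

// Claims the JWT must carry: user ID (sub), role and UTORid, plus issue/expiry times.
export function buildClaims(user: UserRecord, nowSeconds: number): Claims {
  return { sub: user.id, utorid: user.utorid, role: user.role,
           iat: nowSeconds, exp: nowSeconds + SESSION_MAX_AGE_SECONDS };
}

export function signJwt(claims: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = hmac(`${header}.${payload}`, secret).toString("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns the claims only if the signature is valid and the token is not expired.
export function verifyJwt(token: string, secret: string, nowSeconds: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  // The algorithm is fixed server-side; the header is never trusted to choose it.
  const expected = hmac(`${header}.${payload}`, secret);
  const actual = Buffer.from(sig, "base64url");
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return null;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null;
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
    if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
    if (typeof claims.sub !== "string" || typeof claims.utorid !== "string") return null;
    return claims;
  } catch {
    return null;
  }
}

// "Can refresh token to extend session": only a still-valid token can be extended;
// an expired one forces a new sign-in through Shibboleth.
export function refreshJwt(token: string, secret: string, nowSeconds: number): string | null {
  const claims = verifyJwt(token, secret, nowSeconds);
  if (!claims) return null;
  return signJwt({ ...claims, iat: nowSeconds, exp: nowSeconds + SESSION_MAX_AGE_SECONDS }, secret);
}

export type RouteDecision =
  | { kind: "allow"; claims?: Claims }
  | { kind: "unauthorized"; status: 401 }
  | { kind: "redirect"; to: string };

// Middleware decision: unauthenticated API routes answer 401, page routes redirect to sign-in.
export function protectRoute(pathname: string, token: string | null,
                             secret: string, nowSeconds: number): RouteDecision {
  const isPublic = PUBLIC_PATHS.some((p) => pathname === p || pathname.startsWith(`${p}/`));
  if (isPublic) return { kind: "allow" };
  const claims = token ? verifyJwt(token, secret, nowSeconds) : null;
  if (claims) return { kind: "allow", claims };
  return pathname.startsWith("/api/")
    ? { kind: "unauthorized", status: 401 }
    : { kind: "redirect", to: "/signin" };
}
```

The signature check runs before the payload is parsed and uses a constant-time comparison, and the server never lets the token header pick the algorithm; a refresh is only granted while the old token is still valid, so a client holding an expired token has to go back through Shibboleth rather than minting itself a new session.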
