Handling First-Time Sign-In with Approval Logic and Redirects in NextAuth Using Prisma Adapter

[BenBktech]

Hello,

I’m using NextAuth with the PrismaAdapter and Google/Email providers to manage authentication in my Next.js app. My goal is to implement the following logic for user sign-in:

First-time sign-in:

• If the user signs in for the first time, their account should be created in the database with an isApproved field set to false.
• They should then be redirected to an error page (/auth/error) informing them their account is pending approval.

Subsequent sign-ins (when isApproved = false):

• If the user tries to sign in again while their account is still unapproved (isApproved = false), they should again be redirected to the error page (/auth/error).

Subsequent sign-ins (when isApproved = true):

• If the user is approved (isApproved = true), they should be successfully logged in and redirected to the /dashboard page as expected.

I’ve attempted to implement this in the signIn callback, but I’m encountering issues where:

• On first-time sign-in, since the user isn’t already in the database, the logic checks isApproved and fails.
• I’m unsure of the best way to conditionally create the user on first-time sign-in while maintaining this approval flow. Because when I update my code to put the user in the database first, it redirects the user to my /dashboard even if the isApproved is false.

Here’s my current [...nextauth].ts file:

import NextAuth, { NextAuthOptions } from "next-auth";
import { PrismaAdapter } from "@auth/prisma-adapter";
import prisma from "../../../src/lib/prisma"
//import GitHubProvider from "next-auth/providers/github";
import GoogleProvider from "next-auth/providers/google";
import EmailProvider from "next-auth/providers/email";
import sgMail from "@sendgrid/mail";


const githubId = process.env.GITHUB_CLIENT_ID;
const githubSecret = process.env.GITHUB_CLIENT_SECRET;
const googleId = process.env.GOOGLE_CLIENT_ID;
const googleSecret = process.env.GOOGLE_CLIENT_SECRET;

if (!githubId || !githubSecret || !googleId || !googleSecret) {
  throw new Error("Missing Environment Variables");
}

sgMail.setApiKey(process.env.SENDGRID_API_KEY!);

export const authConfig = {
  providers: [
    // GitHubProvider({
    //     clientId: githubId,
    //     clientSecret: githubSecret
    // }),
    GoogleProvider({
      clientId: googleId,
      clientSecret: googleSecret,
      authorization: {
        params: {
          prompt: "consent",
          access_type: "offline",
          response_type: "code"
        }
      }
    }),
    EmailProvider({
      from: process.env.EMAIL_FROM,
      sendVerificationRequest: async ({ identifier, url, provider }) => {
        const msg = {
          to: identifier,
          from: provider.from,
          subject: 'Sign in to Your App',
          text: `Click here to sign in: ${url}`,
          html: `<p>Click <a href="${url}">here</a> to sign in.</p>`
        };
        try {
          await sgMail.send(msg);
        } catch (error) {
          console.error('Error sending email', error);
          throw new Error('Error sending email');
        }
      },
    })
  ],
  callbacks: {
    session: async ({ session, user }) => {
      if(session.user) {  
        session.user.id = user.id;
      }
      return session;
    },
    signIn: async ({ user }) => {
      try {
        const dbUser = await prisma.user.findUnique({
          where: { email: user.email! }
        });

        if (!dbUser?.isApproved) {
          return '/auth/error?code=account_pending_approval';
        }

        return true;
      } catch {
        return '/auth/error?code=unknown_error';
      }
    },
  },
  adapter: PrismaAdapter(prisma),
  pages: {
    signIn: '/auth/signin',
    error: '/auth/error',
  },
} satisfies NextAuthOptions;

export default NextAuth(authConfig);

Thank you for your help 💯