nodeops-auth

NodeOps Auth Setup

Add NodeOps PKCE OAuth to an existing Next.js (App Router) project.

Prerequisites

Before starting, verify the project is compatible:

• App Router required: Check if app/ directory exists. If only pages/ exists, stop and tell the user: "This skill only supports Next.js App Router. Your project uses Pages Router."
• Next.js required: Check package.json for next in dependencies. If missing, stop and tell the user this is a Next.js-only package.

Idempotency

Before each step, check if the work is already done. Skip steps that are already complete:

• If @nodeops-createos/integration-oauth is already in package.json dependencies, skip install.
• If app/api/auth/me/route.ts and app/api/auth/token/route.ts already exist, skip route creation.
• If AuthProvider from @nodeops-createos/integration-oauth is already imported in the layout, skip wrapping.
• If app/callback/page.tsx (or .jsx) already exists, skip callback page creation.
• If .env.example already exists and contains NODEOPS_, skip env file creation.

Steps

1. Detect project setup — read package.json and check for lock files:

   • Package manager: if pnpm-lock.yaml exists → pnpm, if yarn.lock exists → yarn, else → npm
   • TypeScript: if tsconfig.json exists use .ts/.tsx extensions, else .js/.jsx
   • Confirm app/ directory exists (App Router). If only pages/ exists, stop.
   • Confirm next is in dependencies. If not, stop.

2. Install the package — run the appropriate install command:

   • npm: npm install @nodeops-createos/integration-oauth
   • pnpm: pnpm add @nodeops-createos/integration-oauth
   • yarn: yarn add @nodeops-createos/integration-oauth
   • If install fails: check if the user has network access and the registry is reachable. Suggest running the command manually if it keeps failing.

3. Create the API routes — create two separate route files, creating directories as needed:

   app/api/auth/me/route.ts (or .js):

   export { GET } from '@nodeops-createos/integration-oauth/server/me';
   

   app/api/auth/token/route.ts (or .js):

   export { POST } from '@nodeops-createos/integration-oauth/server/token';
   

4. Wrap layout with AuthProvider — read the root layout file. It could be app/layout.tsx, app/layout.jsx, app/layout.js, or app/layout.ts. Find whichever exists.

   • Add the import at the top of the file:

     import { AuthProvider } from '@nodeops-createos/integration-oauth';
     

   • Find {children} inside the <body> tag. Wrap it with <AuthProvider>:

     <AuthProvider>{children}</AuthProvider>
     

   • Do NOT add "use client" to the layout. AuthProvider is already marked "use client" internally — it works fine when imported from a Server Component layout.
   • If the layout already has other providers (e.g., ThemeProvider, QueryClientProvider), nest <AuthProvider> alongside them. Do NOT remove or replace existing providers.
   • If {children} is not directly inside <body> (e.g., it's inside a wrapper div or fragment), wrap wherever {children} appears.
   • If no layout file exists, stop and tell the user to create a root layout first.

5. Create the callback page — ask the user: "Where should users be redirected after login? (default: /dashboard)". Use their answer as the redirectTo value. Then create app/callback/page.tsx (or .jsx):

   "use client";
   import { useCallbackHandler } from "@nodeops-createos/integration-oauth";
   
   export default function Callback() {
     const { loading, error } = useCallbackHandler({ redirectTo: "/dashboard" });
   
     if (loading) return (
       <div style={{ display: "flex", justifyContent: "center", alignItems: "center", height: "100vh" }}>
         <p>Signing in...</p>
       </div>
     );
     if (error) return <p>Login failed: {error}</p>;
     return null;
   }
   

6. Create .env.example — create this file at the project root:

   # ── Client-side (exposed to browser via NEXT_PUBLIC_ prefix) ──────────────────
   NEXT_PUBLIC_NODEOPS_AUTH_URL=https://id.nodeops.network/oauth2/auth
   NEXT_PUBLIC_NODEOPS_CLIENT_ID=your_client_id_here
   NEXT_PUBLIC_NODEOPS_REDIRECT_URI=http://localhost:3000/callback
   NEXT_PUBLIC_NODEOPS_SCOPES=offline_access offline openid
   
   # ── Server-side only (never sent to browser) ──────────────────────────────────
   NODEOPS_CLIENT_SECRET=your_client_secret_here
   NODEOPS_TOKEN_URL=https://id.nodeops.network/oauth2/token
   NODEOPS_USERINFO_URL=https://autogen-v2-api.nodeops.network/v1/users/me
   

7. Create .env.local — if .env.local does not already exist, copy .env.example to .env.local and remind the user to fill in NEXT_PUBLIC_NODEOPS_CLIENT_ID and NODEOPS_CLIENT_SECRET with their credentials from the NodeOps developer portal. If .env.local already exists, append the missing NODEOPS_ vars only — do NOT overwrite existing values.

8. Check .gitignore — read .gitignore (if it exists). If .env.local is NOT listed, add it to prevent leaking secrets. Also ensure .env is listed. If no .gitignore exists, create one with at least:

   .env
   .env.local
   

9. Docker/container deployment — check if a Dockerfile exists in the project root. If it does, verify it handles NodeOps env vars correctly and warn the user if not. If the user asks about Docker or deployment, create or update the Dockerfile.

   Critical: NEXT_PUBLIC_* vars are baked into the JS bundle at build time by Next.js. They must be set as ENV or ARG in the Dockerfile before RUN npm run build. Setting them only at runtime does nothing — the bundle will contain undefined.

   The two categories of vars:

   Variable	When needed	Why
   NEXT_PUBLIC_NODEOPS_AUTH_URL	Build time	Inlined into client JS bundle
   NEXT_PUBLIC_NODEOPS_CLIENT_ID	Build time	Inlined into client JS bundle
   NEXT_PUBLIC_NODEOPS_REDIRECT_URI	Build time	Inlined into client JS bundle
   NEXT_PUBLIC_NODEOPS_SCOPES	Build time	Inlined into client JS bundle
   NODEOPS_CLIENT_SECRET	Runtime only	Read by API route on each request
   NODEOPS_TOKEN_URL	Runtime only	Read by API route on each request
   NODEOPS_USERINFO_URL	Runtime only	Read by API route on each request

   CreateOS note: CreateOS uses the Dockerfile when one is present. Use a single-stage Dockerfile only — multi-stage builds with COPY --from=builder fail on this platform. Remove the Dockerfile entirely to fall back to CreateOS's default install/run commands. See the CreateOS section (step 10) for the runtime config workaround for NEXT_PUBLIC_* vars.

   Example Dockerfile (single-stage, compatible with CreateOS):

   FROM node:20-alpine
   WORKDIR /app
   COPY package*.json ./
   RUN npm ci
   
   COPY . .
   
   # NEXT_PUBLIC_* must be present at build time — they get baked into the JS bundle
   ARG NEXT_PUBLIC_NODEOPS_AUTH_URL=https://id.nodeops.network/oauth2/auth
   ARG NEXT_PUBLIC_NODEOPS_CLIENT_ID
   ARG NEXT_PUBLIC_NODEOPS_REDIRECT_URI
   ARG NEXT_PUBLIC_NODEOPS_SCOPES=offline_access offline openid
   
   ENV NEXT_PUBLIC_NODEOPS_AUTH_URL=$NEXT_PUBLIC_NODEOPS_AUTH_URL
   ENV NEXT_PUBLIC_NODEOPS_CLIENT_ID=$NEXT_PUBLIC_NODEOPS_CLIENT_ID
   ENV NEXT_PUBLIC_NODEOPS_REDIRECT_URI=$NEXT_PUBLIC_NODEOPS_REDIRECT_URI
   ENV NEXT_PUBLIC_NODEOPS_SCOPES=$NEXT_PUBLIC_NODEOPS_SCOPES
   
   # Server-side vars — only needed at runtime, read per-request by API routes
   ENV NODEOPS_CLIENT_SECRET=""
   ENV NODEOPS_TOKEN_URL=https://id.nodeops.network/oauth2/token
   ENV NODEOPS_USERINFO_URL=https://autogen-v2-api.nodeops.network/v1/users/me
   
   RUN npm run build
   
   EXPOSE 3000
   CMD ["npm", "start"]
   

   Also ensure .dockerignore excludes .env.local:

   .env
   .env.local
   node_modules
   .next
   

   If the project deploys to Vercel or similar: no Dockerfile is needed — those platforms inject env vars before building automatically. Just remind the user to add the vars in their platform's dashboard.

10. CreateOS / build-then-inject platforms — CreateOS uses the Dockerfile when one is present, but injects env vars after the build step. This means NEXT_PUBLIC_* vars are undefined at build time even with ARG/ENV in the Dockerfile. Use the runtime config workaround below, or remove the Dockerfile entirely to fall back to CreateOS's default install/run commands.

    What the package handles automatically (v1.x+)

    AuthProvider from @nodeops-createos/integration-oauth v1.x+ auto-fetches /api/config at runtime if NEXT_PUBLIC_* vars are missing from the bundle. No extra setup is needed — just make sure the API route exists (step 10a below).

    If using an older package version, add manually:

    10a. Create app/api/config/route.ts (or .js):

    import { NextResponse } from 'next/server';
    
    export const dynamic = 'force-dynamic';
    
    export async function GET() {
      return NextResponse.json({
        NEXT_PUBLIC_NODEOPS_AUTH_URL:     process.env.NEXT_PUBLIC_NODEOPS_AUTH_URL     || 'https://id.nodeops.network/oauth2/auth',
        NEXT_PUBLIC_NODEOPS_CLIENT_ID:    process.env.NEXT_PUBLIC_NODEOPS_CLIENT_ID    || '',
        NEXT_PUBLIC_NODEOPS_REDIRECT_URI: process.env.NEXT_PUBLIC_NODEOPS_REDIRECT_URI || '',
        NEXT_PUBLIC_NODEOPS_SCOPES:       process.env.NEXT_PUBLIC_NODEOPS_SCOPES       || 'offline_access offline openid',
      });
    }
    

    This route reads NEXT_PUBLIC_* vars from the server environment at runtime (where they ARE available) and exposes them to the client via a JSON endpoint.

    10b. Create components/EnvBootstrap.tsx (or .jsx):

    "use client";
    import { useEffect, useState } from "react";
    
    export default function EnvBootstrap({ children }: { children: React.ReactNode }) {
      const [ready, setReady] = useState(
        // If vars are already baked in (e.g. local dev), skip the fetch
        typeof window !== "undefined" && !!process.env.NEXT_PUBLIC_NODEOPS_CLIENT_ID
      );
    
      useEffect(() => {
        if (ready) return;
        fetch("/api/config")
          .then((r) => r.json())
          .then((env) => {
            // Patch process.env so AuthProvider picks them up
            Object.assign(process.env, env);
            setReady(true);
          })
          .catch((err) => {
            console.error("Failed to load runtime config:", err);
            setReady(true); // render anyway so error states show
          });
      }, [ready]);
    
      if (!ready) return null;
      return <>{children}</>;
    }
    

    10c. Update the root layout to wrap AuthProvider with EnvBootstrap:

    import { AuthProvider } from '@nodeops-createos/integration-oauth';
    import EnvBootstrap from '@/components/EnvBootstrap';
    
    // inside <body>:
    <EnvBootstrap>
      <AuthProvider>{children}</AuthProvider>
    </EnvBootstrap>
    

    This ensures env vars are fetched from the server and patched into process.env before AuthProvider initializes on the client.

11. Show a summary — print a clear summary:

    • Files created/modified (list each one)
    • Files skipped (if any were already present)
    • Remind user to fill in the 2 required env vars: NEXT_PUBLIC_NODEOPS_CLIENT_ID and NODEOPS_CLIENT_SECRET
    • If a Dockerfile exists, remind that NEXT_PUBLIC_* vars must be set before npm run build in the Dockerfile
    • Show how to use the hooks in any page:

      import { useAuth, useUser } from '@nodeops-createos/integration-oauth';
      
      const { isAuthenticated, login, logout, loading, authError } = useAuth();
      const { user } = useUser();