38aa5875d3
Server-side authorization-code flow: /v1/auth/google redirects to the consent screen with a CSRF state cookie; /v1/auth/google/callback exchanges the code, validates the ID token (iss/aud/exp/email_verified), and mints a 30-day session via upsertOAuthLogin. /v1/auth/providers lets the login UI hide the button until GOOGLE_OAUTH_ID/SECRET are set. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
36 lines
1.0 KiB
TypeScript
36 lines
1.0 KiB
TypeScript
const API_BASE = process.env.NEXT_PUBLIC_API_URL ?? 'http://localhost:4000';
|
|
|
|
export async function apiFetch<T = unknown>(path: string, init: RequestInit = {}): Promise<T> {
|
|
const res = await fetch(`${API_BASE}${path}`, {
|
|
credentials: 'include',
|
|
cache: 'no-store',
|
|
...init,
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
...(init.headers ?? {}),
|
|
},
|
|
});
|
|
if (!res.ok) {
|
|
let detail: unknown = undefined;
|
|
try {
|
|
detail = await res.json();
|
|
} catch {}
|
|
const err = new Error(`api_error_${res.status}`);
|
|
(err as unknown as { detail?: unknown }).detail = detail;
|
|
(err as unknown as { status?: number }).status = res.status;
|
|
throw err;
|
|
}
|
|
return (await res.json()) as T;
|
|
}
|
|
|
|
/** Absolute API URL for a path — use for full-page navigations (OAuth redirects). */
|
|
export function apiUrl(path: string): string {
|
|
return `${API_BASE}${path}`;
|
|
}
|
|
|
|
export function apiWebSocketURL(path: string): string {
|
|
const httpBase = API_BASE;
|
|
const wsBase = httpBase.replace(/^http/, 'ws');
|
|
return `${wsBase}${path}`;
|
|
}
|