feat(auth): Kratos-only dashboard (drop Auth.js), same-origin + preview-capable

.env.example

@@ -5,23 +5,20 @@
 ### Dashboard API admin token used for user bootstrap and creator email hydration
 DASHBOARD_API_ADMIN_TOKEN=your_dashboard_api_admin_token
 
-### Auth.js configuration
-### Generate with `npx auth secret` or `openssl rand -hex 32`.
-AUTH_SECRET=your_auth_secret
-
-### Ory Network configuration
+### Ory (Kratos + Hydra) configuration
 ORY_SDK_URL=https://your-project.projects.oryapis.com
 ORY_OAUTH2_CLIENT_ID=your_ory_oauth2_client_id
 ORY_OAUTH2_CLIENT_SECRET=your_ory_oauth2_client_secret
 ### Access-token audience requested from Ory. Must match the backend JWT audience configuration.
 ORY_OAUTH2_AUDIENCE=https://api.e2b.dev
-### Ory project admin API token used for IdentityApi lookups
+### Ory project admin API token used for IdentityApi lookups + silent-grant challenges
 ORY_PROJECT_API_TOKEN=your_ory_project_api_token
 
-### Custom Ory UI: "true" on Preview/Staging, unset on Production.
-# NEXT_PUBLIC_ORY_CUSTOM_UI=true
-### Kratos public URL for the custom UI (self-hosted :4433; falls back to ORY_SDK_URL).
+### Kratos public URL for the same-origin Elements UI (self-hosted :4433; falls back to ORY_SDK_URL).
 # NEXT_PUBLIC_ORY_SDK_URL=http://localhost:4433
+### Override for the silent-grant redirect_uri (notably local dev, where Hydra
+### registers http://localhost:<port>/...). Falls back to NEXT_PUBLIC_E2B_DOMAIN.
+# ORY_OAUTH2_REDIRECT_URI=http://localhost:3000/api/auth/oauth/callback/ory
 
 ### Domain for the E2B cluster
 # Resolves Infrastructure and Dashboard API + E2B SDK configuration 
@@ -41,8 +38,6 @@ NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
 ### Set both when running self-hosted; leave unset to use Ory Network with the PAT above.
 # ORY_KRATOS_ADMIN_URL=http://localhost:4434
 # ORY_HYDRA_ADMIN_URL=http://localhost:4445
-### Set to 1 outside Vercel-hosted production to allow Auth.js to trust the Host header
-# AUTH_TRUST_HOST=1
 
 # ENABLE_USER_BOOTSTRAP=0
 

package.json

@@ -110,7 +110,6 @@
     "motion": "^12.23.25",
     "nanoid": "^5.0.9",
     "next": "^16.2.7",
-    "next-auth": "^5.0.0-beta.31",
     "next-safe-action": "^8.0.11",
     "next-themes": "^0.4.6",
     "nuqs": "^2.7.0",

src/app/(auth)/forgot-password/page.tsx

@@ -1,11 +1,13 @@
 import { redirect } from 'next/navigation'
-import { buildOryStartURL } from '@/core/server/auth/ory/build-start-url'
 
 type PageProps = {
   searchParams: Promise<{ returnTo?: string }>
 }
 
+// Legacy entry path: forward to the same-origin Kratos recovery flow page,
+// preserving the post-login destination as Ory's `return_to`.
 export default async function Page({ searchParams }: PageProps) {
   const { returnTo } = await searchParams
-  redirect(buildOryStartURL('signin', returnTo))
+  const query = returnTo ? `?return_to=${encodeURIComponent(returnTo)}` : ''
+  redirect(`/recovery${query}`)
 }

src/app/(auth)/sign-in/page.tsx

@@ -1,11 +1,13 @@
 import { redirect } from 'next/navigation'
-import { buildOryStartURL } from '@/core/server/auth/ory/build-start-url'
 
 type PageProps = {
   searchParams: Promise<{ returnTo?: string }>
 }
 
+// Legacy entry path: forward to the same-origin Kratos login flow page,
+// preserving the post-login destination as Ory's `return_to`.
 export default async function Page({ searchParams }: PageProps) {
   const { returnTo } = await searchParams
-  redirect(buildOryStartURL('signin', returnTo))
+  const query = returnTo ? `?return_to=${encodeURIComponent(returnTo)}` : ''
+  redirect(`/login${query}`)
 }

src/app/(auth)/sign-up/page.tsx

@@ -1,11 +1,13 @@
 import { redirect } from 'next/navigation'
-import { buildOryStartURL } from '@/core/server/auth/ory/build-start-url'
 
 type PageProps = {
   searchParams: Promise<{ returnTo?: string }>
 }
 
+// Legacy entry path: forward to the same-origin Kratos registration flow page,
+// preserving the post-login destination as Ory's `return_to`.
 export default async function Page({ searchParams }: PageProps) {
   const { returnTo } = await searchParams
-  redirect(buildOryStartURL('signup', returnTo))
+  const query = returnTo ? `?return_to=${encodeURIComponent(returnTo)}` : ''
+  redirect(`/registration${query}`)
 }

src/app/api/auth/sign-out/route.ts

@@ -3,14 +3,11 @@ import 'server-only'
 import { type NextRequest, NextResponse } from 'next/server'
 import { signOut } from '@/core/server/auth'
 
-// Sign-out lives in a plain route handler, deliberately NOT wrapped by the
-// Auth.js `auth()` helper. When sign-out runs inside an auth()-wrapped request,
-// the wrapper re-issues a refreshed JWT session cookie at the end of the
-// request, which clobbers the session-cookie deletion that signOut() emits and
-// leaves the user logged in. Here nothing re-wraps the request, so the deletion
-// sticks. The client hard-navigates to this route, so the logout overlay stays
-// up until the document unloads (no soft RSC redirect re-rendering the
-// signed-out dashboard underneath it).
+// Sign-out is a plain GET route handler the client hard-navigates to. signOut()
+// returns the same-origin Kratos self-service logout URL; redirecting there as a
+// real document navigation lets Kratos clear its session cookie and bounce back.
+// The hard navigation also keeps the logout overlay up until the document
+// unloads (no soft RSC redirect re-rendering the signed-out dashboard under it).
 export async function GET(request: NextRequest) {
   const { redirectTo } = await signOut({ origin: request.nextUrl.origin })
   return NextResponse.redirect(new URL(redirectTo, request.nextUrl.origin))