Auth flows: update sign-in links to /auth/signin/user; allow org signup via signup_intent cookie; unknown emails redirect to signup error; prevent /restricted redirects on /auth/*; org sign-in routes through signup start

Author: mxy680

app/auth/signin/SignInClient.tsx

@@ -9,7 +9,6 @@ export default function SignInClient() {
   const [loading, setLoading] = React.useState(false)
 
   const cb = params.get("callbackUrl") || "/"
-  const from = params.get("from") || undefined
   const mode = params.get("mode") || undefined
 
   return (
@@ -46,9 +45,6 @@ export default function SignInClient() {
           </span>
           {loading ? "Redirecting…" : "Continue with Google"}
         </button>
-        {from && (
-          <p className="mt-2 text-[11px] text-muted-foreground">After sign-in you’ll be returned to: {from}</p>
-        )}
         <p className="mt-4 text-[11px] text-muted-foreground">
           By continuing, you agree to our Terms and acknowledge our Privacy Policy.
         </p>

app/auth/signin/organization/page.tsx

@@ -12,7 +12,7 @@ export default function Page() {
           <Link href="/auth/signup/organization">Sign up</Link>
         </Button>
         <Button asChild variant="default">
-          <Link href="/auth/signin">Sign in</Link>
+          <Link href="/auth/signin/user">Sign in</Link>
         </Button>
       </header>
 
@@ -24,7 +24,16 @@ export default function Page() {
               <p className="text-sm text-foreground/70">Continue with Google</p>
             </CardHeader>
             <CardContent>
-              <Button className="w-full" onClick={() => signIn("google", { callbackUrl: "/org/dashboard" })}>
+              <Button
+                className="w-full"
+                onClick={() => {
+                  try {
+                    // Allow account creation when starting from org sign-in
+                    document.cookie = "signup_intent=1; Max-Age=600; Path=/; SameSite=Lax";
+                  } catch {}
+                  return signIn("google", { callbackUrl: "/auth/signup/organization/start" });
+                }}
+              >
                 Continue with Google
               </Button>
               <p className="mt-3 text-xs text-center text-foreground/60">

app/auth/signup/organization/page.tsx

@@ -33,7 +33,7 @@ export default function Page() {
           <Link href="/auth/signup/organization">Sign up</Link>
         </Button>
         <Button asChild variant="default">
-          <Link href="/auth/signin">Sign in</Link>
+          <Link href="/auth/signin/user">Sign in</Link>
         </Button>
       </header>
 
@@ -52,7 +52,13 @@ export default function Page() {
                 type="button"
                 variant="outline"
                 className="w-full flex items-center justify-center gap-2 bg-orange-500 hover:bg-orange-600 text-white hover:text-white focus:text-white active:text-white border-transparent"
-                onClick={() => signIn("google", { callbackUrl: "/auth/signup/organization/start" })}
+                onClick={() => {
+                  try {
+                    // Allow unknown emails during signup flow only
+                    document.cookie = "signup_intent=1; Max-Age=600; Path=/; SameSite=Lax"
+                  } catch {}
+                  return signIn("google", { callbackUrl: "/auth/signup/organization/start" })
+                }}
               >
                 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48" width="18" height="18" aria-hidden="true" className="text-white">
                   <path fill="currentColor" d="M43.611,20.083H42V20H24v8h11.303c-1.649,4.657-6.08,8-11.303,8c-6.627,0-12-5.373-12-12 s5.373-12,12-12c3.059,0,5.842,1.154,7.961,3.039l5.657-5.657C33.691,6.053,29.082,4,24,4C12.955,4,4,12.955,4,24 s8.955,20,20,20s20-8.955,20-20C44,22.659,43.862,21.35,43.611,20.083z"/>

app/auth/signup/user/page.tsx

@@ -50,7 +50,7 @@ export default function Page() {
     <main className="min-h-[calc(100vh-4rem)] p-6 bg-gradient-to-b from-primary/20 via-transparent to-transparent">
       <header className="mb-6 flex justify-end gap-2">
         <Button asChild variant="outline">
-          <Link href="/auth/signin">Sign in</Link>
+          <Link href="/auth/signin/user">Sign in</Link>
         </Button>
         <Button asChild variant="default">
           <Link href="/auth/signup/user">Sign up</Link>

app/auth/signup/user/school/cwru/page.tsx

@@ -13,7 +13,7 @@ export default function Page() {
             <Link href="/auth/signup/user">Sign up</Link>
           </Button>
           <Button asChild variant="default">
-            <Link href="/auth/signin">Sign in</Link>
+            <Link href="/auth/signin/user">Sign in</Link>
           </Button>
         </div>
       </header>

lib/auth.ts

@@ -3,6 +3,7 @@ import type { Adapter } from "next-auth/adapters";
 import { PrismaAdapter } from "@auth/prisma-adapter";
 import GoogleProvider from "next-auth/providers/google";
 import { prisma } from "@/lib/prisma";
+import { cookies } from "next/headers";
 import type { Session } from "next-auth";
 import type { JWT } from "next-auth/jwt";
 
@@ -32,7 +33,13 @@ export const authOptions: NextAuthOptions = {
         if (email) {
           const existing = await prisma.user.findUnique({ where: { email } })
           if (!existing) {
-            // Abort sign-in and redirect to signup with error message
+            // If user came from signup, allow account creation
+            const c = await cookies()
+            const allowSignup = c.get("signup_intent")?.value === "1"
+            if (allowSignup) {
+              return true
+            }
+            // Otherwise send back to signup with a clear error
             return "/auth/signup/organization?error=no_account"
           }
           // Best-effort: sync Google avatar for existing users lacking image

middleware.ts

@@ -91,6 +91,7 @@ export async function middleware(req: NextRequest) {
   if (
     isAuthed &&
     !onOrgPaths &&
+    !onAuthPages &&
     role === "VOLUNTEER" &&
     typeof token?.email === "string" &&
     !token.email.toLowerCase().endsWith("@case.edu") &&