feat(api): replace JWT auth with Better-Auth session validation (GRO-118)
- Replace jose/jwtVerify with auth.api.getSession() - Session token validated via cookie/header, DB-backed - jwtPayload.sub now = Better-Auth user ID (not OIDC sub) - Dev mode bypass preserved; production guard against AUTH_DISABLED preserved - rbac.ts and tests updated in subsequent tasks Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Paperclip
@@ -1,34 +1,18 @@
|
|||||||
import type { MiddlewareHandler } from "hono";
|
import type { MiddlewareHandler } from "hono";
|
||||||
import { createRemoteJWKSet, jwtVerify } from "jose";
|
import { auth } from "../lib/auth.js";
|
||||||
|
|
||||||
// Authentik OIDC configuration — loaded from env at startup
|
export interface AuthUser {
|
||||||
const OIDC_ISSUER = process.env.OIDC_ISSUER;
|
id: string;
|
||||||
const OIDC_AUDIENCE = process.env.OIDC_AUDIENCE;
|
email: string;
|
||||||
|
name: string;
|
||||||
let jwks: ReturnType<typeof createRemoteJWKSet> | null = null;
|
|
||||||
|
|
||||||
function getJwks() {
|
|
||||||
if (!OIDC_ISSUER) throw new Error("OIDC_ISSUER is not set");
|
|
||||||
if (!jwks) {
|
|
||||||
jwks = createRemoteJWKSet(
|
|
||||||
new URL(`${OIDC_ISSUER}/application/o/groombook/jwks/`)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
return jwks;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
export interface JwtPayload {
|
// Guard: refuse to start with AUTH_DISABLED in production.
|
||||||
sub: string;
|
|
||||||
email?: string;
|
|
||||||
name?: string;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Guard: refuse to start with AUTH_DISABLED in production (fixes #22).
|
|
||||||
if (process.env.AUTH_DISABLED === "true") {
|
if (process.env.AUTH_DISABLED === "true") {
|
||||||
if (process.env.NODE_ENV === "production") {
|
if (process.env.NODE_ENV === "production") {
|
||||||
console.error(
|
console.error(
|
||||||
"[FATAL] AUTH_DISABLED=true is not allowed in production. " +
|
"[FATAL] AUTH_DISABLED=true is not allowed in production. " +
|
||||||
"Remove AUTH_DISABLED from your environment and configure OIDC_ISSUER."
|
"Remove AUTH_DISABLED from your environment and configure Better-Auth."
|
||||||
);
|
);
|
||||||
process.exit(1);
|
process.exit(1);
|
||||||
}
|
}
|
||||||
@@ -42,27 +26,24 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
|
|||||||
if (process.env.AUTH_DISABLED === "true") {
|
if (process.env.AUTH_DISABLED === "true") {
|
||||||
const devUserId = c.req.header("X-Dev-User-Id");
|
const devUserId = c.req.header("X-Dev-User-Id");
|
||||||
const sub = devUserId ?? "dev-user";
|
const sub = devUserId ?? "dev-user";
|
||||||
c.set("jwtPayload", { sub } as JwtPayload);
|
c.set("jwtPayload", { sub } as { sub: string });
|
||||||
await next();
|
await next();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
const authorization = c.req.header("Authorization");
|
const session = await auth.api.getSession({
|
||||||
if (!authorization?.startsWith("Bearer ")) {
|
headers: c.req.raw.headers,
|
||||||
|
});
|
||||||
|
|
||||||
|
if (!session) {
|
||||||
return c.json({ error: "Unauthorized" }, 401);
|
return c.json({ error: "Unauthorized" }, 401);
|
||||||
}
|
}
|
||||||
|
|
||||||
const token = authorization.slice(7);
|
// Set jwtPayload with sub = Better-Auth user ID for backward compat with resolveStaffMiddleware
|
||||||
|
c.set("jwtPayload", {
|
||||||
try {
|
sub: session.user.id,
|
||||||
const { payload } = await jwtVerify(token, getJwks(), {
|
email: session.user.email,
|
||||||
issuer: OIDC_ISSUER,
|
name: session.user.name,
|
||||||
audience: OIDC_AUDIENCE,
|
});
|
||||||
});
|
await next();
|
||||||
|
|
||||||
c.set("jwtPayload", payload as JwtPayload);
|
|
||||||
await next();
|
|
||||||
} catch {
|
|
||||||
return c.json({ error: "Invalid or expired token" }, 401);
|
|
||||||
}
|
|
||||||
};
|
};
|
||||||
|
|||||||
Reference in New Issue
Block a user