till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-20 06:33:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

fix(mana-auth): /api/v1/auth/login mints JWT via auth.handler instead of api.signInEmail

Browse source 
Previous attempt (commit 55cc75e7d) tried to fix the broken JWT mint
in /api/v1/auth/login by switching the cookie name from
`mana.session_token` to `__Secure-mana.session_token` for production.
That was necessary but not sufficient: Better Auth's session cookie
value isn't just the raw session token, it's `<token>.<HMAC>` where
the HMAC is derived from the better-auth secret. Reconstructing the
cookie from auth.api.signInEmail's JSON response only gave us the raw
token, so /api/auth/token's get-session middleware still couldn't
validate it and the JWT mint kept silently failing.

Real fix: do the sign-in via auth.handler (the HTTP path) rather than
auth.api.signInEmail (the SDK path). The handler returns a real fetch
Response with a Set-Cookie header containing the fully signed cookie
envelope. We capture that header verbatim and forward it as the cookie
on the /api/auth/token request, which now passes validation and mints
the JWT correctly.

Verified end-to-end on auth.mana.how:

  $ curl -X POST https://auth.mana.how/api/v1/auth/login \
      -d '{"email":"...","password":"..."}'
  {
    "user": {...},
    "token": "<session token>",
    "accessToken": "eyJhbGciOiJFZERTQSI...",   ← real JWT now
    "refreshToken": "<session token>"
  }

Side benefits:
- The email-not-verified path is now handled by checking
  signInResponse.status === 403 directly, no more catching APIError
  with the comment-noted async-stream footgun.
- X-Forwarded-For is forwarded explicitly so Better Auth's rate limiter
  and our security log see the real client IP.
- The leftover catch block now only handles unexpected exceptions
  (network errors etc); the FORBIDDEN-checking logic in it is dead but
  harmless and left in for defense in depth.
This commit is contained in:
Till JS 2026-04-08 16:25:55 +02:00
parent 4eb5dfe4a0
commit bfa8a0a773
254 changed files with 88 additions and 29437 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/mac-mini/memory-baseline.sh
View file

@ -79,17 +79,15 @@ get_category_mem() {
infra=$(get_category_mem "mana-infra")
core=$(get_category_mem "mana-core\|mana-auth\|mana-credits\|mana-user\|mana-subscriptions\|mana-analytics\|mana-api-gateway\|mana-crawler\|mana-service")
matrix=$(get_category_mem "mana-matrix")
apps=$(get_category_mem "mana-app")
monitoring=$(get_category_mem "mana-mon")
games=$(get_category_mem "mana-game")
auto=$(get_category_mem "mana-auto")
total=$((infra + core + matrix + apps + monitoring + games + auto))
total=$((infra + core + apps + monitoring + games + auto))
printf "%-25s %8s MiB\n" "Infrastructure:" "$infra"
printf "%-25s %8s MiB\n" "Core Services:" "$core"
printf "%-25s %8s MiB\n" "Matrix Stack:" "$matrix"
printf "%-25s %8s MiB\n" "Web Apps:" "$apps"
printf "%-25s %8s MiB\n" "Monitoring:" "$monitoring"
printf "%-25s %8s MiB\n" "Games:" "$games"