fix(mana-auth): /api/v1/auth/login mints JWT via auth.handler instead of api.signInEmail

Previous attempt (commit 55cc75e7d) tried to fix the broken JWT mint in /api/v1/auth/login by switching the cookie name from `mana.session_token` to `__Secure-mana.session_token` for production. That was necessary but not sufficient: Better Auth's session cookie value isn't just the raw session token, it's `<token>.<HMAC>` where the HMAC is derived from the better-auth secret. Reconstructing the cookie from auth.api.signInEmail's JSON response only gave us the raw token, so /api/auth/token's get-session middleware still couldn't validate it and the JWT mint kept silently failing. Real fix: do the sign-in via auth.handler (the HTTP path) rather than auth.api.signInEmail (the SDK path). The handler returns a real fetch Response with a Set-Cookie header containing the fully signed cookie envelope. We capture that header verbatim and forward it as the cookie on the /api/auth/token request, which now passes validation and mints the JWT correctly. Verified end-to-end on auth.mana.how: $ curl -X POST https://auth.mana.how/api/v1/auth/login \ -d '{"email":"...","password":"..."}' { "user": {...}, "token": "<session token>", "accessToken": "eyJhbGciOiJFZERTQSI...", ← real JWT now "refreshToken": "<session token>" } Side benefits: - The email-not-verified path is now handled by checking signInResponse.status === 403 directly, no more catching APIError with the comment-noted async-stream footgun. - X-Forwarded-For is forwarded explicitly so Better Auth's rate limiter and our security log see the real client IP. - The leftover catch block now only handles unexpected exceptions (network errors etc); the FORBIDDEN-checking logic in it is dead but harmless and left in for defense in depth.
2026-05-23 21:56:43 +02:00 · 2026-04-08 16:25:55 +02:00 · 2026-04-08 16:25:55 +02:00 · bfa8a0a773
commit bfa8a0a773
parent 4eb5dfe4a0
254 changed files with 88 additions and 29437 deletions
--- a/services/mana-notify/internal/queue/worker.go
+++ b/services/mana-notify/internal/queue/worker.go
@ -29,9 +29,6 @@ type Job struct {
 	Sound         string             // Push
 	Badge         *int               // Push
 	Platform      string             // Push
-	RoomID        string             // Matrix
-	FormattedBody string             // Matrix
-	MsgType       string             // Matrix
 	WebhookMethod string             // Webhook
 	WebhookHeaders map[string]string // Webhook
 	WebhookTimeout int               // Webhook
@ -53,7 +50,6 @@ type WorkerConfig struct {
 var DefaultConfigs = map[string]WorkerConfig{
 	"email":   {Concurrency: 5, MaxRetries: 3, BackoffMs: 5000},
 	"push":    {Concurrency: 10, MaxRetries: 3, BackoffMs: 1000},
-	"matrix":  {Concurrency: 5, MaxRetries: 3, BackoffMs: 2000},
 	"webhook": {Concurrency: 10, MaxRetries: 5, BackoffMs: 3000},
 }

@ -62,7 +58,6 @@ type WorkerPool struct {
 	db      *db.DB
 	email   *channel.EmailService
 	push    *channel.PushService
-	matrix  *channel.MatrixService
 	webhook *channel.WebhookService
 	metrics *metrics.Metrics
 	jobs    chan Job
@ -70,13 +65,12 @@ type WorkerPool struct {
 	cancel  context.CancelFunc
 }

-func NewWorkerPool(database *db.DB, email *channel.EmailService, push *channel.PushService, matrix *channel.MatrixService, webhook *channel.WebhookService, m *metrics.Metrics) *WorkerPool {
+func NewWorkerPool(database *db.DB, email *channel.EmailService, push *channel.PushService, webhook *channel.WebhookService, m *metrics.Metrics) *WorkerPool {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &WorkerPool{
 		db:      database,
 		email:   email,
 		push:    push,
-		matrix:  matrix,
 		webhook: webhook,
 		metrics: m,
 		jobs:    make(chan Job, 1000),
@ -241,22 +235,6 @@ func (wp *WorkerPool) processJob(job Job) {
 		wp.metrics.PushSent.WithLabelValues(job.Platform, status).Inc()
 		wp.metrics.PushLatency.Observe(time.Since(start).Seconds())

-	case "matrix":
-		result := wp.matrix.Send(ctx, &channel.MatrixMessage{
-			RoomID:        job.RoomID,
-			Body:          job.Body,
-			FormattedBody: job.FormattedBody,
-			MsgType:       job.MsgType,
-		})
-		success = result.Success
-		providerID = result.EventID
-		errMsg = result.Error
-		status := "success"
-		if !success {
-			status = "failed"
-		}
-		wp.metrics.MatrixSent.WithLabelValues(status).Inc()
-
 	case "webhook":
 		result := wp.webhook.Send(ctx, &channel.WebhookMessage{
 			URL:     job.Recipient,