feat(auth): implement cross-subdomain SSO for all web apps

Add Single Sign-On (SSO) support across all mana.how subdomains: - Add trySSO() method to @manacore/shared-auth that exchanges session cookies for JWT tokens - Add /api/v1/auth/session-to-token endpoint to mana-core-auth service - Update all 15 web apps to try SSO during auth initialization SSO Flow: 1. User logs in on any app (e.g., calendar.mana.how) 2. Session cookie is set with Domain=.mana.how 3. When visiting another app (e.g., todo.mana.how), it checks for local tokens first 4. If no local tokens, tries SSO via session cookie 5. Session cookie is exchanged for JWT tokens via new endpoint 6. User is automatically authenticated Apps updated: calendar, chat, clock, contacts, manacore, manadeck, nutriphi, picture, planta, presi, questions, skilltree, storage, todo, zitare Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-22 20:46:42 +02:00 · 2026-02-02 13:17:04 +01:00 · 2026-02-02 13:17:04 +01:00 · feaf27dd14
commit feaf27dd14
parent 352070fb2f
19 changed files with 491 additions and 16 deletions
--- a/services/mana-core-auth/src/auth/auth.controller.ts
+++ b/services/mana-core-auth/src/auth/auth.controller.ts
@ -9,7 +9,10 @@ import {
 	Headers,
 	HttpCode,
 	HttpStatus,
+	Req,
+	Res,
 } from '@nestjs/common';
+import type { Request, Response } from 'express';
 import { Throttle, ThrottlerGuard } from '@nestjs/throttler';
 import { ApiTags, ApiOperation, ApiResponse, ApiBearerAuth, ApiBody } from '@nestjs/swagger';
 import { BetterAuthService } from './services/better-auth.service';
@ -181,6 +184,51 @@ export class AuthController {
 		return this.betterAuthService.validateToken(body.token);
 	}

+	/**
+	 * Exchange session cookie for JWT tokens (SSO)
+	 *
+	 * This endpoint enables cross-domain Single Sign-On (SSO).
+	 * If the user has a valid session cookie (from logging in on another app),
+	 * this returns JWT tokens that the app can use for API calls.
+	 *
+	 * The session cookie is set on .mana.how domain, so it's shared across:
+	 * - calendar.mana.how
+	 * - todo.mana.how
+	 * - contacts.mana.how
+	 * - etc.
+	 */
+	@Post('session-to-token')
+	@HttpCode(HttpStatus.OK)
+	@ApiOperation({
+		summary: 'Exchange session cookie for JWT tokens',
+		description:
+			'SSO endpoint: If user has a valid session cookie, returns JWT access and refresh tokens.',
+	})
+	@ApiResponse({
+		status: 200,
+		description: 'Tokens generated successfully',
+		schema: {
+			type: 'object',
+			properties: {
+				user: {
+					type: 'object',
+					properties: {
+						id: { type: 'string' },
+						email: { type: 'string' },
+						name: { type: 'string' },
+					},
+				},
+				accessToken: { type: 'string' },
+				refreshToken: { type: 'string' },
+				expiresIn: { type: 'number', example: 900 },
+			},
+		},
+	})
+	@ApiResponse({ status: 401, description: 'No valid session cookie' })
+	async sessionToToken(@Req() req: Request, @Res({ passthrough: true }) res: Response) {
+		return this.betterAuthService.sessionToToken(req, res);
+	}
+
 	/**
 	 * Get JWKS (JSON Web Key Set)
 	 *