till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-15 17:19:40 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/packages/shared-hono/src/auth.ts
Till JS 32939fbfb5 refactor(infra): remove zitare + clock NestJS backends, add shared-hono package 
Both apps are fully local-first via Dexie.js + mana-sync. Their NestJS
backends were pure CRUD wrappers (20 + 31 source files) that are no
longer needed.

Changes:
- Add packages/shared-hono: JWT auth via JWKS (jose), Drizzle DB factory,
  health route, generic GDPR admin handler, error middleware
- Migrate zitare lists page from fetch() to listsStore (local-first)
- Rewrite clock timers store from API-based to timerCollection (Dexie)
- Update clock +layout.svelte CommandBar search to use local collections
- Remove zitare-backend + clock-backend from docker-compose, CI/CD,
  Prometheus, env generation, setup scripts
- Add docs/TECHNOLOGY_AUDIT_2026_03.md with full repo analysis

Net result: -2 Docker containers, -2 ports, -2728 lines of code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 22:43:46 +01:00

122 lines
3.6 KiB
TypeScript
Raw Blame History

/**
* JWT authentication middleware for Hono servers.
*
* Verifies EdDSA JWTs from mana-core-auth via JWKS (cached).
* Drop-in replacement for @manacore/shared-nestjs-auth JwtAuthGuard.
*
* Sets `userId`, `userEmail`, `userRole` on Hono context.
*/
import type { Context, Next } from 'hono';
import { HTTPException } from 'hono/http-exception';
import { createRemoteJWKSet, jwtVerify } from 'jose';
const AUTH_URL = () => process.env.MANA_CORE_AUTH_URL ?? 'http://localhost:3001';
const SERVICE_KEY = () => process.env.MANA_CORE_SERVICE_KEY ?? '';
/** Cached JWKS - jose handles refetch cooldown (~10 min) */
let cachedJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;
let cachedJWKSUrl: string | null = null;
function getJWKS(): ReturnType<typeof createRemoteJWKSet> {
const jwksUrl = `${AUTH_URL()}/api/v1/auth/jwks`;
if (cachedJWKS && cachedJWKSUrl === jwksUrl) {
return cachedJWKS;
}
cachedJWKS = createRemoteJWKSet(new URL(jwksUrl));
cachedJWKSUrl = jwksUrl;
return cachedJWKS;
}
/**
* Build the issuer allowlist — accepts auth service URL variants
* (internal Docker URL, public URL, localhost).
*/
function getIssuers(): string[] {
const issuers = new Set<string>();
const jwtIssuer = process.env.JWT_ISSUER;
const authUrl = process.env.MANA_CORE_AUTH_URL;
if (jwtIssuer) issuers.add(jwtIssuer);
if (authUrl) issuers.add(authUrl);
issuers.add('https://auth.mana.how');
issuers.add('http://localhost:3001');
return [...issuers];
}
/**
* JWT auth middleware — verifies Bearer token via JWKS.
*
* Usage:
* ```ts
* const app = new Hono();
* app.use('/api/*', authMiddleware());
* app.get('/api/profile', (c) => {
* const userId = c.get('userId');
* return c.json({ userId });
* });
* ```
*/
export function authMiddleware() {
return async (c: Context, next: Next) => {
// Dev bypass
if (process.env.NODE_ENV === 'development' && process.env.DEV_BYPASS_AUTH === 'true') {
c.set('userId', process.env.DEV_USER_ID ?? '00000000-0000-0000-0000-000000000000');
c.set('userEmail', 'dev@example.com');
c.set('userRole', 'user');
return next();
}
const auth = c.req.header('Authorization');
if (!auth?.startsWith('Bearer ')) {
throw new HTTPException(401, { message: 'Missing authorization header' });
}
const token = auth.slice(7);
try {
const jwks = getJWKS();
const audience = process.env.JWT_AUDIENCE ?? 'manacore';
const { payload } = await jwtVerify(token, jwks, {
issuer: getIssuers(),
audience,
});
if (!payload.sub) {
throw new HTTPException(401, { message: 'Token missing subject claim' });
}
c.set('userId', payload.sub);
c.set('userEmail', (payload as Record<string, unknown>).email ?? '');
c.set('userRole', (payload as Record<string, unknown>).role ?? 'user');
c.set('sessionId', (payload as Record<string, unknown>).sid ?? '');
return next();
} catch (err) {
if (err instanceof HTTPException) throw err;
console.error('[auth] Token verification failed:', err instanceof Error ? err.message : err);
throw new HTTPException(401, { message: 'Invalid or expired token' });
}
};
}
/**
* Service key auth middleware — validates X-Service-Key header.
* Used for admin/GDPR endpoints called by mana-core-auth.
*
* Usage:
* ```ts
* app.use('/api/v1/admin/*', serviceAuthMiddleware());
* ```
*/
export function serviceAuthMiddleware() {
return async (c: Context, next: Next) => {
const key = c.req.header('X-Service-Key');
const expected = SERVICE_KEY();
if (!key || !expected || key !== expected) {
throw new HTTPException(401, { message: 'Invalid service key' });
}
return next();
};
}
Reference in a new issue View git blame Copy permalink