mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 23:41:08 +02:00
8e8b6ac65f
This commit bundles two unrelated changes that were swept together by an
accidental `git add -A` in another working session. Documented here so the
history reflects what's actually inside.
═══════════════════════════════════════════════════════════════════════
1. fix(mana-auth): /api/v1/auth/login mints JWT via auth.handler instead
of api.signInEmail
═══════════════════════════════════════════════════════════════════════
Previous attempt (commit 55cc75e7d) tried to fix the broken JWT mint in
/api/v1/auth/login by switching the cookie name from `mana.session_token`
to `__Secure-mana.session_token` for production. That was necessary but
not sufficient: Better Auth's session cookie value isn't just the raw
session token, it's `<token>.<HMAC>` where the HMAC is derived from the
better-auth secret. Reconstructing the cookie from auth.api.signInEmail's
JSON response only gave us the raw token, so /api/auth/token's
get-session middleware still couldn't validate it and the JWT mint kept
silently failing.
Real fix: do the sign-in via auth.handler (the HTTP path) rather than
auth.api.signInEmail (the SDK path). The handler returns a real fetch
Response with a Set-Cookie header containing the fully signed cookie
envelope. We capture that header verbatim and forward it as the cookie
on the /api/auth/token request, which now passes validation and mints
the JWT correctly.
Verified end-to-end on auth.mana.how:
$ curl -X POST https://auth.mana.how/api/v1/auth/login \
-d '{"email":"...","password":"..."}'
{
"user": {...},
"token": "<session token>",
"accessToken": "eyJhbGciOiJFZERTQSI...", ← real JWT now
"refreshToken": "<session token>"
}
Side benefits:
- Email-not-verified path is now handled by checking
signInResponse.status === 403 directly, no more catching APIError
with the comment-noted async-stream footgun.
- X-Forwarded-For is forwarded explicitly so Better Auth's rate limiter
and our security log see the real client IP.
- The leftover catch block now only handles unexpected exceptions
(network errors etc); the FORBIDDEN-checking logic in it is dead but
harmless and left in for defense in depth.
═══════════════════════════════════════════════════════════════════════
2. chore: remove the entire self-hosted Matrix stack (Synapse, Element,
Manalink, mana-matrix-bot)
═══════════════════════════════════════════════════════════════════════
The Matrix subsystem ran parallel to the main Mana product without any
load-bearing integration: the unified web app never imported matrix-js-sdk,
the chat module uses mana-sync (local-first), and mana-matrix-bot's
plugins duplicated features the unified app already ships natively.
Keeping it alive cost a Synapse + Element + matrix-web + bot container
quartet, three Cloudflare routes, an OIDC provider plugin in mana-auth,
and a steady drip of devlog/dependency churn.
Removed:
- apps/matrix (Manalink web + mobile, ~150 files)
- services/mana-matrix-bot (Go bot with ~20 plugins)
- docker/matrix configs (Synapse + Element)
- synapse/element-web/matrix-web/mana-matrix-bot services in
docker-compose.macmini.yml
- matrix.mana.how/element.mana.how/link.mana.how Cloudflare tunnel routes
- OIDC provider plugin + matrix-synapse trustedClient + matrixUserLinks
table from mana-auth (oauth_* schema definitions also removed)
- MatrixService import path in mana-media (importFromMatrix endpoint)
- Matrix notification channel in mana-notify (worker, metrics, config,
channel_type enum, MatrixOptions handler)
- Matrix entries from shared-branding (mana-apps + app-icons),
notify-client, the i18n bundle, the observatory map, the credits
app-label list, the landing footer/apps page, the prometheus + alerts
+ promtail tier mappings, and the matrix-related deploy paths in
cd-macmini.yml + ci.yml
Devlog/manascore/blueprint entries that mention Matrix are left intact
as historical record. The oauth_* + matrix_user_links Postgres tables
stay on existing prod databases — code can no longer write to them, drop
them in a follow-up migration if you want them gone for real.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
5.4 KiB
5.4 KiB
URL Schema - mana.how
This document defines the URL schema for all mana.how subdomains.
Naming Convention
- Landing Pages: Plural form (e.g.,
calendars.mana.how) - Web Apps: Singular form (e.g.,
calendar.mana.how) - APIs: Singular +
-apisuffix (e.g.,calendar-api.mana.how) - Short URLs: Redirect to Web Apps for convenience
Complete URL Mapping
Core Apps (Production)
| App | Web App | API | Status |
|---|---|---|---|
| Calendar | calendar.mana.how | api.mana.how/calendar | Active |
| Clock | clock.mana.how | api.mana.how/clock | Active |
| Todo | todo.mana.how | api.mana.how/todo | Active |
| Contacts | contacts.mana.how | api.mana.how/contacts | Active |
| Chat | chat.mana.how | api.mana.how/chat | Active |
| Storage | storage.mana.how | api.mana.how/storage | Active |
| Zitare | zitare.mana.how | api.mana.how/zitare | Active |
| NutriPhi | nutriphi.mana.how | api.mana.how/nutriphi | Active |
| Presi | presi.mana.how | api.mana.how/presi | Active |
| SkillTree | skilltree.mana.how | api.mana.how/skilltree | Active |
| Photos | photos.mana.how | api.mana.how/photos | Active |
Platform Services
| Service | URL | Description |
|---|---|---|
| Main Dashboard | mana.how | Main landing/dashboard |
| Auth Service | auth.mana.how | Central authentication (mana-auth) |
| API Gateway | api.mana.how | Unified API gateway |
| Media Service | media.mana.how | Image/video processing |
| LLM Service | llm.mana.how | LLM abstraction layer |
| LLM Playground | playground.mana.how | LLM testing interface |
| File Storage | files.mana.how | MinIO/S3 file access |
Automation
| Service | URL | Description |
|---|---|---|
| N8N | n.mana.how | Workflow automation |
Monitoring & Admin
| Service | URL | Description |
|---|---|---|
| Grafana | grafana.mana.how | Metrics dashboards |
| Umami | (internal :8010) | Web analytics |
Umami Tracking (Analytics)
For web analytics, the following apps are tracked in Umami:
| Umami Website ID | Display Name | Domain |
|---|---|---|
mana-webapp |
Dashboard | mana.how |
chat-webapp |
Chat | chat.mana.how |
todo-webapp |
Todo | todo.mana.how |
calendar-webapp |
Calendar | calendar.mana.how |
clock-webapp |
Clock | clock.mana.how |
contacts-webapp |
Contacts | contacts.mana.how |
storage-webapp |
Storage | storage.mana.how |
zitare-webapp |
Zitare | zitare.mana.how |
nutriphi-webapp |
NutriPhi | nutriphi.mana.how |
presi-webapp |
Presi | presi.mana.how |
skilltree-webapp |
SkillTree | skilltree.mana.how |
photos-webapp |
Photos | photos.mana.how |
Short URL Redirects
Convenience redirects for quick access to Web Apps:
| Short URL | Redirects To |
|---|---|
| cal.mana.how | calendar.mana.how |
| clok.mana.how | clock.mana.how |
| con.mana.how | contact.mana.how |
| pic.mana.how | picture.mana.how |
| zit.mana.how | zitare.mana.how |
Hosting
Landing Pages (Astro Static Sites)
Platform: Cloudflare Pages
Landing pages are deployed via Cloudflare Pages using Wrangler CLI:
# Deploy individual landing page
pnpm deploy:landing:calendar
pnpm deploy:landing:clock
pnpm deploy:landing:todo
pnpm deploy:landing:contacts
pnpm deploy:landing:chat
pnpm deploy:landing:picture
pnpm deploy:landing:zitare
# Deploy all landing pages
pnpm deploy:landing:all
Cloudflare Project Names:
| App | Cloudflare Project | Custom Domain |
|---|---|---|
| Calendar | calendars-landing | calendars.mana.how |
| Clock | clocks-landing | clocks.mana.how |
| Todo | todos-landing | todos.mana.how |
| Contacts | contacts-landing | contacts.mana.how |
| Chat | chats-landing | chats.mana.how |
| Picture | pictures-landing | pictures.mana.how |
| Zitare | zitares-landing | zitares.mana.how |
Web Apps & APIs
Platform: Mac Mini (self-hosted) via Docker + Cloudflare Tunnel
DNS Configuration
Web apps and APIs are routed via Cloudflare Tunnel to the Mac Mini. Landing pages use Cloudflare Pages.
Cloudflare Tunnel (Web Apps & APIs)
All *.mana.how subdomains are routed via Cloudflare Tunnel to the Mac Mini Docker containers. No A records needed — Cloudflare manages the DNS.
CNAME Records (Cloudflare - Landing Pages)
calendars.mana.how CNAME calendars-landing.pages.dev
clocks.mana.how CNAME clocks-landing.pages.dev
todos.mana.how CNAME todos-landing.pages.dev
contacts.mana.how CNAME contacts-landing.pages.dev
chats.mana.how CNAME chats-landing.pages.dev
pictures.mana.how CNAME pictures-landing.pages.dev
zitares.mana.how CNAME zitares-landing.pages.dev
Short URL Redirects (Cloudflare Redirect Rules or CNAME)
cal.mana.how → 301 redirect to calendar.mana.how
clok.mana.how → 301 redirect to clock.mana.how
con.mana.how → 301 redirect to contact.mana.how
pic.mana.how → 301 redirect to picture.mana.how
zit.mana.how → 301 redirect to zitare.mana.how
Adding a New App
- Create landing page in
apps/{app}/apps/landing/ - Add
wrangler.tomlwith project name{apps}-landing - Add deploy script to root
package.json - Create Cloudflare Pages project:
npx wrangler pages project create {apps}-landing - Add custom domain in Cloudflare dashboard
- Update this documentation