managarten/services/mana-auth/CLAUDE.md
Till JS cb85fba820 feat(todo/web, shared-i18n): complete i18n for Todo web app + add missing common translations
Extract ~120 hardcoded German strings from 14 Svelte components into i18n locale
files using svelte-i18n $t() calls. Add new translation sections (taskForm, filters,
tags, subtasks, durationPicker, kanban, toolbar) across all 5 languages (de/en/fr/es/it).

Also add missing shared common translations for Spanish, French, and Italian
(150+ keys each) in packages/shared-i18n.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:19:48 +02:00


mana-auth

Central authentication service for the ManaCore ecosystem. Rewritten from NestJS (mana-core-auth) to Hono + Bun.

Tech Stack

| Layer | Technology |
| --- | --- |
| Runtime | Bun |
| Framework | Hono |
| Auth | Better Auth (native Hono handler) |
| Database | PostgreSQL + Drizzle ORM |
| JWT | EdDSA via Better Auth JWT plugin |
| Email | Nodemailer + Brevo SMTP |

Port: 3001 (same as mana-core-auth — drop-in replacement)

Better Auth Plugins

  1. Organization — B2B multi-tenant with RBAC
  2. JWT — EdDSA tokens with minimal claims (sub, email, role, sid)
  3. OIDC Provider — Matrix/Synapse SSO
  4. Two-Factor — TOTP with backup codes
  5. Magic Link — Passwordless email login

Key Endpoints

Better Auth Native (/api/auth/*)

Handled directly by Better Auth — includes sign-in, sign-up, session, 2FA, magic links, org management.

Custom Auth (/api/v1/auth/*)

| Method | Path | Description |
| --- | --- | --- |
| POST | /register | Register + init credits |
| POST | /login | Login (returns JWT + sets SSO cookie) |
| POST | /logout | Logout |
| POST | /validate | Validate JWT token |
| GET | /session | Get current session |

OIDC (/.well-known/*, /api/auth/oauth2/*)

OpenID Connect provider for Matrix/Synapse SSO.

Me — GDPR Self-Service (/api/v1/me/*)

| Method | Path | Description |
| --- | --- | --- |
| GET | /data | Full user data summary (auth, credits, project entities) |
| GET | /data/export | Download all data as JSON file |
| DELETE | /data | Delete all user data across all services (right to be forgotten) |

Aggregates data from 3 sources: auth DB (sessions, accounts, 2FA, passkeys), mana-credits (balance, transactions), mana-sync DB (entity counts per app).

Admin (/api/v1/admin/*)

| Method | Path | Description |
| --- | --- | --- |
| GET | /users | Paginated user list with search (?page=1&limit=20&search=) |
| GET | /users/:id/data | Aggregated user data summary (same as /me/data) |
| DELETE | /users/:id/data | Delete all user data (admin) |
| GET | /users/:id/tier | Get user's access tier |
| PUT | /users/:id/tier | Update user's access tier |

Internal (/api/v1/internal/*)

| Method | Path | Description |
| --- | --- | --- |
| GET | /org/:orgId/member/:userId | Check membership (for mana-credits) |
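The internal route above is service-to-service only, so the thing to get right is the MANA_CORE_SERVICE_KEY check in front of it: constant-time comparison, fail closed when the key is unset, and one response shape whether the org is unknown or the user just is not in it. The block below is an added example, not mana-auth's code; it assumes the caller presents the key in an `x-service-key` header (the real header name is not documented on this page) and uses a constructed in-memory member table in place of the Better Auth organization tables:

```typescript
import { timingSafeEqual } from 'node:crypto';

type Member = { orgId: string; userId: string; role: string };
type Reply = { status: number; body: { isMember?: boolean; role?: string | null; error?: string } };

// Constructed rows standing in for the Better Auth organization plugin's member table.
const members: Member[] = [
  { orgId: 'org_acme', userId: 'user_1', role: 'owner' },
  { orgId: 'org_acme', userId: 'user_2', role: 'member' },
  { orgId: 'org_globex', userId: 'user_3', role: 'admin' },
];

// Constant-time comparison of the presented key with MANA_CORE_SERVICE_KEY.
// timingSafeEqual throws on unequal lengths, so lengths are compared first; that only
// reveals the key length, which does not help an attacker recover the key.
function serviceKeyMatches(presented: string | undefined, expected: string): boolean {
  if (!presented) return false;
  const a = Buffer.from(presented, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  return a.length === b.length && timingSafeEqual(a, b);
}

// Handler logic for GET /org/:orgId/member/:userId, kept free of Hono so it runs stand-alone.
// Assumption: callers such as mana-credits send the key in an `x-service-key` header.
function handleMembershipCheck(
  headers: Record<string, string | undefined>,
  orgId: string,
  userId: string,
  serviceKey: string | undefined,
): Reply {
  // Fail closed: an unset key must never turn the check into "allow everyone".
  if (!serviceKey) return { status: 500, body: { error: 'MANA_CORE_SERVICE_KEY not configured' } };
  if (!serviceKeyMatches(headers['x-service-key'], serviceKey)) {
    return { status: 401, body: { error: 'unauthorized' } };
  }
  const m = members.find((r) => r.orgId === orgId && r.userId === userId);
  // Same response whether the org does not exist or the user is simply not a member.
  return { status: 200, body: { isMember: m !== undefined, role: m ? m.role : null } };
}

// Wiring into the Hono app (illustrative; uses Hono's c.req.header, c.req.param and c.json):
// app.get('/api/v1/internal/org/:orgId/member/:userId', (c) => {
//   const r = handleMembershipCheck({ 'x-service-key': c.req.header('x-service-key') },
//     c.req.param('orgId'), c.req.param('userId'), process.env.MANA_CORE_SERVICE_KEY);
//   return c.json(r.body, r.status);
// });
```

Keep this route off any public ingress as well; the key check is defence in depth, not a substitute for network isolation between services.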

Cross-Domain SSO

Session cookies are shared across *.mana.how via COOKIE_DOMAIN=.mana.how. A cookie scoped to the parent domain is sent to every host under mana.how, so every subdomain is inside the session's trust boundary: any new *.mana.how host can present the session and, if compromised, leak it. Keep the cookie Secure and HttpOnly, and treat adding a subdomain as widening the auth trust boundary.

Environment Variables

PORT=3001
DATABASE_URL=postgresql://...
SYNC_DATABASE_URL=postgresql://.../mana_sync  # mana-sync DB for entity counts (GDPR data view)
BASE_URL=https://auth.mana.how
COOKIE_DOMAIN=.mana.how
NODE_ENV=production
MANA_CORE_SERVICE_KEY=...
MANA_CREDITS_URL=http://mana-credits:3061
MANA_SUBSCRIPTIONS_URL=http://mana-subscriptions:3063
SMTP_HOST=smtp-relay.brevo.com
SMTP_PORT=587
SMTP_USER=...
SMTP_PASS=...
SYNAPSE_OIDC_CLIENT_SECRET=...

Critical Rules

  • ALWAYS use Better Auth — no custom auth implementation
  • EdDSA algorithm only for JWT (Better Auth manages JWKS)
  • Minimal JWT claims — sub, email, role, sid only
  • jose library for JWT validation (NOT jsonwebtoken): it verifies against a remote JWKS natively (createRemoteJWKSet + jwtVerify) and lets the caller pin algorithms: ['EdDSA'], so a token carrying any other alg (including none) is rejected before its signature is even examined
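What the three JWT rules above (EdDSA only, minimal claims, pinned verifier) buy a consuming service is easiest to see in a verifier that does them by hand. The block below is an added example, not mana-auth's code or jose's: it uses only Node's built-in crypto so it runs with no dependencies, mints an EdDSA token the way the Better Auth JWT plugin would, publishes the public half as a JWKS, and then shows which forgeries the algorithm pin and the claim check turn away. The key id, issuer and claim values are constructed; in the services themselves the same checks are one call, jwtVerify(token, jwks, { algorithms: ['EdDSA'], issuer }).

```typescript
import { generateKeyPairSync, sign, verify, createPublicKey, createHmac, KeyObject } from 'node:crypto';

type Claims = { sub: string; email: string; role: string; sid: string; iss: string; exp: number };
type Jwk = Record<string, any>;

const b64url = (data: Buffer | string): string =>
  (typeof data === 'string' ? Buffer.from(data) : data).toString('base64url');
const fromB64url = (s: string): Buffer => Buffer.from(s, 'base64url');

// Issuer side (what the Better Auth JWT plugin does): sign header.payload with Ed25519.
function issueToken(privateKey: KeyObject, kid: string, claims: Claims): string {
  const header = b64url(JSON.stringify({ alg: 'EdDSA', typ: 'JWT', kid }));
  const payload = b64url(JSON.stringify(claims));
  const sig = sign(null, Buffer.from(`${header}.${payload}`), privateKey); // Ed25519: algorithm arg must be null
  return `${header}.${payload}.${b64url(sig)}`;
}

// The JWKS document a consumer fetches from mana-auth: only the public half is published.
function toJwks(publicKey: KeyObject, kid: string): { keys: Jwk[] } {
  return { keys: [{ ...publicKey.export({ format: 'jwk' }), kid, alg: 'EdDSA', use: 'sig' }] };
}

// Consumer side. Order matters: pin the algorithm BEFORE selecting a key, select the key
// by kid, verify the signature, then check iss/exp and that the minimal claims are present.
function verifyToken(token: string, jwks: { keys: Jwk[] }, issuer: string, now: number): Claims {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString('utf8'));
  if (header.alg !== 'EdDSA') throw new Error(`algorithm not allowed: ${header.alg}`); // none, HS256, RS256 all stop here
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) throw new Error('unknown kid');
  const publicKey = createPublicKey({ key: jwk, format: 'jwk' });
  if (!verify(null, Buffer.from(`${h}.${p}`), publicKey, fromB64url(s))) throw new Error('bad signature');
  const claims = JSON.parse(fromB64url(p).toString('utf8'));
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  for (const c of ['sub', 'email', 'role', 'sid']) {
    if (typeof claims[c] !== 'string' || claims[c] === '') throw new Error(`missing claim: ${c}`);
  }
  return claims as Claims;
}

// Two forgeries a consumer must reject even though the JWKS is public knowledge.
function forgeAlgNone(claims: Claims): string {
  return `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}.`;
}
// Key confusion: a verifier that accepted HS256 would use the published public key as the HMAC secret.
function forgeHs256(jwks: { keys: Jwk[] }, kid: string, claims: Claims): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid }));
  const payload = b64url(JSON.stringify(claims));
  const mac = createHmac('sha256', JSON.stringify(jwks.keys[0])).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(mac)}`;
}

// Constructed demo: one valid token plus tokens that must fail, returning each outcome.
function demo(): Record<string, string> {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const kid = 'mana-auth-2026-01';          // assumed key id
  const issuer = 'https://auth.mana.how';   // BASE_URL from the environment block
  const jwks = toJwks(publicKey, kid);
  const now = 1_800_000_000;
  const claims: Claims = { sub: 'user_123', email: 'alice@example.com', role: 'user', sid: 'sess_abc', iss: issuer, exp: now + 900 };
  const good = issueToken(privateKey, kid, claims);
  const [h, , s] = good.split('.');
  const withoutSid = { ...claims } as Partial<Claims>;
  delete withoutSid.sid;
  const outcome = (t: string): string => {
    try { verifyToken(t, jwks, issuer, now); return 'ok'; } catch (e) { return (e as Error).message; }
  };
  return {
    valid: outcome(good),
    algNone: outcome(forgeAlgNone(claims)),
    hs256: outcome(forgeHs256(jwks, kid, claims)),
    tampered: outcome(`${h}.${b64url(JSON.stringify({ ...claims, role: 'admin' }))}.${s}`),
    expired: outcome(issueToken(privateKey, kid, { ...claims, exp: now - 1 })),
    missingSid: outcome(issueToken(privateKey, kid, withoutSid as Claims)),
  };
}
```

The algorithm pin is the line that matters most: with it, the alg:none and HS256 key-confusion tokens never reach signature verification, which is exactly what jose's algorithms option enforces. Add an audience check too once consumers have distinct aud values.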