mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 22:01:09 +02:00
61ee1ae269
Rewrite the central authentication service from NestJS to Hono + Bun.
Uses Better Auth's native fetch-based handler — no Express conversion.
Key architecture changes:
- Better Auth handler mounted directly on Hono (app.all('/api/auth/*'))
- No NestJS DI, modules, guards, decorators — plain TypeScript
- JWT validation via jose (same as extracted services)
- Email via nodemailer (simplified, German templates)
- ~1,400 LOC vs ~11,500 LOC in NestJS (88% reduction)
Service structure:
- auth/better-auth.config.ts — copied from mana-core-auth (framework-agnostic)
- auth/stores.ts — in-memory stores for email redirect URLs
- email/send.ts — nodemailer email functions
- middleware/ — JWT auth, service auth, error handler (shared pattern)
- db/schema/ — copied from mana-core-auth (Drizzle, framework-agnostic)
Port: 3001 (same as mana-core-auth — drop-in replacement)
Database: mana_auth (same DB, same schemas)
Better Auth plugins: Organization, JWT (EdDSA), OIDC Provider,
Two-Factor (TOTP), Magic Link
Note: This is the initial version. Guilds, API keys, Me (GDPR),
security (lockout/audit), and admin endpoints will be added
incrementally. The old mana-core-auth remains until fully replaced.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2.2 KiB
2.2 KiB
mana-auth
Central authentication service for the ManaCore ecosystem. Rewritten from NestJS (mana-core-auth) to Hono + Bun.
Tech Stack
| Layer | Technology |
|---|---|
| Runtime | Bun |
| Framework | Hono |
| Auth | Better Auth (native Hono handler) |
| Database | PostgreSQL + Drizzle ORM |
| JWT | EdDSA via Better Auth JWT plugin |
| Nodemailer + Brevo SMTP |
Port: 3001 (same as mana-core-auth — drop-in replacement)
Better Auth Plugins
- Organization — B2B multi-tenant with RBAC
- JWT — EdDSA tokens with minimal claims (sub, email, role, sid)
- OIDC Provider — Matrix/Synapse SSO
- Two-Factor — TOTP with backup codes
- Magic Link — Passwordless email login
Key Endpoints
Better Auth Native (/api/auth/*)
Handled directly by Better Auth — includes sign-in, sign-up, session, 2FA, magic links, org management.
Custom Auth (/api/v1/auth/*)
| Method | Path | Description |
|---|---|---|
| POST | /register |
Register + init credits |
| POST | /login |
Login (returns JWT + sets SSO cookie) |
| POST | /logout |
Logout |
| POST | /validate |
Validate JWT token |
| GET | /session |
Get current session |
OIDC (/.well-known/*, /api/auth/oauth2/*)
OpenID Connect provider for Matrix/Synapse SSO.
Internal (/api/v1/internal/*)
| Method | Path | Description |
|---|---|---|
| GET | /org/:orgId/member/:userId |
Check membership (for mana-credits) |
Cross-Domain SSO
Session cookies shared across *.mana.how via COOKIE_DOMAIN=.mana.how.
Environment Variables
PORT=3001
DATABASE_URL=postgresql://...
BASE_URL=https://auth.mana.how
COOKIE_DOMAIN=.mana.how
NODE_ENV=production
MANA_CORE_SERVICE_KEY=...
MANA_CREDITS_URL=http://mana-credits:3061
SMTP_HOST=smtp-relay.brevo.com
SMTP_PORT=587
SMTP_USER=...
SMTP_PASS=...
SYNAPSE_OIDC_CLIENT_SECRET=...
Critical Rules
- ALWAYS use Better Auth — no custom auth implementation
- EdDSA algorithm only for JWT (Better Auth manages JWKS)
- Minimal JWT claims — sub, email, role, sid only
- jose library for JWT validation (NOT jsonwebtoken)