mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-16 19:59:40 +02:00
Rewrite the central authentication service from NestJS to Hono + Bun.
Uses Better Auth's native fetch-based handler — no Express conversion.
Key architecture changes:
- Better Auth handler mounted directly on Hono (app.all('/api/auth/*'))
- No NestJS DI, modules, guards, decorators — plain TypeScript
- JWT validation via jose (same as extracted services)
- Email via nodemailer (simplified, German templates)
- ~1,400 LOC vs ~11,500 LOC in NestJS (88% reduction)
Service structure:
- auth/better-auth.config.ts — copied from mana-core-auth (framework-agnostic)
- auth/stores.ts — in-memory stores for email redirect URLs
- email/send.ts — nodemailer email functions
- middleware/ — JWT auth, service auth, error handler (shared pattern)
- db/schema/ — copied from mana-core-auth (Drizzle, framework-agnostic)
Port: 3001 (same as mana-core-auth — drop-in replacement)
Database: mana_auth (same DB, same schemas)
Better Auth plugins: Organization, JWT (EdDSA), OIDC Provider,
Two-Factor (TOTP), Magic Link
Note: This is the initial version. Guilds, API keys, Me (GDPR),
security (lockout/audit), and admin endpoints will be added
incrementally. The old mana-core-auth remains until fully replaced.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
74 lines
2.2 KiB
Markdown
# mana-auth

Central authentication service for the ManaCore ecosystem. Rewritten from NestJS (mana-core-auth) to Hono + Bun.

## Tech Stack

| Layer | Technology |
|-------|------------|
| **Runtime** | Bun |
| **Framework** | Hono |
| **Auth** | Better Auth (native Hono handler) |
| **Database** | PostgreSQL + Drizzle ORM |
| **JWT** | EdDSA via Better Auth JWT plugin |
| **Email** | Nodemailer + Brevo SMTP |

## Port: 3001 (same as mana-core-auth — drop-in replacement)

## Better Auth Plugins

1. **Organization** — B2B multi-tenant with RBAC
2. **JWT** — EdDSA tokens with minimal claims (sub, email, role, sid)
3. **OIDC Provider** — Matrix/Synapse SSO
4. **Two-Factor** — TOTP with backup codes
5. **Magic Link** — Passwordless email login

## Key Endpoints

### Better Auth Native (`/api/auth/*`)

Handled directly by Better Auth's fetch-based handler, mounted on Hono with `app.all('/api/auth/*')`. Covers sign-in, sign-up, session, 2FA, magic links and org management.

### Custom Auth (`/api/v1/auth/*`)

| Method | Path | Description |
|--------|------|-------------|
| POST | `/register` | Register + init credits |
| POST | `/login` | Login (returns JWT + sets SSO cookie) |
| POST | `/logout` | Logout |
| POST | `/validate` | Validate a JWT |
| GET | `/session` | Get current session |

### OIDC (`/.well-known/*`, `/api/auth/oauth2/*`)

OpenID Connect provider for Matrix/Synapse SSO. Synapse is registered as an OIDC client; the secret it presents is configured via `SYNAPSE_OIDC_CLIENT_SECRET`.

### Internal (`/api/v1/internal/*`)

| Method | Path | Description |
|--------|------|-------------|
| GET | `/org/:orgId/member/:userId` | Check membership (for mana-credits) |

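The internal route above is a service-to-service call from mana-credits, not a user request, so it is gated by the "service auth" middleware the commit message mentions rather than by a user JWT; the README lists `MANA_CORE_SERVICE_KEY` but does not say how it is checked, so the shared-key check below is an assumption. This is an added example, not mana-auth's own middleware: it compares the presented key in constant time (both sides hashed to a fixed length so `timingSafeEqual` never throws on a length mismatch), fails closed when the key is unset, and dispatches the membership lookup on the Web-standard `Request` that Hono and Better Auth's fetch handler both use. The `x-service-key` header name, the injected membership lookup, the `{ member }` response shape and the sample request are constructed for the example.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

interface InternalResult { status: number; body: Record<string, unknown> }
type MembershipLookup = (orgId: string, userId: string) => boolean;

// Constant-time comparison of two secrets. Hashing both sides first yields
// equal-length buffers, so timingSafeEqual never throws on a length mismatch
// (a throw there would itself reveal the expected key's length), and the time
// taken no longer depends on how many leading bytes happen to match.
function secretsMatch(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Service auth for /api/v1/internal/*: null means "proceed", otherwise the
// error to return. The x-service-key header name is an assumption.
function authorizeInternal(req: Request, expectedKey: string | undefined): InternalResult | null {
  // Fail closed: an unset MANA_CORE_SERVICE_KEY must not turn into "accept anything".
  if (!expectedKey) return { status: 503, body: { error: "service auth not configured" } };
  // A missing header is handled exactly like a wrong key so the response does not
  // tell a caller which of the two cases it hit.
  const presented = req.headers.get("x-service-key") ?? "";
  if (!secretsMatch(presented, expectedKey)) return { status: 401, body: { error: "unauthorized" } };
  return null;
}

// GET /api/v1/internal/org/:orgId/member/:userId, the route mana-credits calls.
// The lookup is injected so the example runs without a database; the {member}
// response shape is assumed, not taken from the project.
function membershipRoute(req: Request, expectedKey: string | undefined, isMember: MembershipLookup): InternalResult {
  const denied = authorizeInternal(req, expectedKey);
  if (denied) return denied;
  if (req.method !== "GET") return { status: 405, body: { error: "method not allowed" } };
  const m = new URL(req.url).pathname.match(/^\/api\/v1\/internal\/org\/([^/]+)\/member\/([^/]+)$/);
  if (!m) return { status: 404, body: { error: "not found" } };
  const orgId = decodeURIComponent(m[1]);
  const userId = decodeURIComponent(m[2]);
  return { status: 200, body: { member: isMember(orgId, userId) } };
}

// Turn the result into the Response a Hono handler would hand back.
function toResponse(r: InternalResult): Response {
  return new Response(JSON.stringify(r.body), {
    status: r.status,
    headers: { "content-type": "application/json" },
  });
}

// Constructed sample call, shaped like the one mana-credits would make (no real services involved).
function demo(): InternalResult {
  const serviceKey = "constructed-demo-key";
  const members = new Set(["org_1:user_1"]);
  const req = new Request("http://mana-auth:3001/api/v1/internal/org/org_1/member/user_1", {
    headers: { "x-service-key": serviceKey },
  });
  return membershipRoute(req, serviceKey, (o, u) => members.has(`${o}:${u}`));
}
```

Note the two non-200 branches that are easy to get wrong: a wrong key and a missing key both produce the same 401, and an unset secret produces 503 instead of silently letting every caller through.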
## Cross-Domain SSO

Session cookies are shared across `*.mana.how` via `COOKIE_DOMAIN=.mana.how`: a cookie set by `auth.mana.how` with `Domain=.mana.how` is sent with every request to every host under `mana.how`, which is what lets one login serve all ManaCore apps. The trade-off is that every host under that domain is inside the session's trust boundary: a compromised or attacker-controlled subdomain receives the cookie, and can also set cookies for the parent domain that shadow the legitimate one. The cookie therefore needs `Secure` and `HttpOnly`, and only hosts trusted with the session should live under `mana.how`.

## Environment Variables

```env
PORT=3001
DATABASE_URL=postgresql://...
BASE_URL=https://auth.mana.how
COOKIE_DOMAIN=.mana.how
NODE_ENV=production
MANA_CORE_SERVICE_KEY=...
MANA_CREDITS_URL=http://mana-credits:3061
SMTP_HOST=smtp-relay.brevo.com
SMTP_PORT=587
SMTP_USER=...
SMTP_PASS=...
SYNAPSE_OIDC_CLIENT_SECRET=...
```

## Critical Rules

- **ALWAYS use Better Auth** — no custom auth implementation
- **EdDSA algorithm only** for JWT (Better Auth manages JWKS). Verifiers pin `EdDSA` explicitly; the `alg` field in a token header is untrusted input and must never select the verification algorithm.
- **Minimal JWT claims** — sub, email, role, sid only
- **jose library** for JWT validation (NOT jsonwebtoken): `jwtVerify` with `algorithms: ["EdDSA"]` plus the expected issuer and audience, keyed from the JWKS that Better Auth publishes
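The JWT plugin entry under "Better Auth Plugins" and the rules above together describe the token contract: EdDSA signatures, keys published as JWKS by Better Auth, the claim set `sub`, `email`, `role`, `sid`, and jose on the verifying side. What follows is an added example, not code from mana-auth or Better Auth, of that contract end to end using only `node:crypto` so it runs with no packages: the issuer generates an Ed25519 key and publishes the public half as a JWKS entry, mints a token, and a verifier checks it the way `jose.jwtVerify` would with `algorithms: ["EdDSA"]`, pinning the algorithm and resolving the key before trusting anything in the payload. Issuer, audience, `kid`, the 15-minute lifetime and the sample user are assumptions; `BASE_URL` is reused from the env example above.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";
import type { KeyObject } from "node:crypto";

interface Claims {
  sub: string; email: string; role: string; sid: string;  // the README's minimal claim set
  iss: string; aud: string; iat: number; exp: number;      // registered claims a verifier must check
}
type Jwk = Record<string, string>;

const ISSUER = "https://auth.mana.how";  // BASE_URL from the README's env example
const AUDIENCE = "mana-services";        // assumed audience value
const KEY_ID = "mana-auth-k1";           // assumed kid

const b64url = (d: string | Buffer): string => Buffer.from(d).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Issuer side: the private key stays in the auth service; only the public half is
// published, as an OKP/Ed25519 JWK, which is the shape an EdDSA verifier expects.
function generateIssuerKeys(): { privateKey: KeyObject; jwks: { keys: Jwk[] } } {
  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
  const pub = publicKey.export({ format: "jwk" }) as Jwk;  // { kty: "OKP", crv: "Ed25519", x: "..." }
  return { privateKey, jwks: { keys: [{ ...pub, kid: KEY_ID, alg: "EdDSA", use: "sig" }] } };
}

function mintToken(privateKey: KeyObject, user: Pick<Claims, "sub" | "email" | "role" | "sid">,
                   nowSec: number, ttlSec = 900): string {
  const header = { alg: "EdDSA", typ: "JWT", kid: KEY_ID };
  const payload: Claims = { ...user, iss: ISSUER, aud: AUDIENCE, iat: nowSec, exp: nowSec + ttlSec };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // Ed25519 has no separate digest step; node:crypto requires the algorithm argument to be null.
  return `${signingInput}.${b64url(sign(null, Buffer.from(signingInput), privateKey))}`;
}

// Verifier side. Order matters: pin the algorithm and resolve the key from the trusted
// JWKS before reading the payload, then signature, then registered claims, then app claims.
function verifyToken(token: string, jwks: { keys: Jwk[] }, nowSec: number): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString("utf8")) as Jwk;
  // Never let the token choose the algorithm: "alg":"none", or an HMAC alg keyed with
  // the public key, would otherwise pass.
  if (header.alg !== "EdDSA") throw new Error(`unexpected alg: ${header.alg}`);
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "OKP" && k.crv === "Ed25519");
  if (!jwk) throw new Error("unknown kid");
  const publicKey = createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: "jwk" });
  if (!verify(null, Buffer.from(`${h}.${p}`), publicKey, fromB64url(s))) throw new Error("bad signature");
  const claims = JSON.parse(fromB64url(p).toString("utf8")) as Claims;
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (claims.aud !== AUDIENCE) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("token expired");
  for (const c of ["sub", "email", "role", "sid"] as const) {
    if (typeof claims[c] !== "string" || claims[c] === "") throw new Error(`missing claim: ${c}`);
  }
  return claims;
}
```

In the real service the verifier half collapses to one `jose.jwtVerify` call with `createRemoteJWKSet`, but the same four checks (algorithm pinned, key from the trusted JWKS by `kid`, signature, then `iss`/`aud`/`exp`) are what that call does for you, and the tests a consumer should keep are the negative ones: `alg: none`, a tampered payload, an expired token and a token from a different key must all be rejected.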