till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-19 11:01:24 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
managarten/services/mana-auth/src/routes/auth.ts
Till JS 9276d9a212 feat: GPU offload, signup limit, load tests & capacity planning 
- Route all AI workloads (Ollama, STT, TTS, Image Gen) to GPU server
  (192.168.178.11) via LAN instead of host.docker.internal
- Upgrade default model to gemma3:12b and max concurrent to 5
- Add daily signup limit service (MAX_DAILY_SIGNUPS env var)
- Add GET /api/v1/auth/signup-status public endpoint
- Add k6 load test suite (web-apps, auth, sync-websocket, ollama)
- Add capacity planning documentation
- Fix: add eslint-config to sveltekit-base and calendar Dockerfiles

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 21:14:24 +01:00

259 lines
8.2 KiB
TypeScript
Raw Blame History

/**
* Auth routes — Custom endpoints wrapping Better Auth
*
* Adds business logic (security events, lockout, credit init)
* around Better Auth's native sign-in/sign-up.
*/
import { Hono } from 'hono';
import type { AuthUser } from '../middleware/jwt-auth';
import type { BetterAuthInstance } from '../auth/better-auth.config';
import type { SecurityEventsService, AccountLockoutService } from '../services/security';
import type { SignupLimitService } from '../services/signup-limit';
import type { Config } from '../config';
import { sourceAppStore, passwordResetRedirectStore } from '../auth/stores';
export function createAuthRoutes(
auth: BetterAuthInstance,
config: Config,
security: SecurityEventsService,
lockout: AccountLockoutService,
signupLimit: SignupLimitService
) {
const app = new Hono<{ Variables: { user: AuthUser } }>();
// ─── Registration ────────────────────────────────────────
// ─── Signup Status (public) ─────────────────────────────
app.get('/signup-status', async (c) => {
const status = await signupLimit.getStatus();
return c.json(status);
});
app.post('/register', async (c) => {
const body = await c.req.json();
// Check daily signup limit
const limitCheck = await signupLimit.checkLimit();
if (!limitCheck.allowed) {
return c.json(
{
error: 'Registration limit reached',
message: 'Das tägliche Registrierungslimit ist erreicht. Versuche es morgen wieder.',
spotsRemaining: 0,
resetsAt: limitCheck.resetsAt,
},
429
);
}
// Store source app URL for email verification redirect
if (body.sourceAppUrl && body.email) {
sourceAppStore.set(body.email, body.sourceAppUrl);
}
const response = await auth.api.signUpEmail({
body: {
email: body.email,
password: body.password,
name: body.name || body.email.split('@')[0],
},
headers: c.req.raw.headers,
});
if (response?.user?.id) {
security.logEvent({ userId: response.user.id, eventType: 'REGISTER' });
// Init credits (fire-and-forget)
fetch(`${config.manaCreditsUrl}/api/v1/internal/credits/init`, {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'X-Service-Key': config.serviceKey },
body: JSON.stringify({ userId: response.user.id }),
}).catch(() => {});
// Redeem pending gifts
fetch(`${config.manaCreditsUrl}/api/v1/internal/gifts/redeem-pending`, {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'X-Service-Key': config.serviceKey },
body: JSON.stringify({ userId: response.user.id, email: body.email }),
}).catch(() => {});
}
return c.json(response);
});
// ─── Login ───────────────────────────────────────────────
app.post('/login', async (c) => {
const body = await c.req.json();
// Check lockout
const lockoutStatus = await lockout.checkLockout(body.email);
if (lockoutStatus.locked) {
return c.json(
{ error: 'Account locked', remainingSeconds: lockoutStatus.remainingSeconds },
429
);
}
const ip = c.req.header('x-forwarded-for') || 'unknown';
try {
const response = await auth.api.signInEmail({
body: { email: body.email, password: body.password },
headers: c.req.raw.headers,
});
if (response?.user?.id) {
security.logEvent({ userId: response.user.id, eventType: 'LOGIN_SUCCESS', ipAddress: ip });
lockout.clearAttempts(body.email);
}
return c.json(response);
} catch (error) {
security.logEvent({
eventType: 'LOGIN_FAILURE',
ipAddress: ip,
metadata: { email: body.email },
});
lockout.recordAttempt(body.email, false, ip);
return c.json({ error: 'Invalid credentials' }, 401);
}
});
// ─── Token Validation ────────────────────────────────────
app.post('/validate', async (c) => {
const { token } = await c.req.json();
if (!token) return c.json({ valid: false }, 400);
try {
const { jwtVerify, createRemoteJWKSet } = await import('jose');
const jwks = createRemoteJWKSet(new URL('/api/auth/jwks', config.baseUrl));
const { payload } = await jwtVerify(token, jwks, {
issuer: config.baseUrl,
audience: 'manacore',
});
return c.json({ valid: true, payload });
} catch {
return c.json({ valid: false }, 401);
}
});
// ─── Session & Logout ────────────────────────────────────
app.post('/logout', async (c) => {
return auth.handler(
new Request(new URL('/api/auth/sign-out', config.baseUrl), {
method: 'POST',
headers: c.req.raw.headers,
})
);
});
app.get('/session', async (c) => {
return auth.handler(
new Request(new URL('/api/auth/get-session', config.baseUrl), {
method: 'GET',
headers: c.req.raw.headers,
})
);
});
app.post('/refresh', async (c) => {
const body = await c.req.json();
// Better Auth handles refresh via session cookies
return auth.handler(
new Request(new URL('/api/auth/get-session', config.baseUrl), {
method: 'GET',
headers: c.req.raw.headers,
})
);
});
// ─── Password Management ─────────────────────────────────
app.post('/forgot-password', async (c) => {
const body = await c.req.json();
if (body.redirectTo && body.email) {
passwordResetRedirectStore.set(body.email, body.redirectTo);
}
await auth.api.forgetPassword({ body: { email: body.email, redirectTo: body.redirectTo } });
security.logEvent({ eventType: 'PASSWORD_RESET_REQUESTED', metadata: { email: body.email } });
return c.json({ success: true });
});
app.post('/reset-password', async (c) => {
const body = await c.req.json();
await auth.api.resetPassword({ body: { newPassword: body.newPassword, token: body.token } });
security.logEvent({ eventType: 'PASSWORD_RESET_COMPLETED' });
return c.json({ success: true });
});
app.post('/resend-verification', async (c) => {
const body = await c.req.json();
if (body.sourceAppUrl && body.email) {
sourceAppStore.set(body.email, body.sourceAppUrl);
}
await auth.api.sendVerificationEmail({ body: { email: body.email } });
return c.json({ success: true });
});
// ─── Profile ─────────────────────────────────────────────
app.get('/profile', async (c) => {
return auth.handler(
new Request(new URL('/api/auth/get-session', config.baseUrl), {
method: 'GET',
headers: c.req.raw.headers,
})
);
});
app.post('/profile', async (c) => {
const body = await c.req.json();
const result = await auth.api.updateUser({ body, headers: c.req.raw.headers });
security.logEvent({ eventType: 'PROFILE_UPDATED' });
return c.json(result);
});
app.post('/change-password', async (c) => {
const body = await c.req.json();
await auth.api.changePassword({
body: { currentPassword: body.currentPassword, newPassword: body.newPassword },
headers: c.req.raw.headers,
});
security.logEvent({ eventType: 'PASSWORD_CHANGED' });
return c.json({ success: true });
});
app.delete('/account', async (c) => {
const body = await c.req.json();
await auth.api.deleteUser({
body: { password: body.password },
headers: c.req.raw.headers,
});
security.logEvent({ eventType: 'ACCOUNT_DELETED' });
return c.json({ success: true });
});
// ─── Security Events ─────────────────────────────────────
app.get('/security-events', async (c) => {
const user = c.get('user');
const events = await security.getUserEvents(user.userId);
return c.json(events);
});
// ─── JWKS ────────────────────────────────────────────────
app.get('/jwks', async (c) => {
return auth.handler(
new Request(new URL('/api/auth/jwks', config.baseUrl), {
method: 'GET',
headers: c.req.raw.headers,
})
);
});
return app;
}
Reference in a new issue View git blame Copy permalink