till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 19:21:10 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/AUTH_QUICK_REFERENCE.md
Wuesteon 4d15d9e764 🔒 security(auth): migrate to EdDSA JWT and add automated monitoring 
BREAKING: JWT keys are now auto-managed by Better Auth (EdDSA/Ed25519)
- Remove all JWT_PRIVATE_KEY, JWT_PUBLIC_KEY, JWT_SECRET references
- Keys stored in auth.jwks database table (auto-generated on first run)
- Delete obsolete generate-keys.sh and generate-staging-secrets.sh scripts
- Clean up legacy AUTH_*.md analysis files from root

Security Improvements:
- Add security_events table for audit logging
- Add SecurityEventsService for tracking auth events
- Enhanced security headers (HSTS, CSP, X-Frame-Options)
- Rate limiting configuration

Monitoring Setup:
- Add auth-health-check.sh for automated testing
- Add generate-dashboard.sh for HTML status dashboard
- Tests: health endpoint, JWKS (EdDSA), security headers, response time
- Ready for Hetzner cron deployment

Documentation:
- Update deployment docs with Better Auth notes
- Update environment variable references
- Add security improvements documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 21:42:47 +01:00

335 lines
6.4 KiB
Markdown
Raw Blame History

# Mana Core Authentication - Quick Reference Guide
**Fast lookup guide for common authentication patterns in Mana Universe.**
---
## Core Service
**Service:** mana-core-auth
**Port:** 3001
**Prefix:** `/api/v1`
**URL:** `http://localhost:3001/api/v1`
---
## Essential Endpoints
### Auth Operations
| Operation | Endpoint | Method |
|-----------|----------|--------|
| Register | `/auth/register` | POST |
| Login | `/auth/login` | POST |
| Logout | `/auth/logout` | POST |
| Refresh | `/auth/refresh` | POST |
| Validate | `/auth/validate` | POST |
| JWKS | `/auth/jwks` | GET |
### Organization (B2B)
| Operation | Endpoint | Method |
|-----------|----------|--------|
| Register B2B | `/auth/register/b2b` | POST |
| List Orgs | `/auth/organizations` | GET |
| Get Org | `/auth/organizations/:id` | GET |
| Invite | `/auth/organizations/:id/invite` | POST |
| Accept | `/auth/organizations/accept-invitation` | POST |
---
## Backend Integration
### Quick Setup (5 minutes)
#### 1. Install Package
```bash
# Choose ONE:
pnpm add @manacore/shared-nestjs-auth # No credits
pnpm add @mana-core/nestjs-integration # With credits
```
#### 2. Add Environment
```env
MANA_CORE_AUTH_URL=http://localhost:3001
NODE_ENV=development
DEV_BYPASS_AUTH=true
```
#### 3. Import Guard (main.ts)
```typescript
import { JwtAuthGuard } from '@manacore/shared-nestjs-auth';
const app = await NestFactory.create(AppModule);
app.useGlobalGuards(new JwtAuthGuard(app.get(ConfigService)));
```
#### 4. Use Decorator
```typescript
import { CurrentUser, CurrentUserData } from '@manacore/shared-nestjs-auth';
@Controller('api')
@UseGuards(JwtAuthGuard)
export class MyController {
@Get('profile')
profile(@CurrentUser() user: CurrentUserData) {
return { userId: user.userId };
}
}
```
---
## JWT Token Structure
### Claims (Minimal)
```json
{
"sub": "user-id",
"email": "user@example.com",
"role": "user",
"sid": "session-id",
"iat": 1733040000,
"exp": 1733040900,
"iss": "manacore",
"aud": "manacore"
}
```
### Header Format
```
Authorization: Bearer eyJhbGciOiJFZERTQSI...
```
### Expiration
- **Access Token:** 15 minutes
- **Refresh Token:** 7 days
---
## Common Requests
### Register User
```bash
curl -X POST http://localhost:3001/api/v1/auth/register \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "password123",
"name": "John Doe"
}'
```
### Login
```bash
curl -X POST http://localhost:3001/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "password123"
}'
```
### Use Token
```bash
TOKEN="eyJhbGciOiJFZERTQSI..."
curl http://localhost:3007/api/favorites \
-H "Authorization: Bearer $TOKEN"
```
### Refresh Token
```bash
curl -X POST http://localhost:3001/api/v1/auth/refresh \
-H "Content-Type: application/json" \
-d '{"refreshToken": "nanoid-64-chars..."}'
```
### Validate Token
```bash
curl -X POST http://localhost:3001/api/v1/auth/validate \
-H "Content-Type: application/json" \
-d '{"token": "eyJhbGciOiJFZERTQSI..."}'
```
---
## Guard Usage Patterns
### Simple Auth
```typescript
// No credits needed
import { JwtAuthGuard } from '@manacore/shared-nestjs-auth';
@UseGuards(JwtAuthGuard)
getProfile(@CurrentUser() user: CurrentUserData) { }
```
### With Credits
```typescript
// Credits needed
import { AuthGuard, CreditClientService } from '@mana-core/nestjs-integration';
@UseGuards(AuthGuard)
async generate(@CurrentUser() user: any) {
await this.credits.consumeCredits(user.sub, 'generation', 10);
}
```
### Public Routes
```typescript
import { Public } from '@mana-core/nestjs-integration';
@Get('health')
@Public()
health() { }
```
---
## Environment Variables
### All Backends (Required)
```env
MANA_CORE_AUTH_URL=http://localhost:3001
```
### Development (Optional)
```env
NODE_ENV=development
DEV_BYPASS_AUTH=true
DEV_USER_ID=test-user-uuid
```
### With Credits (Optional)
```env
APP_ID=zitare
MANA_CORE_SERVICE_KEY=key...
```
---
## Token Inspection
### Decode Token
```bash
TOKEN="eyJhbGciOiJFZERTQSI..."
echo $TOKEN | cut -d'.' -f2 | base64 -d | jq '.'
```
### Check JWKS
```bash
curl http://localhost:3001/api/v1/auth/jwks | jq '.'
```
### Quick Decode (Browser)
```javascript
const payload = JSON.parse(atob(token.split('.')[1]));
console.log(payload);
```
---
## Error Codes
| Code | Meaning | Action |
|------|---------|--------|
| 200 | Success | Proceed |
| 400 | Bad Request | Check input format |
| 401 | Unauthorized | Get new token or login |
| 403 | Forbidden | Insufficient permissions |
| 404 | Not Found | Wrong endpoint/resource |
| 409 | Conflict | Email/resource already exists |
---
## Development Bypass
### Enable (Testing)
```bash
export NODE_ENV=development
export DEV_BYPASS_AUTH=true
export DEV_USER_ID=test-123
```
### Use Without Token
```bash
# Returns mock user - no token required
curl http://localhost:3007/api/profile
```
### Disable (Production)
```bash
unset DEV_BYPASS_AUTH
```
---
## Troubleshooting
### No Token Error
```typescript
// WRONG
Authorization: eyJhbGciOiJFZERTQSI...
// RIGHT
Authorization: Bearer eyJhbGciOiJFZERTQSI...
```
### Invalid Token
- Token expired? Use refresh endpoint
- Wrong service? Use same MANA_CORE_AUTH_URL
- Tampered? Reject and re-login
### Validation Fails
```bash
# Check service running
curl http://localhost:3001/api/v1/auth/jwks
# Check URL
echo $MANA_CORE_AUTH_URL
# Check env vars
env | grep MANA_CORE
```
---
## File Locations
| File | Purpose |
|------|---------|
| `services/mana-core-auth/` | Auth service source |
| `packages/shared-nestjs-auth/` | Lightweight guard |
| `packages/mana-core-nestjs-integration/` | Full integration |
| `AUTH_ARCHITECTURE_REPORT.md` | Detailed patterns |
| `AUTH_VALIDATION_CHECKLIST.md` | Implementation checklist |
---
## Related Packages
### For Web/Mobile Clients
- `@manacore/shared-auth` - Client auth service
### For Backends
- `@manacore/shared-nestjs-auth` - Lightweight JWT guard
- `@mana-core/nestjs-integration` - Full integration with credits
### Utilities
- `@manacore/shared-utils` - Common utilities
- `@manacore/shared-types` - TypeScript types
---
## Useful Links
- **Better Auth Docs:** https://www.better-auth.com/docs
- **JWT Decoder:** https://jwt.io
- **EdDSA Info:** https://en.wikipedia.org/wiki/EdDSA
---
**Last Updated:** 2024-12-01
**Status:** Source of Truth
See `AUTH_ARCHITECTURE_REPORT.md` for comprehensive documentation.
Reference in a new issue View git blame Copy permalink