till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-19 04:41:24 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
managarten/services/mana-media/packages/client/src/index.ts
Till JS 8e8b6ac65f fix(mana-auth) + chore: rewrite /api/v1/auth/login JWT mint, remove Matrix stack 
This commit bundles two unrelated changes that were swept together by an
accidental `git add -A` in another working session. Documented here so the
history reflects what's actually inside.

═══════════════════════════════════════════════════════════════════════
1. fix(mana-auth): /api/v1/auth/login mints JWT via auth.handler instead
   of api.signInEmail
═══════════════════════════════════════════════════════════════════════

Previous attempt (commit 55cc75e7d) tried to fix the broken JWT mint in
/api/v1/auth/login by switching the cookie name from `mana.session_token`
to `__Secure-mana.session_token` for production. That was necessary but
not sufficient: Better Auth's session cookie value isn't just the raw
session token, it's `<token>.<HMAC>` where the HMAC is derived from the
better-auth secret. Reconstructing the cookie from auth.api.signInEmail's
JSON response only gave us the raw token, so /api/auth/token's
get-session middleware still couldn't validate it and the JWT mint kept
silently failing.

Real fix: do the sign-in via auth.handler (the HTTP path) rather than
auth.api.signInEmail (the SDK path). The handler returns a real fetch
Response with a Set-Cookie header containing the fully signed cookie
envelope. We capture that header verbatim and forward it as the cookie
on the /api/auth/token request, which now passes validation and mints
the JWT correctly.

Verified end-to-end on auth.mana.how:

  $ curl -X POST https://auth.mana.how/api/v1/auth/login \
      -d '{"email":"...","password":"..."}'
  {
    "user": {...},
    "token": "<session token>",
    "accessToken": "eyJhbGciOiJFZERTQSI...",   ← real JWT now
    "refreshToken": "<session token>"
  }

Side benefits:
- Email-not-verified path is now handled by checking
  signInResponse.status === 403 directly, no more catching APIError
  with the comment-noted async-stream footgun.
- X-Forwarded-For is forwarded explicitly so Better Auth's rate limiter
  and our security log see the real client IP.
- The leftover catch block now only handles unexpected exceptions
  (network errors etc); the FORBIDDEN-checking logic in it is dead but
  harmless and left in for defense in depth.

═══════════════════════════════════════════════════════════════════════
2. chore: remove the entire self-hosted Matrix stack (Synapse, Element,
   Manalink, mana-matrix-bot)
═══════════════════════════════════════════════════════════════════════

The Matrix subsystem ran parallel to the main Mana product without any
load-bearing integration: the unified web app never imported matrix-js-sdk,
the chat module uses mana-sync (local-first), and mana-matrix-bot's
plugins duplicated features the unified app already ships natively.
Keeping it alive cost a Synapse + Element + matrix-web + bot container
quartet, three Cloudflare routes, an OIDC provider plugin in mana-auth,
and a steady drip of devlog/dependency churn.

Removed:
- apps/matrix (Manalink web + mobile, ~150 files)
- services/mana-matrix-bot (Go bot with ~20 plugins)
- docker/matrix configs (Synapse + Element)
- synapse/element-web/matrix-web/mana-matrix-bot services in
  docker-compose.macmini.yml
- matrix.mana.how/element.mana.how/link.mana.how Cloudflare tunnel routes
- OIDC provider plugin + matrix-synapse trustedClient + matrixUserLinks
  table from mana-auth (oauth_* schema definitions also removed)
- MatrixService import path in mana-media (importFromMatrix endpoint)
- Matrix notification channel in mana-notify (worker, metrics, config,
  channel_type enum, MatrixOptions handler)
- Matrix entries from shared-branding (mana-apps + app-icons),
  notify-client, the i18n bundle, the observatory map, the credits
  app-label list, the landing footer/apps page, the prometheus + alerts
  + promtail tier mappings, and the matrix-related deploy paths in
  cd-macmini.yml + ci.yml

Devlog/manascore/blueprint entries that mention Matrix are left intact
as historical record. The oauth_* + matrix_user_links Postgres tables
stay on existing prod databases — code can no longer write to them, drop
them in a follow-up migration if you want them gone for real.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 16:32:13 +02:00

224 lines
5.2 KiB
TypeScript
Raw Blame History

export interface MediaResult {
id: string;
status: 'uploading' | 'processing' | 'ready' | 'failed';
originalName: string | null;
mimeType: string;
size: number;
hash: string;
urls: {
original: string;
thumbnail?: string;
medium?: string;
large?: string;
};
createdAt: Date;
}
export interface UploadOptions {
app?: string;
userId?: string;
skipProcessing?: boolean;
}
export interface SearchOptions {
type?: 'image' | 'video' | 'audio' | 'document';
app?: string;
limit?: number;
}
export interface TransformOptions {
width?: number;
height?: number;
fit?: 'cover' | 'contain' | 'fill' | 'inside' | 'outside';
format?: 'webp' | 'jpeg' | 'png' | 'avif';
quality?: number;
}
export class MediaClient {
private baseUrl: string;
private apiKey?: string;
constructor(baseUrl: string, apiKey?: string) {
this.baseUrl = baseUrl.replace(/\/$/, '');
this.apiKey = apiKey;
}
/**
* Upload a file to the media service
*/
async upload(
file: File | Blob | ArrayBuffer,
options?: UploadOptions & { filename?: string }
): Promise<MediaResult> {
const formData = new FormData();
if (file instanceof ArrayBuffer) {
// ArrayBuffer (works in both Node.js and browser)
const blob = new Blob([file]);
formData.append('file', blob, options?.filename || 'file');
} else {
// Browser File/Blob
formData.append('file', file, options?.filename);
}
if (options?.app) formData.append('app', options.app);
if (options?.userId) formData.append('userId', options.userId);
if (options?.skipProcessing) formData.append('skipProcessing', 'true');
const response = await fetch(`${this.baseUrl}/api/v1/media/upload`, {
method: 'POST',
headers: this.getHeaders(),
body: formData,
});
if (!response.ok) {
throw new Error(`Upload failed: ${response.statusText}`);
}
return response.json();
}
/**
* Get media by content hash (SHA-256)
* Useful for checking if a file already exists before uploading
*/
async getByHash(hash: string): Promise<MediaResult | null> {
const response = await fetch(`${this.baseUrl}/api/v1/media/hash/${hash}`, {
headers: this.getHeaders(),
});
if (response.status === 404) {
return null;
}
if (!response.ok) {
throw new Error(`Get by hash failed: ${response.statusText}`);
}
return response.json();
}
/**
* Get media by ID
*/
async get(id: string): Promise<MediaResult> {
const response = await fetch(`${this.baseUrl}/api/v1/media/${id}`, {
headers: this.getHeaders(),
});
if (!response.ok) {
throw new Error(`Get failed: ${response.statusText}`);
}
return response.json();
}
/**
* List media
*/
async list(options?: { app?: string; userId?: string; limit?: number }): Promise<MediaResult[]> {
const params = new URLSearchParams();
if (options?.app) params.append('app', options.app);
if (options?.userId) params.append('userId', options.userId);
if (options?.limit) params.append('limit', options.limit.toString());
const response = await fetch(`${this.baseUrl}/api/v1/media?${params}`, {
headers: this.getHeaders(),
});
if (!response.ok) {
throw new Error(`List failed: ${response.statusText}`);
}
return response.json();
}
/**
* Delete media
*/
async delete(id: string): Promise<boolean> {
const response = await fetch(`${this.baseUrl}/api/v1/media/${id}`, {
method: 'DELETE',
headers: this.getHeaders(),
});
return response.ok;
}
/**
* Get URL for original file
*/
getOriginalUrl(id: string): string {
return `${this.baseUrl}/api/v1/media/${id}/file`;
}
/**
* Get URL for thumbnail
*/
getThumbnailUrl(id: string): string {
return `${this.baseUrl}/api/v1/media/${id}/file/thumb`;
}
/**
* Get URL for medium variant
*/
getMediumUrl(id: string): string {
return `${this.baseUrl}/api/v1/media/${id}/file/medium`;
}
/**
* Get URL for large variant
*/
getLargeUrl(id: string): string {
return `${this.baseUrl}/api/v1/media/${id}/file/large`;
}
/**
* Get URL for custom transform
*/
getTransformUrl(id: string, options: TransformOptions): string {
const params = new URLSearchParams();
if (options.width) params.append('w', options.width.toString());
if (options.height) params.append('h', options.height.toString());
if (options.fit) params.append('fit', options.fit);
if (options.format) params.append('format', options.format);
if (options.quality) params.append('q', options.quality.toString());
return `${this.baseUrl}/api/v1/media/${id}/transform?${params}`;
}
/**
* Wait for media processing to complete
*/
async waitForReady(id: string, timeoutMs = 30000, pollIntervalMs = 1000): Promise<MediaResult> {
const startTime = Date.now();
while (Date.now() - startTime < timeoutMs) {
const result = await this.get(id);
if (result.status === 'ready') {
return result;
}
if (result.status === 'failed') {
throw new Error('Media processing failed');
}
await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
}
throw new Error('Timeout waiting for media to be ready');
}
private getHeaders(): Record<string, string> {
const headers: Record<string, string> = {};
if (this.apiKey) {
headers['Authorization'] = `Bearer ${this.apiKey}`;
}
return headers;
}
}
export default MediaClient;
Reference in a new issue View git blame Copy permalink