import { captureError } from '@repo/error/node'
import { eq } from 'drizzle-orm'
import type { FastifyPluginAsync } from 'fastify'
import fp from 'fastify-plugin'
import { getDb } from '../db/index.js'
import { sessions, users } from '../db/schema/index.js'
import { authenticateWithApiKey } from '../lib/api-key-auth.js'
declare module 'fastify' {
  interface FastifyRequest {
    /**
     * Caller identity resolved by the auth plugin's `onRequest` hook.
     * `null` means the request is anonymous: either no credentials were
     * presented or the presented credentials failed verification. Route
     * handlers should treat a missing or `null` session as unauthenticated.
     */
    session?: {
      /** The user the credentials resolved to. */
      user: {
        id: string
        email?: string | null
        name?: string | null
        username?: string | null
        /** Only set when the session row carries both a wallet chain and address. */
        wallet?: { chain: string; address: string }
      }
      /** The backing session record the credentials were checked against. */
      session: {
        id: string
        userId: string
        /** The hook rejects sessions whose expiry is in the past. */
        expiresAt: Date
      }
    } | null
  }
}
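/** Prefix of a bearer-style `Authorization` header, including the separating space. */
const BEARER_PREFIX = 'Bearer '

/**
 * Picks the API-key token out of the request headers, or returns `null` when
 * the request should instead be treated as a JWT (or anonymous) request.
 *
 * Precedence: an explicit `X-API-Key` header wins over `Authorization`. A
 * `Bearer` value is only treated as an API key when it carries the `bask_`
 * prefix; any other bearer value is left for JWT verification.
 *
 * An `X-API-Key` header that is empty after trimming yields `''`, which the
 * caller treats as "no API key" and falls through to the JWT path.
 *
 * @param apiKeyHeader raw `x-api-key` header value (string, repeated header, or absent)
 * @param authHeader raw `authorization` header value, if any
 * @returns the trimmed API-key token, `''` for an empty `X-API-Key`, or `null`
 */
function resolveApiKeyToken(
  apiKeyHeader: string | string[] | undefined,
  authHeader: string | undefined,
): string | null {
  if (typeof apiKeyHeader === 'string') return apiKeyHeader.trim()
  if (!authHeader?.startsWith(BEARER_PREFIX)) return null
  const bearerValue = authHeader.substring(BEARER_PREFIX.length).trim()
  return bearerValue.startsWith('bask_') ? bearerValue : null
}

/**
 * Fastify plugin that resolves `request.session` for every request.
 *
 * Accepted credentials, in order of precedence:
 *  1. `X-API-Key: <key>` or `Authorization: Bearer bask_<key>` — delegated to
 *     `authenticateWithApiKey`.
 *  2. `Authorization: Bearer <jwt>` — an access token signed by `fastify.jwt`,
 *     whose `sid` must name a live, unexpired session owned by the user in `sub`.
 *
 * The hook never fails the request itself: every rejection path sets
 * `request.session = null` and leaves the access decision to route guards.
 */
const authPlugin: FastifyPluginAsync = async fastify => {
  fastify.addHook('onRequest', async request => {
    try {
      const apiKeyToken = resolveApiKeyToken(
        request.headers['x-api-key'],
        request.headers.authorization,
      )

      if (apiKeyToken) {
        const db = await getDb()
        request.session = await authenticateWithApiKey(apiKeyToken, db)
        return
      }

      const authHeader = request.headers.authorization
      if (!authHeader?.startsWith(BEARER_PREFIX)) {
        request.session = null
        return
      }
      const token = authHeader.substring(BEARER_PREFIX.length).trim()

      // Signature and `exp` are enforced by fastify.jwt; a bad token throws and
      // is turned into an anonymous request by the catch below.
      const decoded = fastify.jwt.verify<{
        typ?: string
        sub?: string
        sid?: string
        exp?: number
      }>(token)

      // Only access tokens authenticate a request; any other `typ` (e.g. a
      // refresh token) or a token missing its subject/session ids is rejected.
      if (decoded.typ !== 'access' || !decoded.sub || !decoded.sid) {
        request.session = null
        return
      }

      const db = await getDb()

      // The session row is the revocation point: a token whose session has been
      // deleted or has expired is rejected even while its own `exp` is valid.
      const [session] = await db.select().from(sessions).where(eq(sessions.id, decoded.sid))
      if (!session || session.expiresAt < new Date()) {
        request.session = null
        return
      }

      // Defence in depth: the session named by `sid` must belong to the user
      // named by `sub`. A correctly issued token always satisfies this; a
      // mismatch means the pair was not minted together and must not be trusted.
      if (session.userId !== decoded.sub) {
        request.session = null
        return
      }

      const [user] = await db.select().from(users).where(eq(users.id, decoded.sub))
      if (!user) {
        request.session = null
        return
      }

      // A wallet is only attached when both halves are recorded on the session.
      const wallet =
        session.walletChain && session.walletAddress
          ? { chain: session.walletChain, address: session.walletAddress }
          : undefined

      request.session = {
        user: {
          id: user.id,
          email: user.email ?? null,
          name: user.name ?? null,
          username: user.username ?? null,
          ...(wallet && { wallet }),
        },
        session: {
          id: session.id,
          userId: session.userId,
          expiresAt: session.expiresAt,
        },
      }
    } catch (error) {
      // Invalid or expired JWTs are routine and are not reported; only
      // unexpected failures (DB errors, API-key lookup errors, ...) are captured.
      // NOTE(review): the "jwt" substring match is a heuristic on the error
      // message — confirm it matches the messages fastify.jwt actually throws.
      if (error instanceof Error && !error.message.includes('jwt'))
        captureError({
          code: 'INTERNAL_ERROR',
          error,
          logger: request.log,
          label: 'auth.api.getSession failed',
          data: {
            method: request.method,
            url: request.url,
          },
          tags: {
            app: 'api',
            module: 'auth-service',
            route: request.url,
          },
        })
      // Fail closed: any error leaves the request anonymous.
      request.session = null
    }
  })
}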
/**
 * Plugin metadata for fastify-plugin: registers under the name `auth` and
 * declares that the `jwt` plugin must be loaded first (it provides `fastify.jwt`).
 */
const pluginMeta = { name: 'auth', dependencies: ['jwt'] }

export default fp(authPlugin, pluginMeta)