feat: website auth middleware

Author: izadoesdev

apps/api/src/index.ts

@@ -1,3 +1,5 @@
+const UNAUTHORIZED_RE = /unauthorized/i;
+const FORBIDDEN_RE = /forbidden/i;
 import './polyfills/compression';
 import { auth } from '@databuddy/auth';
 import { appRouter, createTRPCContext } from '@databuddy/rpc';
@@ -6,7 +8,6 @@ import { fetchRequestHandler } from '@trpc/server/adapters/fetch';
 import { autumnHandler } from 'autumn-js/elysia';
 import { Elysia } from 'elysia';
 import { logger } from './lib/logger';
-import { createAuthMiddleware } from './middleware/auth';
 import { assistant } from './routes/assistant';
 import { health } from './routes/health';
 import { query } from './routes/query';
@@ -23,7 +24,6 @@ const app = new Elysia()
 			],
 		})
 	)
-	.use(createAuthMiddleware())
 	.use(
 		autumnHandler({
 			identify: async ({ request }) => {
@@ -57,7 +57,10 @@ const app = new Elysia()
 		const errorMessage = error instanceof Error ? error.message : String(error);
 		logger.error(errorMessage, { error });
 
-		if (error instanceof Error && error.message === 'Unauthorized') {
+		if (
+			error instanceof Error &&
+			(UNAUTHORIZED_RE.test(error.message) || error.message === 'Unauthorized')
+		) {
 			return new Response(
 				JSON.stringify({
 					success: false,
@@ -71,7 +74,45 @@ const app = new Elysia()
 			);
 		}
 
-		return { success: false, code };
+		if (
+			error instanceof Error &&
+			(FORBIDDEN_RE.test(error.message) || error.message === 'Forbidden')
+		) {
+			return new Response(
+				JSON.stringify({
+					success: false,
+					error: 'Insufficient permissions',
+					code: 'FORBIDDEN',
+				}),
+				{
+					status: 403,
+					headers: { 'Content-Type': 'application/json' },
+				}
+			);
+		}
+
+		if (error instanceof Error && error.message === 'Website not found') {
+			return new Response(
+				JSON.stringify({
+					success: false,
+					error: 'Website not found',
+					code: 'NOT_FOUND',
+				}),
+				{
+					status: 404,
+					headers: { 'Content-Type': 'application/json' },
+				}
+			);
+		}
+
+		return new Response(
+			JSON.stringify({
+				success: false,
+				error: errorMessage,
+				code: code ?? 'INTERNAL_SERVER_ERROR',
+			}),
+			{ status: 500, headers: { 'Content-Type': 'application/json' } }
+		);
 	});
 
 export default {

apps/api/src/lib/api-key.ts

@@ -0,0 +1,100 @@
+import type { InferSelectModel } from '@databuddy/db';
+import { and, apikey, apikeyAccess, db, eq, isNull } from '@databuddy/db';
+import { cacheable } from '@databuddy/redis';
+
+export type ApiKeyRow = InferSelectModel<typeof apikey>;
+export type ApiScope = InferSelectModel<typeof apikey>['scopes'][number];
+
+const getCachedApiKeyBySecret = cacheable(
+	async (secret: string): Promise<ApiKeyRow | null> => {
+		try {
+			const key = await db.query.apikey.findFirst({
+				where: and(
+					eq(apikey.key, secret),
+					eq(apikey.enabled, true),
+					isNull(apikey.revokedAt)
+				),
+			});
+			return key ?? null;
+		} catch {
+			return null;
+		}
+	},
+	{
+		expireInSec: 60,
+		prefix: 'api-key-by-secret',
+		staleWhileRevalidate: true,
+		staleTime: 30,
+	}
+);
+
+const getCachedAccessEntries = cacheable(
+	async (keyId: string) => {
+		try {
+			return await db
+				.select()
+				.from(apikeyAccess)
+				.where(eq(apikeyAccess.apikeyId, keyId));
+		} catch {
+			return [] as InferSelectModel<typeof apikeyAccess>[];
+		}
+	},
+	{
+		expireInSec: 60,
+		prefix: 'api-key-access-entries',
+		staleWhileRevalidate: true,
+		staleTime: 30,
+	}
+);
+
+export async function getApiKeyFromHeader(
+	headers: Headers
+): Promise<ApiKeyRow | null> {
+	const secret = headers.get('x-api-key');
+	if (!secret) {
+		return null;
+	}
+	const key = await getCachedApiKeyBySecret(secret);
+	if (!key) {
+		return null;
+	}
+	if (key.expiresAt && new Date(key.expiresAt) <= new Date()) {
+		return null;
+	}
+	return key;
+}
+
+export async function resolveEffectiveScopesForWebsite(
+	key: ApiKeyRow,
+	websiteId: string
+): Promise<Set<ApiScope>> {
+	const effective = new Set<ApiScope>();
+	for (const s of key.scopes) {
+		effective.add(s as ApiScope);
+	}
+
+	const entries = await getCachedAccessEntries(key.id);
+	for (const entry of entries) {
+		const isGlobal = entry.resourceType === 'global';
+		const isWebsiteMatch =
+			entry.resourceType === 'website' && entry.resourceId === websiteId;
+		if (isGlobal || isWebsiteMatch) {
+			for (const s of entry.scopes) {
+				effective.add(s as ApiScope);
+			}
+		}
+	}
+	return effective;
+}
+
+export async function hasWebsiteScope(
+	key: ApiKeyRow,
+	websiteId: string,
+	required: ApiScope
+): Promise<boolean> {
+	if ((key.scopes || []).includes(required)) {
+		return true;
+	}
+	const effective = await resolveEffectiveScopesForWebsite(key, websiteId);
+	return effective.has(required);
+}

apps/api/src/lib/website-utils.ts

@@ -3,6 +3,7 @@ import { db, userPreferences, websites } from '@databuddy/db';
 import { cacheable } from '@databuddy/redis';
 import type { Website } from '@databuddy/shared';
 import { eq } from 'drizzle-orm';
+import { getApiKeyFromHeader, hasWebsiteScope } from './api-key';
 
 export interface WebsiteContext {
 	user: unknown;
@@ -93,19 +94,7 @@ const userPreferencesCache = cacheable(
 	}
 );
 
-const getCachedSession = cacheable(
-	async (headers: Headers) => {
-		return await auth.api.getSession({
-			headers,
-		});
-	},
-	{
-		expireInSec: 60,
-		prefix: 'auth-session',
-		staleWhileRevalidate: true,
-		staleTime: 30,
-	}
-);
+// Removed unused cached session helper to satisfy linter rules
 
 export async function getTimezone(
 	request: Request,
@@ -126,39 +115,79 @@ export async function getTimezone(
 }
 
 export async function deriveWebsiteContext({ request }: { request: Request }) {
+	const apiKeyPresent = request.headers.get('x-api-key') != null;
+	if (apiKeyPresent) {
+		return await deriveWithApiKey(request);
+	}
+	return await deriveWithSession(request);
+}
+
+async function deriveWithApiKey(request: Request) {
 	const url = new URL(request.url);
-	const website_id = url.searchParams.get('website_id');
+	const siteId = url.searchParams.get('website_id');
+
+	const key = await getApiKeyFromHeader(request.headers);
+	if (!key) {
+		throw new Error('Unauthorized');
+	}
 
-	const session = await getCachedSession(request.headers);
+	if (!siteId) {
+		const timezoneNoSite = await getTimezone(request, null);
+		return { user: null, session: null, timezone: timezoneNoSite } as const;
+	}
+
+	const [site, timezone] = await Promise.all([
+		getCachedWebsite(siteId),
+		getTimezone(request, null),
+	]);
 
-	if (!website_id) {
+	if (!site) {
+		throw new Error('Website not found');
+	}
+
+	if (site.isPublic) {
+		return { user: null, session: null, website: site, timezone } as const;
+	}
+
+	const canRead = await hasWebsiteScope(key, siteId, 'read:data');
+	if (!canRead) {
+		throw new Error('Forbidden');
+	}
+
+	return { user: null, session: null, website: site, timezone } as const;
+}
+
+async function deriveWithSession(request: Request) {
+	const url = new URL(request.url);
+	const websiteId = url.searchParams.get('website_id');
+	const session = await auth.api.getSession({ headers: request.headers });
+
+	if (!websiteId) {
 		if (!session?.user) {
 			throw new Error('Unauthorized');
 		}
-		const timezone = await getTimezone(request, session);
-		return { user: session.user, session, timezone };
+		const tz = await getTimezone(request, session);
+		return { user: session.user, session, timezone: tz } as const;
 	}
 
-	const [website, timezone] = await Promise.all([
-		getCachedWebsite(website_id),
-		website_id && session?.user
-			? getTimezone(request, session)
-			: getTimezone(request, null),
-	]);
+	const tz = session?.user
+		? await getTimezone(request, session)
+		: await getTimezone(request, null);
+	const site = await getCachedWebsite(websiteId);
 
-	if (!website) {
+	if (!site) {
 		throw new Error('Website not found');
 	}
 
-	if (website.isPublic) {
-		return { user: null, session: null, website, timezone };
+	if (site.isPublic) {
+		return { user: null, session: null, website: site, timezone: tz } as const;
 	}
 
 	if (!session?.user) {
 		throw new Error('Unauthorized');
 	}
 
-	return { user: session.user, session, website, timezone };
+	return { user: session.user, session, website: site, timezone: tz } as const;
 }
 
 export async function validateWebsite(