remove JWT auth, consolidate on Discord OAuth (BetterAuth) sessions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dsshimel

attendabot/_devlogs/2026-02-04-001-remove-jwt-auth.md

@@ -0,0 +1,36 @@
+# 2026-02-04-001: Remove JWT Authentication
+
+## Summary
+
+Removed all JWT-based authentication from the attendabot admin panel, consolidating on BetterAuth (Discord OAuth) session cookies as the sole auth method. The password login form has been removed — login is now Discord-only.
+
+## What We Did
+
+### Backend
+
+1. **Simplified `auth.ts` middleware** — removed `jwt` import, `getJwtSecret()`, `generateToken()`, `verifyCredentials()`, `verifyPassword()`, `getValidUsernames()`, and all instructor password logic. `authenticateToken()` now only verifies BetterAuth session cookies.
+2. **Cleaned up `auth.ts` routes** — removed `POST /login` (JWT token issuance) and `GET /usernames` (password login dropdown) endpoints. Only `GET /login-config` remains.
+3. **Simplified `websocket.ts`** — removed JWT token extraction/verification from WebSocket upgrade handler. Now authenticates exclusively via BetterAuth session cookies on the upgrade request.
+
+### Frontend
+
+1. **Stripped JWT from `client.ts`** — removed `getToken()`, `setToken()`, `clearToken()`, `isLoggedIn()`, `verifySession()`, `login()`, `getUsernames()`, `getLoginConfig()`. Renamed `clearToken()` to `clearSession()`. `fetchWithAuth()` now sends `credentials: "include"` instead of Bearer headers.
+2. **Simplified `useWebSocket` hook** — removed `token` parameter entirely. Always connects without token query param; cookies are sent automatically with the upgrade request.
+3. **Simplified `ServerLogs`** — removed `getToken` import, calls `useWebSocket()` with no args.
+4. **Discord-only `Login` component** — removed password form, username dropdown, and related state. Only the Discord OAuth button remains.
+5. **Simplified `App.tsx`** — removed all JWT session checks (`isLoggedIn`, `verifySession`, `getUsername`). Auth state is determined solely by BetterAuth `getSession()`.
+
+### Tests
+
+Rewrote `auth.test.ts` from 21 JWT-focused tests down to 4 BetterAuth session tests covering: no session (401), valid session, email fallback for username, and error handling.
+
+## Files Modified
+- `backend/src/api/middleware/auth.ts` - BetterAuth-only middleware
+- `backend/src/api/routes/auth.ts` - Removed login/usernames endpoints
+- `backend/src/api/websocket.ts` - Cookie-only WebSocket auth
+- `backend/src/test/api/auth.test.ts` - BetterAuth session tests
+- `frontend/src/api/client.ts` - Removed JWT storage/retrieval, cookie-based fetch
+- `frontend/src/hooks/useWebSocket.ts` - No token parameter
+- `frontend/src/components/ServerLogs.tsx` - Removed token usage
+- `frontend/src/components/Login.tsx` - Discord-only login
+- `frontend/src/App.tsx` - BetterAuth-only session management

attendabot/backend/src/api/index.ts

@@ -9,7 +9,6 @@ import path from "path";
 import http from "http";
 import { toNodeHandler } from "better-auth/node";
 import { auth } from "../auth";
-import { authRouter } from "./routes/auth";
 import { statusRouter } from "./routes/status";
 import { messagesRouter } from "./routes/messages";
 import { channelsRouter } from "./routes/channels";
@@ -40,7 +39,6 @@ app.all("/api/auth/better/*", toNodeHandler(auth));
 app.use(express.json());
 
 // API routes
-app.use("/api/auth", authRouter);
 app.use("/api/status", statusRouter);
 app.use("/api/messages", messagesRouter);
 app.use("/api/channels", channelsRouter);

attendabot/backend/src/api/middleware/auth.ts

@@ -1,60 +1,23 @@
 /**
- * @fileoverview JWT authentication middleware and utilities for the admin API.
- * Supports multi-user authentication with predefined instructor accounts.
+ * @fileoverview Authentication middleware for the admin API.
+ * Uses BetterAuth (Discord OAuth) session cookies for authentication.
  */
 
 import { Request, Response, NextFunction } from "express";
-import jwt from "jsonwebtoken";
 import { fromNodeHeaders } from "better-auth/node";
 import { auth } from "../../auth";
-import dotenv from "dotenv";
-
-dotenv.config();
-
-/** Reads JWT secret from environment at call time. */
-function getJwtSecret(): string {
-  return process.env.JWT_SECRET || "default-secret-change-me";
-}
-
-/** Predefined instructor usernames. Passwords are read from env vars at call time. */
-const INSTRUCTOR_NAMES = ["David", "Paris", "Andrew", "Liam"] as const;
-
-/** Reads an instructor's password from the environment at call time. */
-function getInstructorPassword(name: string): string | undefined {
-  if (!(INSTRUCTOR_NAMES as readonly string[]).includes(name)) return undefined;
-  return process.env[`INSTRUCTOR_${name.toUpperCase()}_PASSWORD`];
-}
 
 /** Express Request extended with authenticated user data. */
 export interface AuthRequest extends Request {
   user?: { authenticated: boolean; username: string };
 }
 
-/** Express middleware that validates JWT or BetterAuth session. */
+/** Express middleware that validates a BetterAuth session cookie. */
 export function authenticateToken(
   req: AuthRequest,
   res: Response,
   next: NextFunction,
 ): void {
-  const authHeader = req.headers["authorization"];
-  const token = authHeader && authHeader.split(" ")[1]; // Bearer TOKEN
-
-  // Try JWT first (existing auth)
-  if (token) {
-    try {
-      const decoded = jwt.verify(token, getJwtSecret()) as {
-        authenticated: boolean;
-        username: string;
-      };
-      req.user = decoded;
-      next();
-      return;
-    } catch {
-      // JWT invalid — fall through to try BetterAuth session
-    }
-  }
-
-  // Try BetterAuth session (cookie-based)
   auth.api.getSession({
     headers: fromNodeHeaders(req.headers),
   }).then((session) => {
@@ -64,58 +27,10 @@ export function authenticateToken(
         username: session.user.name || session.user.email || "Discord User",
       };
       next();
-    } else if (!token) {
-      res.status(401).json({ error: "Access token required" });
     } else {
-      res.status(403).json({ error: "Invalid or expired token" });
+      res.status(401).json({ error: "Authentication required" });
     }
   }).catch(() => {
-    if (!token) {
-      res.status(401).json({ error: "Access token required" });
-    } else {
-      res.status(403).json({ error: "Invalid or expired token" });
-    }
+    res.status(401).json({ error: "Authentication required" });
   });
 }
-
-/** Generates a signed JWT valid for 24 hours, including the username. */
-export function generateToken(username: string): string {
-  return jwt.sign({ authenticated: true, username }, getJwtSecret(), {
-    expiresIn: "24h",
-  });
-}
-
-/**
- * Verifies credentials for a given username and password.
- * Checks instructor-specific passwords first, then falls back to admin password.
- */
-export function verifyCredentials(username: string, password: string): boolean {
-  // Check if this is a known instructor with a configured password
-  const instructorPassword = getInstructorPassword(username);
-  if (instructorPassword && password === instructorPassword) {
-    return true;
-  }
-
-  // Fall back to admin password for backwards compatibility
-  const adminPassword = process.env.ADMIN_PASSWORD;
-  if (adminPassword && password === adminPassword) {
-    return true;
-  }
-
-  return false;
-}
-
-/** Returns the list of valid instructor usernames. */
-export function getValidUsernames(): string[] {
-  return [...INSTRUCTOR_NAMES];
-}
-
-/** Checks if the provided password matches the admin password. (Legacy support) */
-export function verifyPassword(password: string): boolean {
-  const adminPassword = process.env.ADMIN_PASSWORD;
-  if (!adminPassword) {
-    console.warn("ADMIN_PASSWORD not set in environment");
-    return false;
-  }
-  return password === adminPassword;
-}

attendabot/backend/src/api/routes/auth.ts

@@ -1,12 +1,12 @@
 /**
  * @fileoverview WebSocket server for real-time log streaming.
- * Handles client connections, JWT authentication, and log broadcasting.
+ * Handles client connections, BetterAuth session authentication, and log broadcasting.
  */
 
-import { Server as HttpServer, IncomingMessage } from "http";
+import { Server as HttpServer } from "http";
 import { WebSocketServer, WebSocket } from "ws";
-import { URL } from "url";
-import jwt from "jsonwebtoken";
+import { fromNodeHeaders } from "better-auth/node";
+import { auth } from "../auth";
 import { subscribeToLogs, getRecentLogs, LogEntry } from "../services/logger";
 
 /** WebSocket message types sent to clients. */
@@ -16,45 +16,6 @@ interface WsMessage {
   log?: LogEntry;
 }
 
-/**
- * Gets the JWT secret from environment variables.
- * Read at runtime to ensure dotenv has been configured.
- */
-function getJwtSecret(): string {
-  return process.env.JWT_SECRET || "default-secret-change-me";
-}
-
-/**
- * Verifies a JWT token from WebSocket query params.
- * @param token - The JWT token to verify.
- * @returns True if the token is valid, false otherwise.
- */
-function verifyToken(token: string): boolean {
-  try {
-    jwt.verify(token, getJwtSecret());
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Extracts the token from a WebSocket upgrade request URL.
- * @param request - The HTTP upgrade request.
- * @returns The token if present, null otherwise.
- */
-function extractToken(request: IncomingMessage): string | null {
-  try {
-    // Build full URL from request
-    const host = request.headers.host || "localhost";
-    const protocol = "http";
-    const fullUrl = new URL(request.url || "/", `${protocol}://${host}`);
-    return fullUrl.searchParams.get("token");
-  } catch {
-    return null;
-  }
-}
-
 /**
  * Initializes the WebSocket server and attaches it to the HTTP server.
  * @param httpServer - The HTTP server instance to attach to.
@@ -72,17 +33,21 @@ export function initializeWebSocket(httpServer: HttpServer): void {
       return;
     }
 
-    // Extract and verify token
-    const token = extractToken(request);
-    if (!token || !verifyToken(token)) {
+    // Verify BetterAuth session (cookie-based)
+    auth.api.getSession({
+      headers: fromNodeHeaders(request.headers),
+    }).then((session) => {
+      if (session?.user) {
+        wss.handleUpgrade(request, socket, head, (ws) => {
+          wss.emit("connection", ws, request);
+        });
+      } else {
+        socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+        socket.destroy();
+      }
+    }).catch(() => {
       socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
       socket.destroy();
-      return;
-    }
-
-    // Upgrade connection
-    wss.handleUpgrade(request, socket, head, (ws) => {
-      wss.emit("connection", ws, request);
     });
   });
 

attendabot/backend/src/api/websocket.ts

@@ -192,11 +192,6 @@ function seedDefaultFeatureFlags(): void {
     1,
     "Include next day's assignment in the EOD reminder message"
   );
-  stmt.run(
-    "password_login_enabled",
-    0,
-    "Show the username/password login form (disable to show Discord login only)"
-  );
 }
 
 /** Seeds default cohorts (Fa2025, Sp2026) if they don't already exist. */