feat: better auth plugin structure

Author: riccardoperra

apps/api/package.json

@@ -40,37 +40,38 @@
   "license": "ISC",
   "dependencies": {
     "@codeimage/prisma-models": "workspace:*",
-    "@fastify/auth": "4.4.0",
-    "@fastify/autoload": "^5.7.1",
-    "@fastify/cors": "^8.3.0",
-    "@fastify/env": "^4.2.0",
-    "@fastify/jwt": "^6.7.1",
-    "@fastify/sensible": "^5.2.0",
-    "@fastify/swagger": "^8.5.1",
-    "@fastify/swagger-ui": "^1.8.1",
-    "@fastify/type-provider-typebox": "^3.2.0",
+    "@fastify/auth": "^4.4.0",
+    "@fastify/autoload": "^5.8.0",
+    "@fastify/cors": "^8.4.2",
+    "@fastify/env": "^4.3.0",
+    "@fastify/jwt": "^7.2.4",
+    "@fastify/sensible": "^5.5.0",
+    "@fastify/swagger": "^8.12.1",
+    "@fastify/swagger-ui": "^2.0.1",
+    "@fastify/type-provider-typebox": "^3.5.0",
     "@prisma/client": "^4.15.0",
-    "@sinclair/typebox": "^0.28.15",
-    "@teamhanko/passkeys-sdk": "0.1.8",
+    "@sinclair/typebox": "^0.31.28",
+    "@teamhanko/passkeys-sdk": "^0.1.8",
     "auth0": "4.2.0",
     "close-with-grace": "^1.2.0",
     "dotenv": "^16.1.4",
     "dotenv-cli": "^6.0.0",
-    "fastify": "^4.18.0",
-    "fastify-auth0-verify": "^1.2.0",
-    "fastify-cli": "^5.7.1",
+    "fastify": "^4.25.1",
+    "fastify-auth0-verify": "^1.2.1",
+    "fastify-cli": "^5.9.0",
     "fastify-healthcheck": "^4.4.0",
-    "fastify-jwt-jwks": "1.1.4",
-    "fastify-plugin": "^4.5.0",
-    "fluent-json-schema": "^4.1.0",
+    "fastify-jwt-jwks": "^1.1.4",
+    "fastify-overview": "^3.6.0",
+    "fastify-plugin": "^4.5.1",
+    "fluent-json-schema": "^4.2.1",
     "prisma": "^4.15.0"
   },
   "devDependencies": {
     "@types/node": "^18.16.17",
     "@types/sinon": "^10.0.15",
     "@vitest/ui": "^0.31.4",
     "concurrently": "^7.6.0",
-    "fastify-tsconfig": "^1.0.1",
+    "fastify-tsconfig": "^2.0.0",
     "sinon": "^15.1.2",
     "tsup": "6.7.0",
     "tsx": "3.12.7",

apps/api/src/app.ts

@@ -2,7 +2,6 @@ import AutoLoad, {AutoloadPluginOptions} from '@fastify/autoload';
 import fastifyEnv from '@fastify/env';
 import {Type} from '@sinclair/typebox';
 import {FastifyPluginAsync} from 'fastify';
-import fp from 'fastify-plugin';
 import path, {join} from 'node:path';
 import {fileURLToPath} from 'node:url';
 

apps/api/src/common/auth/auth0.ts

@@ -0,0 +1,100 @@
+import '@fastify/jwt';
+import {
+  FastifyInstance,
+  FastifyPluginAsync,
+  preHandlerHookHandler,
+} from 'fastify';
+import fastifyAuth0Verify, {Authenticate} from 'fastify-auth0-verify';
+import fp from 'fastify-plugin';
+import {AuthorizeOptions} from './authorize.js';
+
+declare module '@fastify/jwt' {
+  interface FastifyJWT {
+    payload: {id: number}; // payload type is used for signing and verifying
+    user: Record<string, unknown>; // user type is return type of `request.user` object
+  }
+}
+
+export function mockAuthProvider(context: {email: string}) {
+  return fp(async (fastify: FastifyInstance) => {
+    const auth0Authenticate: Authenticate = async req => {
+      const email = context.email;
+      const clientClaim = fastify.config.AUTH0_CLIENT_CLAIMS;
+      const emailKey = `${clientClaim}/email`;
+      req.user = {
+        [emailKey]: email,
+      };
+    };
+
+    fastify.decorateRequest('user', null);
+    fastify.decorate('authenticate', auth0Authenticate);
+  });
+}
+
+export const auth0Plugin: FastifyPluginAsync<{
+  authProvider?: FastifyPluginAsync;
+}> = async (fastify, options) => {
+  if (fastify.config.MOCK_AUTH) {
+    await fastify.register(
+      mockAuthProvider({
+        email: fastify.config.MOCK_AUTH_EMAIL as string,
+      }),
+    );
+  } else if (options.authProvider) {
+    await fastify.register(options.authProvider);
+  } else {
+    await fastify.register(fastifyAuth0Verify.default, {
+      domain: fastify.config.DOMAIN_AUTH0,
+      secret: fastify.config.CLIENT_SECRET_AUTH,
+      audience: fastify.config.AUDIENCE_AUTH0,
+    });
+  }
+
+  const authorize: (options?: AuthorizeOptions) => preHandlerHookHandler =
+    (options = {mustBeAuthenticated: true}) =>
+    async (req, reply) => {
+      try {
+        await fastify.authenticate(req, reply);
+      } catch (e) {
+        if (options.mustBeAuthenticated) {
+          throw fastify.httpErrors.unauthorized();
+        }
+      }
+
+      const emailClaim = `${fastify.config.AUTH0_CLIENT_CLAIMS}/email`;
+
+      if (!req.user && options.mustBeAuthenticated) {
+        throw fastify.httpErrors.unauthorized();
+      }
+
+      const email = req.user[emailClaim] as string;
+
+      if (!email) {
+        throw fastify.httpErrors.badRequest('No valid user data');
+      }
+
+      const user = await fastify.prisma.user.findFirst({
+        where: {
+          email,
+        },
+      });
+
+      if (!user) {
+        req.appUser = await fastify.prisma.user.create({
+          data: {
+            email,
+          },
+        });
+      } else {
+        req.appUser = user;
+      }
+    };
+
+  fastify.decorate('verifyAuth0', authorize);
+};
+
+declare module 'fastify' {
+  interface FastifyInstance {
+    verifyAuth0: (options?: AuthorizeOptions) => preHandlerHookHandler;
+  }
+}

apps/api/src/common/auth/authorize.ts

@@ -0,0 +1,3 @@
+export interface AuthorizeOptions {
+  mustBeAuthenticated: boolean;
+}

apps/api/src/plugins/multi-auth.ts renamed to apps/api/src/common/auth/multiAuth.ts

@@ -1,16 +1,13 @@
 import fastifyAuth from '@fastify/auth';
-import {preHandlerHookHandler} from 'fastify';
-import fp from 'fastify-plugin';
+import {FastifyPluginAsync, preHandlerHookHandler} from 'fastify';
+import {AuthorizeOptions} from './authorize.js';
 
-interface AuthorizeOptions {
-  mustBeAuthenticated: boolean;
-}
-export default fp(async fastify => {
+export const multiAuthProviderPlugin: FastifyPluginAsync = async fastify => {
   fastify.register(fastifyAuth);
 
-  const preHookHandler: (options: AuthorizeOptions) => preHandlerHookHandler = (
-    options = {mustBeAuthenticated: true},
-  ) =>
+  const preHookHandler: (
+    options?: AuthorizeOptions,
+  ) => preHandlerHookHandler = (options = {mustBeAuthenticated: true}) =>
     function (request, reply, done) {
       return fastify
         .auth([
@@ -21,7 +18,7 @@ export default fp(async fastify => {
     };
 
   fastify.decorate('authorize', preHookHandler);
-});
+};
 
 declare module 'fastify' {
   interface FastifyInstance {

apps/api/src/plugins/passkeys.ts renamed to apps/api/src/common/auth/passkeys.ts

@@ -1,12 +1,11 @@
 import {tenant} from '@teamhanko/passkeys-sdk';
-import {preHandlerHookHandler} from 'fastify';
-import fp from 'fastify-plugin';
+import {FastifyPluginAsync, preHandlerHookHandler} from 'fastify';
 
 interface AuthorizeOptions {
   mustBeAuthenticated: boolean;
 }
 
-export const passkeysPlugin = fp(async fastify => {
+export const passkeysPlugin: FastifyPluginAsync = async fastify => {
   const passkeysApi = tenant({
     tenantId: fastify.config.HANKO_PASSKEYS_TENANT_ID,
     apiKey: fastify.config.HANKO_PASSKEYS_API_KEY,
@@ -15,9 +14,9 @@ export const passkeysPlugin = fp(async fastify => {
 
   fastify.decorate('passkeysApi', passkeysApi);
 
-  const verify: (options: AuthorizeOptions) => preHandlerHookHandler =
+  const verify: (options?: AuthorizeOptions) => preHandlerHookHandler =
     (options = {mustBeAuthenticated: true}) =>
-    async (req, reply, done) => {
+    async req => {
       const token = req.headers.authorization
         ?.split('Bearer ')[1]
         .split('.')[1] as string;
@@ -31,26 +30,21 @@ export const passkeysPlugin = fp(async fastify => {
       });
 
       if (user) {
-        console.log('augment request with user', user);
         req.appUser = user;
-        req.appUserOptional = user;
-        done();
       } else if (options.mustBeAuthenticated) {
         throw fastify.httpErrors.unauthorized();
       }
     };
 
   fastify.decorate('verifyHankoPasskey', verify);
-});
+};
 
 export default passkeysPlugin;
 
 declare module 'fastify' {
   interface FastifyInstance {
     passkeysApi: ReturnType<typeof tenant>;
 
-    verifyHankoPasskey: (
-      options?: AuthorizeOptions,
-    ) => (req: FastifyRequest, reply: FastifyReply) => void;
+    verifyHankoPasskey: (options?: AuthorizeOptions) => preHandlerHookHandler;
   }
 }

apps/api/src/common/auth/user.ts

@@ -0,0 +1,12 @@
+import {FastifyPluginAsync} from 'fastify';
+import {User} from '@codeimage/prisma-models';
+
+export const appUserPlugin: FastifyPluginAsync = async fastify => {
+  fastify.decorateRequest('appUser', null);
+};
+
+declare module 'fastify' {
+  interface FastifyRequest {
+    appUser: User;
+  }
+}

apps/api/src/plugins/auth0.ts

@@ -0,0 +1,16 @@
+import fp from 'fastify-plugin';
+import {auth0Plugin} from '../common/auth/auth0.js';
+import {multiAuthProviderPlugin} from '../common/auth/multiAuth.js';
+import passkeysPlugin from '../common/auth/passkeys.js';
+import {appUserPlugin} from '../common/auth/user.js';
+
+export default fp(
+  async fastify => {
+    fastify
+      .register(fp(appUserPlugin))
+      .register(fp(passkeysPlugin))
+      .register(fp(auth0Plugin))
+      .register(fp(multiAuthProviderPlugin));
+  },
+  {encapsulate: false},
+);