Accept OATs in the whoami v2 endpoint

Author: myftija

apps/webapp/app/routes/api.v2.whoami.ts

@@ -1,97 +1,200 @@
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { json } from "@remix-run/server-runtime";
-import { WhoAmIResponse } from "@trigger.dev/core/v3";
+import { json, type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { type WhoAmIResponse } from "@trigger.dev/core/v3";
 import { prisma } from "~/db.server";
 import { env } from "~/env.server";
-import { logger } from "~/services/logger.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
 import { v3ProjectPath } from "~/utils/pathBuilder";
+import { authenticateRequest } from "~/services/apiAuth.server";
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  logger.info("whoami v2", { url: request.url });
-  try {
-    const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-    if (!authenticationResult) {
+  const authenticationResult = await authenticateRequest(request, {
+    personalAccessToken: true,
+    organizationAccessToken: true,
+    apiKey: false,
+  });
+
+  if (!authenticationResult) {
+    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+  }
+
+  const url = new URL(request.url);
+  const projectRef = url.searchParams.get("projectRef") ?? undefined;
+
+  switch (authenticationResult.type) {
+    case "personalAccessToken": {
+      const result = await getIdentityFromPAT(authenticationResult.result.userId, projectRef);
+      if (!result.success) {
+        if (result.error === "user_not_found") {
+          return json({ error: "User not found" }, { status: 404 });
+        }
+
+        return json({ error: result.error }, { status: 401 });
+      }
+      return json(result.result);
+    }
+    case "organizationAccessToken": {
+      const result = await getIdentityFromOAT(
+        authenticationResult.result.organizationId,
+        projectRef
+      );
+      return json(result.result);
+    }
+    default: {
+      authenticationResult satisfies never;
       return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
     }
+  }
+}
+
+async function getIdentityFromPAT(
+  userId: string,
+  projectRef: string | undefined
+): Promise<
+  { success: true; result: WhoAmIResponse } | { success: false; error: "user_not_found" }
+> {
+  const user = await prisma.user.findFirst({
+    select: {
+      email: true,
+    },
+    where: {
+      id: userId,
+    },
+  });
+
+  if (!user) {
+    return { success: false, error: "user_not_found" };
+  }
+
+  const userDetails = {
+    userId,
+    email: user.email,
+    dashboardUrl: env.APP_ORIGIN,
+  } satisfies WhoAmIResponse;
+
+  if (!projectRef) {
+    return {
+      success: true,
+      result: userDetails,
+    };
+  }
+
+  const orgs = await prisma.organization.findMany({
+    select: {
+      id: true,
+    },
+    where: {
+      members: {
+        some: {
+          userId,
+        },
+      },
+    },
+  });
 
-    const user = await prisma.user.findUnique({
-      select: {
-        email: true,
+  if (orgs.length === 0) {
+    return {
+      success: true,
+      result: userDetails,
+    };
+  }
+
+  const project = await prisma.project.findFirst({
+    select: {
+      externalRef: true,
+      name: true,
+      slug: true,
+      organization: {
+        select: {
+          slug: true,
+          title: true,
+        },
       },
-      where: {
-        id: authenticationResult.userId,
+    },
+    where: {
+      externalRef: projectRef,
+      organizationId: {
+        in: orgs.map((org) => org.id),
       },
-    });
+    },
+  });
 
-    if (!user) {
-      return json({ error: "User not found" }, { status: 404 });
-    }
+  if (!project) {
+    return {
+      success: true,
+      result: userDetails,
+    };
+  }
+
+  const projectPath = v3ProjectPath({ slug: project.organization.slug }, { slug: project.slug });
 
-    const url = new URL(request.url);
-    const projectRef = url.searchParams.get("projectRef");
+  return {
+    success: true,
+    result: {
+      ...userDetails,
+      project: {
+        url: new URL(projectPath, env.APP_ORIGIN).href,
+        name: project.name,
+        orgTitle: project.organization.title,
+      },
+    },
+  };
+}
 
-    let projectDetails: WhoAmIResponse["project"];
+async function getIdentityFromOAT(
+  organizationId: string,
+  projectRef: string | undefined
+): Promise<{ success: true; result: WhoAmIResponse }> {
+  // Organization auth tokens are currently only used internally for the build server.
+  // We will eventually expose them in the application as well, as they are useful beyond the build server.
+  // At that point we will need a v3 whoami endpoint that properly handles org auth tokens.
+  // For now, we just return a dummy user id and email and keep using the existing v2 whoami endpoint.
+  const orgDetails = {
+    userId: `org_${organizationId}`,
+    email: "[email protected]",
+    dashboardUrl: env.APP_ORIGIN,
+  } satisfies WhoAmIResponse;
 
-    if (projectRef) {
-      const orgs = await prisma.organization.findMany({
+  if (!projectRef) {
+    return {
+      success: true,
+      result: orgDetails,
+    };
+  }
+
+  const project = await prisma.project.findFirst({
+    select: {
+      externalRef: true,
+      name: true,
+      slug: true,
+      organization: {
         select: {
-          id: true,
+          slug: true,
+          title: true,
         },
-        where: {
-          members: {
-            some: {
-              userId: authenticationResult.userId,
-            },
-          },
-        },
-      });
-
-      if (orgs.length > 0) {
-        const project = await prisma.project.findFirst({
-          select: {
-            externalRef: true,
-            name: true,
-            slug: true,
-            organization: {
-              select: {
-                slug: true,
-                title: true,
-              },
-            },
-          },
-          where: {
-            externalRef: projectRef,
-            organizationId: {
-              in: orgs.map((org) => org.id),
-            },
-          },
-        });
-
-        if (project) {
-          const projectPath = v3ProjectPath(
-            { slug: project.organization.slug },
-            { slug: project.slug }
-          );
-          projectDetails = {
-            url: new URL(projectPath, env.APP_ORIGIN).href,
-            name: project.name,
-            orgTitle: project.organization.title,
-          };
-        }
-      }
-    }
+      },
+    },
+    where: {
+      externalRef: projectRef,
+      organizationId,
+    },
+  });
 
-    const result: WhoAmIResponse = {
-      userId: authenticationResult.userId,
-      email: user.email,
-      dashboardUrl: env.APP_ORIGIN,
-      project: projectDetails,
+  if (!project) {
+    return {
+      success: true,
+      result: orgDetails,
     };
-    return json(result);
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : "Something went wrong";
-    logger.error("Error in whoami v2", { error: errorMessage });
-    return json({ error: errorMessage }, { status: 400 });
   }
+
+  const projectPath = v3ProjectPath({ slug: project.organization.slug }, { slug: project.slug });
+  return {
+    success: true,
+    result: {
+      ...orgDetails,
+      project: {
+        url: new URL(projectPath, env.APP_ORIGIN).href,
+        name: project.name,
+        orgTitle: project.organization.title,
+      },
+    },
+  };
 }