feat(auth): finally better auth working as i wanted it to

2025-09-22 22:40:44 -05:00
parent 4ab43d91b9
commit 8f1375ab7b
50 changed files with 7939 additions and 5909 deletions
--- a/app/src/pkg/auth/auth.ts
+++ b/app/src/pkg/auth/auth.ts
@@ -20,20 +20,26 @@ export const auth = betterAuth({
        provider: "pg",
        schema,
    }),
+    trustedOrigins: [
+        "*.alpla.net",
+        "http://localhost:5173",
+        "http://localhost:5500",
+    ],
    appName: "lst",
    emailAndPassword: {
        enabled: true,
        minPasswordLength: 8, // optional config
    },
    plugins: [
-        jwt({ jwt: { expirationTime: "1h" } }),
+        //jwt({ jwt: { expirationTime: "1h" } }),
        apiKey(),
        admin(),
        username(),
    ],
    session: {
        expiresIn: 60 * 60,
-        updateAge: 60 * 1,
+        updateAge: 60 * 5,
+        freshAge: 60 * 2,
        cookieCache: {
            enabled: true,
            maxAge: 5 * 60, // Cache duration in seconds
--- a/app/src/pkg/db/schema/user_roles.ts
+++ b/app/src/pkg/db/schema/user_roles.ts
@@ -1,8 +1,8 @@
 import { pgTable, text, uuid, uniqueIndex } from "drizzle-orm/pg-core";
 import { user } from "./auth-schema.js";

-export const userRole = pgTable(
-    "user_role",
+export const userRoles = pgTable(
+    "user_roles",
    {
        userRoleId: uuid("user_role_id").defaultRandom().primaryKey(),
        userId: text("user_id")
@@ -15,3 +15,4 @@ export const userRole = pgTable(
        uniqueIndex("unique_user_module").on(table.userId, table.module),
    ]
 );
+export type UserRole = typeof userRoles.$inferSelect;
--- a/app/src/pkg/middleware/authMiddleware.ts
+++ b/app/src/pkg/middleware/authMiddleware.ts
@@ -0,0 +1,90 @@
+import type { Request, Response, NextFunction } from "express";
+import { auth } from "../auth/auth.js";
+import { userRoles, type UserRole } from "../db/schema/user_roles.js";
+import { db } from "../db/db.js";
+import { eq } from "drizzle-orm";
+
+declare global {
+    namespace Express {
+        interface Request {
+            user?: {
+                id: string;
+                email?: string;
+                roles: Record<string, string[]>;
+            };
+        }
+    }
+}
+function toWebHeaders(nodeHeaders: Request["headers"]): Headers {
+    const h = new Headers();
+    for (const [key, value] of Object.entries(nodeHeaders)) {
+        if (Array.isArray(value)) {
+            value.forEach((v) => h.append(key, v));
+        } else if (value !== undefined) {
+            h.set(key, value);
+        }
+    }
+    return h;
+}
+
+export const requireAuth = (moduleName?: string, requiredRoles?: string[]) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const headers = toWebHeaders(req.headers);
+
+            // Get session
+            const session = await auth.api.getSession({
+                headers,
+                query: { disableCookieCache: true },
+            });
+
+            if (!session) {
+                return res.status(401).json({ error: "No active session" });
+            }
+
+            const userId = session.user.id;
+
+            // Get roles
+            const roles = await db
+                .select()
+                .from(userRoles)
+                .where(eq(userRoles.userId, userId));
+
+            // Organize roles by module
+            const rolesByModule: Record<string, string[]> = {};
+            for (const r of roles) {
+                if (!rolesByModule[r.module]) rolesByModule[r.module] = [];
+                rolesByModule[r.module].push(r.role);
+            }
+
+            req.user = {
+                id: userId,
+                email: session.user.email,
+                roles: rolesByModule,
+            };
+
+            // SystemAdmin override
+            const hasSystemAdmin = Object.values(rolesByModule)
+                .flat()
+                .includes("systemAdmin");
+
+            // Role check (skip if systemAdmin)
+            if (requiredRoles?.length && !hasSystemAdmin) {
+                const moduleRoles = moduleName
+                    ? rolesByModule[moduleName] ?? []
+                    : Object.values(rolesByModule).flat();
+                const hasAccess = moduleRoles.some((role) =>
+                    requiredRoles.includes(role)
+                );
+                if (!hasAccess) {
+                    return res.status(403).json({ error: "Forbidden" });
+                }
+            }
+
+            next();
+        } catch (err) {
+            console.error("Auth middleware error:", err);
+            res.status(500).json({ error: "Auth check failed" });
+        }
+    };
+};