feat(15-02): rewrite auth routes for OIDC login/callback/logout

- Add top-level /login, /callback, /logout OIDC routes in index.ts - Strip auth.ts to /me (OIDC claims) and API key CRUD only - Remove credential-based login, setup, password change routes - Remove all cookie/session handling from auth routes
2026-04-04 20:44:46 +02:00
parent 259dc2bc8c
commit 1b6a65b4d5
2 changed files with 27 additions and 142 deletions
--- a/src/server/routes/auth.ts
+++ b/src/server/routes/auth.ts
@@ -1,165 +1,37 @@
 import { zValidator } from "@hono/zod-validator";
-import { eq } from "drizzle-orm";
+import { getAuth } from "@hono/oidc-auth";
 import { Hono } from "hono";
-import { deleteCookie, getCookie, setCookie } from "hono/cookie";
 import { z } from "zod";
-import { users } from "../../db/schema.ts";
 import { parseId } from "../lib/params.ts";
 import { requireAuth } from "../middleware/auth.ts";
-import { rateLimit } from "../middleware/rateLimit.ts";
 import {
-	changePassword,
 	createApiKey,
-	createSession,
-	createUser,
 	deleteApiKey,
-	deleteSession,
-	getSession,
-	getUserCount,
 	listApiKeys,
-	verifyPassword,
 } from "../services/auth.service.ts";

 type Env = { Variables: { db?: any } };

-const loginSchema = z.object({
-	username: z.string().min(1),
-	password: z.string().min(1),
-});
-const setupSchema = z.object({
-	username: z.string().min(1),
-	password: z.string().min(6),
-});
-const changePasswordSchema = z.object({
-	currentPassword: z.string().min(1),
-	newPassword: z.string().min(6),
-});
 const createKeySchema = z.object({ name: z.string().min(1) });

-const COOKIE_NAME = "gearbox_session";
-const COOKIE_MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
-
 const app = new Hono<Env>();

-// ── Public routes ───────────────────────────────────────────────────
+// ── Auth Status ──────────────────────────────────────────────────────

-app.get("/me", (c) => {
-	const db = c.get("db");
-	const sessionId = getCookie(c, COOKIE_NAME);
-
-	if (sessionId) {
-		const session = getSession(db, sessionId);
-		if (session) {
-			return c.json({
-				user: { id: session.userId },
-				setupRequired: false,
-			});
-		}
+app.get("/me", async (c) => {
+	const auth = await getAuth(c);
+	if (auth) {
+		return c.json({
+			user: { id: auth.sub, email: auth.email },
+			authenticated: true,
+		});
 	}
-
-	const setupRequired = getUserCount(db) === 0;
-	return c.json({ user: null, setupRequired });
+	return c.json({ user: null, authenticated: false });
 });

-app.post("/setup", rateLimit, zValidator("json", setupSchema), async (c) => {
-	const db = c.get("db");
+// ── API Key Management (protected) ───────────────────────────────────

-	if (getUserCount(db) > 0) {
-		return c.json({ error: "Setup already completed" }, 403);
-	}
-
-	const { username, password } = c.req.valid("json");
-	const user = await createUser(db, username, password);
-	const session = createSession(db, user.id);
-
-	setCookie(c, COOKIE_NAME, session.id, {
-		httpOnly: true,
-		sameSite: "Lax",
-		path: "/",
-		maxAge: COOKIE_MAX_AGE,
-	});
-
-	return c.json({ username: user.username }, 201);
-});
-
-app.post("/login", rateLimit, zValidator("json", loginSchema), async (c) => {
-	const db = c.get("db");
-	const { username, password } = c.req.valid("json");
-
-	const user = await verifyPassword(db, username, password);
-	if (!user) {
-		return c.json({ error: "Invalid credentials" }, 401);
-	}
-
-	const session = createSession(db, user.id);
-
-	setCookie(c, COOKIE_NAME, session.id, {
-		httpOnly: true,
-		sameSite: "Lax",
-		path: "/",
-		maxAge: COOKIE_MAX_AGE,
-	});
-
-	return c.json({ username: user.username });
-});
-
-app.post("/logout", (c) => {
-	const db = c.get("db");
-	const sessionId = getCookie(c, COOKIE_NAME);
-
-	if (sessionId) {
-		deleteSession(db, sessionId);
-	}
-
-	deleteCookie(c, COOKIE_NAME, { path: "/" });
-	return c.json({ ok: true });
-});
-
-// ── Protected routes ────────────────────────────────────────────────
-
-app.put(
-	"/password",
-	requireAuth,
-	zValidator("json", changePasswordSchema),
-	async (c) => {
-		const db = c.get("db");
-		const sessionId = getCookie(c, COOKIE_NAME);
-		if (!sessionId) {
-			return c.json({ error: "Session required for password change" }, 401);
-		}
-		const session = getSession(db, sessionId);
-
-		if (!session) {
-			return c.json({ error: "Session required for password change" }, 401);
-		}
-
-		const userRecord = db
-			.select()
-			.from(users)
-			.where(eq(users.id, session.userId))
-			.get();
-
-		if (!userRecord) {
-			return c.json({ error: "User not found" }, 404);
-		}
-
-		const { currentPassword, newPassword } = c.req.valid("json");
-		const changed = await changePassword(
-			db,
-			userRecord.username,
-			currentPassword,
-			newPassword,
-		);
-
-		if (!changed) {
-			return c.json({ error: "Invalid current password" }, 401);
-		}
-
-		return c.json({ ok: true });
-	},
-);
-
-app.get("/keys", requireAuth, (c) => {
+app.get("/keys", requireAuth, async (c) => {
 	const db = c.get("db");
 	const keys = listApiKeys(db);
 	return c.json(keys);
@@ -186,11 +58,11 @@ app.post(
 	},
 );

-app.delete("/keys/:id", requireAuth, (c) => {
+app.delete("/keys/:id", requireAuth, async (c) => {
 	const db = c.get("db");
 	const id = parseId(c.req.param("id"));
 	if (!id) return c.json({ error: "Invalid key ID" }, 400);
-	deleteApiKey(db, id);
+	await deleteApiKey(db, id);
 	return c.json({ ok: true });
 });