fix: OIDC auth flow, Vite proxy, and PostgreSQL query compat

- Add auth redirect in root layout for unauthenticated users
- Proxy OIDC routes (/login, /callback, /logout) through Vite dev server
- Strip Secure flag from OIDC cookies in dev mode (HTTP localhost)
- Disable retry on auth query to prevent stale cookie loops
- Fix SQLite .get()/.all()/.run() calls in category and global-item
  services for PostgreSQL compatibility
- Add userId scoping to category service functions
- Add OIDC error logging in auth middleware
- Apply linter auto-formatting across affected files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-05 18:25:31 +02:00
parent f7588827b1
commit 574a12e6fa
32 changed files with 315 additions and 253 deletions

View File

@@ -1,11 +1,11 @@
import { Hono } from "hono";
import { serveStatic } from "hono/bun";
import { cors } from "hono/cors";
import {
oidcAuthMiddleware,
processOAuthCallback,
revokeSession,
} from "@hono/oidc-auth";
import { Hono } from "hono";
import { serveStatic } from "hono/bun";
import { cors } from "hono/cors";
import { db as prodDb } from "../db/index.ts";
import { seedDefaults } from "../db/seed.ts";
import { mcpRoutes } from "./mcp/index.ts";
@@ -15,8 +15,8 @@ import { categoryRoutes } from "./routes/categories.ts";
import { imageRoutes } from "./routes/images.ts";
import { itemRoutes } from "./routes/items.ts";
import { oauthRoutes, wellKnownRoute } from "./routes/oauth.ts";
import { settingsRoutes } from "./routes/settings.ts";
import { profileRoutes } from "./routes/profiles.ts";
import { settingsRoutes } from "./routes/settings.ts";
import { setupRoutes } from "./routes/setups.ts";
import { threadRoutes } from "./routes/threads.ts";
import { totalRoutes } from "./routes/totals.ts";
@@ -42,6 +42,24 @@ app.get("/api/health", (c) => {
});
// ── OIDC Browser Auth (top-level, before /api/* middleware) ───────────
// In dev mode, strip Secure flag from OIDC cookies so they work over HTTP
if (process.env.NODE_ENV !== "production") {
app.use("*", async (c, next) => {
await next();
const setCookies = c.res.headers.getSetCookie?.() ?? [];
if (setCookies.length > 0) {
c.res.headers.delete("Set-Cookie");
for (const cookie of setCookies) {
c.res.headers.append(
"Set-Cookie",
cookie.replace(/;\s*Secure/gi, ""),
);
}
}
});
}
app.get("/login", oidcAuthMiddleware(), async (c) => c.redirect("/"));
app.get("/callback", async (c) => processOAuthCallback(c));
app.get("/logout", async (c) => {

View File

@@ -39,7 +39,8 @@ export async function requireAuth(c: Context, next: Next) {
c.set("userId", user.id);
return next();
}
} catch {
} catch (err) {
console.error("[auth] OIDC auth failed:", err);
// OIDC not configured or session invalid — fall through
}

View File

@@ -1,7 +1,8 @@
import { zValidator } from "@hono/zod-validator";
import { getAuth } from "@hono/oidc-auth";
import { zValidator } from "@hono/zod-validator";
import { Hono } from "hono";
import { z } from "zod";
import { updateProfileSchema } from "../../shared/schemas.ts";
import { parseId } from "../lib/params.ts";
import { requireAuth } from "../middleware/auth.ts";
import {
@@ -10,7 +11,6 @@ import {
listApiKeys,
} from "../services/auth.service.ts";
import { updateProfile } from "../services/profile.service.ts";
import { updateProfileSchema } from "../../shared/schemas.ts";
type Env = { Variables: { db?: any; userId?: number } };

View File

@@ -7,7 +7,6 @@ import {
updateSetupSchema,
} from "../../shared/schemas.ts";
import { parseId } from "../lib/params.ts";
import { withImageUrls } from "../services/storage.service.ts";
import { getPublicSetupWithItems } from "../services/profile.service.ts";
import {
createSetup,
@@ -19,6 +18,7 @@ import {
updateItemClassification,
updateSetup,
} from "../services/setup.service.ts";
import { withImageUrls } from "../services/storage.service.ts";
type Env = { Variables: { db?: any; userId?: number } };

View File

@@ -9,10 +9,7 @@ import {
updateThreadSchema,
} from "../../shared/schemas.ts";
import { parseId } from "../lib/params.ts";
import {
deleteImage,
withImageUrls,
} from "../services/storage.service.ts";
import { deleteImage, withImageUrls } from "../services/storage.service.ts";
import {
createCandidate,
createThread,

View File

@@ -1,6 +1,6 @@
import { randomBytes } from "node:crypto";
import { and, eq } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import type { db as prodDb } from "../../db/index.ts";
import { apiKeys, users } from "../../db/schema.ts";
type Db = typeof prodDb;
@@ -24,11 +24,7 @@ export async function getOrCreateUser(
// ── API Key Management ───────────────────────────────────────────────
export async function createApiKey(
db: Db,
userId: number,
name: string,
) {
export async function createApiKey(db: Db, userId: number, name: string) {
const rawKey = randomBytes(32).toString("hex");
const keyHash = await Bun.password.hash(rawKey);
const keyPrefix = rawKey.slice(0, 8);

View File

@@ -20,76 +20,85 @@ export async function getOrCreateUncategorized(db: Db, userId: number) {
return created;
}
export function getAllCategories(db: Db = prodDb) {
return db.select().from(categories).orderBy(asc(categories.name)).all();
export async function getAllCategories(db: Db, userId: number) {
return db
.select()
.from(categories)
.where(eq(categories.userId, userId))
.orderBy(asc(categories.name));
}
export function createCategory(
db: Db = prodDb,
export async function createCategory(
db: Db,
userId: number,
data: { name: string; icon?: string },
) {
return db
const [row] = await db
.insert(categories)
.values({
name: data.name,
userId,
...(data.icon ? { icon: data.icon } : {}),
})
.returning()
.get();
.returning();
return row;
}
export function updateCategory(
db: Db = prodDb,
export async function updateCategory(
db: Db,
userId: number,
id: number,
data: { name?: string; icon?: string },
) {
const existing = db
const [existing] = await db
.select({ id: categories.id })
.from(categories)
.where(eq(categories.id, id))
.get();
.where(and(eq(categories.id, id), eq(categories.userId, userId)));
if (!existing) return null;
return db
const [row] = await db
.update(categories)
.set(data)
.where(eq(categories.id, id))
.returning()
.get();
.where(and(eq(categories.id, id), eq(categories.userId, userId)))
.returning();
return row;
}
export function deleteCategory(
db: Db = prodDb,
export async function deleteCategory(
db: Db,
userId: number,
id: number,
): { success: boolean; error?: string } {
// Guard: cannot delete Uncategorized (id=1)
if (id === 1) {
): Promise<{ success: boolean; error?: string }> {
// Check if category exists and belongs to user
const [existing] = await db
.select({ id: categories.id, name: categories.name })
.from(categories)
.where(and(eq(categories.id, id), eq(categories.userId, userId)));
if (!existing) {
return { success: false, error: "Category not found" };
}
// Guard: cannot delete Uncategorized
if (existing.name === "Uncategorized") {
return {
success: false,
error: "Cannot delete the Uncategorized category",
};
}
// Check if category exists
const existing = db
.select({ id: categories.id })
.from(categories)
.where(eq(categories.id, id))
.get();
// Get the user's Uncategorized category for reassignment
const uncategorized = await getOrCreateUncategorized(db, userId);
if (!existing) {
return { success: false, error: "Category not found" };
}
// Reassign items to Uncategorized, then delete atomically
await db.transaction(async (tx) => {
await tx
.update(items)
.set({ categoryId: uncategorized.id })
.where(eq(items.categoryId, id));
// Reassign items to Uncategorized (id=1), then delete atomically
db.transaction(() => {
db.update(items)
.set({ categoryId: 1 })
.where(eq(items.categoryId, id))
.run();
db.delete(categories).where(eq(categories.id, id)).run();
await tx.delete(categories).where(eq(categories.id, id));
});
return { success: true };

View File

@@ -1,5 +1,5 @@
import { and, eq } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import type { db as prodDb } from "../../db/index.ts";
import { categories, items } from "../../db/schema.ts";
import { getOrCreateUncategorized } from "./category.service.ts";

View File

@@ -5,12 +5,12 @@ import { globalItems, itemGlobalLinks } from "../../db/schema.ts";
type Db = typeof prodDb;
/**
* Search global items by brand or model. SQLite LIKE is case-insensitive for ASCII.
* Search global items by brand or model. LIKE is case-insensitive for ASCII.
* Escapes % and _ wildcard characters in user input.
*/
export function searchGlobalItems(db: Db = prodDb, query?: string) {
export async function searchGlobalItems(db: Db = prodDb, query?: string) {
if (!query) {
return db.select().from(globalItems).all();
return db.select().from(globalItems);
}
// Escape SQL LIKE wildcards
@@ -21,31 +21,28 @@ export function searchGlobalItems(db: Db = prodDb, query?: string) {
.select()
.from(globalItems)
.where(
or(
like(globalItems.brand, pattern),
like(globalItems.model, pattern),
),
)
.all();
or(like(globalItems.brand, pattern), like(globalItems.model, pattern)),
);
}
/**
* Get a single global item by ID with the count of user items linked to it.
*/
export function getGlobalItemWithOwnerCount(db: Db = prodDb, id: number) {
const item = db
export async function getGlobalItemWithOwnerCount(
db: Db = prodDb,
id: number,
) {
const [item] = await db
.select()
.from(globalItems)
.where(eq(globalItems.id, id))
.get();
.where(eq(globalItems.id, id));
if (!item) return null;
const result = db
const [result] = await db
.select({ ownerCount: count() })
.from(itemGlobalLinks)
.where(eq(itemGlobalLinks.globalItemId, id))
.get();
.where(eq(itemGlobalLinks.globalItemId, id));
return { ...item, ownerCount: result?.ownerCount ?? 0 };
}
@@ -53,27 +50,26 @@ export function getGlobalItemWithOwnerCount(db: Db = prodDb, id: number) {
/**
* Link a user's item to a global item. Throws on duplicate (unique constraint on itemId).
*/
export function linkItemToGlobal(
export async function linkItemToGlobal(
db: Db = prodDb,
itemId: number,
globalItemId: number,
) {
return db
const [row] = await db
.insert(itemGlobalLinks)
.values({ itemId, globalItemId })
.returning()
.get();
.returning();
return row;
}
/**
* Remove the link between a user's item and any global item.
*/
export function unlinkItemFromGlobal(db: Db = prodDb, itemId: number) {
const result = db
export async function unlinkItemFromGlobal(db: Db = prodDb, itemId: number) {
const result = await db
.delete(itemGlobalLinks)
.where(eq(itemGlobalLinks.itemId, itemId))
.returning()
.all();
.returning();
return result.length;
}

View File

@@ -1,5 +1,5 @@
import { and, eq } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import type { db as prodDb } from "../../db/index.ts";
import { categories, items } from "../../db/schema.ts";
import type { CreateItem } from "../../shared/types.ts";
@@ -146,9 +146,7 @@ export async function deleteItem(db: Db, userId: number, id: number) {
if (!item) return null;
await db
.delete(items)
.where(and(eq(items.id, id), eq(items.userId, userId)));
await db.delete(items).where(and(eq(items.id, id), eq(items.userId, userId)));
return item;
}

View File

@@ -86,10 +86,7 @@ export async function exchangeCode(
if (computedChallenge !== record.codeChallenge) return null;
// Mark code as used
await db
.update(oauthCodes)
.set({ used: 1 })
.where(eq(oauthCodes.code, code));
await db.update(oauthCodes).set({ used: 1 }).where(eq(oauthCodes.code, code));
return generateTokens(db, clientId, userId);
}

View File

@@ -1,5 +1,5 @@
import { and, eq, sql } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import type { db as prodDb } from "../../db/index.ts";
import {
categories,
items,
@@ -16,10 +16,7 @@ export async function updateProfile(
userId: number,
data: UpdateProfile,
) {
const [existing] = await db
.select()
.from(users)
.where(eq(users.id, userId));
const [existing] = await db.select().from(users).where(eq(users.id, userId));
if (!existing) return null;
// If no fields to update, return existing user

View File

@@ -1,15 +1,11 @@
import { and, eq, inArray, sql } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import type { db as prodDb } from "../../db/index.ts";
import { categories, items, setupItems, setups } from "../../db/schema.ts";
import type { CreateSetup, UpdateSetup } from "../../shared/types.ts";
type Db = typeof prodDb;
export async function createSetup(
db: Db,
userId: number,
data: CreateSetup,
) {
export async function createSetup(db: Db, userId: number, data: CreateSetup) {
const [row] = await db
.insert(setups)
.values({ name: data.name, userId, isPublic: data.isPublic ?? false })
@@ -110,11 +106,7 @@ export async function updateSetup(
return row;
}
export async function deleteSetup(
db: Db,
userId: number,
setupId: number,
) {
export async function deleteSetup(db: Db, userId: number, setupId: number) {
const [existing] = await db
.select({ id: setups.id })
.from(setups)
@@ -197,9 +189,7 @@ export async function updateItemClassification(
await db
.update(setupItems)
.set({ classification })
.where(
and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)),
);
.where(and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)));
}
export async function removeSetupItem(
@@ -217,7 +207,5 @@ export async function removeSetupItem(
await db
.delete(setupItems)
.where(
and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)),
);
.where(and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)));
}

View File

@@ -62,9 +62,9 @@ export async function getImageUrl(filename: string): Promise<string> {
* Enrich a record that has an imageFilename with a presigned imageUrl.
* Returns null imageUrl when imageFilename is null.
*/
export async function withImageUrl<
T extends { imageFilename: string | null },
>(record: T): Promise<T & { imageUrl: string | null }> {
export async function withImageUrl<T extends { imageFilename: string | null }>(
record: T,
): Promise<T & { imageUrl: string | null }> {
return {
...record,
imageUrl: record.imageFilename
@@ -76,8 +76,8 @@ export async function withImageUrl<
/**
* Batch version of withImageUrl. Uses Promise.all for parallelism.
*/
export async function withImageUrls<
T extends { imageFilename: string | null },
>(records: T[]): Promise<(T & { imageUrl: string | null })[]> {
export async function withImageUrls<T extends { imageFilename: string | null }>(
records: T[],
): Promise<(T & { imageUrl: string | null })[]> {
return Promise.all(records.map((record) => withImageUrl(record)));
}

View File

@@ -1,5 +1,5 @@
import { and, asc, desc, eq, max, sql } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import type { db as prodDb } from "../../db/index.ts";
import {
categories,
items,
@@ -15,11 +15,7 @@ import { getOrCreateUncategorized } from "./category.service.ts";
type Db = typeof prodDb;
export async function createThread(
db: Db,
userId: number,
data: CreateThread,
) {
export async function createThread(db: Db, userId: number, data: CreateThread) {
const [row] = await db
.insert(threads)
.values({ name: data.name, categoryId: data.categoryId, userId })
@@ -258,9 +254,7 @@ export async function deleteCandidate(
const [thread] = await db
.select({ id: threads.id })
.from(threads)
.where(
and(eq(threads.id, candidate.threadId), eq(threads.userId, userId)),
);
.where(and(eq(threads.id, candidate.threadId), eq(threads.userId, userId)));
if (!thread) return null;
await db.delete(threadCandidates).where(eq(threadCandidates.id, candidateId));

View File

@@ -1,5 +1,5 @@
import { and, eq, sql } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import type { db as prodDb } from "../../db/index.ts";
import { categories, items } from "../../db/schema.ts";
type Db = typeof prodDb;