Fix Session.id type and restore nested passkey routes

- Change Session.id from number to string to match DB bigint type - Restore me.passkeys.{list,rename,delete} nested route structure - Remove unnecessary String() conversion in logout procedure - Auto-formatted procedure files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:44:45 +08:00
parent 1858ea9783
commit 617fa78046
7 changed files with 285 additions and 213 deletions
--- a/apps/api-server/src/procedures/base.ts
+++ b/apps/api-server/src/procedures/base.ts
@@ -111,13 +111,13 @@ export const authMiddleware = os.middleware(async ({ context, next }) => {

  const sessionInfo: Session = session
    ? {
-        id: Number(session.id),
+        id: session.id,
        trustedMode: session.trusted_mode,
        createdAt: session.created_at,
      }
    : {
        // For API token auth, create a synthetic session object
-        id: 0,
+        id: "0",
        trustedMode: true,
        createdAt: apiToken?.created_at ?? new Date(),
      };
@@ -133,69 +133,71 @@ export const authMiddleware = os.middleware(async ({ context, next }) => {
 /**
 * Login request middleware - validates login request token from cookie
 */
-export const loginRequestMiddleware = os.middleware(async ({ context, next }) => {
-  const { db, reqHeaders } = context;
+export const loginRequestMiddleware = os.middleware(
+  async ({ context, next }) => {
+    const { db, reqHeaders } = context;

-  // Read login request token from cookie
-  const loginRequestToken = getCookie(
-    reqHeaders,
-    COOKIE_NAMES.LOGIN_REQUEST_TOKEN,
-  );
+    // Read login request token from cookie
+    const loginRequestToken = getCookie(
+      reqHeaders,
+      COOKIE_NAMES.LOGIN_REQUEST_TOKEN,
+    );

-  if (!loginRequestToken) {
-    throw new ORPCError("BAD_REQUEST", {
-      message: "No login request found",
+    if (!loginRequestToken) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: "No login request found",
+      });
+    }
+
+    // Check if token is a valid login request ID (numeric)
+    const num = Number(loginRequestToken);
+    if (Number.isNaN(num) || !Number.isInteger(num) || num <= 0) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: "Invalid login request",
+      });
+    }
+
+    const loginRequestId = loginRequestToken;
+
+    // Fetch login request with user data
+    const result = await db
+      .selectFrom("login_requests")
+      .innerJoin("users", "users.id", "login_requests.user_id")
+      .select([
+        "login_requests.id",
+        "login_requests.user_id",
+        "login_requests.expires_at",
+        "users.email",
+        "users.display_name",
+        "users.email_verified_at",
+        "users.is_superuser",
+      ])
+      .where("login_requests.id", "=", loginRequestId)
+      .where("login_requests.expires_at", ">", new Date())
+      .executeTakeFirst();
+
+    if (!result) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: "Login request expired or not found",
+      });
+    }
+
+    const sessionUser: SessionUser = {
+      id: result.user_id,
+      email: result.email,
+      displayName: result.display_name,
+      emailVerifiedAt: result.email_verified_at,
+      isSuperuser: result.is_superuser,
+    };
+
+    return next({
+      context: {
+        loginRequestId: Number(result.id),
+        user: sessionUser,
+      },
    });
-  }
-
-  // Check if token is a valid login request ID (numeric)
-  const num = Number(loginRequestToken);
-  if (Number.isNaN(num) || !Number.isInteger(num) || num <= 0) {
-    throw new ORPCError("BAD_REQUEST", {
-      message: "Invalid login request",
-    });
-  }
-
-  const loginRequestId = loginRequestToken;
-
-  // Fetch login request with user data
-  const result = await db
-    .selectFrom("login_requests")
-    .innerJoin("users", "users.id", "login_requests.user_id")
-    .select([
-      "login_requests.id",
-      "login_requests.user_id",
-      "login_requests.expires_at",
-      "users.email",
-      "users.display_name",
-      "users.email_verified_at",
-      "users.is_superuser",
-    ])
-    .where("login_requests.id", "=", loginRequestId)
-    .where("login_requests.expires_at", ">", new Date())
-    .executeTakeFirst();
-
-  if (!result) {
-    throw new ORPCError("BAD_REQUEST", {
-      message: "Login request expired or not found",
-    });
-  }
-
-  const sessionUser: SessionUser = {
-    id: result.user_id,
-    email: result.email,
-    displayName: result.display_name,
-    emailVerifiedAt: result.email_verified_at,
-    isSuperuser: result.is_superuser,
-  };
-
-  return next({
-    context: {
-      loginRequestId: Number(result.id),
-      user: sessionUser,
-    },
-  });
-});
+  },
+);

 /**
 * Superuser middleware - requires admin access (must be used after authMiddleware)