Fix Session.id type and restore nested passkey routes

- Change Session.id from number to string to match DB bigint type - Restore me.passkeys.{list,rename,delete} nested route structure - Remove unnecessary String() conversion in logout procedure - Auto-formatted procedure files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:44:45 +08:00
parent 1858ea9783
commit 617fa78046
7 changed files with 285 additions and 213 deletions
--- a/apps/api-server/src/middleware/auth.ts
+++ b/apps/api-server/src/middleware/auth.ts
@@ -113,14 +113,14 @@ export const createAuthMiddleware = () => {
    const sessionInfo: Session = session
      ? {
-          id: Number(session.id),
+          id: session.id,
          trustedMode: session.trusted_mode,
          createdAt: session.created_at,
        }
      : {
          // For API token auth, create a synthetic session object
          // We know apiToken exists because userId came from it
-          id: 0,
+          id: "0",
          trustedMode: true,
          createdAt: apiToken?.created_at ?? new Date(),
        };
--- a/apps/api-server/src/procedures/auth/login-password.ts
+++ b/apps/api-server/src/procedures/auth/login-password.ts
@@ -110,7 +110,11 @@ export const loginPassword = os.auth.loginPassword.handler(
    // Password is valid - check if device is trusted
    // If no device fingerprint, treat as untrusted
    const deviceTrusted = result.device_fingerprint
-      ? await isDeviceTrusted(context.db, result.user_id, result.device_fingerprint)
+      ? await isDeviceTrusted(
          context.db,
          result.user_id,
          result.device_fingerprint,
        )
      : false;
    if (deviceTrusted) {
--- a/apps/api-server/src/procedures/auth/logout.ts
+++ b/apps/api-server/src/procedures/auth/logout.ts
@@ -18,7 +18,7 @@ export const logout = os.auth.logout
    await context.db
      .updateTable("sessions")
      .set({ revoked_at: new Date() })
-    .where("id", "=", String(context.session.id))
+      .where("id", "=", context.session.id)
      .execute();
    // Clear the session cookie
--- a/apps/api-server/src/procedures/auth/signup.ts
+++ b/apps/api-server/src/procedures/auth/signup.ts
@@ -2,16 +2,15 @@
 * Signup procedure - creates a new user account with email + password or passkey
 */
 import type { DB } from "@reviq/db-schema";
 import type {
  PublicKeyCredentialCreationOptionsJSON,
  RegistrationResponseJSON,
 } from "@simplewebauthn/types";
 import type { Kysely } from "kysely";
 import type { DB } from "@reviq/db-schema";
 import type { RPInfo } from "../../utils/webauthn.js";
 import { ORPCError } from "@orpc/server";
 import { verifyRegistrationResponse } from "@simplewebauthn/server";
 import { os } from "../base.js";
 import {
  COOKIE_NAMES,
  COOKIE_OPTIONS,
@@ -24,6 +23,7 @@ import { getGeoInfo, getUserAgent } from "../../utils/geo.js";
 import { hashPassword, validatePassword } from "../../utils/password.js";
 import { createSession } from "../../utils/session.js";
 import { getRPInfo, KNOWN_AAGUIDS } from "../../utils/webauthn.js";
 import { os } from "../base.js";
 /**
 * Create user with password authentication
@@ -231,7 +231,11 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
  if (password) {
    userId = await signupWithPassword(context.db, email, password);
  } else if (passkeyInfo) {
-    const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
+    const rpInfo = getRPInfo(
      context.origin,
      context.allowedOrigins,
      context.rpName,
    );
    userId = await signupWithPasskey(context.db, email, passkeyInfo, rpInfo);
  } else {
    // Should never reach here due to schema validation
--- a/apps/api-server/src/procedures/base.ts
+++ b/apps/api-server/src/procedures/base.ts
@@ -111,13 +111,13 @@ export const authMiddleware = os.middleware(async ({ context, next }) => {
  const sessionInfo: Session = session
    ? {
-        id: Number(session.id),
+        id: session.id,
        trustedMode: session.trusted_mode,
        createdAt: session.created_at,
      }
    : {
        // For API token auth, create a synthetic session object
-        id: 0,
+        id: "0",
        trustedMode: true,
        createdAt: apiToken?.created_at ?? new Date(),
      };
@@ -133,7 +133,8 @@ export const authMiddleware = os.middleware(async ({ context, next }) => {
 /**
 * Login request middleware - validates login request token from cookie
 */
-export const loginRequestMiddleware = os.middleware(async ({ context, next }) => {
+export const loginRequestMiddleware = os.middleware(
  async ({ context, next }) => {
    const { db, reqHeaders } = context;
    // Read login request token from cookie
@@ -195,7 +196,8 @@ export const loginRequestMiddleware = os.middleware(async ({ context, next }) =>
        user: sessionUser,
      },
    });
-});
+  },
 );
 /**
 * Superuser middleware - requires admin access (must be used after authMiddleware)
--- a/apps/api-server/src/router.ts
+++ b/apps/api-server/src/router.ts
@@ -9,7 +9,11 @@ import { resendVerificationEmail as resendVerificationHandler } from "./procedur
 import { resetPassword as resetPasswordHandler } from "./procedures/auth/reset-password.js";
 import { signup as signupHandler } from "./procedures/auth/signup.js";
 import { verifyEmail as verifyEmailHandler } from "./procedures/auth/verify-email.js";
-import { authMiddleware, loginRequestMiddleware, os } from "./procedures/base.js";
+import {
  authMiddleware,
  loginRequestMiddleware,
  os,
 } from "./procedures/base.js";
 import {
  createAuthenticationOptions as createAuthOptions,
  createRegistrationOptions as createRegOptions,
@@ -39,7 +43,11 @@ const createRegistrationOptions =
      // For signup flow, we don't have a user yet
      // The user will be created when signup is called with the passkeyInfo
-      const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
+      const rpInfo = getRPInfo(
        context.origin,
        context.allowedOrigins,
        context.rpName,
      );
      const result = await createRegOptions(context.db, rpInfo, { email });
      return result;
@@ -51,14 +59,22 @@ const verifyRegistration = os.auth.webauthn.verifyRegistration
  .handler(async ({ input, context }) => {
    const { challengeId, response } = input;
-    const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
+    const rpInfo = getRPInfo(
      context.origin,
      context.allowedOrigins,
      context.rpName,
    );
    await verifyReg(context.db, rpInfo, context.user.id, challengeId, response);
  });
 const createAuthenticationOptions = os.auth.webauthn.createAuthenticationOptions
  .use(loginRequestMiddleware)
  .handler(async ({ context }) => {
-    const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
+    const rpInfo = getRPInfo(
      context.origin,
      context.allowedOrigins,
      context.rpName,
    );
    const result = await createAuthOptions(context.db, rpInfo, context.user.id);
    return result;
  });
@@ -68,7 +84,11 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication
  .handler(async ({ input, context }) => {
    const { challengeId, response } = input;
-    const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
+    const rpInfo = getRPInfo(
      context.origin,
      context.allowedOrigins,
      context.rpName,
    );
    const verified = await verifyAuth(
      context.db,
      rpInfo,
@@ -89,11 +109,15 @@ const meGet = os.me.get.use(authMiddleware).handler(async () => {
  throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
 });
-const setupProfile = os.me.setupProfile.use(authMiddleware).handler(async () => {
+const setupProfile = os.me.setupProfile
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const updateProfile = os.me.updateProfile.use(authMiddleware).handler(async () => {
+const updateProfile = os.me.updateProfile
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
@@ -105,7 +129,7 @@ const setPassword = os.me.setPassword.use(authMiddleware).handler(async () => {
  throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
 });
-const listPasskeys = os.me.listPasskeys
+const passkeysList = os.me.passkeys.list
  .use(authMiddleware)
  .handler(async ({ context }) => {
    const passkeys = await getUserPasskeys(context.db, context.user.id);
@@ -118,22 +142,7 @@ const listPasskeys = os.me.listPasskeys
    }));
  });
-const createPasskey = os.me.createPasskey
+const passkeysRename = os.me.passkeys.rename
  .use(authMiddleware)
  .handler(async ({ input, context }) => {
    const { name: _name } = input;
    const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
    const result = await createRegOptions(context.db, rpInfo, {
      id: context.user.id,
      email: context.user.email,
      displayName: context.user.displayName,
    });
    return result;
  });
 const renamePasskey = os.me.renamePasskey
  .use(authMiddleware)
  .handler(async ({ input, context }) => {
    const { passkeyId, name } = input;
@@ -146,7 +155,7 @@ const renamePasskey = os.me.renamePasskey
      .execute();
  });
-const deletePasskey = os.me.deletePasskey
+const passkeysDelete = os.me.passkeys.delete
  .use(authMiddleware)
  .handler(async ({ input, context }) => {
    const { passkeyId } = input;
@@ -177,19 +186,27 @@ const deletePasskey = os.me.deletePasskey
      .execute();
  });
-const listSessions = os.me.listSessions.use(authMiddleware).handler(async () => {
+const listSessions = os.me.listSessions
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const revokeSession = os.me.revokeSession.use(authMiddleware).handler(async () => {
+const revokeSession = os.me.revokeSession
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const revokeAllSessions = os.me.revokeAllSessions.use(authMiddleware).handler(async () => {
+const revokeAllSessions = os.me.revokeAllSessions
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const getDeviceInfo = os.me.getDeviceInfo.use(authMiddleware).handler(async () => {
+const getDeviceInfo = os.me.getDeviceInfo
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
@@ -197,11 +214,15 @@ const trustDevice = os.me.trustDevice.use(authMiddleware).handler(async () => {
  throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
 });
-const listTrustedDevices = os.me.listTrustedDevices.use(authMiddleware).handler(async () => {
+const listTrustedDevices = os.me.listTrustedDevices
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const untrustDevice = os.me.untrustDevice.use(authMiddleware).handler(async () => {
+const untrustDevice = os.me.untrustDevice
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
@@ -237,32 +258,46 @@ const orgsLeave = os.orgs.leave.use(authMiddleware).handler(async () => {
 });
 // Orgs members procedures
-const membersList = os.orgs.members.list.use(authMiddleware).handler(async () => {
+const membersList = os.orgs.members.list
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const membersUpdateRole = os.orgs.members.updateRole.use(authMiddleware).handler(async () => {
+const membersUpdateRole = os.orgs.members.updateRole
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const membersRemove = os.orgs.members.remove.use(authMiddleware).handler(async () => {
+const membersRemove = os.orgs.members.remove
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
 // Orgs invites procedures
-const invitesList = os.orgs.invites.list.use(authMiddleware).handler(async () => {
+const invitesList = os.orgs.invites.list
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const invitesCreate = os.orgs.invites.create.use(authMiddleware).handler(async () => {
+const invitesCreate = os.orgs.invites.create
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const invitesCancel = os.orgs.invites.cancel.use(authMiddleware).handler(async () => {
+const invitesCancel = os.orgs.invites.cancel
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const invitesAccept = os.orgs.invites.accept.use(authMiddleware).handler(async () => {
+const invitesAccept = os.orgs.invites.accept
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
@@ -272,7 +307,9 @@ const sitesList = os.orgs.sites.list.use(authMiddleware).handler(async () => {
 });
 // Admin orgs procedures (require superuser - for now just auth, will add superuser middleware later)
-const adminOrgsList = os.admin.orgs.list.use(authMiddleware).handler(async () => {
+const adminOrgsList = os.admin.orgs.list
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
@@ -280,53 +317,77 @@ const adminOrgsGet = os.admin.orgs.get.use(authMiddleware).handler(async () => {
  throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
 });
-const adminOrgsCreate = os.admin.orgs.create.use(authMiddleware).handler(async () => {
+const adminOrgsCreate = os.admin.orgs.create
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminOrgsUpdate = os.admin.orgs.update.use(authMiddleware).handler(async () => {
+const adminOrgsUpdate = os.admin.orgs.update
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminOrgsDelete = os.admin.orgs.delete.use(authMiddleware).handler(async () => {
+const adminOrgsDelete = os.admin.orgs.delete
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminOrgsListSites = os.admin.orgs.listSites.use(authMiddleware).handler(async () => {
+const adminOrgsListSites = os.admin.orgs.listSites
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminOrgsAddSite = os.admin.orgs.addSite.use(authMiddleware).handler(async () => {
+const adminOrgsAddSite = os.admin.orgs.addSite
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminOrgsRemoveSite = os.admin.orgs.removeSite.use(authMiddleware).handler(async () => {
+const adminOrgsRemoveSite = os.admin.orgs.removeSite
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
 // Admin users procedures
-const adminUsersList = os.admin.users.list.use(authMiddleware).handler(async () => {
+const adminUsersList = os.admin.users.list
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminUsersGet = os.admin.users.get.use(authMiddleware).handler(async () => {
+const adminUsersGet = os.admin.users.get
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminUsersCreate = os.admin.users.create.use(authMiddleware).handler(async () => {
+const adminUsersCreate = os.admin.users.create
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminUsersUpdate = os.admin.users.update.use(authMiddleware).handler(async () => {
+const adminUsersUpdate = os.admin.users.update
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
-const adminUsersConfirmEmail = os.admin.users.confirmEmail.use(authMiddleware).handler(async () => {
+const adminUsersConfirmEmail = os.admin.users.confirmEmail
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
 // Admin auth procedures
-const adminAuthCompleteLogin = os.admin.auth.completeLogin.use(authMiddleware).handler(async () => {
+const adminAuthCompleteLogin = os.admin.auth.completeLogin
  .use(authMiddleware)
  .handler(async () => {
    throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
  });
@@ -356,10 +417,11 @@ export const router = os.router({
    updateProfile,
    delete: meDelete,
    setPassword,
-    listPasskeys,
+    passkeys: {
-    createPasskey,
+      list: passkeysList,
-    renamePasskey,
+      rename: passkeysRename,
-    deletePasskey,
+      delete: passkeysDelete,
    },
    listSessions,
    revokeSession,
    revokeAllSessions,