Implement auth procedures with code review fixes

Add complete auth backend (Workstream D): - Auth middleware for session/API key authentication - Signup with password or passkey (WebAuthn) - Login flow with device trust and email confirmation - Password reset and email verification - Session management and logout Utilities created: - cookies.ts: Cookie helpers and configuration - crypto.ts: Token generation and hashing - password.ts: zxcvbn validation, argon2id hashing - geo.ts: IP/location extraction from headers - email.ts: Stubbed email sending - session.ts: Session creation and device trust Code review improvements applied: - Use ORPCError instead of Error in procedures - Add ast-grep rule to enforce ORPCError usage - Remove error info leakage (generic messages) - Optimize N+1 query with JOIN in login-password - Extract signupWithPassword/signupWithPasskey for testability - Add 15-minute WebAuthn challenge expiry check - Strengthen CookieOptions type definitions Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:19:15 +08:00
parent 8de88472b1
commit 829d365e80
24 changed files with 1739 additions and 47 deletions
--- a/apps/api-server/src/index.ts
+++ b/apps/api-server/src/index.ts
@@ -25,17 +25,30 @@ Bun.serve({
      const origin =
        request.headers.get("origin") ?? `http://localhost:${String(port)}`;

+      // Create response headers for setting cookies
+      const resHeaders = new Headers();
+
      const context: APIContext = {
        db,
        origin,
        allowedOrigins,
        rpName,
+        reqHeaders: request.headers,
+        resHeaders,
      };

      const { response } = await handler.handle(request, {
        prefix: "/api/v1/rpc",
        context,
      });
+
+      // Merge response headers (cookies) into the response
+      if (response) {
+        resHeaders.forEach((value, key) => {
+          response.headers.append(key, value);
+        });
+      }
+
      return response ?? new Response("Not Found", { status: 404 });
    }