Move middlewares to dedicated folder with one per file

- Create src/middlewares/ folder with separate files:
  - os.ts: base implementer
  - auth.ts: authentication middleware
  - login-request.ts: login request middleware
  - superuser.ts: chains authMiddleware then checks superuser
- Update base.ts to re-export from middlewares
- Update admin procedures to use merged superuserMiddleware
  (no longer need to chain authMiddleware.use(superuserMiddleware))

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/middlewares/auth.ts

@@ -0,0 +1,138 @@
+/**
+ * Auth middleware - validates session/API token and adds user to context
+ */
+
+import type { AuthInfo, Session, SessionUser } from "../context.js";
+import { ORPCError } from "@orpc/server";
+import { COOKIE_NAMES, getCookie } from "../utils/cookies.js";
+import { hashToken } from "../utils/crypto.js";
+import { os } from "./os.js";
+
+export const authMiddleware = os.middleware(async ({ context, next }) => {
+  const { db, reqHeaders } = context;
+
+  // Try session cookie first
+  let tokenHash: string | undefined;
+  const sessionToken = getCookie(reqHeaders, COOKIE_NAMES.SESSION_TOKEN);
+  if (sessionToken) {
+    tokenHash = await hashToken(sessionToken);
+  }
+
+  // Fall back to API key header (for CLI)
+  const apiKey = reqHeaders.get("x-api-key");
+  if (!tokenHash && apiKey) {
+    tokenHash = await hashToken(apiKey);
+  }
+
+  if (!tokenHash) {
+    throw new ORPCError("UNAUTHORIZED", { message: "No session or API key" });
+  }
+
+  // Look up session (check not expired and not revoked)
+  const session = await db
+    .selectFrom("sessions")
+    .where("token_hash", "=", tokenHash)
+    .where("expires_at", ">", new Date())
+    .where("revoked_at", "is", null)
+    .selectAll()
+    .executeTakeFirst();
+
+  // Fall back to API token if no session found
+  const apiToken = !session
+    ? await db
+        .selectFrom("api_tokens")
+        .where("token_hash", "=", tokenHash)
+        .where("expires_at", ">", new Date())
+        .selectAll()
+        .executeTakeFirst()
+    : undefined;
+
+  const userId = session?.user_id ?? apiToken?.user_id;
+  if (!userId) {
+    throw new ORPCError("UNAUTHORIZED", {
+      message: "Invalid or expired token",
+    });
+  }
+
+  // Update last_used_at for API tokens
+  if (apiToken) {
+    await db
+      .updateTable("api_tokens")
+      .set({ last_used_at: new Date() })
+      .where("id", "=", apiToken.id)
+      .execute();
+  }
+
+  // Fetch user details
+  const user = await db
+    .selectFrom("users")
+    .where("id", "=", userId)
+    .select([
+      "id",
+      "email",
+      "display_name",
+      "email_verified_at",
+      "is_superuser",
+    ])
+    .executeTakeFirst();
+
+  if (!user) {
+    throw new ORPCError("UNAUTHORIZED", {
+      message: "User not found",
+    });
+  }
+
+  const sessionUser: SessionUser = {
+    id: user.id,
+    email: user.email,
+    displayName: user.display_name,
+    emailVerifiedAt: user.email_verified_at,
+    isSuperuser: user.is_superuser,
+  };
+
+  // Build session and auth info based on authentication method
+  let sessionInfo: Session;
+  let authInfo: AuthInfo;
+
+  if (session) {
+    sessionInfo = {
+      id: session.id,
+      trustedMode: session.trusted_mode,
+      createdAt: session.created_at,
+    };
+    authInfo = {
+      method: "session",
+      sessionId: session.id,
+      expiresAt: session.expires_at,
+      createdAt: session.created_at,
+    };
+  } else if (apiToken) {
+    sessionInfo = {
+      // For API token auth, create a synthetic session object
+      id: "0",
+      trustedMode: true,
+      createdAt: apiToken.created_at,
+    };
+    authInfo = {
+      method: "api_token",
+      tokenId: apiToken.id,
+      tokenName: apiToken.name,
+      expiresAt: apiToken.expires_at,
+      lastUsedAt: apiToken.last_used_at,
+      createdAt: apiToken.created_at,
+    };
+  } else {
+    // This should never happen since we checked userId above
+    throw new ORPCError("UNAUTHORIZED", {
+      message: "Invalid authentication state",
+    });
+  }
+
+  return next({
+    context: {
+      user: sessionUser,
+      session: sessionInfo,
+      auth: authInfo,
+    },
+  });
+});

apps/api-server/src/middlewares/index.ts

@@ -0,0 +1,8 @@
+/**
+ * Middleware exports
+ */
+
+export { authMiddleware } from "./auth.js";
+export { loginRequestMiddleware } from "./login-request.js";
+export { os } from "./os.js";
+export { superuserMiddleware } from "./superuser.js";

apps/api-server/src/middlewares/login-request.ts

@@ -0,0 +1,64 @@
+/**
+ * Login request middleware - validates login request token from cookie
+ */
+
+import type { SessionUser } from "../context.js";
+import { ORPCError } from "@orpc/server";
+import { COOKIE_NAMES, getCookie } from "../utils/cookies.js";
+import { os } from "./os.js";
+
+export const loginRequestMiddleware = os.middleware(
+  async ({ context, next }) => {
+    const { db, reqHeaders } = context;
+
+    // Read login request token from cookie
+    const loginRequestToken = getCookie(
+      reqHeaders,
+      COOKIE_NAMES.LOGIN_REQUEST_TOKEN,
+    );
+
+    if (!loginRequestToken) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: "No login request found",
+      });
+    }
+
+    // Fetch login request with user data by token
+    const result = await db
+      .selectFrom("login_requests")
+      .innerJoin("users", "users.id", "login_requests.user_id")
+      .select([
+        "login_requests.id",
+        "login_requests.user_id",
+        "login_requests.expires_at",
+        "users.email",
+        "users.display_name",
+        "users.email_verified_at",
+        "users.is_superuser",
+      ])
+      .where("login_requests.token", "=", loginRequestToken)
+      .where("login_requests.expires_at", ">", new Date())
+      .executeTakeFirst();
+
+    if (!result) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: "Login request expired or not found",
+      });
+    }
+
+    const sessionUser: SessionUser = {
+      id: result.user_id,
+      email: result.email,
+      displayName: result.display_name,
+      emailVerifiedAt: result.email_verified_at,
+      isSuperuser: result.is_superuser,
+    };
+
+    return next({
+      context: {
+        loginRequestId: Number(result.id),
+        user: sessionUser,
+      },
+    });
+  },
+);

apps/api-server/src/middlewares/os.ts

@@ -0,0 +1,10 @@
+/**
+ * Base implementer with typed APIContext
+ * All procedures and middlewares should derive from this
+ */
+
+import type { APIContext } from "../context.js";
+import { implement } from "@orpc/server";
+import { contract } from "@reviq/api-contract";
+
+export const os = implement(contract).$context<APIContext>();

apps/api-server/src/middlewares/superuser.ts

@@ -0,0 +1,23 @@
+/**
+ * Superuser middleware - authenticates and requires superuser access
+ *
+ * This middleware chains authMiddleware first, then checks for superuser.
+ */
+
+import type { AuthenticatedContext } from "../context.js";
+import { ORPCError } from "@orpc/server";
+import { authMiddleware } from "./auth.js";
+import { os } from "./os.js";
+
+const superuserCheck = os.middleware(
+  async ({ context, next }: { context: AuthenticatedContext; next: () => Promise<unknown> }) => {
+    if (!context.user.isSuperuser) {
+      throw new ORPCError("FORBIDDEN", {
+        message: "Superuser access required",
+      });
+    }
+    return next();
+  },
+);
+
+export const superuserMiddleware = authMiddleware.concat(superuserCheck);