Add admin CLI command and auth guard, use oRPC client

CLI changes: - Use official oRPC client instead of manual HTTP requests - Add admin complete-login command for dev workflow - Remove type assertions, use proper ContractRouterClient typing - Add @orpc/client and @orpc/contract dependencies API changes: - Use oRPC cookie helpers from @orpc/server/helpers - Improve admin complete-login error messages (expired, already completed) Dashboard changes: - Add AuthGuard component to redirect unauthenticated users to /auth/login - Update confirm page with correct CLI command and copy button - Remove duplicate auth redirect from dashboard layout Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 19:12:19 +08:00
parent 60bcbeffb3
commit d66894e8dc
19 changed files with 220 additions and 188 deletions
--- a/apps/api-server/src/procedures/admin/auth/complete-login.ts
+++ b/apps/api-server/src/procedures/admin/auth/complete-login.ts
@@ -9,24 +9,40 @@ export const adminAuthCompleteLogin = os.admin.auth.completeLogin
  .use(authMiddleware)
  .use(superuserMiddleware)
  .handler(async ({ input, context }) => {
-    const loginRequest = await context.db
+    const email = input.email.toLowerCase();
+
+    // First check if any login request exists for this email
+    const anyRequest = await context.db
      .selectFrom("login_requests")
-      .where("email", "=", input.email.toLowerCase())
-      .where("completed_at", "is", null)
-      .where("expires_at", ">", new Date())
+      .where("email", "=", email)
      .orderBy("created_at", "desc")
-      .select(["id"])
+      .select(["id", "completed_at", "expires_at"])
      .executeTakeFirst();

-    if (!loginRequest) {
+    if (!anyRequest) {
      throw new ORPCError("NOT_FOUND", {
-        message: "No pending login request found",
+        message: `No login request found for ${email}`,
      });
    }

+    // Check if already completed
+    if (anyRequest.completed_at) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: "Login request already completed",
+      });
+    }
+
+    // Check if expired
+    if (new Date(anyRequest.expires_at) < new Date()) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: "Login request expired (15 min limit). Start a new login flow.",
+      });
+    }
+
+    // Complete the login request
    await context.db
      .updateTable("login_requests")
      .set({ completed_at: new Date() })
-      .where("id", "=", loginRequest.id)
+      .where("id", "=", anyRequest.id)
      .execute();
  });