publisher-dashboard/.ast-grep/rules/orpc-error-required.yml
RevIQ 829d365e80 Implement auth procedures with code review fixes
Add complete auth backend (Workstream D):
- Auth middleware for session/API key authentication
- Signup with password or passkey (WebAuthn)
- Login flow with device trust and email confirmation
- Password reset and email verification
- Session management and logout

Utilities created:
- cookies.ts: Cookie helpers and configuration
- crypto.ts: Token generation and hashing
- password.ts: zxcvbn validation, argon2id hashing
- geo.ts: IP/location extraction from headers
- email.ts: Stubbed email sending
- session.ts: Session creation and device trust

Code review improvements applied:
- Use ORPCError instead of Error in procedures
- Add ast-grep rule to enforce ORPCError usage
- Remove error info leakage (generic messages)
- Optimize N+1 query with JOIN in login-password
- Extract signupWithPassword/signupWithPasskey for testability
- Add 15-minute WebAuthn challenge expiry check
- Strengthen CookieOptions type definitions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:19:15 +08:00


id: orpc-error-required
language: typescript
severity: error
message: Use ORPCError instead of Error in API procedures for proper error handling
note: |
  In oRPC procedures, always use ORPCError from @orpc/server to ensure
  errors are properly serialized with correct HTTP status codes.
  Example:
    throw new ORPCError("BAD_REQUEST", { message: "..." });
  Available error codes: UNAUTHORIZED, FORBIDDEN, BAD_REQUEST, NOT_FOUND,
  INTERNAL_SERVER_ERROR, etc.
rule:
  pattern: throw new Error($MSG)
  inside:
    kind: arrow_function
    stopBy: end
files:
  - "apps/api-server/src/procedures/**/*.ts"
  - "apps/api-server/src/router.ts"
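To show why the rule pairs with the "remove error info leakage" item in the commit message, here is an added example that is not part of this commit or of oRPC: a minimal error-to-response boundary, with the procedure shape the rule flags beside the shape it steers toward. The `ORPCError` class, `HTTP_STATUS` table, `toResponse` and `invoke` are hypothetical stand-ins that only mirror the constructor shape shown in the rule's note, not the real @orpc/server implementation.

```typescript
// Added example, not code from the commit. ORPCError is a hypothetical
// stand-in mirroring the constructor shape in the rule's note, not @orpc/server.
type ErrorCode =
  | "UNAUTHORIZED" | "FORBIDDEN" | "BAD_REQUEST" | "NOT_FOUND" | "INTERNAL_SERVER_ERROR";

const HTTP_STATUS: Record<ErrorCode, number> = {
  UNAUTHORIZED: 401, FORBIDDEN: 403, BAD_REQUEST: 400, NOT_FOUND: 404, INTERNAL_SERVER_ERROR: 500,
};

class ORPCError extends Error {
  readonly code: ErrorCode;
  constructor(code: ErrorCode, options: { message?: string } = {}) {
    super(options.message ?? code);
    this.name = "ORPCError";
    this.code = code;
  }
  get status(): number { return HTTP_STATUS[this.code]; }
}

interface ErrorResponse { status: number; code: ErrorCode; message: string }

// What a serializer at the trust boundary should do: a typed error carries its
// own status and a message the developer chose deliberately; anything else is
// collapsed to an opaque 500 so library text, SQL or stack detail never leaves.
function toResponse(err: unknown): ErrorResponse {
  if (err instanceof ORPCError) {
    return { status: err.status, code: err.code, message: err.message };
  }
  return { status: 500, code: "INTERNAL_SERVER_ERROR", message: "Internal server error" };
}

type Credentials = { email: string; password: string };

// The shape the ast-grep rule flags: `throw new Error(...)` inside a procedure's
// arrow function. The message would also reveal whether the account exists.
const loginBefore = (input: Credentials): void => {
  throw new Error(`No user found for ${input.email}`);
};

// The replacement the rule steers toward: explicit code, generic message.
const loginAfter = (_input: Credentials): void => {
  throw new ORPCError("UNAUTHORIZED", { message: "Invalid credentials" });
};

// Runs a procedure the way a server boundary would; null means success.
function invoke(proc: (input: Credentials) => void, input: Credentials): ErrorResponse | null {
  try {
    proc(input);
    return null;
  } catch (err) {
    return toResponse(err);
  }
}
```

Note that the boundary never echoes a plain `Error`'s message; the rule exists so that procedures are forced to pick a status code and a client-safe message rather than relying on that fallback.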