You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The heart of the refactor: one shared Elysia plugin factory at @reloop/auth/middleware that every backend service will eventually mount. It takes injected config, validates both session cookies and API keys, caches results, and returns one canonical shape. It is fully tested at the package level but not yet adopted by any service.
Canonical context shape (from the grilling session):
typeAuthContext={userId: string;organizationId: string|null;// null only via authNoOrg / platformAdmin routesrole: string|null;authType: "session"|"apikey";// legacy "auth" literal removed};
Registers macros: auth (fail-closed on missing active org), authNoOrg, apiKeyAuth, platformAdmin
Returns the canonical AuthContext for both session and API-key paths
Session results cached keyed by session token (extracted from cookie), plus a per-user index of tokens; writes both on cache miss
Always checks the get-session HTTP response status before trusting it
API-key path reuses the absorbed validation and derives organizationId from the key's owning organization
Package-level test suite mounts the plugin on a throwaway Elysia app and covers session auth, API-key auth, caching, fail-closed org logic, and all four macros (401 vs 200 + AuthContext)
Parent
#43
What to build
The heart of the refactor: one shared Elysia plugin factory at
@reloop/auth/middlewarethat every backend service will eventually mount. It takes injected config, validates both session cookies and API keys, caches results, and returns one canonical shape. It is fully tested at the package level but not yet adopted by any service.Canonical context shape (from the grilling session):
Acceptance criteria
{ baseUrl, redis, ttl }(default ttl 5s) — no hardcoded per-service valuesauth(fail-closed on missing active org),authNoOrg,apiKeyAuth,platformAdminAuthContextfor both session and API-key pathsget-sessionHTTP response status before trusting itorganizationIdfrom the key's owning organizationBlocked by