refactor(auth): migrate plain-session batch A to shared plugin (#50)#59
Merged
Conversation
Migrate mail, domain, inbox, and webhook onto createAuthPlugin following the upload pilot recipe. Delete bespoke cookie-auth / api-key-auth files, inject SESSION_CACHE_REDIS_PREFIX redis + baseUrl/ttl, and keep service-specific internal-secret macros where needed (mail auth, domain apiKeyOrInternalAuth). Narrow fail-closed auth/apiKeyAuth organizationId to string for handler types; optional apiKeyId for audit/inject paths. Smoke tests per service.
| userId: "internal", | ||
| organizationId, | ||
| role: null as string | null, | ||
| authType: "session" as const, |
There was a problem hiding this comment.
Internal Sends Look Like Sessions
When a caller authenticates with x-internal-secret, this branch now returns authType: "session" instead of the previous internal marker. The send-email path forwards that context into rate limiting and audit logging, so service-to-service sends are recorded and bucketed like user-session sends with the shared userId: "internal".
Suggested change
| authType: "session" as const, | |
| authType: "internal" as const, |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Batch A plain-session migrations onto
@reloop/auth/middleware(after pilot #49):authfail-closedauthfail-closedapiKeyOrInternalAuthfor Kumo dkim-key;cookieAuth→authauthre-declare for internal secret;activeOrganizationId→organizationIdAlso: fail-closed macros narrow
organizationIdtostring;apiKeyIdon API-key path for audit/inject.Stacked on #58 (#49). Closes #50.
Test plan
tsc --noEmitgreen for all four servicesGreptile Summary
This PR moves several backend services onto the shared auth middleware. The main changes are:
@reloop/auth/middleware.Confidence Score: 4/5
The changed flow looks mergeable after preserving the mail internal-service identity.
organizationIdshape consistently.apps/backend/mail/src/middleware/auth.ts
Important Files Changed
apiKeyIdpropagation and requires an organization for the standard sharedauthmacro.authoverride for API-key, internal-secret, and session callers.organizationIdfield and chooses inject credentials fromauthType.Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD Req[Request] --> Shared[Shared auth plugin] Shared --> ApiKey[API key] Shared --> Session[Session] Req --> Mail[Mail auth override] Mail --> MailApiKey[API key] Mail --> Internal[Internal secret] Mail --> MailSession[Session] MailApiKey --> Send[send-email route] Internal --> Send MailSession --> Send Send --> RateLimit[Rate limit] Send --> Controller[Send email controller] Controller --> Audit[Audit log] Controller --> Kumo[KumoMTA inject]%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% flowchart TD Req[Request] --> Shared[Shared auth plugin] Shared --> ApiKey[API key] Shared --> Session[Session] Req --> Mail[Mail auth override] Mail --> MailApiKey[API key] Mail --> Internal[Internal secret] Mail --> MailSession[Session] MailApiKey --> Send[send-email route] Internal --> Send MailSession --> Send Send --> RateLimit[Rate limit] Send --> Controller[Send email controller] Controller --> Audit[Audit log] Controller --> Kumo[KumoMTA inject]Reviews (1): Last reviewed commit: "refactor(auth): migrate plain-session ba..." | Re-trigger Greptile