Skip to content

refactor(auth): migrate plain-session batch B to shared plugin (#51)#60

Merged
pranavp10 merged 1 commit into
mainfrom
auth-refactor-51-migrate-batch-b
Jul 13, 2026
Merged

refactor(auth): migrate plain-session batch B to shared plugin (#51)#60
pranavp10 merged 1 commit into
mainfrom
auth-refactor-51-migrate-batch-b

Conversation

@pranavp10

@pranavp10 pranavp10 commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

Batch B plain-session migrations onto @reloop/auth/middleware:

Service Notes
template Shared plugin + collabAuth for collab WS (email/name/image)
api-key Shared plugin; keeps @reloop/apikey for key generation helpers
logs Shared plugin; unused insertAuth dropped
workflow No auth middleware — not applicable

Stacked on #59 (#50). Closes #51.

Test plan

  • Smoke: template, api-key, logs (3 each)
  • tsc --noEmit green for all three
  • Characterization tripwire still green
  • CI green once stack base merges

Greptile Summary

This PR migrates several plain-session backends onto the shared auth middleware. The main changes are:

  • Shared auth plugin wiring for api-key, logs, and template services.
  • Deleted local API-key and cookie-session middleware wrappers.
  • New template collabAuth path for collaboration WebSocket profile fields.
  • Smoke tests and package dependency updates for the migrated services.

Confidence Score: 4/5

The changed auth paths need fixes before merging.

  • The collaboration WebSocket auth path can throw on auth-service network or JSON failures.
  • API-key validation now uses a session-scoped cache namespace, which can leave revoked keys usable if cleanup still targets the old namespace.
  • Logs route usage appears compatible with the shared plugin fields.

apps/backend/template/src/middleware/auth.ts and apps/backend/api-key/src/middleware/auth.ts

Security Review

API-key validation is now routed through a session-scoped Redis cache in the migrated paths. If revocation cleanup still targets the old API-key namespace, revoked keys can remain usable from the new cache namespace until expiry.

Important Files Changed

Filename Overview
apps/backend/api-key/src/middleware/auth.ts Switches the service to createAuthPlugin, with a cache namespace change that can affect API-key revocation behavior.
apps/backend/logs/src/middleware/auth.ts Switches logs routes to the shared auth plugin; current route context usage still matches the shared plugin fields.
apps/backend/template/src/middleware/auth.ts Adds shared auth plus collabAuth; the direct session fetch can escape on auth-service failures and API-key validation uses the session cache namespace.
apps/backend/template/src/routes/template/collaboration/collaboration.route.ts Moves the collaboration WebSocket route from generic auth to collabAuth so presence fields are available.
apps/backend/api-key/test/auth-smoke.test.ts Adds smoke coverage for shared-plugin session, missing credentials, and API-key flows.
apps/backend/logs/test/auth-smoke.test.ts Adds smoke coverage for shared-plugin session, missing credentials, and API-key flows.
apps/backend/template/test/auth-smoke.test.ts Adds smoke coverage for shared-plugin session, missing credentials, and API-key flows.

Reviews (1): Last reviewed commit: "refactor(auth): migrate plain-session ba..." | Re-trigger Greptile

Greptile also left 3 inline comments on this PR.

Migrate template, api-key, and logs onto createAuthPlugin following the
pilot recipe. Delete bespoke cookie-auth / api-key-auth middleware.

- template: shared plugin + collabAuth (profile fields for websocket presence)
- api-key / logs: straight plugin mount with fail-closed auth
- Smoke tests per service; workflow has no auth middleware (skipped)
Comment on lines +64 to +83
const response = await fetch(
`${templateConfig.BASE_URL.replace(/\/$/, "")}/api/auth/v1/get-session`,
{
method: "GET",
headers: {
"Content-Type": "application/json",
Cookie: cookie,
},
},
);
if (!response.ok) throw AuthErrors.unauthorized();

const body = (await response.json()) as {
user?: {
id: string;
email?: string;
name?: string;
image?: string;
activeOrganizationId?: string | null;
role?: string | null;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Auth Outage Escapes Macro

When get-session is unreachable or returns malformed JSON, this direct fetch() or response.json() throws out of collabAuth. The previous template auth path caught session validation failures and returned unauthorized, but this WebSocket guard can now turn an auth-service blip into an unhandled upgrade error instead of a clean rejection.

Comment on lines +19 to +23
/** Batch B migration: shared auth plugin (fail-closed org via `auth`). */
export const authMiddleware = new Elysia({ name: "auth-middleware" }).use(
createAuthPlugin({
baseUrl: apiKeyConfig.BASE_URL,
redis: sessionRedis,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security Revoked Keys Stay Cached

This passes the session-scoped Redis cache into the shared auth plugin, and that same Redis object is used for API-key validation. If API-key revocation or eviction still targets the old API-key cache namespace, a key cached through this path is read back from reloop-session:apikey:v1:* and can keep authenticating until the API-key cache TTL expires.

Comment on lines +45 to +56
const result = await validateApiKey(apiKey, sessionRedis);
if (result?.organizationId) {
return {
userId: result.userId,
organizationId: result.organizationId,
role: null as string | null,
authType: "apikey" as const,
apiKeyId: result.apiKeyId,
userEmail: undefined as string | undefined,
userName: undefined as string | undefined,
userImage: undefined as string | undefined,
};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security Revoked Keys Stay Cached

collabAuth validates API keys against sessionRedis, so collaboration API-key lookups are cached in the session namespace rather than the old API-key namespace. If revocation cleanup deletes only the API-key namespace, a revoked collaboration key can still pass this branch from cache until the long API-key TTL expires.

Base automatically changed from auth-refactor-50-migrate-batch-a to main July 13, 2026 05:13
@pranavp10 pranavp10 changed the base branch from auth-refactor-50-migrate-batch-a to main July 13, 2026 05:13
@pranavp10 pranavp10 merged commit 41e1b44 into main Jul 13, 2026
1 check passed
@pranavp10 pranavp10 deleted the auth-refactor-51-migrate-batch-b branch July 13, 2026 05:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Auth refactor 8/10 — Migrate plain-session services, batch B

1 participant