Skip to content

refactor(auth): migrate special services contacts/admin/credits (#52)#61

Merged
pranavp10 merged 3 commits into
mainfrom
auth-refactor-52-special-services
Jul 13, 2026
Merged

refactor(auth): migrate special services contacts/admin/credits (#52)#61
pranavp10 merged 3 commits into
mainfrom
auth-refactor-52-special-services

Conversation

@pranavp10

@pranavp10 pranavp10 commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

Migrates the remaining special services onto @reloop/auth/middleware:

Service Notes
contacts Shared plugin (token-keyed session cache replaces cookie-hash cache)
credits Shared auth + platformAdmin; cookieAuth routes → auth
admin Shared platformAdmin + scoped supportSession

Admin email/name decision (#52)

Lean AuthContext omits email/name. Admin audit stores actorUserId only; email/name are resolved via JOIN on user when listing audit logs. isPlatformAdmin is derived from role === PLATFORM_ADMIN_ROLE.

Stacked on #60 (#51). Closes #52.

Test plan

  • Smoke: contacts (3), credits (3 incl. platformAdmin), admin (3 incl. platformAdmin + supportSession)
  • Typecheck green for all three
  • Characterization tripwire still green
  • CI green once stack base merges

Greptile Summary

This PR moves the remaining special services onto the shared auth middleware. The main changes are:

  • Admin now uses shared platform-admin auth with a scoped support-session path.
  • Contacts now mounts the shared auth plugin with Redis-backed session caching.
  • Credits now uses shared auth and platform-admin guards.
  • API-key helpers moved from the deleted shim package into @reloop/auth/apikey imports.
  • Smoke tests were added for admin, contacts, and credits auth behavior.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
apps/backend/admin/src/middleware/auth-middleware.ts Admin auth now mounts the shared plugin and keeps a local support-session macro.
apps/backend/contacts/src/middleware/auth.ts Contacts auth now delegates to the shared plugin with Redis-backed session caching.
apps/backend/credits/src/middleware/auth-middleware.ts Credits auth now delegates to the shared plugin for customer and platform-admin guards.
apps/backend/credits/src/routes/credits/get-plan/get-plan.route.ts The plan route now uses the shared auth guard.
apps/backend/credits/src/routes/credits/get-usage/get-usage.route.ts The usage route now uses the shared auth guard.
apps/backend/credits/src/routes/credits/list-transactions/list-transactions.route.ts The transactions route now uses the shared auth guard.
packages/apikey/src/index.ts The old API-key shim package was removed after consumers moved to @reloop/auth exports.

Reviews (2): Last reviewed commit: "Merge pull request #62 from reloop-labs/..." | Re-trigger Greptile

Last service migrations onto the shared plugin:

- contacts: replace cookie-hash session cache with shared token-keyed cache
- credits: shared auth + platformAdmin; cookieAuth routes → auth (fail-closed)
- admin: shared platformAdmin; scoped supportSession; email/name via audit JOIN

Documents #52 decision: lean AuthContext; admin audit lists email/name by
joining user on actorUserId. Smoke tests cover platform-admin paths.
Contract step of the auth refactor: repoint generation/validation
consumers to @reloop/auth/apikey (+ /validate), remove the workspace
shim package, and clean tsconfig paths and lockfile.

Importers updated:
- be-api-key create/rotate controllers
- be-email onboarding
- be-auth characterization tests
},
{
cookieAuth: true,
auth: true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security API Keys Reach Billing Plan

When this route uses the shared auth macro, a valid organization x-api-key can call the plan endpoint. The deleted cookieAuth guard only accepted session cookies, so integration keys can now read billing plan data that was previously session-only.

},
{
cookieAuth: true,
auth: true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security API Keys Reach Credit Usage

The shared auth macro accepts both session cookies and valid organization API keys. This changes the usage endpoint from the deleted session-only cookieAuth path to a broader credential path, so an integration key can now read credit usage for its organization.

},
{
cookieAuth: true,
auth: true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security API Keys Reach Transaction History

This route now accepts the shared auth context, which permits valid organization API keys. The old cookieAuth guard did not check API keys, so an integration key can now list billing transactions for its organization.

…y-shim

refactor(auth): delete @reloop/apikey shim; repoint importers (#53)
Base automatically changed from auth-refactor-51-migrate-batch-b to main July 13, 2026 05:13
@pranavp10 pranavp10 merged commit 66b33c5 into main Jul 13, 2026
1 check passed
@pranavp10 pranavp10 deleted the auth-refactor-52-special-services branch July 13, 2026 05:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Auth refactor 9/10 — Migrate the special services (contacts, admin, credits)

1 participant