441c828a17
Task: Replace Clerk (Replit-managed) with a standalone JWT/cookie-based auth system. ## What changed ### Backend (api-server) - Added `admin_users` table (lib/db/src/schema/adminUsers.ts) with id, email (unique), password_hash, created_at; pushed to DB with drizzle-kit push - Replaced `resolveAuth`/`requireAdmin` in auth.ts middleware: now reads a signed HS256 JWT from the `session` httpOnly cookie (via `jose`) instead of Clerk tokens - Added `POST /api/auth/login` (bcrypt password check → sets httpOnly cookie), `POST /api/auth/logout` (clears cookie), `GET /api/me` (unchanged contract) - Added `seedAdminUser()` in lib/seedAdmin.ts: on startup, if no admin exists, creates one from ADMIN_EMAIL + ADMIN_PASSWORD env vars (bcrypt-hashed) - Removed all Clerk imports from app.ts: clerkMiddleware, publishableKeyFromHost, clerkProxyMiddleware deleted - Deleted clerkProxyMiddleware.ts entirely - Added cookie-parser middleware to app.ts - Removed @clerk/express, @clerk/shared from package.json; added jose, bcryptjs, @types/bcryptjs ### Frontend (skillguard) - Removed ClerkProvider, SignIn, SignUp, ClerkQueryClientCacheInvalidator from App.tsx; replaced with plain wouter routes - Replaced /sign-in and /sign-up routes with a single /sign-in route pointing to new LoginPage - New LoginPage (src/pages/login.tsx): email+password form using shadcn Input/Button/Card, calls POST /api/auth/login, redirects to /admin on success - layout.tsx: replaced useClerk/useUser with useGetMe() + fetch POST /api/auth/logout - require-admin.tsx: unchanged logic (already used useGetMe()), updated comment - Removed @clerk/react, @clerk/localizations, @clerk/themes from package.json - Added signInButton + loginError i18n keys to all 3 locales (de/en/es) ## New secrets required - SESSION_SECRET (already existed) - ADMIN_EMAIL (new — first admin email) - ADMIN_PASSWORD (new — first admin password, stored as bcrypt hash) ## Removed env vars - CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, VITE_CLERK_PUBLISHABLE_KEY, VITE_CLERK_PROXY_URL (can be deleted from secrets) ## Test results All 79 tests pass. Replit-Task-Id: 41d32d48-8f20-44bc-b665-a2becb83e503
69 lines
1.9 KiB
TypeScript
69 lines
1.9 KiB
TypeScript
import type { Request, Response, NextFunction } from "express";
|
|
import * as jose from "jose";
|
|
import { logger } from "../lib/logger";
|
|
|
|
export type AuthInfo = {
|
|
userId: string | null;
|
|
email: string | null;
|
|
isAdmin: boolean;
|
|
};
|
|
|
|
function getSecret(): Uint8Array {
|
|
const secret = process.env.SESSION_SECRET;
|
|
if (!secret) throw new Error("SESSION_SECRET is not set");
|
|
return new TextEncoder().encode(secret);
|
|
}
|
|
|
|
export async function resolveAuth(req: Request): Promise<AuthInfo> {
|
|
const token = req.cookies?.session;
|
|
if (!token) return { userId: null, email: null, isAdmin: false };
|
|
|
|
try {
|
|
const { payload } = await jose.jwtVerify(token, getSecret(), {
|
|
algorithms: ["HS256"],
|
|
});
|
|
const email = typeof payload.email === "string" ? payload.email : null;
|
|
const userId = typeof payload.sub === "string" ? payload.sub : null;
|
|
if (!email || !userId) return { userId: null, email: null, isAdmin: false };
|
|
return { userId, email, isAdmin: true };
|
|
} catch (err) {
|
|
logger.debug({ err }, "JWT verification failed");
|
|
return { userId: null, email: null, isAdmin: false };
|
|
}
|
|
}
|
|
|
|
export async function signToken(userId: number, email: string): Promise<string> {
|
|
return new jose.SignJWT({ email })
|
|
.setProtectedHeader({ alg: "HS256" })
|
|
.setSubject(String(userId))
|
|
.setIssuedAt()
|
|
.setExpirationTime("30d")
|
|
.sign(getSecret());
|
|
}
|
|
|
|
declare global {
|
|
// eslint-disable-next-line @typescript-eslint/no-namespace
|
|
namespace Express {
|
|
interface Request {
|
|
auth?: AuthInfo;
|
|
}
|
|
}
|
|
}
|
|
|
|
export async function requireAdmin(
|
|
req: Request,
|
|
res: Response,
|
|
next: NextFunction,
|
|
): Promise<void> {
|
|
const info = await resolveAuth(req);
|
|
if (!info.userId) {
|
|
res.status(401).json({ error: "Nicht angemeldet." });
|
|
return;
|
|
}
|
|
if (!info.isAdmin) {
|
|
res.status(403).json({ error: "Kein Administratorzugriff." });
|
|
return;
|
|
}
|
|
req.auth = info;
|
|
next();
|
|
}
|