Migrate auth to central MAC service (String macUserId) #280

Draft
oliverhuangcode wants to merge 1 commit into development from oliver/mac-auth-migration

@oliverhuangcode

Contributor

Draft — do not merge yet. This must land during the coordinated cutover (the DB userId remap ObjectId → String macUserId and this deploy happen together). Merging before the remap would break the application tracker against un-remapped data.

What

Replaces mploy's self-hosted NextAuth/Mongo auth with the central passwordless auth service (auth.monashcoding.com), and keys all user-scoped data by the opaque String macUserId instead of a Mongo ObjectId.

There is no Spring backend in this repo — mploy's "backend" is Next.js Server Actions on MongoDB — so the Next.js server layer becomes the JWT-verifying resource server.

Changes

  • lib/mac-auth.ts (new): requireMacUserId() mints a JWT via GET /api/auth/token (forwarding the shared .monashcoding.com cookie) and verifies it locally against the central JWKS with jose (EdDSA, iss=https://auth.monashcoding.com, aud=mac-suite), returning macUserId.
  • lib/mac-session.tsx (new): MacSessionProvider / useMacSession backed by GET /api/auth/get-session, plus social sign-in and sign-out helpers.
  • my-applications/actions.ts: retype userId ObjectId → String on the 3 record types; drop all new ObjectId(userId) conversions; auth via requireMacUserId(). Affects applications, application_cycles, application_status_events.
  • Sign-in page: Google + Microsoft social buttons; password form removed (privacy-policy notice kept).
  • Deleted [...nextauth] route, lib/auth.ts, and the /sign-up password flow.
  • Swapped useSession/signOut across nav + client components.
  • Deps: remove next-auth, @auth/mongodb-adapter, bcryptjs; add jose.
  • Env: add NEXT_PUBLIC_AUTH_URL, AUTH_URL, JWT_AUDIENCE=mac-suite; drop NEXTAUTH_* / GOOGLE_* (all new vars default to production values in code).

Not touched

  • active_jobs (public job board) — no user scoping.
  • application_stages — not a code collection (stages are hardcoded).

Verification

  • tsc --noEmit, eslint, and next build all pass.
  • Runtime sign-in must be tested on a *.monashcoding.com host (shared cookie) against a DB already holding String userIds — i.e. at cutover. Do not point at prod data until the remap runs.

🤖 Generated with Claude Code

Replace NextAuth/Mongo-adapter auth with the central passwordless auth
service (auth.monashcoding.com). The Next.js server layer now acts as the
JWT-verifying resource server:

- add lib/mac-auth.ts: requireMacUserId() mints a JWT via /api/auth/token
  and verifies it locally against the central JWKS (EdDSA, iss/aud) -> macUserId
- add lib/mac-session.tsx: MacSessionProvider/useMacSession backed by
  /api/auth/get-session, plus social sign-in / sign-out helpers
- my-applications actions: retype userId ObjectId -> String and drop all
  new ObjectId(userId) conversions; auth via requireMacUserId()
- sign-in page: Google + Microsoft social; remove password form
- delete [...nextauth] route, lib/auth.ts, and the /sign-up password flow
- swap useSession/signOut across nav + client components
- deps: remove next-auth, @auth/mongodb-adapter, bcryptjs; add jose
- env: add NEXT_PUBLIC_AUTH_URL/AUTH_URL/JWT_AUDIENCE; drop NEXTAUTH_*/GOOGLE_*

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
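
The verification step that `requireMacUserId()` is described as performing (EdDSA signature, pinned `iss` and `aud`), as an added example that is not code from this PR. It uses Node's built-in `crypto` in place of `jose` and a locally generated Ed25519 key in place of the central JWKS so it runs offline; `verifyMacToken`, `signToken`, the `sub` claim carrying `macUserId`, and the required `exp` are assumptions.

```javascript
// Added example (not from the PR): resource-server checks for an EdDSA JWT.
const nodeCrypto = require("node:crypto");

const ISSUER = "https://auth.monashcoding.com"; // iss value from the PR description
const AUDIENCE = "mac-suite"; // aud value from the PR description

const b64url = (s) => Buffer.from(s).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url").toString("utf8");

// Helper for the demo: stands in for the central service issuing a token.
function signToken(privateKey, payload, header = { alg: "EdDSA", typ: "JWT" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${nodeCrypto.sign(null, Buffer.from(input), privateKey).toString("base64url")}`;
}

// Returns the user id or throws. Assumption: macUserId travels in `sub`.
function verifyMacToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // Pin the algorithm and key type; the token header must not pick them.
  if (JSON.parse(fromB64url(h)).alg !== "EdDSA") throw new Error("unexpected alg");
  if (publicKey.asymmetricKeyType !== "ed25519") throw new Error("unexpected key type");
  const sig = Buffer.from(s, "base64url");
  if (!nodeCrypto.verify(null, Buffer.from(`${h}.${p}`), publicKey, sig)) {
    throw new Error("bad signature");
  }
  // Claims are trusted only after the signature check has passed.
  const claims = JSON.parse(fromB64url(p));
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(AUDIENCE)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  if (typeof claims.sub !== "string" || claims.sub === "") throw new Error("missing sub");
  return claims.sub;
}

// Constructed demo data: a throwaway key pair and a made-up user id.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const exp = Math.floor(Date.now() / 1000) + 300;
  const token = signToken(privateKey, { iss: ISSUER, aud: AUDIENCE, sub: "mac_demo_user", exp });
  return verifyMacToken(token, publicKey);
}
console.log(demo());
```

A token signed for a different audience, by a different key, or carrying a header `alg` other than `EdDSA` is rejected before any user-scoped query runs.
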
@vercel

vercel Bot commented Jul 2, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
mploy-app | Ready | Preview, Comment | Jul 2, 2026 2:37pm
