Migrate auth to central MAC service (String macUserId) #280
Draft
oliverhuangcode wants to merge 1 commit into
Replace NextAuth/Mongo-adapter auth with the central passwordless auth service (auth.monashcoding.com). The Next.js server layer now acts as the JWT-verifying resource server:

- add lib/mac-auth.ts: requireMacUserId() mints a JWT via /api/auth/token and verifies it locally against the central JWKS (EdDSA, iss/aud) -> macUserId
- add lib/mac-session.tsx: MacSessionProvider/useMacSession backed by /api/auth/get-session, plus social sign-in / sign-out helpers
- my-applications actions: retype userId ObjectId -> String and drop all new ObjectId(userId) conversions; auth via requireMacUserId()
- sign-in page: Google + Microsoft social; remove password form
- delete [...nextauth] route, lib/auth.ts, and the /sign-up password flow
- swap useSession/signOut across nav + client components
- deps: remove next-auth, @auth/mongodb-adapter, bcryptjs; add jose
- env: add NEXT_PUBLIC_AUTH_URL/AUTH_URL/JWT_AUDIENCE; drop NEXTAUTH_*/GOOGLE_*

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What

Replaces mploy's self-hosted NextAuth/Mongo auth with the central passwordless auth service (auth.monashcoding.com), and keys all user-scoped data by the opaque String macUserId instead of a Mongo ObjectId.

There is no Spring backend in this repo — mploy's "backend" is Next.js Server Actions on MongoDB — so the Next.js server layer becomes the JWT-verifying resource server.

Changes

- lib/mac-auth.ts (new): requireMacUserId() mints a JWT via GET /api/auth/token (forwarding the shared .monashcoding.com cookie) and verifies it locally against the central JWKS with jose (EdDSA, iss=https://auth.monashcoding.com, aud=mac-suite), returning macUserId.
- lib/mac-session.tsx (new): MacSessionProvider/useMacSession backed by GET /api/auth/get-session, plus social sign-in and sign-out helpers.
- my-applications/actions.ts: retype userId ObjectId → String on the 3 record types; drop all new ObjectId(userId) conversions; auth via requireMacUserId(). Affects applications, application_cycles, application_status_events.
- [...nextauth] route, lib/auth.ts, and the /sign-up password flow.
- useSession/signOut across nav + client components.
- next-auth, @auth/mongodb-adapter, bcryptjs; add jose.
- NEXT_PUBLIC_AUTH_URL, AUTH_URL, JWT_AUDIENCE=mac-suite; drop NEXTAUTH_*/GOOGLE_* (all new vars default to production values in code).

Not touched

- active_jobs (public job board) — no user scoping.
- application_stages — not a code collection (stages are hardcoded).

Verification

- tsc --noEmit, eslint, and next build all pass.
- *.monashcoding.com host (shared cookie) against a DB already holding String userIds — i.e. at cutover. Do not point at prod data until the remap runs.

🤖 Generated with Claude Code
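The local verification step listed under Changes (EdDSA, iss, aud, then macUserId), as an added example that is not code from this PR: it uses node:crypto instead of jose so it runs offline, and a constructed Ed25519 key pair stands in for the central JWKS. It assumes macUserId is carried in the `sub` claim; `mint`, `verifyMacToken` and `outcome` are hypothetical names.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Issuer and audience as stated in the PR description.
const ISSUER = "https://auth.monashcoding.com";
const AUDIENCE = "mac-suite";
const b64url = (b: Buffer): string => b.toString("base64url");

// Constructed key pair; a real resource server loads the public key from the JWKS.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");

// Test helper standing in for the auth service: signs constructed tokens only.
function mint(header: object, claims: object, key: KeyObject = privateKey): string {
  const input = `${b64url(Buffer.from(JSON.stringify(header)))}.${b64url(Buffer.from(JSON.stringify(claims)))}`;
  return `${input}.${b64url(sign(null, Buffer.from(input), key))}`;
}

// Returns macUserId (assumption: the `sub` claim) or throws with the reason.
function verifyMacToken(token: string, key: KeyObject, now: number = Date.now() / 1000): string {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm: the token header must not choose how it is verified.
  if (header.alg !== "EdDSA") throw new Error("unexpected alg");
  if (!verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url")))
    throw new Error("bad signature");
  // Claims are read only after the signature check has passed.
  const c = JSON.parse(Buffer.from(p, "base64url").toString());
  if (c.iss !== ISSUER) throw new Error("wrong issuer");
  const aud: unknown[] = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(AUDIENCE)) throw new Error("wrong audience");
  if (typeof c.exp !== "number" || c.exp <= now) throw new Error("expired");
  if (typeof c.sub !== "string" || c.sub === "") throw new Error("missing sub");
  return c.sub;
}

// Maps a token to "accepted" or the rejection reason, to show each failure mode.
function outcome(token: string, key: KeyObject = publicKey): string {
  try { verifyMacToken(token, key); return "accepted"; }
  catch (e) { return (e as Error).message; }
}

// Constructed demo token, valid for five minutes.
const demo = mint({ alg: "EdDSA" }, { iss: ISSUER, aud: AUDIENCE, sub: "constructed-user-1", exp: Date.now() / 1000 + 300 });
console.log(outcome(demo), verifyMacToken(demo, publicKey));
```

Because the returned value becomes the key for user-scoped records, every rejection path throws instead of returning an empty or default id.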