Blame · collab-auth.ts

0b4b582	1	import { parse as parseCookie } from "cookie";
0b4b582	2
0b4b582	3	const GROVE_HUB_API_URL =
0b4b582	4	process.env.GROVE_HUB_API_URL \|\| "http://localhost:4001";
0b4b582	5
0b4b582	6	/**
0b4b582	7	* Verify a token by calling the hub-api (the authority that issued it).
0b4b582	8	* Returns the user object on success, throws on failure.
0b4b582	9	*/
0b4b582	10	export async function verifyToken(token: string): Promise<any> {
0b4b582	11	const res = await fetch(`${GROVE_HUB_API_URL}/api/auth/me`, {
0b4b582	12	headers: { Authorization: `Bearer ${token}` },
0b4b582	13	});
0b4b582	14	if (!res.ok) throw new Error(`hub-api returned ${res.status}`);
0b4b582	15	const data = await res.json();
0b4b582	16	return data.user;
0b4b582	17	}
0b4b582	18
0b4b582	19	export function extractToken(req: Request): string \| null {
0b4b582	20	// 1. Authorization header
0b4b582	21	const authHeader = req.headers.get("authorization");
0b4b582	22	if (authHeader?.startsWith("Bearer ")) {
0b4b582	23	return authHeader.slice(7);
0b4b582	24	}
0b4b582	25	// 2. Cookie
0b4b582	26	const cookieHeader = req.headers.get("cookie");
0b4b582	27	if (cookieHeader) {
0b4b582	28	const cookies = parseCookie(cookieHeader);
0b4b582	29	if (cookies.grove_hub_token) return cookies.grove_hub_token;
0b4b582	30	}
0b4b582	31	return null;
0b4b582	32	}
0b4b582	33
0b4b582	34	// Socket.IO middleware for /collab namespace
0b4b582	35	export function socketAuth(
0b4b582	36	socket: { handshake: { auth?: { token?: string }; headers?: { cookie?: string } }; user?: any; token?: string },
0b4b582	37	next: (err?: Error) => void
0b4b582	38	) {
0b4b582	39	// 1. Handshake auth (client passes { auth: { token } })
0b4b582	40	let token = socket.handshake.auth?.token;
0b4b582	41	// 2. Fallback to cookie
0b4b582	42	if (!token) {
0b4b582	43	const cookieHeader = socket.handshake.headers?.cookie;
0b4b582	44	if (cookieHeader) {
0b4b582	45	const cookies = parseCookie(cookieHeader);
0b4b582	46	token = cookies.grove_hub_token;
0b4b582	47	}
0b4b582	48	}
0b4b582	49	if (!token) return next(new Error("unauthorized"));
0b4b582	50	verifyToken(token)
0b4b582	51	.then((user) => {
0b4b582	52	socket.user = user;
0b4b582	53	socket.token = token!;
0b4b582	54	next();
0b4b582	55	})
0b4b582	56	.catch(() => {
0b4b582	57	next(new Error("unauthorized"));
0b4b582	58	});
0b4b582	59	}