feat: migrate auth stack and admin portal

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
2025-10-05 17:25:57 -03:00 · 2025-10-05 17:25:57 -03:00 · 7946b8d017
commit 7946b8d017
parent ff674d5bb5
46 changed files with 2564 additions and 178 deletions
--- a/web/src/lib/auth-server.ts
+++ b/web/src/lib/auth-server.ts
@ -0,0 +1,92 @@
+import { cookies, headers } from "next/headers"
+import { redirect } from "next/navigation"
+
+import { getCookieCache } from "better-auth/cookies"
+
+import { env } from "@/lib/env"
+import { isAdmin, isStaff } from "@/lib/authz"
+
+type ServerSession = Awaited<ReturnType<typeof getCookieCache>>
+
+function serializeCookies() {
+  const store = cookies()
+  return store.getAll().map((cookie) => `${cookie.name}=${cookie.value}`).join("; ")
+}
+
+function buildRequest() {
+  const cookieHeader = serializeCookies()
+  const headerList = headers()
+  const userAgent = headerList.get("user-agent") ?? ""
+  const ip =
+    headerList.get("x-forwarded-for") ||
+    headerList.get("x-real-ip") ||
+    headerList.get("cf-connecting-ip") ||
+    headerList.get("x-client-ip") ||
+    undefined
+
+  return new Request(env.BETTER_AUTH_URL ?? "http://localhost:3000", {
+    headers: {
+      cookie: cookieHeader,
+      "user-agent": userAgent,
+      ...(ip ? { "x-forwarded-for": ip } : {}),
+    },
+  })
+}
+
+export async function getServerSession(): Promise<ServerSession | null> {
+  try {
+    const request = buildRequest()
+    const session = await getCookieCache(request)
+    return session ?? null
+  } catch (error) {
+    console.error("Failed to read Better Auth session", error)
+    return null
+  }
+}
+
+export async function assertAuthenticatedSession() {
+  const session = await getServerSession()
+  return session?.user ? session : null
+}
+
+export async function requireAuthenticatedSession() {
+  const session = await assertAuthenticatedSession()
+  if (!session) {
+    redirect("/login")
+  }
+  return session
+}
+
+export async function assertStaffSession() {
+  const session = await assertAuthenticatedSession()
+  if (!session) return null
+  if (!isStaff(session.user.role)) {
+    return null
+  }
+  return session
+}
+
+export async function requireStaffSession() {
+  const session = await assertStaffSession()
+  if (!session) {
+    redirect("/portal")
+  }
+  return session
+}
+
+export async function assertAdminSession() {
+  const session = await assertAuthenticatedSession()
+  if (!session) return null
+  if (!isAdmin(session.user.role)) {
+    return null
+  }
+  return session
+}
+
+export async function requireAdminSession() {
+  const session = await assertAdminSession()
+  if (!session) {
+    redirect("/dashboard")
+  }
+  return session
+}