Add shared auth middleware (JWT + API key + RBAC) and canonical withTenant() helper

2026-03-01 03:09:01 +00:00
parent 2bbaa1efde
commit 762e2db9df
3 changed files with 189 additions and 0 deletions
--- a/products/shared/README.md
+++ b/products/shared/README.md
@@ -0,0 +1,26 @@
+# dd0c Shared Modules
+
+Reusable code shared across all dd0c products.
+
+## Files
+
+- `auth.ts` — JWT + API key authentication middleware, RBAC, login/signup routes
+- `db.ts` — PostgreSQL connection pool with RLS `withTenant()` helper
+
+## Usage
+
+Copy into each product's `src/` directory, or symlink during build.
+These are kept here as the canonical source of truth.
+
+## Auth Flow
+
+1. **JWT (Browser/API):** `Authorization: Bearer <token>` → decoded → `req.tenantId`, `req.userId`, `req.userRole`
+2. **API Key (Agent/CLI):** `X-API-Key: dd0c_<32hex>` → prefix lookup → bcrypt verify → tenant context
+3. **Webhook (HMAC):** Per-provider signature validation (skips JWT middleware)
+4. **Slack (Signing Secret):** Slack request signature verification (skips JWT middleware)
+
+## RBAC Hierarchy
+
+`owner > admin > member > viewer`
+
+Use `requireRole(req, reply, 'admin')` in route handlers for access control.