Files

Max Mayfield 5ee869b9d8 Implement auth: login/signup (scrypt), API key generation, shared migration

- Login: email + password lookup, scrypt verify, JWT token
- Signup: create tenant + owner user in transaction, slug generation
- API key: dd0c_ prefix, SHA-256 hash (not bcrypt — faster for API key lookups), prefix index
- Scrypt over bcrypt: zero native deps, Node.js built-in crypto
- Auth routes skip JWT middleware (login/signup are public)
- 002_auth.sql: users + api_keys tables with RLS, copied to all products
- Synced auth middleware to P3/P4/P5/P6

2026-03-01 03:19:18 +00:00

002_auth.sql

Implement auth: login/signup (scrypt), API key generation, shared migration

2026-03-01 03:19:18 +00:00

auth.ts

Implement auth: login/signup (scrypt), API key generation, shared migration

2026-03-01 03:19:18 +00:00

db.ts

Add shared auth middleware (JWT + API key + RBAC) and canonical withTenant() helper

2026-03-01 03:09:01 +00:00

README.md

Add shared auth middleware (JWT + API key + RBAC) and canonical withTenant() helper

2026-03-01 03:09:01 +00:00

README.md

dd0c Shared Modules

Reusable code shared across all dd0c products.

Files

auth.ts — JWT + API key authentication middleware, RBAC, login/signup routes
db.ts — PostgreSQL connection pool with RLS withTenant() helper

Usage

Copy into each product's src/ directory, or symlink during build. These are kept here as the canonical source of truth.

Auth Flow

JWT (Browser/API): Authorization: Bearer <token> → decoded → req.tenantId, req.userId, req.userRole
API Key (Agent/CLI): X-API-Key: dd0c_<32hex> → prefix lookup → bcrypt verify → tenant context
Webhook (HMAC): Per-provider signature validation (skips JWT middleware)
Slack (Signing Secret): Slack request signature verification (skips JWT middleware)

RBAC Hierarchy

owner > admin > member > viewer

Use requireRole(req, reply, 'admin') in route handlers for access control.