mirror of
https://github.com/tiennm99/llmapikey.git
synced 2026-07-10 13:03:34 +00:00
feat(auth): replace Supabase Auth with app-native GitHub OAuth
Self-contained GitHub OAuth (Arctic) with a stateless HS256 signed-cookie session (jose); Supabase is downgraded to the Postgres host only. - Origin-derived callback (no redirect-uri env); read:user scope; access token read once at callback and discarded (no token storage). - CSRF via single-use state cookie; open-redirect guard on next. - getCurrentGithubIdentity() now reads the session cookie, preserving the numeric provider_id identity contract for admin/dashboard/mint. - Remove @supabase/ssr + @supabase/supabase-js, middleware, and the supabase-dependent rls test; delete lib/supabase clients.
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
import "server-only";
|
||||
|
||||
import { GitHub } from "arctic";
|
||||
|
||||
/**
|
||||
* GitHub OAuth scopes. `read:user` is enough to read the public profile
|
||||
* (`id` + `login`) at the callback; no email scope, no token storage.
|
||||
*/
|
||||
export const GITHUB_SCOPES = ["read:user"];
|
||||
|
||||
/**
|
||||
* Build the Arctic GitHub OAuth client.
|
||||
*
|
||||
* Redirect URI is derived from the request `origin` (`${origin}/auth/callback`),
|
||||
* so no callback env is needed. GitHub validates this against the OAuth App's
|
||||
* registered callback, so requests reaching the app on a non-registered host
|
||||
* (e.g. a Vercel deployment-hash URL) will fail at GitHub — link only the
|
||||
* canonical domain. Login and callback MUST pass the same origin so the
|
||||
* `redirect_uri` matches across the authorize + token-exchange steps.
|
||||
*
|
||||
* @param {string} origin Request origin, e.g. `https://llmapikey.vercel.app`.
|
||||
* @returns {import('arctic').GitHub}
|
||||
*/
|
||||
export function getGithubOAuth(origin) {
|
||||
const clientId = process.env.GITHUB_OAUTH_CLIENT_ID;
|
||||
const clientSecret = process.env.GITHUB_OAUTH_CLIENT_SECRET;
|
||||
if (!clientId || !clientSecret) {
|
||||
throw new Error(
|
||||
"Missing GITHUB_OAUTH_CLIENT_ID / GITHUB_OAUTH_CLIENT_SECRET",
|
||||
);
|
||||
}
|
||||
return new GitHub(clientId, clientSecret, `${origin}/auth/callback`);
|
||||
}
|
||||
Reference in New Issue
Block a user