mirror of
https://github.com/tiennm99/llmapikey.git
synced 2026-06-17 08:52:35 +00:00
559bac8104
Self-contained GitHub OAuth (Arctic) with a stateless HS256 signed-cookie session (jose); Supabase is downgraded to the Postgres host only.
- Origin-derived callback (no redirect-uri env); read:user scope; access token read once at callback and discarded (no token storage).
- CSRF via single-use state cookie; open-redirect guard on next.
- getCurrentGithubIdentity() now reads the session cookie, preserving the numeric provider_id identity contract for admin/dashboard/mint.
- Remove @supabase/ssr + @supabase/supabase-js, middleware, and the supabase-dependent rls test; delete lib/supabase clients.
24 lines
815 B
JavaScript
import "server-only";

import { readSession } from "@/lib/auth/session";

/**
 * @typedef {Object} GithubIdentity
 * @property {string} githubUserId Numeric, immutable GitHub id (provider_id).
 * @property {string} githubUsername GitHub login (mutable — display only).
 */

/**
 * Resolve the current GitHub identity from the signed session cookie.
 *
 * Identity anchor: `provider_id` — the numeric, immutable GitHub id. NOT the
 * mutable login (a rename could otherwise mint a second key). The numeric
 * invariant is enforced inside `readSession` (defense in depth) and again at
 * mint time in the OAuth callback. `githubUsername` is display-only.
 *
 * @returns {Promise<GithubIdentity | null>} null when unauthenticated.
 */
export async function getCurrentGithubIdentity() {
  return readSession();
}