tiennm99/llmapikey
1
0
Fork 0
mirror of https://github.com/tiennm99/llmapikey.git synced 2026-06-17 16:48:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8fcc705e2c5dc8ce342e30cfc80a1a899bc6cf72
llmapikey/lib/auth/current-github-identity.js
T
tiennm99 02fa52ccf9 feat: scaffold OpenRouter key giveaway site (gated, code-only) 
- Next.js 15 App Router (JS+JSDoc): landing, auth-gated dashboard, docs
- GitHub OAuth via Supabase; identity anchored on numeric provider_id
- key provisioning: reserve-then-mint-persist-compensate, one key per account
- api_keys in unexposed llmapikey schema via direct Postgres; RLS deny-all
- live minting gated behind PROVISIONING_ENABLED; Vercel auto-deploy disabled
- unit tests (mask, request-body), RLS deny-all test, reconcile script
2026-06-13 14:18:52 +07:00

45 lines
1.5 KiB
JavaScript
Raw Blame History

import "server-only";
import { createServerAuthClient } from "@/lib/supabase/server-client";
/**
* @typedef {Object} GithubIdentity
* @property {string} githubUserId Numeric, immutable GitHub id (provider_id).
* @property {string} githubUsername GitHub login (mutable — display only).
*/
/**
* Resolve the current GitHub identity from the validated server session.
*
* Identity anchor: `provider_id` — the numeric, immutable GitHub id. NOT
* `user_name` (the mutable login — a rename could otherwise mint a second key)
* and NOT `sub` (the Supabase user UUID). `user_metadata` is end-user-mutable,
* so it scopes queries server-side only and is never used as an RLS/auth claim.
*
* Uses `getUser()` (validates the token with Supabase), not `getSession()`.
*
* @returns {Promise<GithubIdentity | null>} null when unauthenticated.
*/
export async function getCurrentGithubIdentity() {
const supabase = await createServerAuthClient();
const {
data: { user },
} = await supabase.auth.getUser();
if (!user) return null;
const meta = user.user_metadata ?? {};
if (meta.provider_id == null || meta.user_name == null) {
throw new Error(
"GitHub identity missing provider_id/user_name in user_metadata",
);
}
const githubUserId = String(meta.provider_id);
// Assert numeric — guards against accidentally anchoring on the mutable login.
if (!/^\d+$/.test(githubUserId)) {
throw new Error(`Expected numeric GitHub provider_id, got: ${githubUserId}`);
}
return { githubUserId, githubUsername: String(meta.user_name) };
}
Reference in New Issue View Git Blame Copy Permalink