aevgarik/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): add get-session endpoint and harden session resolution

Browse Source 
Add /api/auth/get-session for board actors to retrieve their session
info. Wrap resolveSession in try/catch to prevent unhandled errors from
crashing requests when auth headers are missing or malformed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dotta
2026-03-02 17:02:01 -06:00
parent dff78a6df4
commit 90dfa2e9cd
2 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
server/src/app.ts
View File

@@ -66,6 +66,23 @@ export async function createApp(
resolveSession: opts.resolveSession,
}),
);
app.get("/api/auth/get-session", (req, res) => {
if (req.actor.type !== "board" || !req.actor.userId) {
res.status(401).json({ error: "Unauthorized" });
return;
}
res.json({
session: {
id: `paperclip:${req.actor.source}:${req.actor.userId}`,
userId: req.actor.userId,
},
user: {
id: req.actor.userId,
email: null,
name: req.actor.source === "local_implicit" ? "Local Board" : null,
},
});
});
if (opts.betterAuthHandler) {
app.all("/api/auth/*authPath", opts.betterAuthHandler);
}

11
server/src/middleware/auth.ts
View File

@@ -6,6 +6,7 @@ import { agentApiKeys, agents, companyMemberships, instanceUserRoles } from "@pa
import { verifyLocalAgentJwt } from "../agent-auth-jwt.js";
import type { DeploymentMode } from "@paperclip/shared";
import type { BetterAuthSessionResult } from "../auth/better-auth.js";
import { logger } from "./logger.js";
function hashToken(token: string) {
return createHash("sha256").update(token).digest("hex");
@@ -28,7 +29,15 @@ export function actorMiddleware(db: Db, opts: ActorMiddlewareOptions): RequestHa
const authHeader = req.header("authorization");
if (!authHeader?.toLowerCase().startsWith("bearer ")) {
if (opts.deploymentMode === "authenticated" && opts.resolveSession) {
const session = await opts.resolveSession(req);
let session: BetterAuthSessionResult | null = null;
try {
session = await opts.resolveSession(req);
} catch (err) {
logger.warn(
{ err, method: req.method, url: req.originalUrl },
"Failed to resolve auth session from request headers",
);
}
if (session?.user?.id) {
const userId = session.user.id;
const [roleRow, memberships] = await Promise.all([