feat(auth): add better-auth core wiring for admin and db

2026-02-10 12:42:49 +01:00
parent 3949fd2c11
commit ba8abb3b1b
30 changed files with 807 additions and 32 deletions
--- a/apps/admin/src/lib/access-server.ts
+++ b/apps/admin/src/lib/access-server.ts
@@ -0,0 +1,40 @@
+import { auth, resolveRoleFromAuthSession } from "@cms/auth/server"
+import type { Role } from "@cms/content/rbac"
+import { cookies, headers } from "next/headers"
+
+import { resolveDefaultRole, resolveRoleFromRawValue } from "./access"
+
+export async function resolveRoleFromServerContext(): Promise<Role | null> {
+  const roleFromAuthSession = await resolveRoleFromAuthSessionInServerContext()
+
+  if (roleFromAuthSession) {
+    return roleFromAuthSession
+  }
+
+  const cookieStore = await cookies()
+  const headerStore = await headers()
+
+  const roleFromCookie = cookieStore.get("cms_role")?.value
+  const roleFromHeader = headerStore.get("x-cms-role")
+
+  const resolved = resolveRoleFromRawValue(roleFromCookie ?? roleFromHeader)
+
+  if (resolved) {
+    return resolved
+  }
+
+  return resolveDefaultRole()
+}
+
+async function resolveRoleFromAuthSessionInServerContext(): Promise<Role | null> {
+  try {
+    const headerStore = await headers()
+    const session = await auth.api.getSession({
+      headers: headerStore,
+    })
+
+    return resolveRoleFromAuthSession(session)
+  } catch {
+    return null
+  }
+}
--- a/apps/admin/src/lib/access.ts
+++ b/apps/admin/src/lib/access.ts
@@ -1,5 +1,4 @@
 import { hasPermission, normalizeRole, type PermissionScope, type Role } from "@cms/content/rbac"
-import { cookies, headers } from "next/headers"
 import type { NextRequest } from "next/server"

 type RoutePermission = {
@@ -17,6 +16,14 @@ const guardRules: GuardRule[] = [
    route: /^\/unauthorized(?:\/|$)/,
    requirement: null,
  },
+  {
+    route: /^\/api\/auth(?:\/|$)/,
+    requirement: null,
+  },
+  {
+    route: /^\/login(?:\/|$)/,
+    requirement: null,
+  },
  {
    route: /^\/todo(?:\/|$)/,
    requirement: {
@@ -33,15 +40,15 @@ const guardRules: GuardRule[] = [
  },
 ]

-function resolveDefaultRole(): Role | null {
+export function resolveDefaultRole(): Role | null {
  if (process.env.NODE_ENV === "production") {
    return null
  }

-  return normalizeRole(process.env.CMS_DEV_ROLE ?? "admin")
+  return normalizeRole(process.env.CMS_DEV_ROLE)
 }

-function resolveRoleFromRawValue(raw: string | null | undefined): Role | null {
+export function resolveRoleFromRawValue(raw: string | null | undefined): Role | null {
  return normalizeRole(raw)
 }

@@ -58,22 +65,6 @@ export function resolveRoleFromRequest(request: NextRequest): Role | null {
  return resolveDefaultRole()
 }

-export async function resolveRoleFromServerContext(): Promise<Role | null> {
-  const cookieStore = await cookies()
-  const headerStore = await headers()
-
-  const roleFromCookie = cookieStore.get("cms_role")?.value
-  const roleFromHeader = headerStore.get("x-cms-role")
-
-  const resolved = resolveRoleFromRawValue(roleFromCookie ?? roleFromHeader)
-
-  if (resolved) {
-    return resolved
-  }
-
-  return resolveDefaultRole()
-}
-
 export function getRequiredPermission(pathname: string): RoutePermission {
  for (const rule of guardRules) {
    if (rule.route.test(pathname)) {
@@ -103,3 +94,9 @@ export function canAccessRoute(role: Role, pathname: string): boolean {

  return hasPermission(role, requirement.permission, requirement.scope)
 }
+
+export function isPublicRoute(pathname: string): boolean {
+  const rule = guardRules.find((item) => item.route.test(pathname))
+
+  return rule?.requirement === null
+}