Alo/phaseflow
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement auth middleware for API routes (P0.2)

Browse Source 
Add authentication infrastructure for protected routes:
- withAuth() wrapper for API route handlers (src/lib/auth-middleware.ts)
- Next.js middleware for page protection (src/middleware.ts)

withAuth() loads auth from cookies, validates session, and passes
user context to handlers. Returns 401 for unauthenticated requests.

Page middleware redirects unauthenticated users to /login, while
allowing public routes (/login), API routes (handled separately),
and static assets through.

Tests: 18 new tests (6 for withAuth, 12 for page middleware)
Total test count: 60 tests passing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Petru
2026-01-10 18:43:19 +00:00
parent caed11a445
commit 76a46439b3
5 changed files with 463 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
src/lib/auth-middleware.test.ts Normal file
View File

@@ -0,0 +1,164 @@
// ABOUTME: Unit tests for API route authentication middleware.
// ABOUTME: Tests withAuth wrapper for protected route handlers.
import { type NextRequest, NextResponse } from "next/server";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { withAuth } from "./auth-middleware";
// Mock the pocketbase module
vi.mock("./pocketbase", () => ({
createPocketBaseClient: vi.fn(),
loadAuthFromCookies: vi.fn(),
isAuthenticated: vi.fn(),
getCurrentUser: vi.fn(),
}));
// Mock next/headers
vi.mock("next/headers", () => ({
cookies: vi.fn(),
}));
import { cookies } from "next/headers";
import {
createPocketBaseClient,
getCurrentUser,
isAuthenticated,
loadAuthFromCookies,
} from "./pocketbase";
const mockCookies = cookies as ReturnType<typeof vi.fn>;
const mockCreatePocketBaseClient = createPocketBaseClient as ReturnType<
typeof vi.fn
>;
const mockLoadAuthFromCookies = loadAuthFromCookies as ReturnType<typeof vi.fn>;
const mockIsAuthenticated = isAuthenticated as ReturnType<typeof vi.fn>;
const mockGetCurrentUser = getCurrentUser as ReturnType<typeof vi.fn>;
describe("withAuth", () => {
const mockUser = {
id: "user123",
email: "test@example.com",
garminConnected: false,
garminOauth1Token: "",
garminOauth2Token: "",
garminTokenExpiresAt: new Date(),
calendarToken: "cal-token",
lastPeriodDate: new Date("2025-01-01"),
cycleLength: 31,
notificationTime: "07:00",
timezone: "UTC",
activeOverrides: [],
created: new Date(),
updated: new Date(),
};
const mockPbClient = {
authStore: {
isValid: true,
model: mockUser,
},
};
const mockCookieStore = {
get: vi.fn(),
};
beforeEach(() => {
vi.clearAllMocks();
mockCookies.mockResolvedValue(mockCookieStore);
mockCreatePocketBaseClient.mockReturnValue(mockPbClient);
});
it("returns 401 when not authenticated", async () => {
mockIsAuthenticated.mockReturnValue(false);
const handler = vi.fn();
const wrappedHandler = withAuth(handler);
const mockRequest = {} as NextRequest;
const response = await wrappedHandler(mockRequest);
expect(response.status).toBe(401);
const body = await response.json();
expect(body.error).toBe("Unauthorized");
expect(handler).not.toHaveBeenCalled();
});
it("calls handler with user when authenticated", async () => {
mockIsAuthenticated.mockReturnValue(true);
mockGetCurrentUser.mockReturnValue(mockUser);
const handler = vi
.fn()
.mockResolvedValue(NextResponse.json({ data: "success" }));
const wrappedHandler = withAuth(handler);
const mockRequest = {} as NextRequest;
const response = await wrappedHandler(mockRequest);
expect(response.status).toBe(200);
expect(handler).toHaveBeenCalledWith(mockRequest, mockUser, undefined);
});
it("loads auth from cookies before checking authentication", async () => {
mockIsAuthenticated.mockReturnValue(true);
mockGetCurrentUser.mockReturnValue(mockUser);
const handler = vi.fn().mockResolvedValue(NextResponse.json({}));
const wrappedHandler = withAuth(handler);
await wrappedHandler({} as NextRequest);
expect(mockCreatePocketBaseClient).toHaveBeenCalled();
expect(mockCookies).toHaveBeenCalled();
expect(mockLoadAuthFromCookies).toHaveBeenCalledWith(
mockPbClient,
mockCookieStore,
);
expect(mockIsAuthenticated).toHaveBeenCalledWith(mockPbClient);
});
it("returns 401 when getCurrentUser returns null", async () => {
mockIsAuthenticated.mockReturnValue(true);
mockGetCurrentUser.mockReturnValue(null);
const handler = vi.fn();
const wrappedHandler = withAuth(handler);
const response = await wrappedHandler({} as NextRequest);
expect(response.status).toBe(401);
expect(handler).not.toHaveBeenCalled();
});
it("passes route params to handler when provided", async () => {
mockIsAuthenticated.mockReturnValue(true);
mockGetCurrentUser.mockReturnValue(mockUser);
const handler = vi.fn().mockResolvedValue(NextResponse.json({}));
const wrappedHandler = withAuth(handler);
const mockRequest = {} as NextRequest;
const mockParams = { id: "123" };
await wrappedHandler(mockRequest, { params: mockParams });
expect(handler).toHaveBeenCalledWith(mockRequest, mockUser, {
params: mockParams,
});
});
it("handles handler errors gracefully", async () => {
mockIsAuthenticated.mockReturnValue(true);
mockGetCurrentUser.mockReturnValue(mockUser);
const handler = vi.fn().mockRejectedValue(new Error("Handler error"));
const wrappedHandler = withAuth(handler);
const response = await wrappedHandler({} as NextRequest);
expect(response.status).toBe(500);
const body = await response.json();
expect(body.error).toBe("Internal server error");
});
});

76
src/lib/auth-middleware.ts Normal file
View File

@@ -0,0 +1,76 @@
// ABOUTME: Authentication middleware wrapper for protected API routes.
// ABOUTME: Provides withAuth HOF that validates session and injects user context.
import { cookies } from "next/headers";
import type { NextRequest } from "next/server";
import { NextResponse } from "next/server";
import type { User } from "@/types";
import {
createPocketBaseClient,
getCurrentUser,
isAuthenticated,
loadAuthFromCookies,
} from "./pocketbase";
/**
* Route handler function type that receives the authenticated user.
*/
export type AuthenticatedHandler<T = unknown> = (
request: NextRequest,
user: User,
context?: { params?: T },
) => Promise<NextResponse>;
/**
* Higher-order function that wraps an API route handler with authentication.
* Loads auth from cookies, validates the session, and passes the user to the handler.
*
* @param handler - The route handler that requires authentication
* @returns A wrapped handler that checks auth before calling the original handler
*
* @example
* ```ts
* export const GET = withAuth(async (request, user) => {
* return NextResponse.json({ email: user.email });
* });
* ```
*/
export function withAuth<T = unknown>(
handler: AuthenticatedHandler<T>,
): (request: NextRequest, context?: { params?: T }) => Promise<NextResponse> {
return async (
request: NextRequest,
context?: { params?: T },
): Promise<NextResponse> => {
try {
// Create a fresh PocketBase client for this request
const pb = createPocketBaseClient();
// Load auth state from cookies
const cookieStore = await cookies();
loadAuthFromCookies(pb, cookieStore);
// Check if the user is authenticated
if (!isAuthenticated(pb)) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
// Get the current user
const user = getCurrentUser(pb);
if (!user) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
// Call the original handler with the user context
return await handler(request, user, context);
} catch (error) {
console.error("Auth middleware error:", error);
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 },
);
}
};
}