feat: replace custom session auth with FerrisKey OIDC (Auth.js v5)#11
Open
asmuelle wants to merge 1 commit into
Conversation
Identity is now owned by FerrisKey (Keycloak-alternative IAM) over OIDC via
Auth.js v5. Scope is authentication only: workspace tenancy + owner/member role
stay in the local memberships table, re-derived per request (Invariant 8).
- core/db: add app_user.external_subject + linkOrCreateUserBySubject (memory +
Drizzle), migration 0006. Match by IdP sub, else verified-email backfill, else
JIT-create. Unverified-email collision is rejected (IdentityConflictError) to
prevent account takeover.
- web: apps/web/auth.ts custom OIDC provider (PKCE, jwt/session callbacks pin the
local user id) + [...nextauth] route. resolveWorkspace keyed by {userId};
resolveActiveWorkspace rides on auth(). Remove hand-rolled session-crypto/secret.
- ui: "Continue with FerrisKey" sign-in; Auth.js sign-out + hint-cookie clear;
switchWorkspace fails closed before writing the hint.
- infra: FerrisKey API/console/Postgres in docker-compose (profile auth, pg 5434);
just ferriskey-up/down/bootstrap; scripts/ferriskey-bootstrap.ts.
- hardening: baseline security headers, Auth.js error->sign-in routing.
- env/docs: AUTH_SECRET + FERRISKEY_*; TOOLS.md, DESIGN.md, ROADMAP updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
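An added example, not code from this PR, modelling the sub-then-verified-email-then-JIT linking rule described above over an in-memory store; the store and its `seed` helper are assumed, only `linkOrCreateUserBySubject` and `IdentityConflictError` are names from the description. It also refuses to rebind an account already linked to a different IdP subject, a check the description does not mention.

```typescript
// Added example (not the project's own code): the linking rule from the PR
// description, with an in-memory store standing in for app_user.
interface AppUser { id: number; email: string; externalSubject: string | null }
interface OidcProfile { sub: string; email: string; emailVerified: boolean }

class IdentityConflictError extends Error {
  constructor(email: string) {
    super(`refusing to link ${email}: unverified or already bound to another subject`);
    this.name = 'IdentityConflictError';
  }
}

class MemoryUserStore {
  private users: AppUser[] = [];
  private nextId = 1;

  // Pre-existing local accounts (constructed for the example).
  seed(email: string, externalSubject: string | null = null): AppUser {
    const u: AppUser = { id: this.nextId++, email, externalSubject };
    this.users.push(u);
    return u;
  }

  // 1) match by IdP sub; 2) backfill an existing account only when the IdP
  // vouches for the email; 3) JIT-create. An unverified email that collides
  // with an existing account is rejected, so an IdP account an attacker
  // registered with someone else's address cannot be linked to that user.
  linkOrCreateUserBySubject(p: OidcProfile): AppUser {
    const bySub = this.users.find(u => u.externalSubject === p.sub);
    if (bySub) return bySub;
    const wanted = p.email.toLowerCase();
    const byEmail = this.users.find(u => u.email.toLowerCase() === wanted);
    if (byEmail) {
      if (!p.emailVerified) throw new IdentityConflictError(p.email);
      // Assumption beyond the description: never silently rebind a user
      // already linked to a different subject.
      if (byEmail.externalSubject !== null && byEmail.externalSubject !== p.sub) {
        throw new IdentityConflictError(p.email);
      }
      byEmail.externalSubject = p.sub;
      return byEmail;
    }
    return this.seed(p.email, p.sub); // JIT-create, bound to sub from the start
  }
}
```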
| token, | ||
| json: { temporary: false, credential_type: 'password', value: DEMO_PASSWORD }, | ||
| }); | ||
| console.log(`✓ demo user ${DEMO_EMAIL} ready (password: ${DEMO_PASSWORD})`); |
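Review bot: the `console.log` on the last line writes the demo password to stdout, where it lands in terminal scrollback and any CI log that runs the bootstrap; print only `✓ demo user ${DEMO_EMAIL} ready` and let operators read DEMO_PASSWORD from the environment. The credential is also created with `temporary: false`, so the demo password is permanent; if this script is ever run against a FerrisKey that is not purely local, `temporary: true` would force a change on first login.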