feat(web): accept JWT Bearer auth on /api/auth/sync for account provisioning

pilartomas · pilartomas · commit c53edb96f474 · 2026-04-14T13:17:36.000+02:00
API-first clients can now provision their account by calling
GET /api/auth/sync with a JWT access token instead of requiring
a browser login first. Email and name are read from JWT claims.
diff --git a/apps/web/src/app/api/auth/sync/route.ts b/apps/web/src/app/api/auth/sync/route.ts
@@ -1,6 +1,7 @@
 import { type NextRequest, NextResponse } from "next/server";
 import { db } from "@onecli/db";
 import { getServerSession } from "@/lib/auth/server";
+import { verifyAndResolveIdentity } from "@/lib/validate-jwt";
 import { logger } from "@/lib/logger";
 import { DEFAULT_AGENT_NAME } from "@/lib/constants";
 import { seedDemoSecret } from "@/lib/services/secret-service";
@@ -12,37 +13,57 @@ import { getSessionAttributes, onUserCreated } from "@/lib/auth/session-hooks";
  * GET /api/auth/sync
  *
  * Single endpoint that handles the full auth → DB sync flow:
- * 1. Reads the auth session (cookie/token)
+ * 1. Reads the auth session (cookie/token) or validates a JWT Bearer token
  * 2. Upserts the user in the database
  * 3. Ensures the user has an Account + AccountMember + ApiKey
  * 4. Seeds defaults (agent, demo secret) into the account
  * 5. Returns the user profile
  *
- * Called by the login page after auth and by the dashboard layout on mount.
- * Returns 401 if no valid session exists.
+ * Called by the login page after auth, by the dashboard layout on mount,
+ * or by API clients with a JWT access token to provision their account.
+ * Returns 401 if no valid session or token exists.
  */
 export const GET = async (request: NextRequest) => {
   try {
+    // Try session auth first, then JWT Bearer token
     const session = await getServerSession();
-    if (!session || !session.email) {
-      return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+    let authId: string;
+    let email: string;
+    let name: string | null | undefined;
+
+    if (session?.email) {
+      authId = session.id;
+      email = session.email;
+      name = session.name;
+    } else {
+      const identity = await verifyAndResolveIdentity(request);
+      if (!identity) {
+        return NextResponse.json(
+          { error: "Not authenticated" },
+          { status: 401 },
+        );
+      }
+      authId = identity.sub;
+      email = identity.email;
+      name = identity.name;
     }
 
     const extra = getSessionAttributes(request);
 
     // Upsert user by email — creates on first login, updates on subsequent.
     const user = await db.user.upsert({
-      where: { email: session.email },
+      where: { email },
       create: {
-        externalAuthId: session.id,
-        email: session.email,
-        name: session.name,
+        externalAuthId: authId,
+        email,
+        name: name ?? null,
         lastLoginAt: new Date(),
         ...extra,
       },
       update: {
-        externalAuthId: session.id,
-        name: session.name,
+        externalAuthId: authId,
+        name: name ?? null,
         lastLoginAt: new Date(),
         ...extra,
       },
diff --git a/apps/web/src/lib/validate-jwt.ts b/apps/web/src/lib/validate-jwt.ts
@@ -109,3 +109,56 @@ export const validateJwt = async (
     return null;
   }
 };
+
+// ── Identity resolution (JWT verify + email/name from claims) ──────────
+
+export interface ResolvedIdentity {
+  sub: string;
+  email: string;
+  name?: string;
+}
+
+/**
+ * Verify a JWT access token and resolve the user's identity (sub + email + name)
+ * from the token claims, without performing a database lookup.
+ *
+ * Returns null if the JWT is invalid or the email claim is missing.
+ */
+export const verifyAndResolveIdentity = async (
+  request: Request,
+): Promise<ResolvedIdentity | null> => {
+  if (!OAUTH_ISSUER) return null;
+
+  const token = extractBearerToken(request);
+  if (!token) return null;
+
+  const getKey = await getKeyFunction();
+  if (!getKey) return null;
+
+  try {
+    const { payload } = await jwtVerify(token, getKey, {
+      issuer: OAUTH_ISSUER,
+      audience: OAUTH_AUDIENCE || undefined,
+      algorithms: ["RS256", "RS384", "RS512"],
+    });
+
+    const sub = payload.sub;
+    if (!sub) {
+      log.warn("JWT missing sub claim");
+      return null;
+    }
+
+    const email = typeof payload.email === "string" ? payload.email : undefined;
+    if (!email) {
+      log.warn({ sub }, "JWT missing email claim");
+      return null;
+    }
+
+    const name = typeof payload.name === "string" ? payload.name : undefined;
+
+    return { sub, email, name };
+  } catch (err) {
+    log.warn({ err }, "JWT verification failed");
+    return null;
+  }
+};
