Implements JWT auth flow with 7 day tokens

[elliotBraem]

Uses near-sign-verify

Summary by CodeRabbit

• New Features
  • Added backend support for authentication requests and JWT-based login, including new authentication endpoints for login initiation, verification, and logout.
  • Introduced a new user authorization flow in the app, separating sign-in from backend authorization and providing clear UI states for login and authorization.
• Improvements
  • Enhanced authentication state management, including backend verification, improved error handling, and clearer sign-in/authorization logic in the app.
  • Updated dependencies and improved Docker setup for database migrations and seeding.
• Database
  • Added a new table for authentication requests to support secure login flows.
• Bug Fixes
  • Simplified and unified authentication middleware to handle JWT tokens via cookies.
• Chores
  • Minor updates to package scripts and dependency versions.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
curatedotfun-app	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 21, 2025 6:17pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This set of changes introduces a new authentication system based on JWT tokens and authentication requests, replacing the previous NEAR signature-based flow. It adds backend routes and services for login initiation, verification, and logout, updates middleware to use JWT cookies, and refactors frontend authentication context and UI to support sign-in and authorization as separate steps. Supporting database schema, repository, and Docker configurations are also introduced or updated.

Changes

File(s) / Path(s)	Change Summary
apps/api/package.json, apps/app/package.json	Added @fastnear/utils dependency and upgraded near-sign-verify version.
apps/api/src/middlewares/auth.middleware.ts	Refactored middleware to use JWT cookie-based authentication, removing NEAR signature logic.
apps/api/src/routes/api/auth.ts, apps/api/src/routes/api/index.ts	Added new authentication routes and mounted them under /auth.
apps/api/src/services/auth.service.ts	Introduced AuthService to handle authentication requests, verification, and JWT issuance.
apps/api/src/services/users.service.ts	Added ensureUserProfile method to create or retrieve user profiles by NEAR account ID.
apps/api/src/utils/service-provider.ts	Registered AuthService in the service provider and exposed accessor method.
apps/app/src/components/UserMenu.tsx	Updated UI to distinguish between signed-in and authorized states, adding "Authorize App" button.
apps/app/src/contexts/auth-context.tsx	Refactored context to separate sign-in and authorization, added backend verification and new state.
apps/app/src/lib/api-client.ts	Removed all authentication header logic from API client requests.
packages/shared-db/migrations/0017_warm_cerebro.sql, meta/0017_snapshot.json, meta/_journal.json	Added migration for auth_requests table and updated migration metadata.
packages/shared-db/src/index.ts, src/schema/index.ts, src/schema/auth.ts	Exported new auth schema and repository modules.
packages/shared-db/src/repositories/authRequest.repository.ts	Added repository for managing authentication requests in the database.
packages/utils/src/errors.ts	Changed to type-only imports for type interfaces.
packages/utils/src/index.ts, packages/utils/src/plugins/index.ts	Removed plugin normalization utility and its export.
docker-compose.yml, packages/shared-db/Dockerfile.dev	Updated DB migration service to use a custom Dockerfile and improved build process.
scripts/dev.sh	Simplified install log message.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Frontend
    participant API
    participant AuthService
    participant AuthRequestRepo
    participant UserService
    participant JWT

    User->>Frontend: Clicks "Sign In"
    Frontend->>User: NEAR wallet sign-in flow
    User->>Frontend: Signs in with NEAR
    Frontend->>API: POST /auth/initiate-login (accountId)
    API->>AuthService: createAuthRequest(accountId)
    AuthService->>UserService: ensureUserProfile(accountId)
    AuthService->>AuthRequestRepo: create(nonce, accountId, expiresAt)
    AuthService-->>API: { nonce, recipient }
    API-->>Frontend: { nonce, recipient }
    Frontend->>User: Prompts to sign message (nonce)
    User->>Frontend: Signs nonce with NEAR key
    Frontend->>API: POST /auth/verify-login (token, accountId)
    API->>AuthService: verifyAuthRequest(token, accountId)
    AuthService->>AuthRequestRepo: findLatestByAccountId(accountId)
    AuthService->>NEAR: Verify token signature
    AuthService->>AuthRequestRepo: deleteById(id)
    AuthService->>JWT: Sign JWT (accountId)
    AuthService-->>API: JWT token
    API-->>Frontend: Set "token" cookie (JWT)
    Frontend->>User: User is now "authorized"

Loading

Possibly related PRs

• PotLock/curatedotfun#174: Introduced initial authentication support with near-sign-verify and middleware changes, forming the foundation for this PR's JWT-based evolution.
• PotLock/curatedotfun#175: Implemented an earlier version of authentication middleware using NEAR signature verification, which this PR replaces with JWT cookie logic.

Poem

🥕
A hop, a skip, a login dance,
Now JWTs give us a chance!
With cookies crisp and tokens neat,
Authorization is a treat.
The bunny guards your secret door—
Sign in, authorize, and hop some more!
🐇✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (10)

apps/api/src/utils/service-provider.ts (1)

91-93: Clean service registration following established pattern.

The AuthService registration correctly follows the dependency injection pattern used throughout the class. Consider adding a dedicated getter method like getAuthService() for consistency with other services.

Add a dedicated getter method for consistency:

+  /**
+   * Get the auth service
+   * @returns The auth service
+   */
+  public getAuthService(): AuthService {
+    return this.getService<AuthService>("authService");
+  }

packages/shared-db/src/schema/auth.ts (2)

11-11: Consider removing or documenting the unused state field.

The state field is defined as unique but doesn't appear to be used anywhere in the authentication flow. If it's intended for future OAuth-like state parameter support, consider adding a comment explaining its purpose. Otherwise, consider removing it to avoid confusion.

---

8-15: Add an index for efficient auth request lookups.

The findLatestByAccountId method queries by accountId and createdAt. Consider adding a composite index to optimize this common query pattern.

Add an index after the table definition:

import { index } from "drizzle-orm/pg-core";

export const authRequestsIndexes = {
  accountIdCreatedAt: index("auth_requests_account_id_created_at_idx")
    .on(authRequests.accountId, authRequests.createdAt),
};

apps/api/src/routes/api/auth.ts (1)

19-53: Consider adding rate limiting to prevent brute force attacks.

Authentication endpoints are susceptible to brute force attacks. Consider implementing rate limiting based on IP address or account ID.

packages/shared-db/src/repositories/authRequest.repository.ts (1)

6-76: Consider implementing cleanup for expired auth requests.

Auth requests have an expiration time but there's no mechanism to clean up expired entries. This could lead to database bloat over time.

Consider adding a method to delete expired auth requests that can be called periodically:

async deleteExpired(): Promise<number> {
  return withErrorHandling(
    async () => {
      return executeWithRetry(async (dbInstance) => {
        const now = new Date();
        const result = await dbInstance
          .delete(authRequests)
          .where(lt(authRequests.expiresAt, now))
          .returning();
        return result.length;
      }, this.db);
    },
    {
      operationName: "delete expired auth requests",
    },
    0,
  );
}

apps/api/src/services/auth.service.ts (1)

37-37: Use constants for time calculations.

Magic numbers make the code less maintainable. Define constants for time durations.

Add constants at the top of the file:

const AUTH_REQUEST_EXPIRY_MS = 5 * 60 * 1000; // 5 minutes
const JWT_EXPIRY_SECONDS = 60 * 60 * 24 * 7; // 7 days

Then use them:

-    const expiresAt = new Date(Date.now() + 5 * 60 * 1000); // 5 minutes
+    const expiresAt = new Date(Date.now() + AUTH_REQUEST_EXPIRY_MS);

-      exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 7, // 7 days
+      exp: Math.floor(Date.now() / 1000) + JWT_EXPIRY_SECONDS,

Also applies to: 82-82

apps/api/src/middlewares/auth.middleware.ts (1)

12-16: Consider making JWT_SECRET validation a startup check.

The middleware returns 500 if JWT_SECRET is missing, which means the application is misconfigured. This should ideally be caught during application startup rather than at runtime.

apps/app/src/contexts/auth-context.tsx (2)

45-52: Consider differentiating error types in authorization check.

The current implementation treats all errors equally. Consider logging errors or differentiating between authentication failures (401/403) and other errors (network, 500) for better debugging and user experience.

 const checkAuthorization = useCallback(async () => {
   try {
     await apiClient.makeRequest("GET", "/users/me");
     setIsAuthorized(true);
-  } catch {
+  } catch (error) {
+    // Log error for debugging while keeping user experience unchanged
+    console.error("Authorization check failed:", error);
     setIsAuthorized(false);
   }
 }, []);

---

75-117: Consider making the authorization message configurable.

The implementation is solid with proper error handling. However, the hardcoded message "Authorize Curate.fun" at line 90 could be made configurable for better reusability across different environments or applications.

Consider extracting the message to a configuration constant or environment variable:

-const message = "Authorize Curate.fun";
+const message = process.env.NEXT_PUBLIC_AUTH_MESSAGE || "Authorize Curate.fun";

packages/shared-db/migrations/meta/0017_snapshot.json (1)

1404-1471: Well-designed auth_requests table schema.

The table structure properly supports the JWT authentication flow with:

• Unique constraints on nonce and state for security
• Expiration timestamp for token validity
• No foreign key constraint allows authentication before user creation

Consider implementing a cleanup job to remove expired auth requests periodically.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5080606 and 38d0179.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (18)

• apps/api/package.json (1 hunks)
• apps/api/src/middlewares/auth.middleware.ts (1 hunks)
• apps/api/src/routes/api/auth.ts (1 hunks)
• apps/api/src/routes/api/index.ts (2 hunks)
• apps/api/src/services/auth.service.ts (1 hunks)
• apps/api/src/services/users.service.ts (1 hunks)
• apps/api/src/utils/service-provider.ts (3 hunks)
• apps/app/package.json (1 hunks)
• apps/app/src/components/UserMenu.tsx (2 hunks)
• apps/app/src/contexts/auth-context.tsx (2 hunks)
• apps/app/src/lib/api-client.ts (0 hunks)
• packages/shared-db/migrations/0017_loud_lady_vermin.sql (1 hunks)
• packages/shared-db/migrations/meta/0017_snapshot.json (1 hunks)
• packages/shared-db/migrations/meta/_journal.json (1 hunks)
• packages/shared-db/src/index.ts (1 hunks)
• packages/shared-db/src/repositories/authRequest.repository.ts (1 hunks)
• packages/shared-db/src/schema/auth.ts (1 hunks)
• packages/shared-db/src/schema/index.ts (1 hunks)

💤 Files with no reviewable changes (1)

• apps/app/src/lib/api-client.ts

🔇 Additional comments (16)

apps/api/package.json (1)

63-63: Bump near-sign-verify to ^0.4.1 for auth flow compatibility.

The minor version upgrade aligns with the NEAR signature verification enhancements in your new JWT auth implementation. Ensure this version is available in your registry and that no breaking changes affect your build.

apps/app/package.json (1)

41-41: Sync frontend near-sign-verify to ^0.4.1.

Updating to the same version used by your API prevents signature mismatches during the handleAuthorize step. Confirm the new package version supports your frontend flow without regressions.

apps/api/src/routes/api/index.ts (1)

17-17: Mount authRoutes under /auth.

Importing and routing authRoutes at /auth correctly integrates your login, verify, and logout endpoints. Verify that middleware order and path hierarchy don’t interfere with existing routes.

Also applies to: 40-40

packages/shared-db/migrations/meta/_journal.json (1)

123-130: Append migration journal entry for 0017_loud_lady_vermin.

New entry at idx: 17 tracks creation of the auth_requests table. Please verify that the corresponding SQL file (0017_loud_lady_vermin.sql) and snapshot (0017_snapshot.json) exist and reflect the intended schema changes.

packages/shared-db/src/index.ts (1)

18-18: Export authRequest.repository in shared-db index.

Exposing the new AuthRequestRepository makes it available for your API service. Ensure any consumers import it correctly and that unit tests cover its methods.

packages/shared-db/src/schema/index.ts (1)

9-9: LGTM! Clean export addition.

The auth schema export follows the established pattern and correctly exposes the authentication-related schema definitions.

packages/shared-db/migrations/0017_loud_lady_vermin.sql (1)

1-11: Excellent table design for secure authentication flow.

The auth_requests table schema demonstrates good security practices:

• Unique constraints on nonce and state prevent replay attacks and CSRF
• Non-null expires_at ensures proper cleanup of expired requests
• Standard audit fields support request tracking

The structure aligns well with OAuth-like authentication patterns.

apps/api/src/services/users.service.ts (1)

49-57: Well-implemented upsert pattern.

The ensureUserProfile method cleanly handles both existing and new user scenarios by reusing existing methods. The implementation is concise, follows established patterns, and maintains type safety.

apps/api/src/utils/service-provider.ts (1)

3-3: LGTM! Proper import additions for auth functionality.

The imports follow the established pattern and bring in the necessary auth-related dependencies.

Also applies to: 15-15

apps/app/src/components/UserMenu.tsx (3)

24-31: Good separation of authentication concerns.

The expanded auth context usage cleanly separates sign-in and authorization states, aligning well with the new JWT-based backend flow.

---

50-67: Excellent conditional rendering for auth states.

The progressive authentication flow is well-implemented:

1. "Login" for unauthenticated users
2. "Authorize App" for signed-in but unauthorized users
3. Full user menu for fully authorized users

This provides clear user guidance through the authentication process.

---

69-124: Clean user menu implementation.

The dropdown menu maintains the existing design patterns and functionality while properly integrating with the new authorization state. The conditional rendering and event handling are well-structured.

apps/app/src/contexts/auth-context.tsx (4)

1-22: Well-structured authentication interface with proper separation of concerns.

The addition of isAuthorized state and the new authorization methods properly separates NEAR wallet authentication from backend JWT authorization. The promise-based method signatures are appropriate for async operations.

---

41-43: Good practice: Lazy initialization of authentication state.

Initializing states as null/false instead of directly calling NEAR methods prevents potential race conditions and ensures predictable component initialization.

---

119-137: Excellent error handling in sign-out flow.

The implementation correctly prioritizes user experience by ensuring client-side sign-out succeeds even if the backend logout fails. The error is logged for debugging while the user sees a successful logout.

---

98-101: ```shell
#!/bin/bash

Search for any jsonwebtoken usage and token generation patterns in the backend

echo "=== jsonwebtoken imports ==="
rg "jsonwebtoken" -n apps/api

echo "=== .sign calls (possible token generation) ==="
rg ".sign" -n apps/api

echo "=== expiresIn usages ==="
rg "expiresIn" -n apps/api

echo "=== Environment variables referencing JWT ==="
rg "JWT" -n apps/api

</details>

</blockquote></details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->