From 4d30f46d4691c9aead411b893b1ab279b05d439c Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Wed, 3 Dec 2025 05:54:50 +0900
Subject: feat(auth): add auth middleware for JWT validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add middleware that validates JWT tokens from Authorization header
and sets authenticated user in request context. Includes helper
function getAuthUser() to retrieve user from context with proper
error handling.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 pkgs/server/src/middleware/auth.ts | 65 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 pkgs/server/src/middleware/auth.ts

(limited to 'pkgs/server/src/middleware/auth.ts')

diff --git a/pkgs/server/src/middleware/auth.ts b/pkgs/server/src/middleware/auth.ts
new file mode 100644
index 0000000..c295834
--- /dev/null
+++ b/pkgs/server/src/middleware/auth.ts
@@ -0,0 +1,65 @@
+import type { Context, Next } from "hono";
+import { verify } from "hono/jwt";
+import { Errors } from "./error-handler";
+
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET) {
+	throw new Error("JWT_SECRET environment variable is required");
+}
+
+export interface AuthUser {
+	id: string;
+}
+
+interface JWTPayload {
+	sub: string;
+	iat: number;
+	exp: number;
+}
+
+/**
+ * Auth middleware that validates JWT tokens from Authorization header
+ * Sets the authenticated user in context variables
+ */
+export async function authMiddleware(c: Context, next: Next) {
+	const authHeader = c.req.header("Authorization");
+
+	if (!authHeader) {
+		throw Errors.unauthorized("Missing Authorization header", "MISSING_AUTH");
+	}
+
+	if (!authHeader.startsWith("Bearer ")) {
+		throw Errors.unauthorized(
+			"Invalid Authorization header format",
+			"INVALID_AUTH_FORMAT",
+		);
+	}
+
+	const token = authHeader.slice(7);
+
+	try {
+		const payload = (await verify(token, JWT_SECRET)) as unknown as JWTPayload;
+
+		const user: AuthUser = {
+			id: payload.sub,
+		};
+
+		c.set("user", user);
+
+		await next();
+	} catch {
+		throw Errors.unauthorized("Invalid or expired token", "INVALID_TOKEN");
+	}
+}
+
+/**
+ * Helper function to get the authenticated user from context
+ * Throws if user is not authenticated
+ */
+export function getAuthUser(c: Context): AuthUser {
+	const user = c.get("user") as AuthUser | undefined;
+	if (!user) {
+		throw Errors.unauthorized("Not authenticated", "NOT_AUTHENTICATED");
+	}
+	return user;
+}
-- 
cgit v1.2.3-70-g09d2