buildmymcpserver/apps/api/src/routes/auth.ts

import type { FastifyInstance } from 'fastify';
import { z } from 'zod';
import { consumeMagicLink, destroySession, getSession, issueMagicLink } from '@bmm/auth';
import { audit } from '../lib/audit.js';
import { config } from '../config.js';

const SESSION_COOKIE = 'bmm_session';

export async function authRoutes(app: FastifyInstance): Promise<void> {
  app.post('/v1/auth/magic-link', async (req, reply) => {
    const Body = z.object({ email: z.string().email() });
    const parsed = Body.safeParse(req.body);
    if (!parsed.success) return reply.code(400).send({ error: 'invalid_email' });
    try {
      const { token, expiresAt } = await issueMagicLink(parsed.data.email);
      const callbackUrl = `${config.NEXT_PUBLIC_APP_URL}/login/callback?token=${token}`;
      // Dev transport: print to stdout. Production: send via Resend / SES.
      app.log.info({ to: parsed.data.email, expiresAt }, `[magic-link] -> ${callbackUrl}`);
      console.log(`\n[magic-link] ${parsed.data.email} ->\n  ${callbackUrl}\n`);
      return reply.send({ ok: true });
    } catch (e) {
      app.log.error(e);
      return reply.code(400).send({ error: 'magic_link_failed' });
    }
  });

  app.post('/v1/auth/verify', async (req, reply) => {
    const Body = z.object({ token: z.string().min(10) });
    const parsed = Body.safeParse(req.body);
    if (!parsed.success) return reply.code(400).send({ error: 'invalid_token' });
    try {
      const session = await consumeMagicLink(parsed.data.token, {
        ipAddress: req.ip,
        userAgent: req.headers['user-agent'],
      });
      reply.setCookie(SESSION_COOKIE, session.sessionToken, {
        httpOnly: true,
        sameSite: 'lax',
        path: '/',
        secure: config.NODE_ENV === 'production',
        maxAge: 30 * 24 * 60 * 60,
      });
      await audit({
        orgId: session.orgId,
        userId: session.userId,
        action: 'auth.login',
        resourceType: 'session',
        metadata: { email: session.email },
        ipAddress: req.ip,
      });
      return reply.send({
        ok: true,
        user: { id: session.userId, email: session.email, orgId: session.orgId },
      });
    } catch (e) {
      app.log.warn({ err: e }, 'magic link verify failed');
      return reply.code(400).send({ error: 'invalid_or_expired_token' });
    }
  });

  app.get('/v1/auth/me', async (req, reply) => {
    const token = req.cookies[SESSION_COOKIE];
    const session = await getSession(token);
    if (!session) return reply.code(401).send({ error: 'unauthorized' });
    return reply.send({ user: session });
  });

  app.post('/v1/auth/logout', async (req, reply) => {
    const token = req.cookies[SESSION_COOKIE];
    const session = token ? await getSession(token) : null;
    if (token) await destroySession(token);
    reply.clearCookie(SESSION_COOKIE, { path: '/' });
    if (session) {
      await audit({
        orgId: session.orgId,
        userId: session.userId,
        action: 'auth.logout',
        resourceType: 'session',
        ipAddress: req.ip,
      });
    }
    return reply.send({ ok: true });
  });
}
feat(api): Fastify control plane (auth, servers, WS build stream, OAuth 2.1 AS, JWKS) 2026-05-19 00:24:47 +02:00			`import type { FastifyInstance } from 'fastify';`
			`import { z } from 'zod';`
			`import { consumeMagicLink, destroySession, getSession, issueMagicLink } from '@bmm/auth';`
feat(api,generator): preview endpoint + spec cache + audit-log writes - POST /v1/servers/preview runs Claude synchronously, validates output, caches spec in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets. - POST /v1/servers accepts optional previewId; worker reuses the cached spec if the entry is still present, otherwise regenerates fresh. Skips the second Claude round-trip (~30s saved on the demoable path). - audit() helper writes auth.login, auth.logout, server.create, server.iterate, server.delete to audit_log with ip, metadata, resourceId. - GET /v1/me/org returns organization + members list for the settings page. - GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries. 2026-05-19 18:08:29 +02:00			`import { audit } from '../lib/audit.js';`
feat(api): Fastify control plane (auth, servers, WS build stream, OAuth 2.1 AS, JWKS) 2026-05-19 00:24:47 +02:00			`import { config } from '../config.js';`

			`const SESSION_COOKIE = 'bmm_session';`

			`export async function authRoutes(app: FastifyInstance): Promise<void> {`
			`app.post('/v1/auth/magic-link', async (req, reply) => {`
			`const Body = z.object({ email: z.string().email() });`
			`const parsed = Body.safeParse(req.body);`
			`if (!parsed.success) return reply.code(400).send({ error: 'invalid_email' });`
			`try {`
			`const { token, expiresAt } = await issueMagicLink(parsed.data.email);`
			const callbackUrl = `${config.NEXT_PUBLIC_APP_URL}/login/callback?token=${token}`;
			`// Dev transport: print to stdout. Production: send via Resend / SES.`
			app.log.info({ to: parsed.data.email, expiresAt }, `[magic-link] -> ${callbackUrl}`);
			console.log(`\n[magic-link] ${parsed.data.email} ->\n ${callbackUrl}\n`);
			`return reply.send({ ok: true });`
			`} catch (e) {`
			`app.log.error(e);`
			`return reply.code(400).send({ error: 'magic_link_failed' });`
			`}`
			`});`

			`app.post('/v1/auth/verify', async (req, reply) => {`
			`const Body = z.object({ token: z.string().min(10) });`
			`const parsed = Body.safeParse(req.body);`
			`if (!parsed.success) return reply.code(400).send({ error: 'invalid_token' });`
			`try {`
			`const session = await consumeMagicLink(parsed.data.token, {`
			`ipAddress: req.ip,`
			`userAgent: req.headers['user-agent'],`
			`});`
			`reply.setCookie(SESSION_COOKIE, session.sessionToken, {`
			`httpOnly: true,`
			`sameSite: 'lax',`
			`path: '/',`
			`secure: config.NODE_ENV === 'production',`
			`maxAge: 30 * 24 * 60 * 60,`
			`});`
feat(api,generator): preview endpoint + spec cache + audit-log writes - POST /v1/servers/preview runs Claude synchronously, validates output, caches spec in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets. - POST /v1/servers accepts optional previewId; worker reuses the cached spec if the entry is still present, otherwise regenerates fresh. Skips the second Claude round-trip (~30s saved on the demoable path). - audit() helper writes auth.login, auth.logout, server.create, server.iterate, server.delete to audit_log with ip, metadata, resourceId. - GET /v1/me/org returns organization + members list for the settings page. - GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries. 2026-05-19 18:08:29 +02:00			`await audit({`
			`orgId: session.orgId,`
			`userId: session.userId,`
			`action: 'auth.login',`
			`resourceType: 'session',`
			`metadata: { email: session.email },`
			`ipAddress: req.ip,`
			`});`
feat(api): Fastify control plane (auth, servers, WS build stream, OAuth 2.1 AS, JWKS) 2026-05-19 00:24:47 +02:00			`return reply.send({`
			`ok: true,`
			`user: { id: session.userId, email: session.email, orgId: session.orgId },`
			`});`
			`} catch (e) {`
			`app.log.warn({ err: e }, 'magic link verify failed');`
			`return reply.code(400).send({ error: 'invalid_or_expired_token' });`
			`}`
			`});`

			`app.get('/v1/auth/me', async (req, reply) => {`
			`const token = req.cookies[SESSION_COOKIE];`
			`const session = await getSession(token);`
			`if (!session) return reply.code(401).send({ error: 'unauthorized' });`
			`return reply.send({ user: session });`
			`});`

			`app.post('/v1/auth/logout', async (req, reply) => {`
			`const token = req.cookies[SESSION_COOKIE];`
feat(api,generator): preview endpoint + spec cache + audit-log writes - POST /v1/servers/preview runs Claude synchronously, validates output, caches spec in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets. - POST /v1/servers accepts optional previewId; worker reuses the cached spec if the entry is still present, otherwise regenerates fresh. Skips the second Claude round-trip (~30s saved on the demoable path). - audit() helper writes auth.login, auth.logout, server.create, server.iterate, server.delete to audit_log with ip, metadata, resourceId. - GET /v1/me/org returns organization + members list for the settings page. - GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries. 2026-05-19 18:08:29 +02:00			`const session = token ? await getSession(token) : null;`
feat(api): Fastify control plane (auth, servers, WS build stream, OAuth 2.1 AS, JWKS) 2026-05-19 00:24:47 +02:00			`if (token) await destroySession(token);`
			`reply.clearCookie(SESSION_COOKIE, { path: '/' });`
feat(api,generator): preview endpoint + spec cache + audit-log writes - POST /v1/servers/preview runs Claude synchronously, validates output, caches spec in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets. - POST /v1/servers accepts optional previewId; worker reuses the cached spec if the entry is still present, otherwise regenerates fresh. Skips the second Claude round-trip (~30s saved on the demoable path). - audit() helper writes auth.login, auth.logout, server.create, server.iterate, server.delete to audit_log with ip, metadata, resourceId. - GET /v1/me/org returns organization + members list for the settings page. - GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries. 2026-05-19 18:08:29 +02:00			`if (session) {`
			`await audit({`
			`orgId: session.orgId,`
			`userId: session.userId,`
			`action: 'auth.logout',`
			`resourceType: 'session',`
			`ipAddress: req.ip,`
			`});`
			`}`
feat(api): Fastify control plane (auth, servers, WS build stream, OAuth 2.1 AS, JWKS) 2026-05-19 00:24:47 +02:00			`return reply.send({ ok: true });`
			`});`
			`}`