feat(auth): replace hand-rolled auth with Ory Kratos — phase 2 backend
Delegates all credential management (login, register, password reset, email verification, social sign-in) to Ory Kratos. The Go API now acts as a resource server: the new KratosAuth middleware validates sessions against the Kratos whoami endpoint, writes the local User mirror into Echo context, and all existing domain handlers continue working unchanged.

Hand-rolled token auth, AuthToken model, apple_auth/google_auth services, and the auth refresh flow are removed. Tests are updated to use the fake-token middleware pattern so existing integration assertions require no rewrite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -190,6 +190,27 @@ func shouldSkipSpecRoute(path string) bool {
if strings.HasPrefix(path, "/uploads/") || strings.HasPrefix(path, "/media/") {
return true
}

// Auth routes delegated to Ory Kratos (phase 2 auth refactor).
// These endpoints are no longer served by the Go API; the spec is retained
// as documentation of the Kratos-facing contract.
kratosRoutes := map[string]bool{
"/auth/login/": true,
"/auth/register/": true,
"/auth/logout/": true,
"/auth/refresh/": true,
"/auth/forgot-password/": true,
"/auth/verify-reset-code/": true,
"/auth/reset-password/": true,
"/auth/verify-email/": true,
"/auth/resend-verification/": true,
"/auth/apple-sign-in/": true,
"/auth/google-sign-in/": true,
}
if kratosRoutes[path] {
return true
}

return false
}
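Review bot: the kratosRoutes map literal is rebuilt on every shouldSkipSpecRoute call, and the comment above it does not match its contents: "/auth/refresh/" is described as "delegated to Ory Kratos" while the commit message says the refresh flow is removed rather than delegated. Hoist the map to a package-level `var kratosRoutes = map[string]bool{...}` and split the comment into paths Kratos now serves versus paths that were dropped outright, so anyone reading the skip list knows which of these should still resolve somewhere. Since the whole justification for skipping spec checks here is that the Go API no longer registers these paths, the accompanying route/spec test should also assert that none of the listed paths map to a handler; as written, a leftover handler on "/auth/login/" would silently escape spec validation instead of failing the test.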