feat(auth): replace hand-rolled auth with Ory Kratos — phase 2 backend

Delegates all credential management (login, register, password reset, email verification, social sign-in) to Ory Kratos. The Go API now acts as a resource server: the new KratosAuth middleware validates sessions against the Kratos whoami endpoint, writes the local User mirror into Echo context, and all existing domain handlers continue working unchanged. Hand-rolled token auth, AuthToken model, apple_auth/ google_auth services, and the auth refresh flow are removed. Tests are updated to use the fake-token middleware pattern so existing integration assertions require no rewrite. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 17:55:56 -05:00
parent b66151ddd9
commit 81578f6e27
36 changed files with 927 additions and 7002 deletions
@@ -11,18 +11,21 @@ import (
 	"github.com/treytartt/honeydue-api/internal/models"
 )

+// FindByKratosID finds a user by Kratos identity UUID.
+func (r *UserRepository) FindByKratosID(kratosID string) (*models.User, error) {
+	var user models.User
+	if err := r.db.Where("kratos_id = ?", kratosID).First(&user).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, err
+	}
+	return &user, nil
+}
+
 var (
-	ErrUserNotFound       = errors.New("user not found")
-	ErrUserExists         = errors.New("user already exists")
-	ErrInvalidToken       = errors.New("invalid token")
-	ErrTokenNotFound      = errors.New("token not found")
-	ErrCodeNotFound       = errors.New("code not found")
-	ErrCodeExpired        = errors.New("code expired")
-	ErrCodeUsed           = errors.New("code already used")
-	ErrTooManyAttempts    = errors.New("too many attempts")
-	ErrRateLimitExceeded  = errors.New("rate limit exceeded")
-	ErrAppleAuthNotFound  = errors.New("apple social auth not found")
-	ErrGoogleAuthNotFound = errors.New("google social auth not found")
+	ErrUserNotFound = errors.New("user not found")
+	ErrUserExists   = errors.New("user already exists")
 )

 // UserRepository handles user-related database operations
@@ -145,111 +148,6 @@ func (r *UserRepository) ExistsByEmail(email string) (bool, error) {
 	return count > 0, nil
 }

-// --- Auth Token Methods ---
-
-// GetOrCreateToken gets or creates an auth token for a user.
-// Wrapped in a transaction to prevent race conditions where two
-// concurrent requests could create duplicate tokens for the same user.
-func (r *UserRepository) GetOrCreateToken(userID uint) (*models.AuthToken, error) {
-	var token models.AuthToken
-
-	err := r.db.Transaction(func(tx *gorm.DB) error {
-		result := tx.Where("user_id = ?", userID).First(&token)
-
-		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
-			token = models.AuthToken{UserID: userID}
-			if err := tx.Create(&token).Error; err != nil {
-				return err
-			}
-		} else if result.Error != nil {
-			return result.Error
-		}
-
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	return &token, nil
-}
-
-// FindTokenByKey looks up an auth token by its raw key value. The raw token
-// is hashed (audit C1) before the indexed lookup, since only the hash is
-// stored.
-func (r *UserRepository) FindTokenByKey(rawKey string) (*models.AuthToken, error) {
-	var token models.AuthToken
-	if err := r.db.Where("key = ?", models.HashToken(rawKey)).First(&token).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, ErrTokenNotFound
-		}
-		return nil, err
-	}
-	return &token, nil
-}
-
-// CreateToken creates a new auth token for a user.
-func (r *UserRepository) CreateToken(userID uint) (*models.AuthToken, error) {
-	token := models.AuthToken{UserID: userID}
-	if err := r.db.Create(&token).Error; err != nil {
-		return nil, err
-	}
-	return &token, nil
-}
-
-// CreateFreshToken issues a new auth token for the user, replacing any
-// existing one. Because tokens are stored hashed (audit C1) the server
-// cannot re-issue a previously-minted token's plaintext, so every login
-// mints a fresh token. The returned token's Plaintext field carries the
-// raw value to hand to the client; it is never persisted.
-//
-// It also returns the stored hashes of the token rows it deleted, so the
-// caller can evict those entries from the Redis token cache (audit MEDIUM-1).
-// Without that, a prior (e.g. stolen) token keeps authenticating via a cache
-// hit for up to the cache TTL even though its DB row is gone.
-func (r *UserRepository) CreateFreshToken(userID uint) (*models.AuthToken, []string, error) {
-	var token models.AuthToken
-	var oldHashes []string
-	err := r.db.Transaction(func(tx *gorm.DB) error {
-		var old []models.AuthToken
-		if err := tx.Where("user_id = ?", userID).Find(&old).Error; err != nil {
-			return err
-		}
-		oldHashes = make([]string, 0, len(old))
-		for i := range old {
-			if old[i].Key != "" {
-				oldHashes = append(oldHashes, old[i].Key)
-			}
-		}
-		if err := tx.Where("user_id = ?", userID).Delete(&models.AuthToken{}).Error; err != nil {
-			return err
-		}
-		token = models.AuthToken{UserID: userID}
-		return tx.Create(&token).Error
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-	return &token, oldHashes, nil
-}
-
-// DeleteToken deletes an auth token by its raw key value. The raw token is
-// hashed (audit C1) before the lookup, since only the hash is stored.
-func (r *UserRepository) DeleteToken(token string) error {
-	result := r.db.Where("key = ?", models.HashToken(token)).Delete(&models.AuthToken{})
-	if result.Error != nil {
-		return result.Error
-	}
-	if result.RowsAffected == 0 {
-		return ErrTokenNotFound
-	}
-	return nil
-}
-
-// DeleteTokenByUserID deletes an auth token by user ID
-func (r *UserRepository) DeleteTokenByUserID(userID uint) error {
-	return r.db.Where("user_id = ?", userID).Delete(&models.AuthToken{}).Error
-}

 // --- User Profile Methods ---

@@ -280,146 +178,6 @@ func (r *UserRepository) SetProfileVerified(userID uint, verified bool) error {
 	return r.db.Model(&models.UserProfile{}).Where("user_id = ?", userID).Update("verified", verified).Error
 }

-// --- Confirmation Code Methods ---
-
-// CreateConfirmationCode creates a new confirmation code
-func (r *UserRepository) CreateConfirmationCode(userID uint, code string, expiresAt time.Time) (*models.ConfirmationCode, error) {
-	// Invalidate any existing unused codes for this user
-	r.db.Model(&models.ConfirmationCode{}).
-		Where("user_id = ? AND is_used = ?", userID, false).
-		Update("is_used", true)
-
-	confirmCode := &models.ConfirmationCode{
-		UserID:    userID,
-		Code:      code,
-		ExpiresAt: expiresAt,
-		IsUsed:    false,
-	}
-
-	if err := r.db.Create(confirmCode).Error; err != nil {
-		return nil, err
-	}
-
-	return confirmCode, nil
-}
-
-// FindConfirmationCode finds a valid confirmation code for a user
-func (r *UserRepository) FindConfirmationCode(userID uint, code string) (*models.ConfirmationCode, error) {
-	var confirmCode models.ConfirmationCode
-	if err := r.db.Where("user_id = ? AND code = ? AND is_used = ?", userID, code, false).
-		First(&confirmCode).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, ErrCodeNotFound
-		}
-		return nil, err
-	}
-
-	if !confirmCode.IsValid() {
-		if confirmCode.IsUsed {
-			return nil, ErrCodeUsed
-		}
-		return nil, ErrCodeExpired
-	}
-
-	return &confirmCode, nil
-}
-
-// MarkConfirmationCodeUsed marks a confirmation code as used
-func (r *UserRepository) MarkConfirmationCodeUsed(codeID uint) error {
-	return r.db.Model(&models.ConfirmationCode{}).Where("id = ?", codeID).Update("is_used", true).Error
-}
-
-// --- Password Reset Code Methods ---
-
-// CreatePasswordResetCode creates a new password reset code
-func (r *UserRepository) CreatePasswordResetCode(userID uint, codeHash string, resetToken string, expiresAt time.Time) (*models.PasswordResetCode, error) {
-	// Invalidate any existing unused codes for this user
-	r.db.Model(&models.PasswordResetCode{}).
-		Where("user_id = ? AND used = ?", userID, false).
-		Update("used", true)
-
-	resetCode := &models.PasswordResetCode{
-		UserID:      userID,
-		CodeHash:    codeHash,
-		ResetToken:  resetToken,
-		ExpiresAt:   expiresAt,
-		Used:        false,
-		Attempts:    0,
-		MaxAttempts: 5,
-	}
-
-	if err := r.db.Create(resetCode).Error; err != nil {
-		return nil, err
-	}
-
-	return resetCode, nil
-}
-
-// FindPasswordResetCode finds a password reset code by email and checks validity
-func (r *UserRepository) FindPasswordResetCodeByEmail(email string) (*models.PasswordResetCode, *models.User, error) {
-	user, err := r.FindByEmail(email)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	var resetCode models.PasswordResetCode
-	if err := r.db.Where("user_id = ? AND used = ?", user.ID, false).
-		Order("created_at DESC").
-		First(&resetCode).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, nil, ErrCodeNotFound
-		}
-		return nil, nil, err
-	}
-
-	return &resetCode, user, nil
-}
-
-// FindPasswordResetCodeByToken finds a password reset code by reset token
-func (r *UserRepository) FindPasswordResetCodeByToken(resetToken string) (*models.PasswordResetCode, error) {
-	var resetCode models.PasswordResetCode
-	if err := r.db.Where("reset_token = ?", resetToken).First(&resetCode).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, ErrCodeNotFound
-		}
-		return nil, err
-	}
-
-	if !resetCode.IsValid() {
-		if resetCode.Used {
-			return nil, ErrCodeUsed
-		}
-		if resetCode.Attempts >= resetCode.MaxAttempts {
-			return nil, ErrTooManyAttempts
-		}
-		return nil, ErrCodeExpired
-	}
-
-	return &resetCode, nil
-}
-
-// IncrementResetCodeAttempts increments the attempt counter
-func (r *UserRepository) IncrementResetCodeAttempts(codeID uint) error {
-	return r.db.Model(&models.PasswordResetCode{}).Where("id = ?", codeID).
-		Update("attempts", gorm.Expr("attempts + 1")).Error
-}
-
-// MarkPasswordResetCodeUsed marks a password reset code as used
-func (r *UserRepository) MarkPasswordResetCodeUsed(codeID uint) error {
-	return r.db.Model(&models.PasswordResetCode{}).Where("id = ?", codeID).Update("used", true).Error
-}
-
-// CountRecentPasswordResetRequests counts reset requests in the last hour
-func (r *UserRepository) CountRecentPasswordResetRequests(userID uint) (int64, error) {
-	var count int64
-	oneHourAgo := time.Now().UTC().Add(-1 * time.Hour)
-	if err := r.db.Model(&models.PasswordResetCode{}).
-		Where("user_id = ? AND created_at > ?", userID, oneHourAgo).
-		Count(&count).Error; err != nil {
-		return 0, err
-	}
-	return count, nil
-}

 // --- Search Methods ---

@@ -576,27 +334,11 @@ func (r *UserRepository) FindProfilesInSharedResidences(userID uint) ([]models.U
 	return profiles, err
 }

-// --- Auth Provider Detection ---
-
-// FindAuthProvider determines the auth provider for a user.
-// Returns "apple", "google", or "email".
-func (r *UserRepository) FindAuthProvider(userID uint) (string, error) {
-	var count int64
-	if err := r.db.Model(&models.AppleSocialAuth{}).Where("user_id = ?", userID).Count(&count).Error; err != nil {
-		return "", err
-	}
-	if count > 0 {
-		return "apple", nil
-	}
-
-	if err := r.db.Model(&models.GoogleSocialAuth{}).Where("user_id = ?", userID).Count(&count).Error; err != nil {
-		return "", err
-	}
-	if count > 0 {
-		return "google", nil
-	}
-
-	return "email", nil
+// FindAuthProvider returns "kratos" for all Kratos-managed users (the sole
+// provider after the Ory Kratos migration). Kept for compatibility with
+// callers that still check the provider string.
+func (r *UserRepository) FindAuthProvider(_ uint) (string, error) {
+	return "kratos", nil
 }

 // --- Account Deletion ---
@@ -721,35 +463,12 @@ func (r *UserRepository) DeleteUserCascade(userID uint) ([]string, error) {
 		return nil, err
 	}

-	// 8. Social auth records
-	if err := db.Where("user_id = ?", userID).Delete(&models.AppleSocialAuth{}).Error; err != nil {
-		return nil, err
-	}
-	if err := db.Where("user_id = ?", userID).Delete(&models.GoogleSocialAuth{}).Error; err != nil {
-		return nil, err
-	}
-
-	// 9. Confirmation codes
-	if err := db.Where("user_id = ?", userID).Delete(&models.ConfirmationCode{}).Error; err != nil {
-		return nil, err
-	}
-
-	// 10. Password reset codes
-	if err := db.Where("user_id = ?", userID).Delete(&models.PasswordResetCode{}).Error; err != nil {
-		return nil, err
-	}
-
-	// 11. Auth tokens
-	if err := db.Where("user_id = ?", userID).Delete(&models.AuthToken{}).Error; err != nil {
-		return nil, err
-	}
-
-	// 12. User profile
+	// 8. User profile
 	if err := db.Where("user_id = ?", userID).Delete(&models.UserProfile{}).Error; err != nil {
 		return nil, err
 	}

-	// 13. User
+	// 9. User
 	if err := db.Where("id = ?", userID).Delete(&models.User{}).Error; err != nil {
 		return nil, err
 	}
@@ -765,53 +484,6 @@ func (r *UserRepository) DeleteUserCascade(userID uint) ([]string, error) {
 	return cleanURLs, nil
 }

-// --- Apple Social Auth Methods ---
-
-// FindByAppleID finds an Apple social auth by Apple ID
-func (r *UserRepository) FindByAppleID(appleID string) (*models.AppleSocialAuth, error) {
-	var auth models.AppleSocialAuth
-	if err := r.db.Where("apple_id = ?", appleID).First(&auth).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, ErrAppleAuthNotFound
-		}
-		return nil, err
-	}
-	return &auth, nil
-}
-
-// CreateAppleSocialAuth creates a new Apple social auth record
-func (r *UserRepository) CreateAppleSocialAuth(auth *models.AppleSocialAuth) error {
-	return r.db.Create(auth).Error
-}
-
-// UpdateAppleSocialAuth updates an Apple social auth record
-func (r *UserRepository) UpdateAppleSocialAuth(auth *models.AppleSocialAuth) error {
-	return r.db.Save(auth).Error
-}
-
-// --- Google Social Auth Methods ---
-
-// FindByGoogleID finds a Google social auth by Google ID
-func (r *UserRepository) FindByGoogleID(googleID string) (*models.GoogleSocialAuth, error) {
-	var auth models.GoogleSocialAuth
-	if err := r.db.Where("google_id = ?", googleID).First(&auth).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, ErrGoogleAuthNotFound
-		}
-		return nil, err
-	}
-	return &auth, nil
-}
-
-// CreateGoogleSocialAuth creates a new Google social auth record
-func (r *UserRepository) CreateGoogleSocialAuth(auth *models.GoogleSocialAuth) error {
-	return r.db.Create(auth).Error
-}
-
-// UpdateGoogleSocialAuth updates a Google social auth record
-func (r *UserRepository) UpdateGoogleSocialAuth(auth *models.GoogleSocialAuth) error {
-	return r.db.Save(auth).Error
-}

 // WithContext returns a copy of the repository whose underlying *gorm.DB carries
 // the supplied context. SQL emitted via this copy gets attached to ctx's trace span