feat(auth): replace hand-rolled auth with Ory Kratos — phase 2 backend

Delegates all credential management (login, register, password reset, email verification, social sign-in) to Ory Kratos. The Go API now acts as a resource server: the new KratosAuth middleware validates sessions against the Kratos whoami endpoint, writes the local User mirror into Echo context, and all existing domain handlers continue working unchanged. Hand-rolled token auth, AuthToken model, apple_auth/ google_auth services, and the auth refresh flow are removed. Tests are updated to use the fake-token middleware pattern so existing integration assertions require no rewrite. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 17:55:56 -05:00
parent b66151ddd9
commit 81578f6e27
36 changed files with 927 additions and 7002 deletions
@@ -19,7 +19,6 @@ func TestUserRepository_Create(t *testing.T) {
 		Email:    "test@example.com",
 		IsActive: true,
 	}
-	user.SetPassword("Password123")

 	err := repo.Create(user)
 	require.NoError(t, err)
@@ -192,39 +191,11 @@ func TestUserRepository_FindAuthProvider(t *testing.T) {
 	db := testutil.SetupTestDB(t)
 	repo := NewUserRepository(db)

-	t.Run("email user", func(t *testing.T) {
+	t.Run("kratos user", func(t *testing.T) {
 		user := testutil.CreateTestUser(t, db, "emailuser", "email@test.com", "Password123")
 		provider, err := repo.FindAuthProvider(user.ID)
 		require.NoError(t, err)
-		assert.Equal(t, "email", provider)
-	})
-
-	t.Run("apple user", func(t *testing.T) {
-		user := testutil.CreateTestUser(t, db, "appleuser", "apple@test.com", "Password123")
-		appleAuth := &models.AppleSocialAuth{
-			UserID:  user.ID,
-			AppleID: "apple_sub_test",
-			Email:   "apple@test.com",
-		}
-		require.NoError(t, db.Create(appleAuth).Error)
-
-		provider, err := repo.FindAuthProvider(user.ID)
-		require.NoError(t, err)
-		assert.Equal(t, "apple", provider)
-	})
-
-	t.Run("google user", func(t *testing.T) {
-		user := testutil.CreateTestUser(t, db, "googleuser", "google@test.com", "Password123")
-		googleAuth := &models.GoogleSocialAuth{
-			UserID:   user.ID,
-			GoogleID: "google_sub_test",
-			Email:    "google@test.com",
-		}
-		require.NoError(t, db.Create(googleAuth).Error)
-
-		provider, err := repo.FindAuthProvider(user.ID)
-		require.NoError(t, err)
-		assert.Equal(t, "google", provider)
+		assert.Equal(t, "kratos", provider) // All users are Kratos-managed
 	})
 }

@@ -235,11 +206,9 @@ func TestUserRepository_DeleteUserCascade(t *testing.T) {

 		user := testutil.CreateTestUser(t, db, "deletebare", "deletebare@test.com", "Password123")

-		// Create profile and token
+		// Create profile
 		profile := &models.UserProfile{UserID: user.ID, Verified: true}
 		require.NoError(t, db.Create(profile).Error)
-		_, err := models.GetOrCreateToken(db, user.ID)
-		require.NoError(t, err)

 		var fileURLs []string
 		txErr := repo.Transaction(func(txRepo *UserRepository) error {
@@ -261,10 +230,6 @@ func TestUserRepository_DeleteUserCascade(t *testing.T) {
 		// Verify profile is gone
 		db.Model(&models.UserProfile{}).Where("user_id = ?", user.ID).Count(&count)
 		assert.Equal(t, int64(0), count)
-
-		// Verify token is gone
-		db.Model(&models.AuthToken{}).Where("user_id = ?", user.ID).Count(&count)
-		assert.Equal(t, int64(0), count)
 	})

 	t.Run("returns file URLs for cleanup", func(t *testing.T) {