Add admin-create registration + live email-verified flag
Registration now goes through POST /api/auth/register, which admin-creates the Kratos identity (unverified email, NO auto-sent code). Kratos self-service registration never returns the verification flow id, so the client could never submit the user's code to the right flow; admin creation lets the client own a single verification flow instead. Also surface the live Kratos verified flag and fix Apple audience + team IDs. - kratos.Client.CreateIdentity via admin API; ErrIdentityExists / ErrInvalidCredentials - AuthService.Register + AuthHandler.Register + public POST /api/auth/register/ - CurrentUser overrides stale user_profile.verified with the live Kratos flag; UserRepository.MarkVerified mirrors it back - configmap: additional_id_token_audiences allows the .dev bundle id_token - fix Apple/APNs team id V3PF3M6B6U -> X86BR9WTLD in .env.example + dev init Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
@@ -49,6 +49,28 @@ func noStore(c echo.Context) {
|
||||
c.Response().Header().Set("Cache-Control", "no-store")
|
||||
}
|
||||
|
||||
// Register handles POST /api/auth/register/ — creates a new password account.
|
||||
//
|
||||
// The identity is admin-created in Kratos with an unverified email and no
|
||||
// auto-sent code (see services.AuthService.Register). The client logs in right
|
||||
// after to get a session, then completes email verification. Returns 201 with
|
||||
// no token; 409 if the email is taken; 400 on a weak password.
|
||||
func (h *AuthHandler) Register(c echo.Context) error {
|
||||
var req requests.RegisterRequest
|
||||
if err := c.Bind(&req); err != nil {
|
||||
return apperrors.BadRequest("error.invalid_request_body")
|
||||
}
|
||||
if err := c.Validate(&req); err != nil {
|
||||
return c.JSON(http.StatusBadRequest, validator.FormatValidationErrors(err))
|
||||
}
|
||||
if err := h.authService.Register(c.Request().Context(), &req); err != nil {
|
||||
return err
|
||||
}
|
||||
return c.JSON(http.StatusCreated, map[string]string{
|
||||
"message": "Account created. Please verify your email.",
|
||||
})
|
||||
}
|
||||
|
||||
// CurrentUser handles GET /api/auth/me/
|
||||
func (h *AuthHandler) CurrentUser(c echo.Context) error {
|
||||
noStore(c)
|
||||
@@ -63,6 +85,25 @@ func (h *AuthHandler) CurrentUser(c echo.Context) error {
|
||||
return err
|
||||
}
|
||||
|
||||
// user_profile.verified is a one-time mirror set at provision time
|
||||
// (see middleware/kratos_auth.go::provision). Kratos remains the source
|
||||
// of truth for email-verification state — it can flip from false → true
|
||||
// the instant the user completes the verification flow, and nothing
|
||||
// updates the local column. Override the response with the live value
|
||||
// the Kratos auth middleware already stashed in context so /auth/me
|
||||
// reflects current reality. Also opportunistically sync the DB mirror
|
||||
// (best-effort, ignore error) so background queries that read the
|
||||
// column see the same answer.
|
||||
if verified, ok := c.Get(middleware.AuthVerifiedKey).(bool); ok {
|
||||
mirrorStale := response.Profile != nil && response.Profile.Verified != verified
|
||||
if response.Profile != nil {
|
||||
response.Profile.Verified = verified
|
||||
}
|
||||
if verified && mirrorStale {
|
||||
_ = h.authService.MarkUserVerified(c.Request().Context(), user.ID)
|
||||
}
|
||||
}
|
||||
|
||||
return c.JSON(http.StatusOK, response)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user