Add admin-create registration + live email-verified flag

Registration now goes through POST /api/auth/register, which admin-creates the
Kratos identity (unverified email, NO auto-sent code). Kratos self-service
registration never returns the verification flow id, so the client could never
submit the user's code to the right flow; admin creation lets the client own a
single verification flow instead. Also surface the live Kratos verified flag
and fix Apple audience + team IDs.

- kratos.Client.CreateIdentity via admin API; ErrIdentityExists / ErrInvalidCredentials
- AuthService.Register + AuthHandler.Register + public POST /api/auth/register/
- CurrentUser overrides stale user_profile.verified with the live Kratos flag;
  UserRepository.MarkVerified mirrors it back
- configmap: additional_id_token_audiences allows the .dev bundle id_token
- fix Apple/APNs team id V3PF3M6B6U -> X86BR9WTLD in .env.example + dev init

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Trey t
2026-06-03 17:46:30 -05:00
parent 7b87f2e392
commit 81e454d86d
9 changed files with 223 additions and 9 deletions
+7 -5
@@ -24,8 +24,10 @@ const (
AuthUserKey = "auth_user"
// AuthTokenKey stores the raw session credential in the echo context.
AuthTokenKey = "auth_token"
// authVerifiedKey stores the Kratos email-verified flag in the context.
authVerifiedKey = "auth_email_verified"
// AuthVerifiedKey stores the Kratos email-verified flag in the context.
// Handlers can read this to override stale local mirrors like
// user_profile.verified with the live Kratos truth.
AuthVerifiedKey = "auth_email_verified"
// UserCacheTTL / UserCacheMaxSize bound the in-memory local-user cache.
UserCacheTTL = 5 * time.Minute
@@ -76,7 +78,7 @@ func (m *KratosAuth) Authenticate() echo.MiddlewareFunc {
}
c.Set(AuthUserKey, user)
c.Set(AuthTokenKey, cred)
c.Set(authVerifiedKey, verified)
c.Set(AuthVerifiedKey, verified)
return next(c)
}
}
@@ -90,7 +92,7 @@ func (m *KratosAuth) OptionalAuthenticate() echo.MiddlewareFunc {
if user, verified, cred, err := m.resolve(c); err == nil {
c.Set(AuthUserKey, user)
c.Set(AuthTokenKey, cred)
c.Set(authVerifiedKey, verified)
c.Set(AuthVerifiedKey, verified)
}
return next(c)
}
@@ -105,7 +107,7 @@ func (m *KratosAuth) RequireVerified() echo.MiddlewareFunc {
if GetAuthUser(c) == nil {
return apperrors.Unauthorized("error.not_authenticated")
}
if verified, _ := c.Get(authVerifiedKey).(bool); !verified {
if verified, _ := c.Get(AuthVerifiedKey).(bool); !verified {
return apperrors.Forbidden("error.email_not_verified")
}
return next(c)
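Review bot: Exporting the raw context key `AuthVerifiedKey` in the const block means every handler that wants the flag has to repeat the type assertion on a value that drives an authorization decision. On routes behind OptionalAuthenticate the key is never set for anonymous requests, so a handler that writes the single-value form `c.Get(AuthVerifiedKey).(bool)` would panic instead of reading as unverified. I would keep the key unexported and add an accessor beside GetAuthUser, `func GetAuthVerified(c echo.Context) bool { v, _ := c.Get(authVerifiedKey).(bool); return v }`, and have RequireVerified call it so a missing or mistyped value fails closed in one place. The middleware bodies begin outside the hunks shown, so it is not visible whether `resolve` returns a live flag or one served from the user cache bounded by `UserCacheTTL`; the new comment's "live Kratos truth" is worth confirming against that.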