🛂 server: setup better auth

Author: nfmelendez

.changeset/rare-pears-sort.md

@@ -0,0 +1,5 @@
+---
+"@exactly/server": patch
+---
+
+🛂 setup better auth

docs/astro.config.ts

@@ -15,7 +15,7 @@ export default defineConfig({
           { base: "api", schema: "node_modules/@exactly/server/generated/openapi.json", sidebar: { collapsed: false } },
         ]),
       ],
-      sidebar: openAPISidebarGroups,
+      sidebar: [{ label: "Docs", items: ["index", "organization-authentication"] }, ...openAPISidebarGroups],
     }),
     mermaid(),
   ],

docs/src/content/docs/organization-authentication.md

@@ -0,0 +1,143 @@
+---
+title: Organizations, authentication and authorization
+sidebar:
+  label: Organizations and authentication
+  order: 10
+---
+
+Creating organizations is permission-less. Any user can create an organization and will be the owner.
+Then the owner can add members with admin role and those admins will be able to add more members with different roles.
+
+Better auth client and viem are the recommended libraries to use for authentication and signing using SIWE.
+
+## SIWE Authentication
+
+Example code to authenticate using SIWE, it will create the user if doesn't exist.
+Note: Check viem account to use a private key instead of a mnemonic.
+
+```typescript
+import { createAuthClient } from "better-auth/client";
+import { siweClient, organizationClient } from "better-auth/client/plugins";
+import { mnemonicToAccount } from "viem/accounts";
+import { optimismSepolia } from "viem/chains";
+import { createSiweMessage } from "viem/siwe";
+
+const chainId = optimismSepolia.id;
+
+const authClient = createAuthClient({
+  baseURL: "http://localhost:3000",
+  plugins: [siweClient(), organizationClient()],
+});
+
+const owner = mnemonicToAccount("test test test test test test test test test test test test");
+
+authClient.siwe
+  .nonce({
+    walletAddress: owner.address,
+    chainId,
+  })
+  .then(async ({ data: nonceResult }) => {
+    //can be any statement
+    const statement = "i accept exa terms and conditions";
+    const nonce = nonceResult?.nonce ?? "";
+    const message = createSiweMessage({
+      statement,
+      resources: ["https://exactly.github.io/exa"],
+      nonce,
+      uri: "https://localhost",
+      address: owner.address,
+      chainId,
+      scheme: "https",
+      version: "1",
+      domain: "localhost",
+    });
+    const signature = await owner.signMessage({ message });
+
+    await authClient.siwe.verify(
+      {
+        message,
+        signature,
+        walletAddress: owner.address,
+        chainId,
+      },
+      {
+        onSuccess: async (context) => {
+          // authentication successful, session cookie is now set
+        },
+        onError: (context) => {
+          console.log("authorization error", context);
+        },
+      },
+    );
+  }).catch((error: unknown) => {
+    console.error("nonce error", error);
+  });
+```
+
+## Creating an organization
+
+owner account will be the owner of the created organization
+
+```typescript
+const chainId = optimismSepolia.id;
+
+const authClient = createAuthClient({
+  baseURL: "http://localhost:3000",
+  plugins: [siweClient(), organizationClient()],
+});
+
+const owner = mnemonicToAccount("test test test test test test test test test test test siwe");
+
+authClient.siwe
+  .nonce({
+    walletAddress: owner.address,
+    chainId,
+  })
+  .then(async ({ data: nonceResult }) => {
+    const statement = `i accept exa terms and conditions`;
+    const nonce = nonceResult?.nonce ?? "";
+    const message = createSiweMessage({
+      statement,
+      resources: ["https://exactly.github.io/exa"],
+      nonce,
+      uri: `https://localhost`,
+      address: owner.address,
+      chainId,
+      scheme: "https",
+      version: "1",
+      domain: "localhost",
+    });
+    const signature = await owner.signMessage({ message });
+
+    await authClient.siwe.verify(
+      {
+        message,
+        signature,
+        walletAddress: owner.address,
+        chainId,
+      },
+      {
+        onSuccess: async (context) => {
+          const headers = new Headers();
+          headers.set("cookie", context.response.headers.get("set-cookie") ?? "");
+          const createOrganizationResult = await authClient.organization.create({
+            fetchOptions: { headers },
+            name: "Uphold",
+            slug: "uphold",
+            keepCurrentActiveOrganization: false,
+          });
+          if (createOrganizationResult.data) {
+            console.log(`organization created id: ${createOrganizationResult.data.id}`);
+          } else {
+            console.error("Failed to create organization error:", createOrganizationResult.error);
+          }
+        },
+        onError: (context) => {
+          console.log("authorization error", context);
+        },
+      },
+    );
+  }).catch((error: unknown) => {
+    console.error("nonce error", error);
+  });
+  ```

server/api/index.ts

@@ -11,6 +11,7 @@ import passkey from "./passkey";
 import pax from "./pax";
 import ramp from "./ramp";
 import appOrigin from "../utils/appOrigin";
+import auth from "../utils/auth";
 
 const api = new Hono()
   .use(cors({ origin: [appOrigin, "http://localhost:8081"], credentials: true, exposeHeaders: ["X-Session-Id"] }))
@@ -26,7 +27,8 @@ const api = new Hono()
   .route("/kyc", kyc)
   .route("/passkey", passkey) // eslint-disable-line @typescript-eslint/no-deprecated -- // TODO remove
   .route("/pax", pax)
-  .route("/ramp", ramp);
+  .route("/ramp", ramp)
+  .on(["POST", "GET"], "/auth/*", (c) => auth.handler(c.req.raw));
 
 export default api;
 export type ExaAPI = typeof api;

server/database/index.ts

@@ -1,10 +1,27 @@
+import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { drizzle } from "drizzle-orm/node-postgres";
 import { env } from "node:process";
 
 import * as schema from "./schema";
 
 if (!env.POSTGRES_URL) throw new Error("missing postgres url");
 
-export default drizzle(env.POSTGRES_URL, { schema });
+const database = drizzle(env.POSTGRES_URL, { schema });
+
+export default database;
 
 export * from "./schema";
+
+export const authAdapter = drizzleAdapter(database, {
+  provider: "pg",
+  schema: {
+    user: schema.users,
+    session: schema.sessions,
+    account: schema.authenticators,
+    verification: schema.verifications,
+    walletAddress: schema.walletAddresses,
+    organization: schema.organizations,
+    member: schema.members,
+    invitation: schema.invitations,
+  },
+});

server/index.ts

@@ -26,9 +26,7 @@ import type { UnofficialStatusCode } from "hono/utils/http-status";
 
 const app = new Hono();
 app.use(trimTrailingSlash());
-
 app.route("/api", api);
-
 app.route("/hooks/activity", activityHook);
 app.route("/hooks/block", block);
 app.route("/hooks/bridge", bridge);

server/middleware/auth.ts

@@ -1,14 +1,22 @@
 import { getSignedCookie } from "hono/cookie";
 import { createMiddleware } from "hono/factory";
 
+import betterAuth from "../utils/auth";
 import authSecret from "../utils/authSecret";
 
 import type { BlankInput, Env, Input } from "hono/types";
 
 export default function auth<E extends Env = Env, P extends string = string, I extends Input = BlankInput>() {
   return createMiddleware<E, P, I & { out: { cookie: { credentialId: string } } }>(async (c, next) => {
     const credentialId = await getSignedCookie(c, authSecret, "credential_id");
-    if (!credentialId) return c.json({ code: "unauthorized", legacy: "unauthorized" }, 401);
+    if (!credentialId) {
+      const session = await betterAuth.api.getSession({ headers: c.req.raw.headers });
+      if (session) {
+        await next();
+        return;
+      }
+      return c.json({ code: "unauthorized", legacy: "unauthorized" }, 401);
+    }
     c.req.addValidatedData("cookie", { credentialId });
     await next();
   });

server/script/openapi.ts

@@ -1,12 +1,12 @@
 import { generateSpecs } from "hono-openapi";
 import { writeFile } from "node:fs/promises";
-import { padHex } from "viem";
+import { padHex, zeroHash } from "viem";
 
 import { version } from "../package.json";
 
 process.env.ALCHEMY_ACTIVITY_ID = "activity";
 process.env.ALCHEMY_WEBHOOKS_KEY = "webhooks";
-process.env.AUTH_SECRET = "auth";
+process.env.AUTH_SECRET = zeroHash;
 process.env.BRIDGE_API_KEY = "bridge";
 process.env.BRIDGE_API_URL = "https://bridge.test";
 process.env.EXPO_PUBLIC_ALCHEMY_API_KEY = " ";
@@ -47,6 +47,7 @@ import("../api")
               in: "cookie",
               name: "credential_id",
             },
+            siweAuth: { type: "apiKey", in: "cookie", name: "__Secure-better-auth.session_token" },
           },
         },
       },

server/utils/auth.ts

@@ -0,0 +1,67 @@
+import { captureException } from "@sentry/core";
+import { betterAuth } from "better-auth";
+import { organization, siwe } from "better-auth/plugins";
+import { createAccessControl } from "better-auth/plugins/access";
+import { adminAc, defaultStatements, memberAc, ownerAc } from "better-auth/plugins/organization/access";
+import { safeParse } from "valibot";
+import { verifyMessage } from "viem";
+import { generateSiweNonce } from "viem/siwe";
+
+import domain from "@exactly/common/domain";
+import chain from "@exactly/common/generated/chain";
+import { Address, Hex } from "@exactly/common/validation";
+
+import appOrigin from "./appOrigin";
+import authSecret from "./authSecret";
+import { authAdapter } from "../database/index";
+const ac = createAccessControl({
+  ...defaultStatements,
+});
+
+export default betterAuth({
+  database: authAdapter,
+  baseURL: appOrigin,
+  trustedOrigins: [appOrigin],
+  secret: authSecret,
+  user: { changeEmail: { enabled: true } },
+  plugins: [
+    siwe({
+      domain,
+      emailDomainName: domain === "localhost" ? "localhost.com" : domain,
+      anonymous: true,
+      getNonce: () => Promise.resolve(generateSiweNonce()),
+      verifyMessage: async ({ message, signature, address, chainId }) => {
+        if (chainId !== chain.id) return false;
+
+        const parsedAddress = safeParse(Address, address);
+        const parsedSignature = safeParse(Hex, signature);
+        if (!parsedAddress.success || !parsedSignature.success) return false;
+        try {
+          return await verifyMessage({
+            address: parsedAddress.output,
+            message,
+            signature: parsedSignature.output,
+          });
+        } catch (error) {
+          captureException(error, { level: "error" });
+          return false;
+        }
+      },
+    }),
+    organization({
+      ac,
+      roles: {
+        admin: ac.newRole({
+          ...adminAc.statements,
+        }),
+        owner: ac.newRole({
+          ...ownerAc.statements,
+        }),
+        member: ac.newRole({
+          ...memberAc.statements,
+        }),
+      },
+      allowUserToCreateOrganization: () => true,
+    }),
+  ],
+});