BetterFrame/server/src/plugins/service-admin-http/middleware.ts

/**
 * Auth & setup gate middleware for admin-http.
 */
import { type H3, getCookie, getRequestPath } from "h3";
import type { AdminDeps } from "./index.js";
import type { User, Session } from "../../shared/types.js";

declare module "h3" {
  interface H3EventContext {
    user?: User;
    session?: Session;
  }
}

export function registerMiddleware(app: H3, deps: AdminDeps): void {
  app.use((event) => {
    const path = getRequestPath(event);

    if (
      path === "/setup" ||
      path.startsWith("/static/") ||
      path === "/healthz" ||
      path === "/readyz" ||
      path === "/version" ||
      path === "/"
    ) {
      return;
    }

    if (!deps.repo.isSetupComplete()) {
      if (!path.startsWith("/auth/")) {
        return new Response(null, { status: 302, headers: { location: "/setup" } });
      }
    }

    if (path.startsWith("/auth/")) {
      return;
    }

    if (path.startsWith("/admin") || path.startsWith("/api/admin")) {
      const cookie = getCookie(event, deps.cookieName);
      if (!cookie) {
        return new Response(null, { status: 302, headers: { location: "/auth/login" } });
      }
      const resolved = deps.auth.resolveSession(cookie);
      if (!resolved) {
        return new Response(null, { status: 302, headers: { location: "/auth/login" } });
      }
      if (resolved.session.totp_pending) {
        return new Response(null, { status: 302, headers: { location: "/auth/totp" } });
      }
      event.context.user = resolved.user;
      event.context.session = resolved.session;
      return;
    }
  });
}
adding initial project 2026-05-09 23:09:13 +00:00			`/**`
			`* Auth & setup gate middleware for admin-http.`
			`*/`
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`import { type H3, getCookie, getRequestPath } from "h3";`
adding initial project 2026-05-09 23:09:13 +00:00			`import type { AdminDeps } from "./index.js";`
			`import type { User, Session } from "../../shared/types.js";`

			`declare module "h3" {`
			`interface H3EventContext {`
			`user?: User;`
			`session?: Session;`
			`}`
			`}`

			`export function registerMiddleware(app: H3, deps: AdminDeps): void {`
			`app.use((event) => {`
			`const path = getRequestPath(event);`

			`if (`
			`path === "/setup" \|\|`
			`path.startsWith("/static/") \|\|`
			`path === "/healthz" \|\|`
			`path === "/readyz" \|\|`
			`path === "/version" \|\|`
			`path === "/"`
			`) {`
			`return;`
			`}`

refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`if (!deps.repo.isSetupComplete()) {`
adding initial project 2026-05-09 23:09:13 +00:00			`if (!path.startsWith("/auth/")) {`
			`return new Response(null, { status: 302, headers: { location: "/setup" } });`
			`}`
			`}`

			`if (path.startsWith("/auth/")) {`
			`return;`
			`}`

			`if (path.startsWith("/admin") \|\| path.startsWith("/api/admin")) {`
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`const cookie = getCookie(event, deps.cookieName);`
			`if (!cookie) {`
			`return new Response(null, { status: 302, headers: { location: "/auth/login" } });`
			`}`
			`const resolved = deps.auth.resolveSession(cookie);`
adding initial project 2026-05-09 23:09:13 +00:00			`if (!resolved) {`
			`return new Response(null, { status: 302, headers: { location: "/auth/login" } });`
			`}`
			`if (resolved.session.totp_pending) {`
			`return new Response(null, { status: 302, headers: { location: "/auth/totp" } });`
			`}`
			`event.context.user = resolved.user;`
			`event.context.session = resolved.session;`
			`return;`
			`}`
			`});`
			`}`