
Feat/auth #183

Open
taterhead247 wants to merge 38 commits into dev from feat/auth

Conversation

taterhead247 (Contributor) commented Mar 16, 2026

This pull request introduces the initial setup for the new apps/auth OAuth server, including build, deployment, and documentation updates. The most important changes are the addition of a production-ready Dockerfile, a GitHub Actions deployment workflow, new scripts and configs for managing OAuth clients, and updates to documentation reflecting the migration from auth-sdk to sso.

Infrastructure and Deployment

  • Added .github/workflows/deploy-auth.yml workflow to automate CI gating, image building, and deployment to both staging and production environments using Google Cloud Run.
  • Introduced a multi-stage Dockerfile (apps/auth/Dockerfile) for efficient, secure builds and production deployment of the Next.js OAuth server.

App Configuration and Setup

  • Added apps/auth/package.json with all dependencies, scripts, and workspace settings for the OAuth server.
  • Added apps/auth/next.config.js for standalone output and build settings, including package transpilation and build error ignores.
  • Added apps/auth/postcss.config.cjs and apps/auth/public/manifest.json for styling and PWA support.

OAuth Client Management

  • Added apps/auth/scripts/add-client.ts, an interactive CLI for registering/updating OAuth clients directly in the database, supporting local, staging, and production environments.

Copilot AI (Contributor) left a comment

Pull request overview

Introduces the initial apps/auth OAuth/OIDC server and the new @acme/sso TypeScript client, alongside DB schema/migrations for auth-owned tables and API support for verifying RS256 JWT bearer tokens via remote JWKS. This fits into the broader migration plan away from legacy NextAuth-only auth toward a centralized SSO provider.

Changes:

  • Added a new Next.js auth server (apps/auth) with email MFA login + OAuth 2.0 endpoints, plus Docker/Cloud Run deployment tooling.
  • Added packages/sso SDK (AuthClient) and docs for integrating OAuth/PKCE.
  • Added auth.* DB schema/migration and updated packages/api to verify JWT bearer tokens using jose + configurable JWKS URL.

Reviewed changes

Copilot reviewed 61 out of 68 changed files in this pull request and generated 14 comments.

Summary per file (path, then description):
packages/ui/package.json Bumps next-themes version.
packages/sso/tsconfig.json Adds TS build config for the new SSO package.
packages/sso/src/index.ts Implements the AuthClient OAuth/OIDC HTTP client.
packages/sso/package.json Defines @acme/sso package metadata/exports.
packages/sso/README.md Full integration guide + API reference for SSO client usage.
packages/env/src/index.ts Adds AUTH_JWKS_URL env var for JWT verification configuration.
packages/db/src/index.ts Exposes new auth schema tables via schema export.
packages/db/drizzle/schema.ts Adds auth.* tables (oauth + email MFA) via pgSchema("auth").
packages/db/drizzle/meta/_journal.json Registers new migration 0011_*.
packages/db/drizzle/0011_wise_jane_foster.sql Creates auth schema + OAuth/MFA tables and FKs.
packages/api/src/shared.ts Adds JWT bearer verification via remote JWKS; refactors API key expiry checks to use DB_NOW.
packages/api/package.json Adds jose dependency.
package.json Adjusts workspace lint/typecheck/build filtering (excludes @acme/auth).
docs/MIGRATE_TO_SSO.md Documents the staged migration plan to the new SSO/auth server model.
apps/auth/tsconfig.json Adds TS config for the new auth app.
apps/auth/tailwind.config.ts Tailwind config (preset + fonts) for auth app UI.
apps/auth/src/types/next-auth.d.ts NextAuth Session/JWT type augmentation for auth app.
apps/auth/src/lib/rate-limit.ts In-memory rate limiter for auth endpoints.
apps/auth/src/lib/oauth.ts Core OAuth logic (clients, codes, refresh, userinfo validation, revocation).
apps/auth/src/lib/jwt.ts RS256 JWT signing + JWKS generation.
apps/auth/src/lib/email-mfa.ts Email MFA code generation/verification + email delivery.
apps/auth/src/lib/db.ts Drizzle DB client wiring for the auth app.
apps/auth/src/lib/cors.ts Per-client CORS handling and preflight response helpers.
apps/auth/src/lib/auth.ts NextAuth initialization/exports for route handlers.
apps/auth/src/lib/auth-options.ts NextAuth config with credentials provider for email MFA.
apps/auth/src/env.ts Auth app env validation (@t3-oss/env-nextjs).
apps/auth/src/app/register/page.tsx Registration UI for new users.
apps/auth/src/app/providers.tsx Adds NextAuth SessionProvider.
apps/auth/src/app/page.tsx Home entrypoint, forwards OAuth query params to authorize route.
apps/auth/src/app/onboarding/page.tsx Onboarding UI for incomplete profiles.
apps/auth/src/app/login/page.tsx Login method selection UI.
apps/auth/src/app/login/email/verify/page.tsx Email code verification UI + register redirect for new users.
apps/auth/src/app/login/email/page.tsx Email submission UI to request MFA code.
apps/auth/src/app/layout.tsx Root layout + fonts + providers.
apps/auth/src/app/globals.css Tailwind base styles + theme CSS variables.
apps/auth/src/app/favicon.ico Auth app favicon asset.
apps/auth/src/app/components/SignOutButton.tsx Logout UX + server-side token revocation call.
apps/auth/src/app/api/verify-email/route.ts Sends/verifies MFA codes with rate limiting.
apps/auth/src/app/api/session/route.ts Returns enriched session/user profile JSON.
apps/auth/src/app/api/register/route.ts Creates a new user by calling the F3 API.
apps/auth/src/app/api/regions/route.ts Lists active regions for registration dropdown.
apps/auth/src/app/api/onboarding/route.ts Completes onboarding via direct DB update.
apps/auth/src/app/api/oauth/userinfo/route.ts OIDC userinfo endpoint for JWT access tokens.
apps/auth/src/app/api/oauth/token/route.ts OAuth token endpoint for code/refresh exchange + CORS + rate limiting.
apps/auth/src/app/api/oauth/revoke/route.ts OAuth token revocation endpoint (RFC 7009 behavior).
apps/auth/src/app/api/oauth/authorize/route.ts OAuth authorize endpoint with client validation + onboarding gating.
apps/auth/src/app/api/logout/route.ts Logs out user by revoking refresh tokens.
apps/auth/src/app/api/health/route.ts Health check route.
apps/auth/src/app/api/check-user/route.ts Checks if a user exists by email.
apps/auth/src/app/api/auth/[...nextauth]/route.ts NextAuth dynamic handler route for auth endpoints.
apps/auth/src/app/api/.well-known/openid-configuration/route.ts OIDC discovery document endpoint (currently under /api/.well-known/...).
apps/auth/src/app/api/.well-known/jwks.json/route.ts JWKS endpoint serving the public key set.
apps/auth/scripts/cloud-run-env.sh Script to manage Cloud Run secrets/env vars for auth service.
apps/auth/scripts/add-client.ts Interactive CLI for registering/updating OAuth clients in DB.
apps/auth/public/manifest.json PWA manifest.
apps/auth/public/f3nation.svg Logo asset.
apps/auth/public/f3nation.png Logo asset.
apps/auth/public/f3nation-white.svg Logo asset.
apps/auth/postcss.config.cjs PostCSS config for Tailwind.
apps/auth/package.json Auth app dependencies and scripts.
apps/auth/next.config.js Next.js config for standalone output + transpilation.
apps/auth/SEED.md Updates SEED doc references from auth-sdk to sso.
apps/auth/README.md Auth app documentation (setup, flows, endpoints, deployment).
apps/auth/Dockerfile Multi-stage Docker build for Cloud Run deployment.
.vscode/settings.json Disables CSS validation in VS Code workspace settings.
.github/workflows/deploy-auth.yml Adds tag-triggered build/deploy workflow for auth service.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Labels: None yet

Projects: Status: In review

Development

Successfully merging this pull request may close these issues:

  • bug: Auth allows invalid emails
  • Migrate f3-nation-auth to monorepo

2 participants