fix(auth): require JWT-derived identity on every write endpoint

[bryanfawcett]

Summary

Closes the #1 finding from the recent security review: ~10 worker write endpoints were trusting body.userId / body.hostId for the actor identity (and a couple had no auth at all), while the frontend's admin pages sent cookies that the JWKS-validated worker doesn't read and every write helper in src/lib/api.ts had an optional sessionJwt that no call site passed. Net effect: any browser on a trusted origin could act as any user.

After this PR every mutating worker endpoint derives the actor from the WorkOS JWT (sub → identity.person.id lookup), and every frontend write call threads the access token through.

Worker — auth foundation (commit 1)

• New worker/src/auth/identity.ts:
  • resolvePersonId(env, workosUserId) — canonical JWT-subject → identity.person.id lookup
  • requireRequesterPersonId(c) — returns either the person id or a 401 Response for the handler to short-circuit on
• worker/src/middleware/auth.ts:
  • validateApiKey() no longer falls back to Authorization: Bearer (was conflating machine API keys with per-user JWTs — a leaked user JWT in the X-API-Key slot could have bypassed origin checks)
  • writeAuth now treats PATCH as mutating alongside POST / PUT / DELETE

Worker — every write endpoint hardened (commit 2)

File	Endpoint	Change
events.ts	POST /	organizer_person_id from JWT; body.organizerPersonId ignored
events.ts	PUT /:id	Must be event organizer, else 403
events.ts	POST /:id/cancel	Organizer-only; audit row carries requester as actorId
events.ts	DELETE /:id	Organizer-only; audit row carries actorId
events.ts	POST /:id/reviews	Author from JWT; body.userId ignored
registrations.ts	GET /	JWT required; user_id query must equal requester OR (with event_id) requester is organizer OR admin
registrations.ts	POST /	agent_person_id from JWT; userId dropped from required fields
registrations.ts	PUT /:id	Refactored to shared helper
registrations.ts	DELETE /:id	Registrant OR organizer; emits registration.cancelled audit row
checkin.ts	POST /events/:id/checkin	Organizer-only (paired-kiosk flow is separate)
waitlist.ts	POST /events/:id/waitlist	Person from JWT; body.userId dropped
waitlist.ts	DELETE /events/:id/waitlist	Same
series.ts	POST /	hostId from JWT; on template promotion the caller must already own the event
series.ts	PUT /:id	Series parent's organizer only
series.ts	DELETE /:id	Series parent's organizer only
reviews.ts	POST /:id/helpful	JWT required; body.userId dropped
payments.ts	POST /create	Requester must equal rsvp.agent_person_id
users.ts	DELETE /:id	Self OR admin; audit row's actorId is the requester
links.ts	POST /	Added writeAuth (route had no auth at all); created_by from JWT

Verified clean: grep -rn 'body.userId\|body\.hostId\|body\["userId"\]' worker/src/routes/ returns no matches.

Worker — tests (commit 3)

Updated 6 test files + the shared mock layer to cover the new flow. Every write test mocks getAuthenticatedUser via vi.mock("../auth/workos") and adds a person GET to satisfy resolvePersonId. New authedOriginHeaders(token) helper in mocks.ts for the common case where a route needs both writeAuth origin AND a Bearer token. New tests include explicit 401/403 coverage and assert that body-side identity is ignored. Worker test count: 231 → 243 (all passing).

Frontend — api.ts + auth-context (commit 4)

• src/lib/api.ts — every write helper has sessionJwt as a required parameter now (was optional and unused). Body-side userId / hostId / createdBy dropped from the signatures since the worker ignores them.
• src/components/auth/auth-context.tsx — AuthContext now exposes accessToken and getAccessToken() so consumers don't need to re-import the WorkOS hook.
• src/components/auth/auth-guard.tsx — supports optional requiredRole prop; signed-in users without the role see a "Not authorized" placeholder instead of being redirected (avoids loops).
• src/components/ui/event-ratings.tsx and src/lib/use-tracked-link.ts — threaded the access token through existing flows.

Frontend — call sites + admin Bearer + kraal bug (commit 5)

Threaded access token through:

• src/app/events/[id]/rsvp-button.tsx
• src/app/events/[id]/manage/page.tsx (3 call sites)
• src/app/events/create/create-event-form.tsx
• src/app/events/[id]/kiosk/host/page.tsx

Admin pages switched from credentials: "include" to Authorization: Bearer ${accessToken}:

• src/app/admin/page.tsx
• src/app/admin/users/page.tsx
• src/app/admin/events/page.tsx
• src/app/admin/support/page.tsx

The admin layout (src/app/admin/layout.tsx) already enforces a role gate client-side, so the new fetches wait for useAuth().isLoading to resolve before firing.

Kraal personId snake_case bug fixed:

• src/app/kraal/kraal-index-client.tsx
• src/app/kraal/[id]/kraal-detail-client.tsx

The buggy cast was (user as { person_id?: string } | null)?.person_id — but NhimbeUser exposes the field as camelCase personId. Dropped the cast and read user?.personId directly.

Pre-existing bugs surfaced

• src/app/events/[id]/kiosk/page.tsx — the paired-kiosk frontend calls /api/events/:id/checkin, which the spec defines as organizer-only (the kiosk flow is supposed to use the separate session-token path in worker/src/routes/kiosk.ts, but there's no check-in endpoint on that path yet). After this PR the paired kiosk will 401 because it has no JWT. Marked with a FIXME and left for a follow-up that adds a kiosk-session-authenticated check-in endpoint.
• worker/src/utils/audit.ts writes to system.activity_logs, but the audit.ts doc-string mentions audit_logs — minor naming inconsistency, not touched.
• worker/src/routes/categories.ts — the spec referenced an inline resolvePersonId at ~line 210, but the file is 99 lines and has no such inline helper on this branch (categories is now DB-only). No-op for that step.

Test plan

• cd worker && npx tsc --noEmit — passes
• cd worker && npx vitest run — 243/243 passing (was 231)
• npm run lint — 0 errors
• npx vitest run (root) — 162/162 passing
• npm run build — succeeds
• grep -rn 'body.userId\|body\.hostId\|body\["userId"\]' worker/src/routes/ — no matches
• Manual smoke: sign in, create an event, RSVP, cancel, host-approve, host-cancel — verify each call carries a Bearer token in the network panel and the worker accepts it
• Manual smoke: try the impersonation case — send a POST /api/events with someone else's organizerPersonId in the body and confirm the resulting row's organizer_person_id is the requester's id, not the body value
• Manual smoke: confirm admin pages render data when signed in as an admin and 401 otherwise

https://claude.ai/code/session_01Dp6YFZCHz1HjL9svPWmso2

---

Generated by Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nhimbe	Ready	Preview, Comment	May 17, 2026 4:20pm

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	mukoko-nhimbe-api	3f51191	Commit Preview URL Branch Preview URL	May 17 2026, 04:19 PM

[claude]

Claude finished @bryanfawcett's task —— View job

---

Security Review of Authentication Hardening

Todo List:

• Review new identity resolution system (worker/src/auth/identity.ts)
• Check authentication middleware changes
• Review hardened write endpoints for security issues
• Analyze frontend JWT threading implementation
• Check for performance implications
• Verify adherence to project conventions
• Look for potential bugs or edge cases
• Review test coverage for new auth flow

---

✅ SECURITY REVIEW - NO CRITICAL ISSUES FOUND

This PR successfully closes a critical security vulnerability. The implementation is well-architected with strong security practices throughout.

Security Strengths

🔐 Robust Identity Resolution

• JWT-first authentication: All write endpoints now derive identity from WorkOS JWT instead of trusting request bodies
• Soft-delete protection: deleted_at=is.null filters prevent access by deactivated users
• Type-safe error handling: requireRequesterPersonId() returns string | Response preventing auth bypass bugs

🛡️ Hardened Authorization

• Verified body parameter removal: grep confirms no remaining body.userId|body.hostId references in routes
• Owner-only operations: Event updates/deletes require requesterPersonId === organizerPersonId
• Registration authorization: Payment creation verifies requester === rsvp.agent_person_id at payments.ts:68

🔒 Enhanced Middleware Security

• API key isolation: Removed dangerous fallback from Authorization: Bearer to X-API-Key header (prevents JWT-in-API-key bypass)
• PATCH verb coverage: Added PATCH alongside POST/PUT/DELETE in writeAuth middleware
• Timing-safe comparisons: API key validation uses crypto.subtle.timingSafeEqual()

Performance Assessment

✅ Minimal Performance Impact

• Single DB lookup per request: resolvePersonId() adds one fast indexed query (workos_user_id lookup)
• No N+1 issues: Identity resolution happens once per request, not per operation
• Cached JWT validation: WorkOS JWKS caching (1hr TTL) prevents repeated key fetches

Code Quality & Conventions

✅ Excellent Adherence to Project Standards

• Structured logging: Proper [mukoko] prefixes maintained
• Error handling: Consistent use of notFound(), forbidden(), badRequest() helpers
• Type safety: All new code follows strict TypeScript patterns from CLAUDE.md
• Circuit breaker ready: New supabaseFetch() calls integrate with existing resilience patterns

✅ Frontend JWT Threading

• Required parameters: All write methods now mandate sessionJwt: string parameter
• Admin Bearer auth: Admin pages correctly switched from cookies to Authorization: Bearer ${accessToken}
• Context exposure: AuthContext properly exposes accessToken and getAccessToken() for consumers

Test Coverage Assessment

✅ Comprehensive Test Updates

• Mock architecture: Tests properly mock getAuthenticatedUser() and add person lookup stubs
• Auth coverage: New tests verify 401/403 responses and ignore body-side identity parameters
• Helper functions: authedOriginHeaders() simplifies testing authenticated routes

Edge Cases Identified

⚠️ One Known Issue (Acknowledged)

• Kiosk check-in: src/app/events/[id]/kiosk/page.tsx will 401 after this PR since it lacks JWT but calls organizer-only /api/events/:id/checkin
• Status: Marked with FIXME comment; planned for follow-up to add kiosk-session check-in endpoint

✅ Race Conditions Handled

• Registration capacity: Atomic checks in registrations.ts prevent overselling
• Audit logging: Proper actorId tracking for all destructive operations

Migration Safety

✅ Safe Deployment Path

• Backward compatible: Frontend changes are additive (access tokens now required vs optional)
• Database unchanged: No schema migrations required
• Rollback ready: Changes are code-only and reversible

---

Recommendation: ✅ APPROVE

This PR effectively addresses the #1 security finding with a well-architected solution. The JWT-derived identity system provides strong authentication guarantees while maintaining good performance characteristics. Code quality is excellent and follows all project conventions.

Next Steps:

1. Address the kiosk check-in 401 issue in a follow-up PR
2. Consider adding integration tests for the full auth flow in a future iteration

---

[bryanfawcett]

Closing — consolidating into PR #36 per the "all in one PR" directive. Cherry-picking the 5 commits onto claude/worker-observability-and-categories. The known kiosk regression flagged in this PR's body will be fixed inside #36 (kiosk-session-authenticated check-in endpoint) so we don't ship a regression to prod. Branch claude/critical-auth-jwt-bearer will stay around for reference until #36 merges.

---

Generated by Claude Code