feat(web): add OAuth JWT validation to API routes

API routes now accept OIDC access tokens via Authorization: Bearer header,
matching the gateway's auth flow. Precedence: API key → OAuth JWT → session.

Author: pilartomas

apps/web/package.json

@@ -19,6 +19,7 @@
     "@onecli/ui": "workspace:*",
     "aws-amplify": "^6.16.2",
     "input-otp": "^1.4.2",
+    "jose": "^6.2.2",
     "lucide-react": "^0.562.0",
     "next": "16.1.0",
     "next-auth": "5.0.0-beta.30",

apps/web/src/lib/api-auth.ts

@@ -1,5 +1,6 @@
 import { db } from "@onecli/db";
 import { validateApiKey } from "@/lib/validate-api-key";
+import { validateJwt } from "@/lib/validate-jwt";
 import { getServerSession } from "@/lib/auth/server";
 
 export interface AuthContext {
@@ -9,7 +10,7 @@ export interface AuthContext {
 
 /**
  * Resolve the authenticated user + account from an API request.
- * Tries API key first (`Authorization: Bearer oc_...`), then falls back to session.
+ * Tries API key first, then OAuth JWT, then falls back to session.
  */
 export const resolveApiAuth = async (
   request: Request,
@@ -18,6 +19,10 @@ export const resolveApiAuth = async (
   const apiKeyAuth = await validateApiKey(request);
   if (apiKeyAuth) return apiKeyAuth;
 
+  // OAuth JWT auth — validate OIDC access token
+  const jwtAuth = await validateJwt(request);
+  if (jwtAuth) return jwtAuth;
+
   // Session auth — resolve from membership
   const session = await getServerSession();
   if (!session) return null;

apps/web/src/lib/env.ts

@@ -58,6 +58,8 @@ export const OAUTH_ISSUER = process.env.OAUTH_ISSUER ?? "";
 
 export const OAUTH_JWKS_URL = process.env.OAUTH_JWKS_URL ?? "";
 
+export const OAUTH_AUDIENCE = process.env.OAUTH_AUDIENCE ?? "";
+
 export const OAUTH_AUTHORIZATION_URL =
   process.env.OAUTH_AUTHORIZATION_URL ?? "";
 

apps/web/src/lib/validate-jwt.ts

@@ -0,0 +1,111 @@
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { db } from "@onecli/db";
+import { OAUTH_ISSUER, OAUTH_AUDIENCE, OAUTH_JWKS_URL } from "@/lib/env";
+import { logger } from "@/lib/logger";
+
+export interface JwtAuth {
+  userId: string;
+  accountId: string;
+}
+
+const log = logger.child({ module: "validate-jwt" });
+
+// Module-level singletons — persist across requests in the Node.js process.
+let cachedJwksUri: string | null = null;
+let cachedGetKey: ReturnType<typeof createRemoteJWKSet> | null = null;
+
+const resolveJwksUri = async (): Promise<string | null> => {
+  if (cachedJwksUri) return cachedJwksUri;
+
+  if (OAUTH_JWKS_URL) {
+    cachedJwksUri = OAUTH_JWKS_URL;
+    return cachedJwksUri;
+  }
+
+  try {
+    const res = await fetch(`${OAUTH_ISSUER}/.well-known/openid-configuration`);
+    const doc = (await res.json()) as { jwks_uri?: string };
+    if (!doc.jwks_uri) {
+      log.warn("OIDC discovery response missing jwks_uri");
+      return null;
+    }
+    cachedJwksUri = doc.jwks_uri;
+    return cachedJwksUri;
+  } catch (err) {
+    log.warn({ err }, "OIDC discovery failed");
+    return null;
+  }
+};
+
+const getKeyFunction = async (): Promise<ReturnType<
+  typeof createRemoteJWKSet
+> | null> => {
+  if (cachedGetKey) return cachedGetKey;
+
+  const jwksUri = await resolveJwksUri();
+  if (!jwksUri) return null;
+
+  cachedGetKey = createRemoteJWKSet(new URL(jwksUri));
+  return cachedGetKey;
+};
+
+const extractBearerToken = (request: Request): string | null => {
+  const header = request.headers.get("authorization");
+  if (!header) return null;
+  const token = header.startsWith("Bearer ") ? header.slice(7).trim() : null;
+  if (!token || token.startsWith("oc_")) return null;
+  return token;
+};
+
+const lookupUser = async (externalAuthId: string): Promise<JwtAuth | null> => {
+  const user = await db.user.findUnique({
+    where: { externalAuthId },
+    select: {
+      id: true,
+      memberships: { select: { accountId: true }, take: 1 },
+    },
+  });
+
+  if (!user || user.memberships.length === 0) {
+    log.warn({ sub: externalAuthId }, "JWT auth: user or account not found");
+    return null;
+  }
+
+  return { userId: user.id, accountId: user.memberships[0]!.accountId };
+};
+
+/**
+ * Validate an OAuth access token (JWT) from a request's `Authorization: Bearer ...` header.
+ * Verifies signature via JWKS, checks issuer + audience + expiration, then resolves the user.
+ * Returns null (and logs a warning) on any failure, allowing fallthrough to session auth.
+ */
+export const validateJwt = async (
+  request: Request,
+): Promise<JwtAuth | null> => {
+  if (!OAUTH_ISSUER) return null;
+
+  const token = extractBearerToken(request);
+  if (!token) return null;
+
+  const getKey = await getKeyFunction();
+  if (!getKey) return null;
+
+  try {
+    const { payload } = await jwtVerify(token, getKey, {
+      issuer: OAUTH_ISSUER,
+      audience: OAUTH_AUDIENCE || undefined,
+      algorithms: ["RS256", "RS384", "RS512"],
+    });
+
+    const sub = payload.sub;
+    if (!sub) {
+      log.warn("JWT missing sub claim");
+      return null;
+    }
+
+    return await lookupUser(sub);
+  } catch (err) {
+    log.warn({ err }, "JWT validation failed");
+    return null;
+  }
+};