Merge pull request #10 from soranjiro:feat/auth

create auth feat

Author: soranjiro

apps/api/package.json

@@ -9,6 +9,7 @@
     "migrations:apply": "wrangler d1 migrations apply tabitabi-db"
   },
   "dependencies": {
+    "@tsndr/cloudflare-worker-jwt": "^3.2.0",
     "hono": "^4.6.14"
   },
   "devDependencies": {

apps/api/src/index.ts

@@ -1,6 +1,7 @@
 import { Hono } from 'hono';
 import { Env } from './utils';
 import { corsMiddleware } from './middleware/cors';
+import auth from './routes/auth';
 import itineraries from './routes/itineraries';
 import steps from './routes/steps';
 
@@ -12,6 +13,7 @@ app.get('/health', (c) => {
   return c.json({ status: 'ok', service: 'tabitabi-api' });
 });
 
+app.route('/api/v1/auth', auth);
 app.route('/api/v1/itineraries', itineraries);
 app.route('/api/v1/steps', steps);
 

apps/api/src/middleware/auth.ts

@@ -0,0 +1,41 @@
+import type { Context, Next } from 'hono';
+import { Env } from '../utils';
+import { verifyToken, extractBearerToken } from '../utils/jwt';
+
+export async function authMiddleware(c: Context<{ Bindings: Env }>, next: Next) {
+  const authHeader = c.req.header('Authorization');
+  const token = extractBearerToken(authHeader);
+
+  if (!token) {
+    return c.json({
+      success: false,
+      error: { code: 'UNAUTHORIZED', message: 'No token provided' }
+    }, 401);
+  }
+
+  const payload = await verifyToken(token, c.env.JWT_SECRET);
+
+  if (!payload) {
+    return c.json({
+      success: false,
+      error: { code: 'UNAUTHORIZED', message: 'Invalid or expired token' }
+    }, 401);
+  }
+
+  c.set('shioriId', payload.shioriId);
+  await next();
+}
+
+export async function optionalAuthMiddleware(c: Context<{ Bindings: Env }>, next: Next) {
+  const authHeader = c.req.header('Authorization');
+  const token = extractBearerToken(authHeader);
+
+  if (token) {
+    const payload = await verifyToken(token, c.env.JWT_SECRET);
+    if (payload) {
+      c.set('shioriId', payload.shioriId);
+    }
+  }
+
+  await next();
+}

apps/api/src/routes/auth.ts

@@ -0,0 +1,70 @@
+import { Hono } from 'hono';
+import { Env } from '../utils';
+import { ItineraryService } from '../services/itinerary.service';
+import { generateToken, verifyToken, extractBearerToken } from '../utils/jwt';
+import type { PasswordAuthRequest } from '@tabitabi/types';
+
+const auth = new Hono<{ Bindings: Env }>();
+
+auth.post('/verify', async (c) => {
+  const authHeader = c.req.header('Authorization');
+  const token = extractBearerToken(authHeader);
+
+  if (!token) {
+    return c.json({
+      success: false,
+      error: { code: 'INVALID_INPUT', message: 'Token is required' }
+    }, 400);
+  }
+
+  const payload = await verifyToken(token, c.env.JWT_SECRET);
+
+  if (!payload) {
+    return c.json({
+      success: false,
+      error: { code: 'UNAUTHORIZED', message: 'Invalid or expired token' }
+    }, 401);
+  }
+
+  return c.json({
+    success: true,
+    data: { shioriId: payload.shioriId, valid: true }
+  });
+});
+
+auth.post('/password', async (c) => {
+  const { shioriId, password }: PasswordAuthRequest = await c.req.json();
+
+  if (!shioriId || !password) {
+    return c.json({
+      success: false,
+      error: { code: 'INVALID_INPUT', message: 'shioriId and password are required' }
+    }, 400);
+  }
+
+  const service = new ItineraryService(c.env.DB);
+  const itinerary = await service.get(shioriId);
+
+  if (!itinerary) {
+    return c.json({
+      success: false,
+      error: { code: 'NOT_FOUND', message: 'Itinerary not found' }
+    }, 404);
+  }
+
+  if (itinerary.password !== password) {
+    return c.json({
+      success: false,
+      error: { code: 'UNAUTHORIZED', message: 'Invalid password' }
+    }, 401);
+  }
+
+  const token = await generateToken(shioriId, c.env.JWT_SECRET);
+
+  return c.json({
+    success: true,
+    data: { token }
+  });
+});
+
+export default auth;

apps/api/src/routes/itineraries.ts

@@ -1,6 +1,8 @@
 import { Hono } from 'hono';
 import { Env } from '../utils';
 import { ItineraryService } from '../services/itinerary.service';
+import { authMiddleware } from '../middleware/auth';
+import { generateToken } from '../utils/jwt';
 
 const itineraries = new Hono<{ Bindings: Env }>();
 
@@ -26,11 +28,23 @@ itineraries.post('/', async (c) => {
   const input = await c.req.json();
   const service = new ItineraryService(c.env.DB);
   const data = await service.create(input);
-  return c.json({ success: true, data }, 201);
+
+  const token = await generateToken(data.id, c.env.JWT_SECRET);
+
+  return c.json({ success: true, data: { ...data, token } }, 201);
 });
 
-itineraries.put('/:id', async (c) => {
+itineraries.put('/:id', authMiddleware, async (c) => {
   const id = c.req.param('id');
+  const shioriId = c.get('shioriId');
+
+  if (id !== shioriId) {
+    return c.json({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'You can only edit your own itinerary' }
+    }, 403);
+  }
+
   const input = await c.req.json();
   const service = new ItineraryService(c.env.DB);
   const data = await service.update(id, input);
@@ -42,8 +56,17 @@ itineraries.put('/:id', async (c) => {
   return c.json({ success: true, data });
 });
 
-itineraries.delete('/:id', async (c) => {
+itineraries.delete('/:id', authMiddleware, async (c) => {
   const id = c.req.param('id');
+  const shioriId = c.get('shioriId');
+
+  if (id !== shioriId) {
+    return c.json({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'You can only delete your own itinerary' }
+    }, 403);
+  }
+
   const service = new ItineraryService(c.env.DB);
   const success = await service.delete(id);
 

apps/api/src/routes/steps.ts

@@ -1,6 +1,8 @@
 import { Hono } from 'hono';
 import { Env } from '../utils';
 import { StepService } from '../services/step.service';
+import { ItineraryService } from '../services/itinerary.service';
+import { authMiddleware } from '../middleware/auth';
 
 const steps = new Hono<{ Bindings: Env }>();
 
@@ -34,7 +36,7 @@ steps.get('/:stepId', async (c) => {
   return c.json({ success: true, data });
 });
 
-steps.post('/', async (c) => {
+steps.post('/', authMiddleware, async (c) => {
   const input = await c.req.json();
 
   if (!input.itinerary_id || !input.title || !input.date || !input.time) {
@@ -47,39 +49,65 @@ steps.post('/', async (c) => {
     }, 400);
   }
 
+  const shioriId = c.get('shioriId');
+  if (input.itinerary_id !== shioriId) {
+    return c.json({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'You can only add steps to your own itinerary' }
+    }, 403);
+  }
+
   const service = new StepService(c.env.DB);
   const data = await service.create(input);
   return c.json({ success: true, data }, 201);
 });
 
-steps.put('/:stepId', async (c) => {
+steps.put('/:stepId', authMiddleware, async (c) => {
   const stepId = c.req.param('stepId');
   const input = await c.req.json();
   const service = new StepService(c.env.DB);
-  const data = await service.update(stepId, input);
 
-  if (!data) {
+  const existingStep = await service.get(stepId);
+  if (!existingStep) {
     return c.json({
       success: false,
       error: { code: 'NOT_FOUND', message: 'Step not found' }
     }, 404);
   }
 
+  const shioriId = c.get('shioriId');
+  if (existingStep.itinerary_id !== shioriId) {
+    return c.json({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'You can only edit steps in your own itinerary' }
+    }, 403);
+  }
+
+  const data = await service.update(stepId, input);
   return c.json({ success: true, data });
 });
 
-steps.delete('/:stepId', async (c) => {
+steps.delete('/:stepId', authMiddleware, async (c) => {
   const stepId = c.req.param('stepId');
   const service = new StepService(c.env.DB);
-  const success = await service.delete(stepId);
 
-  if (!success) {
+  const existingStep = await service.get(stepId);
+  if (!existingStep) {
     return c.json({
       success: false,
       error: { code: 'NOT_FOUND', message: 'Step not found' }
     }, 404);
   }
 
+  const shioriId = c.get('shioriId');
+  if (existingStep.itinerary_id !== shioriId) {
+    return c.json({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'You can only delete steps in your own itinerary' }
+    }, 403);
+  }
+
+  const success = await service.delete(stepId);
   return c.json({ success: true, data: null });
 });
 

apps/api/src/services/itinerary.service.ts

@@ -30,13 +30,15 @@ export class ItineraryService {
       id,
       title: input.title,
       theme_id: input.theme_id || 'minimal',
+      memo: input.memo ?? null,
+      password: input.password ?? null,
       created_at: now,
       updated_at: now,
     };
 
     await this.db
-      .prepare('INSERT INTO itineraries (id, title, theme_id, created_at, updated_at) VALUES (?, ?, ?, ?, ?)')
-      .bind(itinerary.id, itinerary.title, itinerary.theme_id, itinerary.created_at, itinerary.updated_at)
+      .prepare('INSERT INTO itineraries (id, title, theme_id, memo, password, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)')
+      .bind(itinerary.id, itinerary.title, itinerary.theme_id, itinerary.memo, itinerary.password, itinerary.created_at, itinerary.updated_at)
       .run();
 
     return itinerary;
@@ -58,6 +60,14 @@ export class ItineraryService {
       fields.push('theme_id = ?');
       values.push(input.theme_id);
     }
+    if (input.memo !== undefined) {
+      fields.push('memo = ?');
+      values.push(input.memo);
+    }
+    if (input.password !== undefined) {
+      fields.push('password = ?');
+      values.push(input.password);
+    }
 
     if (fields.length > 1) {
       values.push(id);
@@ -84,6 +94,8 @@ export class ItineraryService {
       id: row.id,
       title: row.title,
       theme_id: row.theme_id,
+      memo: row.memo,
+      password: row.password,
       created_at: row.created_at,
       updated_at: row.updated_at,
     };

apps/api/src/utils/index.ts

@@ -1,6 +1,7 @@
 export interface Env {
   DB: D1Database;
   ALLOWED_ORIGINS?: string;
+  JWT_SECRET?: string;
 }
 
 export function generateId(length: number = 32): string {

apps/api/src/utils/jwt.ts

@@ -0,0 +1,43 @@
+import { sign, verify } from '@tsndr/cloudflare-worker-jwt';
+
+export interface JwtPayload {
+  shioriId: string;
+  iat: number;
+  exp: number;
+}
+
+const DEFAULT_SECRET = 'tabitabi-default-secret-change-in-production';
+const TOKEN_EXPIRY = 30 * 24 * 60 * 60;
+
+export async function generateToken(shioriId: string, secret?: string): Promise<string> {
+  const now = Math.floor(Date.now() / 1000);
+  const payload: JwtPayload = {
+    shioriId,
+    iat: now,
+    exp: now + TOKEN_EXPIRY,
+  };
+
+  return await sign(payload, secret || DEFAULT_SECRET);
+}
+
+export async function verifyToken(token: string, secret?: string): Promise<JwtPayload | null> {
+  try {
+    const isValid = await verify(token, secret || DEFAULT_SECRET);
+    if (!isValid) return null;
+
+    const { payload } = await verify(token, secret || DEFAULT_SECRET, { throwError: true }) as { payload: JwtPayload };
+
+    if (payload.exp < Math.floor(Date.now() / 1000)) {
+      return null;
+    }
+
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export function extractBearerToken(authHeader?: string): string | null {
+  if (!authHeader?.startsWith('Bearer ')) return null;
+  return authHeader.substring(7);
+}

apps/web/src/lib/api/auth.ts

@@ -0,0 +1,22 @@
+import { apiClient } from './client';
+import type { PasswordAuthRequest, PasswordAuthResponse } from '@tabitabi/types';
+
+export const authApi = {
+  async verifyToken(shioriId: string): Promise<boolean> {
+    try {
+      const response = await apiClient.post<{ valid: boolean }>('/auth/verify', {}, shioriId);
+      return response.valid;
+    } catch {
+      return false;
+    }
+  },
+
+  async authenticateWithPassword(shioriId: string, password: string): Promise<string> {
+    const data = await apiClient.post<PasswordAuthResponse>('/auth/password', {
+      shioriId,
+      password,
+    } as PasswordAuthRequest);
+
+    return data.token;
+  },
+};