feat: guild admin authentication & authorization

config.json

@@ -82,6 +82,7 @@
   "permissions": {
     "enabled": true,
     "adminRoleId": null,
+    "botOwners": ["191633014441115648"],
     "usePermissions": true,
     "allowedCommands": {
       "ping": "everyone",

package.json

@@ -20,6 +20,7 @@
     "discord.js": "^14.25.1",
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
+    "jsonwebtoken": "^9.0.3",
     "mem0ai": "^2.2.2",
     "pg": "^8.18.0",
     "winston": "^3.19.0",

src/api/index.js

@@ -5,6 +5,7 @@
 
 import { Router } from 'express';
 import { requireAuth } from './middleware/auth.js';
+import authRouter from './routes/auth.js';
 import guildsRouter from './routes/guilds.js';
 import healthRouter from './routes/health.js';
 
@@ -13,7 +14,10 @@ const router = Router();
 // Health check — public (no auth required)
 router.use('/health', healthRouter);
 
-// Guild routes — require API secret
+// Auth routes — public (no auth required)
+router.use('/auth', authRouter);
+
+// Guild routes — require API secret or OAuth2 JWT
 router.use('/guilds', requireAuth(), guildsRouter);
 
 export default router;

src/api/middleware/auth.js

@@ -1,9 +1,10 @@
 /**
  * Authentication Middleware
- * Validates requests using a shared API secret
+ * Supports both shared API secret and OAuth2 JWT authentication
  */
 
 import crypto from 'node:crypto';
+import jwt from 'jsonwebtoken';
 import { warn } from '../../logger.js';
 
 /**
@@ -24,23 +25,58 @@ export function isValidSecret(secret) {
 }
 
 /**
- * Creates middleware that validates the x-api-secret header against BOT_API_SECRET.
- * Returns 401 JSON error if the header is missing or does not match.
+ * Creates middleware that validates either:
+ * - x-api-secret header (shared secret) — sets req.authMethod = 'api-secret'
+ * - Authorization: Bearer <jwt> header (OAuth2) — sets req.authMethod = 'oauth', req.user = decoded JWT
+ *
+ * Returns 401 JSON error if neither is valid.
  *
  * @returns {import('express').RequestHandler} Express middleware function
  */
 export function requireAuth() {
   return (req, res, next) => {
-    if (!process.env.BOT_API_SECRET) {
-      warn('BOT_API_SECRET not configured — rejecting API request');
-      return res.status(401).json({ error: 'API authentication not configured' });
+    // Try API secret first
+    const apiSecret = req.headers['x-api-secret'];
+    if (apiSecret) {
+      if (!process.env.BOT_API_SECRET) {
+        warn('BOT_API_SECRET not configured — rejecting API request');
+        return res.status(401).json({ error: 'API authentication not configured' });
+      }
+
+      if (isValidSecret(apiSecret)) {
+        req.authMethod = 'api-secret';
+        return next();
+      }
+    }
+
+    // Try OAuth2 JWT
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith('Bearer ')) {
+      const token = authHeader.slice(7);
+      const sessionSecret = process.env.SESSION_SECRET;
+
+      if (!sessionSecret) {
+        return res.status(401).json({ error: 'Session not configured' });
+      }
+
+      try {
+        const decoded = jwt.verify(token, sessionSecret);
+        req.authMethod = 'oauth';
+        req.user = decoded;
+        return next();
+      } catch {
+        return res.status(401).json({ error: 'Invalid or expired token' });
+      }
     }
 
-    if (!isValidSecret(req.headers['x-api-secret'])) {
+    // Neither auth method provided or valid
+    if (!apiSecret && !authHeader) {
       warn('Unauthorized API request', { ip: req.ip, path: req.path });
       return res.status(401).json({ error: 'Unauthorized' });
     }
 
-    next();
+    // Had a secret but it didn't match
+    warn('Unauthorized API request', { ip: req.ip, path: req.path });
+    return res.status(401).json({ error: 'Unauthorized' });
   };
 }

src/api/middleware/oauth.js

@@ -0,0 +1,37 @@
+/**
+ * OAuth2 JWT Middleware
+ * Verifies JWT tokens from Discord OAuth2 sessions
+ */
+
+import jwt from 'jsonwebtoken';
+
+/**
+ * Creates middleware that verifies a JWT Bearer token from the Authorization header.
+ * Attaches the decoded user payload to req.user on success.
+ *
+ * @returns {import('express').RequestHandler} Express middleware function
+ */
+export function requireOAuth() {
+  return (req, res, next) => {
+    const authHeader = req.headers.authorization;
+
+    if (!authHeader?.startsWith('Bearer ')) {
+      return res.status(401).json({ error: 'No token provided' });
+    }
+
+    const token = authHeader.slice(7);
+    const sessionSecret = process.env.SESSION_SECRET;
+
+    if (!sessionSecret) {
+      return res.status(500).json({ error: 'Session not configured' });
+    }
+
+    try {
+      const decoded = jwt.verify(token, sessionSecret);
+      req.user = decoded;
+      next();
+    } catch {
+      return res.status(401).json({ error: 'Invalid or expired token' });
+    }
+  };
+}

src/api/routes/auth.js

@@ -0,0 +1,167 @@
+/**
+ * Auth Routes
+ * Discord OAuth2 authentication endpoints
+ */
+
+import { Router } from 'express';
+import jwt from 'jsonwebtoken';
+import { error, info } from '../../logger.js';
+
+const router = Router();
+
+const DISCORD_API = 'https://discord.com/api/v10';
+
+/**
+ * GET /discord — Redirect to Discord OAuth2 authorization
+ */
+router.get('/discord', (_req, res) => {
+  const clientId = process.env.DISCORD_CLIENT_ID;
+  const redirectUri = process.env.DISCORD_REDIRECT_URI;
+
+  if (!clientId || !redirectUri) {
+    return res.status(500).json({ error: 'OAuth2 not configured' });
+  }
+
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: 'code',
+    scope: 'identify guilds',
+  });
+
+  res.redirect(`https://discord.com/oauth2/authorize?${params}`);
+});
+
+/**
+ * GET /discord/callback — Handle Discord OAuth2 callback
+ * Exchanges code for token, fetches user info, creates JWT
+ */
+router.get('/discord/callback', async (req, res) => {
+  const { code } = req.query;
+
+  if (!code) {
+    return res.status(400).json({ error: 'Missing authorization code' });
+  }
+
+  const clientId = process.env.DISCORD_CLIENT_ID;
+  const clientSecret = process.env.DISCORD_CLIENT_SECRET;
+  const redirectUri = process.env.DISCORD_REDIRECT_URI;
+  const sessionSecret = process.env.SESSION_SECRET;
+
+  if (!clientId || !clientSecret || !redirectUri || !sessionSecret) {
+    return res.status(500).json({ error: 'OAuth2 not configured' });
+  }
+
+  try {
+    // Exchange code for access token
+    const tokenResponse = await fetch(`${DISCORD_API}/oauth2/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret,
+        grant_type: 'authorization_code',
+        code,
+        redirect_uri: redirectUri,
+      }),
+    });
+
+    if (!tokenResponse.ok) {
+      error('Discord token exchange failed', { status: tokenResponse.status });
+      return res.status(401).json({ error: 'Failed to exchange authorization code' });
+    }
+
+    const tokenData = await tokenResponse.json();
+    const accessToken = tokenData.access_token;
+
+    // Fetch user info
+    const userResponse = await fetch(`${DISCORD_API}/users/@me`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+
+    if (!userResponse.ok) {
+      error('Discord user fetch failed', { status: userResponse.status });
+      return res.status(401).json({ error: 'Failed to fetch user info' });
+    }
+
+    const user = await userResponse.json();
+
+    // Fetch user guilds
+    const guildsResponse = await fetch(`${DISCORD_API}/users/@me/guilds`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+
+    if (!guildsResponse.ok) {
+      error('Discord guilds fetch failed', { status: guildsResponse.status });
+      return res.status(401).json({ error: 'Failed to fetch user guilds' });
+    }
+
+    const guilds = await guildsResponse.json();
+
+    // Create JWT
+    const token = jwt.sign(
+      {
+        userId: user.id,
+        username: user.username,
+        discriminator: user.discriminator,
+        avatar: user.avatar,
+        guilds: guilds.map((g) => ({
+          id: g.id,
+          name: g.name,
+          permissions: g.permissions,
+        })),
+      },
+      sessionSecret,
+      { expiresIn: '7d' },
+    );
+
+    info('User authenticated via OAuth2', { userId: user.id, username: user.username });
+
+    // Redirect with token as query parameter
+    const dashboardUrl = process.env.DASHBOARD_URL || '/';
+    res.redirect(`${dashboardUrl}?token=${token}`);
+  } catch (err) {
+    error('OAuth2 callback error', { error: err.message });
+    res.status(500).json({ error: 'Authentication failed' });
+  }
+});
+
+/**
+ * GET /me — Return current authenticated user info from JWT
+ */
+router.get('/me', (req, res) => {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader?.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'No token provided' });
+  }
+
+  const token = authHeader.slice(7);
+  const sessionSecret = process.env.SESSION_SECRET;
+
+  if (!sessionSecret) {
+    return res.status(500).json({ error: 'Session not configured' });
+  }
+
+  try {
+    const decoded = jwt.verify(token, sessionSecret);
+    res.json({
+      userId: decoded.userId,
+      username: decoded.username,
+      discriminator: decoded.discriminator,
+      avatar: decoded.avatar,
+      guilds: decoded.guilds,
+    });
+  } catch {
+    res.status(401).json({ error: 'Invalid or expired token' });
+  }
+});
+
+/**
+ * POST /logout — Placeholder for logout (JWT is stateless, client discards token)
+ */
+router.post('/logout', (_req, res) => {
+  res.json({ message: 'Logged out successfully' });
+});
+
+export default router;