logicspike/docs

Authentication & Team

Outstanding Auth Implementation Tasks

During the comprehensive documentation audit—including a direct review of the codebase—several critical implementation gaps and bugs were identified. These represent technical debt and missing features that must be addressed in upcoming sprints.

1. Dynamic PBAC Permission Synchronization ✅ FIXED

  • Fix Applied: Created a centralized PERMISSION_CATALOGUE in packages/core-access/src/permission-catalogue.ts as the single source of truth. Added GET /manager/permissions/catalog endpoint. Both frontend UIs (Role Builder in members/page.tsx and API Key Dialog in create-key-dialog.tsx) now fetch permissions dynamically instead of hardcoding them. Adding a new permission only requires editing one file.

2. API Key Creation Schema Mismatch ✅ FIXED

  • Fix Applied: Updated createKeySchema in apps/manager/src/routes/api-keys.ts: permissions now expects z.array(z.string()) (flat PBAC strings like ["blog:posts.read"]) instead of the old object format.

3. Missing role in Issued JWTs ✅ FIXED

  • Fix Applied: Injected role: roleId into signAccessToken payloads across all 5 JWT-issuing routes: register.ts, login.ts, oauth.ts, mfa.ts, and session.ts (token refresh). Also added role: RoleId to the JWTClaims type in packages/core-types/src/auth.ts.

4. Timing Attack Vulnerability in Login ✅ FIXED

  • Fix Applied: Added a dummy verifyPassword call in login.ts when no user is found, ensuring the response latency is constant regardless of whether the email exists.
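The following is an added illustration of the fix described in item 4, not the project's login.ts: the leaky shape of the handler beside the hardened one, with a counter so the difference in work done on the unknown-email path is visible. The in-memory user store, the scrypt parameters and all names are assumptions.

```typescript
// Added example, not the project's login.ts: the leaky login shape beside the
// hardened one. The in-memory store, scrypt parameters and names are assumptions.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

interface StoredUser {
  id: string;
  email: string;
  salt: Buffer;
  hash: Buffer;
}

const HASH_LEN = 64;
let verifications = 0; // counts scrypt runs so a test can see which path did work

export function hashPassword(password: string, salt: Buffer = randomBytes(16)) {
  return { salt, hash: scryptSync(password, salt, HASH_LEN) };
}

export function verifyPassword(password: string, salt: Buffer, hash: Buffer): boolean {
  verifications += 1;
  const candidate = scryptSync(password, salt, HASH_LEN);
  return candidate.length === hash.length && timingSafeEqual(candidate, hash);
}

export function verificationCount(): number {
  return verifications;
}

// Dummy credential computed once at startup with the same cost parameters as
// real hashes. Verifying against it makes the unknown-email path do equal work.
const DUMMY = hashPassword(randomBytes(32).toString("hex"));

// Constructed user store standing in for the database.
const users = new Map<string, StoredUser>();

export function registerUser(id: string, email: string, password: string): void {
  const { salt, hash } = hashPassword(password);
  users.set(email.toLowerCase(), { id, email, salt, hash });
}

export type LoginResult =
  | { ok: true; userId: string }
  | { ok: false; error: "invalid_credentials" };

const FAILURE: LoginResult = { ok: false, error: "invalid_credentials" };

// Leaky shape: an unknown email returns before any hashing, so that path
// answers measurably faster than a known email with a wrong password.
export function loginLeaky(email: string, password: string): LoginResult {
  const user = users.get(email.toLowerCase());
  if (!user) return FAILURE;
  if (!verifyPassword(password, user.salt, user.hash)) return FAILURE;
  return { ok: true, userId: user.id };
}

// Hardened shape: exactly one verification on every path, against the dummy
// credential when the lookup misses, and the same generic error either way.
export function loginConstant(email: string, password: string): LoginResult {
  const user = users.get(email.toLowerCase());
  const salt = user ? user.salt : DUMMY.salt;
  const hash = user ? user.hash : DUMMY.hash;
  const verified = verifyPassword(password, salt, hash);
  if (!user || !verified) return FAILURE;
  return { ok: true, userId: user.id };
}
```

The dummy hash is created with the same algorithm and parameters as real user hashes; a cheaper dummy would reintroduce the gap. What this equalizes is the hashing step only: a database round-trip that behaves differently for hit and miss, or a cache in front of it, can still leak, which is why this fix is paired with the rate-limiting and audit-logging items below.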

5. PBAC Permission Standardization ✅ FIXED

  • Fix Applied: Standardized all 32+ permission strings across the entire codebase to follow the strict service:resource.action naming convention. Eliminated legacy bare formats (blog:write, media:read, apikeys:manage, etc.) from code, comments, documentation, and seed files. Final grep scan confirms zero stale references remain.
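Items 1, 2 and 5 describe one mechanism: a single permission catalogue, a flat string array on key creation, and a strict service:resource.action naming rule. The block below is an added example of that mechanism, not the project's permission-catalogue.ts or createKeySchema; the catalogue entries, the legacy-alias table and the validator are constructed, and it uses a hand-written check rather than zod.

```typescript
// Added example, not the project's code: a permission catalogue as single
// source of truth and a validator for the flat PBAC string array that the
// key-creation route accepts. Catalogue entries and aliases are constructed.

// Strict naming convention: service:resource.action, lowercase identifiers.
const PERMISSION_PATTERN = /^[a-z][a-z0-9-]*:[a-z][a-z0-9-]*\.[a-z][a-z0-9-]*$/;

export const PERMISSION_CATALOGUE = [
  { key: "blog:posts.read", description: "Read blog posts" },
  { key: "blog:posts.write", description: "Create or edit blog posts" },
  { key: "media:assets.read", description: "Read media assets" },
  { key: "apikeys:keys.manage", description: "Create and revoke API keys" },
] as const;

export type PermissionKey = (typeof PERMISSION_CATALOGUE)[number]["key"];

const KNOWN = new Set<string>(PERMISSION_CATALOGUE.map((p) => p.key));

// Legacy bare formats mapped to their standardized form, so a rejected request
// carries a concrete suggestion (constructed mapping, not the project's).
const LEGACY_ALIASES: Record<string, PermissionKey> = {
  "blog:write": "blog:posts.write",
  "media:read": "media:assets.read",
  "apikeys:manage": "apikeys:keys.manage",
};

export interface ValidationResult {
  ok: boolean;
  accepted: PermissionKey[];
  rejected: { value: string; reason: string }[];
}

// Validates the `permissions` field of a key-creation request. Anything that is
// not a string, is a legacy alias, is malformed, or is absent from the catalogue
// is rejected; duplicates are collapsed.
export function validatePermissions(input: unknown): ValidationResult {
  const accepted: PermissionKey[] = [];
  const rejected: { value: string; reason: string }[] = [];
  if (!Array.isArray(input)) {
    rejected.push({ value: String(input), reason: "expected an array of strings" });
    return { ok: false, accepted, rejected };
  }
  for (const raw of input) {
    if (typeof raw !== "string") {
      rejected.push({ value: String(raw), reason: "not a string" });
    } else if (Object.prototype.hasOwnProperty.call(LEGACY_ALIASES, raw)) {
      rejected.push({ value: raw, reason: `legacy format; use ${LEGACY_ALIASES[raw]}` });
    } else if (!PERMISSION_PATTERN.test(raw)) {
      rejected.push({ value: raw, reason: "must match service:resource.action" });
    } else if (!KNOWN.has(raw)) {
      rejected.push({ value: raw, reason: "unknown permission" });
    } else if (!accepted.includes(raw as PermissionKey)) {
      accepted.push(raw as PermissionKey);
    }
  }
  return { ok: rejected.length === 0, accepted, rejected };
}

// Shape a catalogue endpoint would return to the Role Builder and key dialog,
// so both UIs render from the same list instead of hardcoding it.
export function catalogueResponse(): { permissions: { key: string; description: string }[] } {
  return { permissions: PERMISSION_CATALOGUE.map((p) => ({ key: p.key, description: p.description })) };
}
```

Because the validator only accepts keys present in the catalogue, a permission that has been removed from the one file stops being grantable everywhere at once, and a misspelt or legacy string fails closed rather than silently granting nothing.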

6. Extract Duplicate SHA-256 Logic ✅ FIXED

  • Fix Applied: Created packages/core-auth/src/api-key.ts with generateSecureToken() and hashSHA256() using Web Standard Crypto API. Both the Gateway middleware (api-key.middleware.ts) and the Manager route (api-keys.ts) now import from @repo/core-auth instead of maintaining separate implementations.

7. Rate Limiting on API Key Validation

  • Current State: The Gateway's api-key.middleware.ts performs a SHA-256 hash and database sub-query for every x-api-key provided. There is currently no protection against brute-force key guessing.
  • Action Required: Implement Redis or Cloudflare Workers KV/Rate-Limiting on the Gateway to limit requests per IP for /manager/api-keys endpoints, and globally throttle invalid API key attempt bursts.
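Items 6 and 7 together describe the Gateway's key check: hash the presented key, look it up by hash, and throttle bursts of invalid attempts. The block below is an added example of that flow, not the project's @repo/core-auth helpers or api-key.middleware.ts. It uses Node's node:crypto synchronously instead of the Web Crypto API the shared helpers use, keeps limiter state in memory where production would use Redis or Workers KV, and takes the clock as a parameter so the window behaviour can be checked deterministically; the store, the limiter and all names are assumptions.

```typescript
// Added example, not the project's code: key issuance by SHA-256 hash plus a
// sliding-window limiter on failed validations. node:crypto stands in for the
// Web Crypto API; the in-memory store and limiter stand in for the DB and Redis.
import { createHash, randomBytes } from "node:crypto";

export function generateSecureToken(bytes = 32): string {
  return randomBytes(bytes).toString("base64url");
}

export function hashSHA256(value: string): string {
  return createHash("sha256").update(value).digest("hex");
}

interface KeyRecord {
  keyId: string;
  workspaceId: string;
  revoked: boolean;
}

// Constructed key store keyed by hash: the plaintext key is returned once at
// issuance and never persisted, so a store leak does not yield usable keys.
const keysByHash = new Map<string, KeyRecord>();

export function issueKey(keyId: string, workspaceId: string): string {
  const token = generateSecureToken();
  keysByHash.set(hashSHA256(token), { keyId, workspaceId, revoked: false });
  return token;
}

export function revokeKey(token: string): void {
  const rec = keysByHash.get(hashSHA256(token));
  if (rec) rec.revoked = true;
}

// Sliding-window counter of failed validations per client IP. Successful
// validations are not counted, so legitimate traffic is never throttled by volume.
export class InvalidAttemptLimiter {
  private readonly attempts = new Map<string, number[]>();
  private readonly maxFailures: number;
  private readonly windowMs: number;
  constructor(maxFailures: number, windowMs: number) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
  }
  private recent(ip: string, now: number): number[] {
    const kept = (this.attempts.get(ip) ?? []).filter((t) => now - t < this.windowMs);
    this.attempts.set(ip, kept);
    return kept;
  }
  isBlocked(ip: string, now: number): boolean {
    return this.recent(ip, now).length >= this.maxFailures;
  }
  recordFailure(ip: string, now: number): void {
    this.recent(ip, now).push(now);
  }
}

export type ValidateOutcome = "ok" | "invalid" | "rate_limited";

// Middleware core: the limiter check runs before any hashing or lookup, so a
// blocked client costs the Gateway no CPU and no database sub-query.
export function validateApiKey(
  limiter: InvalidAttemptLimiter,
  ip: string,
  presented: string,
  now: number,
): { outcome: ValidateOutcome; workspaceId?: string } {
  if (limiter.isBlocked(ip, now)) return { outcome: "rate_limited" };
  const record = keysByHash.get(hashSHA256(presented));
  if (!record || record.revoked) {
    limiter.recordFailure(ip, now);
    return { outcome: "invalid" };
  }
  return { outcome: "ok", workspaceId: record.workspaceId };
}
```

Revoked keys count as failures, so a retired key being replayed from an old client contributes to the same throttle as guessing. Keying the window on client IP alone is the minimum the item above asks for; behind shared NATs or proxies it is worth also keying on the key prefix or on the workspace once one is identified.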

8. API Keys Missing from CORS

  • Current State: While API keys can be passed as Authorization: Bearer <key>, the x-api-key header itself is not currently exposed via the explicit CORS Access-Control-Allow-Headers configuration.
  • Action Required: Update the Cloudflare Gateway global CORS configuration to explicitly allow the x-api-key header for browser SDK usage scenarios.

9. Audit Logging for Auth Events

  • Current State: We have an audit_log_spec.md specification, but key lifecycle events (creation, revocation) and user auth events (login, MFA toggle, workspace invite) are not currently broadcasting an event to be logged.
  • Action Required: Implement the EventDispatcher within the relevant Manager auth and team routes to push events into the Kafka/Redis stream for the audit logging consumer.