cairn work

src/server/api/root.ts

@@ -11,6 +11,8 @@ import { postHistoryRouter } from "./routers/post-history";
 import { infillRouter } from "./routers/infill";
 import { accountRouter } from "./routers/account";
 import { downloadsRouter } from "./routers/downloads";
+import { remoteDbRouter } from "./routers/remote-db";
+import { appleNotificationsRouter } from "./routers/apple-notifications";
 import { createTRPCRouter, createTRPCContext } from "./utils";
 import type { H3Event } from "h3";
 
@@ -27,7 +29,9 @@ export const appRouter = createTRPCRouter({
   postHistory: postHistoryRouter,
   infill: infillRouter,
   account: accountRouter,
-  downloads: downloadsRouter
+  downloads: downloadsRouter,
+  remoteDb: remoteDbRouter,
+  appleNotifications: appleNotificationsRouter
 });
 
 export type AppRouter = typeof appRouter;

src/server/api/routers/apple-notifications.test.ts

@@ -0,0 +1,34 @@
+import { describe, it, expect, vi } from "vitest";
+import { appRouter } from "~/server/api/root";
+import { createTRPCContext } from "~/server/api/utils";
+
+vi.mock("~/server/apple-notification", () => ({
+  verifyAppleNotification: async () => ({
+    notification_type: "consent-revoked",
+    sub: "apple-sub",
+    email: "test@apple.com",
+    event_time: Date.now()
+  })
+}));
+
+vi.mock("~/server/apple-notification-store", () => ({
+  storeAppleNotificationUser: async () => undefined
+}));
+
+vi.mock("~/server/session-helpers", () => ({
+  getAuthSession: async () => ({ userId: "admin", isAdmin: true })
+}));
+
+describe("apple notification router", () => {
+  it("verifies and stores notifications", async () => {
+    const caller = appRouter.createCaller(
+      await createTRPCContext({ nativeEvent: { node: { req: {} } } } as any)
+    );
+
+    const result = await caller.appleNotifications.verifyAndStore.mutate({
+      signedPayload: "test"
+    });
+
+    expect(result.success).toBe(true);
+  });
+});

src/server/api/routers/apple-notifications.ts

@@ -0,0 +1,14 @@
+import { createTRPCRouter, adminProcedure } from "../utils";
+import { z } from "zod";
+import { verifyAppleNotification } from "~/server/apple-notification";
+import { storeAppleNotificationUser } from "~/server/apple-notification-store";
+
+export const appleNotificationsRouter = createTRPCRouter({
+  verifyAndStore: adminProcedure
+    .input(z.record(z.unknown()))
+    .mutation(async ({ input }) => {
+      const notification = await verifyAppleNotification(input);
+      await storeAppleNotificationUser(notification);
+      return { success: true };
+    })
+});

src/server/api/routers/remote-db.test.ts

@@ -0,0 +1,33 @@
+import { describe, it, expect, vi } from "vitest";
+import { appRouter } from "~/server/api/root";
+import { createTRPCContext } from "~/server/api/utils";
+
+vi.mock("~/server/database", () => ({
+  CairnConnectionFactory: () => ({
+    execute: async () => ({ rows: [{ id: "1", email: "test@cairn.app" }] })
+  })
+}));
+
+vi.mock("~/server/cache", () => ({
+  cache: {
+    get: async () => null,
+    set: async () => undefined
+  }
+}));
+
+vi.mock("~/server/session-helpers", () => ({
+  getAuthSession: async () => ({ userId: "admin", isAdmin: true })
+}));
+
+describe("remoteDb router", () => {
+  it("returns users from remote database", async () => {
+    const caller = appRouter.createCaller(
+      await createTRPCContext({ nativeEvent: { node: { req: {} } } } as any)
+    );
+
+    const result = await caller.remoteDb.getUsers.query({ limit: 1, offset: 0 });
+
+    expect(result.users.length).toBe(1);
+    expect(result.users[0].email).toBe("test@cairn.app");
+  });
+});

src/server/api/utils.ts

@@ -4,11 +4,13 @@ import { getCookie } from "vinxi/http";
 import { logVisit, enrichAnalyticsEntry } from "~/server/analytics";
 import { getRequestIP } from "vinxi/http";
 import { getAuthSession } from "~/server/session-helpers";
+import { verifyCairnToken } from "~/server/cairn-auth";
 
 export type Context = {
   event: APIEvent;
   userId: string | null;
   isAdmin: boolean;
+  cairnUserId: string | null;
 };
 
 async function createContextInner(event: APIEvent): Promise<Context> {
@@ -37,6 +39,22 @@ async function createContextInner(event: APIEvent): Promise<Context> {
     undefined;
   const ipAddress = getRequestIP(event.nativeEvent) || undefined;
   const sessionId = getCookie(event.nativeEvent, "session_id") || undefined;
+  const authHeader =
+    event.request?.headers?.get("authorization") ||
+    req.headers?.authorization ||
+    req.headers?.Authorization ||
+    null;
+
+  let cairnUserId: string | null = null;
+  if (authHeader && authHeader.startsWith("Bearer ")) {
+    const token = authHeader.replace("Bearer ", "").trim();
+    try {
+      const payload = await verifyCairnToken(token);
+      cairnUserId = payload.sub;
+    } catch (error) {
+      console.error("Cairn JWT verification failed:", error);
+    }
+  }
 
   // Don't log the performance logging endpoint itself to avoid circular tracking
   if (!path.includes("analytics.logPerformance")) {
@@ -56,7 +74,8 @@ async function createContextInner(event: APIEvent): Promise<Context> {
   return {
     event,
     userId,
-    isAdmin
+    isAdmin,
+    cairnUserId
   };
 }
 
@@ -96,5 +115,21 @@ const enforceUserIsAdmin = t.middleware(({ ctx, next }) => {
   });
 });
 
+const enforceCairnUser = t.middleware(({ ctx, next }) => {
+  if (!ctx.cairnUserId) {
+    throw new TRPCError({
+      code: "UNAUTHORIZED",
+      message: "Cairn authentication required"
+    });
+  }
+  return next({
+    ctx: {
+      ...ctx,
+      cairnUserId: ctx.cairnUserId
+    }
+  });
+});
+
 export const protectedProcedure = t.procedure.use(enforceUserIsAuthed);
 export const adminProcedure = t.procedure.use(enforceUserIsAdmin);
+export const cairnProcedure = t.procedure.use(enforceCairnUser);