From 807e2dc408d5aa63bafe842b8f9c17938ba54e4f Mon Sep 17 00:00:00 2001
From: michivonah <info@michivonah.ch>
Date: Thu, 2 Oct 2025 22:02:44 +0200
Subject: [PATCH] implement authentication with GitHub (Auth.js)

---
 README.md                     |   7 ++-
 api/package-lock.json         | 109 ++++++++++++++++++++++++++++++++--
 api/package.json              |   4 +-
 api/src/index.ts              |  25 ++++++--
 api/worker-configuration.d.ts |   6 +-
 5 files changed, 140 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 676b396..5d0e7b9 100644
--- a/README.md
+++ b/README.md
@@ -42,4 +42,9 @@ npx wrangler dev --remote --test-scheduled
 Run curl request with cron expression
 ```bash
 curl "http://localhost:8787/__scheduled?cron=*+*+*+*+*"
-```
\ No newline at end of file
+```
+
+## Authentication endpoints
+- /auth/signin -> Login
+- /auth/signout -> Logout
+- /auth/callback/github -> Callback for GitHub OAuth config
\ No newline at end of file
diff --git a/api/package-lock.json b/api/package-lock.json
index 48b63ff..32b8800 100644
--- a/api/package-lock.json
+++ b/api/package-lock.json
@@ -6,9 +6,11 @@
     "": {
       "name": "themepark-assistant",
       "dependencies": {
+        "@auth/core": "^0.40.0",
+        "@hono/auth-js": "^1.1.0",
         "dotenv": "^17.2.2",
         "drizzle-orm": "^0.44.5",
-        "hono": "^4.9.6"
+        "hono": "^4.9.9"
       },
       "devDependencies": {
         "@types/node": "^24.3.1",
@@ -17,6 +19,35 @@
         "wrangler": "^4.4.0"
       }
     },
+    "node_modules/@auth/core": {
+      "version": "0.40.0",
+      "resolved": "https://registry.npmjs.org/@auth/core/-/core-0.40.0.tgz",
+      "integrity": "sha512-n53uJE0RH5SqZ7N1xZoMKekbHfQgjd0sAEyUbE+IYJnmuQkbvuZnXItCU7d+i7Fj8VGOgqvNO7Mw4YfBTlZeQw==",
+      "license": "ISC",
+      "dependencies": {
+        "@panva/hkdf": "^1.2.1",
+        "jose": "^6.0.6",
+        "oauth4webapi": "^3.3.0",
+        "preact": "10.24.3",
+        "preact-render-to-string": "6.5.11"
+      },
+      "peerDependencies": {
+        "@simplewebauthn/browser": "^9.0.1",
+        "@simplewebauthn/server": "^9.0.2",
+        "nodemailer": "^6.8.0"
+      },
+      "peerDependenciesMeta": {
+        "@simplewebauthn/browser": {
+          "optional": true
+        },
+        "@simplewebauthn/server": {
+          "optional": true
+        },
+        "nodemailer": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@cloudflare/kv-asset-handler": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/@cloudflare/kv-asset-handler/-/kv-asset-handler-0.4.0.tgz",
@@ -1023,6 +1054,20 @@
         "node": ">=18"
       }
     },
+    "node_modules/@hono/auth-js": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@hono/auth-js/-/auth-js-1.1.0.tgz",
+      "integrity": "sha512-GFlycQPDkuSbySTq8hvc73Fb9Wx0TnGff0BdE/v5wwrfC37SoNca5McD+nK94jxA0chggVYvn0CxH68uTylR5A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.4.0"
+      },
+      "peerDependencies": {
+        "@auth/core": ">=0.35.0",
+        "hono": ">=3.0.0",
+        "react": "^18 || ^19 || ^19.0.0-rc"
+      }
+    },
     "node_modules/@img/sharp-darwin-arm64": {
       "version": "0.33.5",
       "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.33.5.tgz",
@@ -1431,6 +1476,15 @@
         "@jridgewell/sourcemap-codec": "^1.4.10"
       }
     },
+    "node_modules/@panva/hkdf": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@panva/hkdf/-/hkdf-1.2.1.tgz",
+      "integrity": "sha512-6oclG6Y3PiDFcoyk8srjLfVKyMfVCKJ27JwNPViuXziFpmdz+MZnZN/aKY0JGXgYuO/VghU0jcOAZgWXZ1Dmrw==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/@poppinss/colors": {
       "version": "4.1.5",
       "resolved": "https://registry.npmjs.org/@poppinss/colors/-/colors-4.1.5.tgz",
@@ -1890,9 +1944,9 @@
       "license": "BSD-2-Clause"
     },
     "node_modules/hono": {
-      "version": "4.9.6",
-      "resolved": "https://registry.npmjs.org/hono/-/hono-4.9.6.tgz",
-      "integrity": "sha512-doVjXhSFvYZ7y0dNokjwwSahcrAfdz+/BCLvAMa/vHLzjj8+CFyV5xteThGUsKdkaasgN+gF2mUxao+SGLpUeA==",
+      "version": "4.9.9",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.9.9.tgz",
+      "integrity": "sha512-Hxw4wT6zjJGZJdkJzAx9PyBdf7ZpxaTSA0NfxqjLghwMrLBX8p33hJBzoETRakF3UJu6OdNQBZAlNSkGqKFukw==",
       "license": "MIT",
       "engines": {
         "node": ">=16.9.0"
@@ -1905,6 +1959,15 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/jose": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-6.1.0.tgz",
+      "integrity": "sha512-TTQJyoEoKcC1lscpVDCSsVgYzUDg/0Bt3WE//WiTPK6uOCQC2KZS4MpugbMWt/zyjkopgZoXhZuCi00gLudfUA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/kleur": {
       "version": "4.1.5",
       "resolved": "https://registry.npmjs.org/kleur/-/kleur-4.1.5.tgz",
@@ -1962,6 +2025,15 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/oauth4webapi": {
+      "version": "3.8.2",
+      "resolved": "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-3.8.2.tgz",
+      "integrity": "sha512-FzZZ+bht5X0FKe7Mwz3DAVAmlH1BV5blSak/lHMBKz0/EBMhX6B10GlQYI51+oRp8ObJaX0g6pXrAxZh5s8rjw==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/ohash": {
       "version": "2.0.11",
       "resolved": "https://registry.npmjs.org/ohash/-/ohash-2.0.11.tgz",
@@ -1983,6 +2055,35 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/preact": {
+      "version": "10.24.3",
+      "resolved": "https://registry.npmjs.org/preact/-/preact-10.24.3.tgz",
+      "integrity": "sha512-Z2dPnBnMUfyQfSQ+GBdsGa16hz35YmLmtTLhM169uW944hYL6xzTYkJjC07j+Wosz733pMWx0fgON3JNw1jJQA==",
+      "license": "MIT",
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/preact"
+      }
+    },
+    "node_modules/preact-render-to-string": {
+      "version": "6.5.11",
+      "resolved": "https://registry.npmjs.org/preact-render-to-string/-/preact-render-to-string-6.5.11.tgz",
+      "integrity": "sha512-ubnauqoGczeGISiOh6RjX0/cdaF8v/oDXIjO85XALCQjwQP+SB4RDXXtvZ6yTYSjG+PC1QRP2AhPgCEsM2EvUw==",
+      "license": "MIT",
+      "peerDependencies": {
+        "preact": ">=10"
+      }
+    },
+    "node_modules/react": {
+      "version": "19.2.0",
+      "resolved": "https://registry.npmjs.org/react/-/react-19.2.0.tgz",
+      "integrity": "sha512-tmbWg6W31tQLeB5cdIBOicJDJRR2KzXsV7uSK9iNfLWQ5bIZfxuPEHp7M8wiHyHnn0DD1i7w3Zmin0FtkrwoCQ==",
+      "license": "MIT",
+      "peer": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/resolve-pkg-maps": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
diff --git a/api/package.json b/api/package.json
index 53738a2..33b8b24 100644
--- a/api/package.json
+++ b/api/package.json
@@ -7,9 +7,11 @@
     "cf-typegen": "wrangler types --env-interface CloudflareBindings"
   },
   "dependencies": {
+    "@auth/core": "^0.40.0",
+    "@hono/auth-js": "^1.1.0",
     "dotenv": "^17.2.2",
     "drizzle-orm": "^0.44.5",
-    "hono": "^4.9.6"
+    "hono": "^4.9.9"
   },
   "devDependencies": {
     "@types/node": "^24.3.1",
diff --git a/api/src/index.ts b/api/src/index.ts
index 3c71653..767b467 100644
--- a/api/src/index.ts
+++ b/api/src/index.ts
@@ -1,5 +1,6 @@
 import { Hono } from 'hono'
-import { bearerAuth } from 'hono/bearer-auth'
+import { authHandler, initAuthConfig, verifyAuth } from '@hono/auth-js'
+import GitHub from '@auth/core/providers/github'
 import notification from './routes/notification'
 import logbook from './routes/logbook'
 import cronRouter from './jobs/cron'
@@ -7,10 +8,26 @@ import cronRouter from './jobs/cron'
 // create app
 const app = new Hono()
 
-// add bearer authentication
-const token = 'insecure-token'
+// OAuth via Auth.js
+app.use('*', initAuthConfig((c) => ({
+    secret: c.env.AUTH_SECRET,
+    providers: [
+        GitHub({
+            clientId: c.env.GITHUB_ID,
+            clientSecret: c.env.GITHUB_SECRET,
+        })
+    ]
+})))
 
-app.use('/*', bearerAuth({ token }))
+app.use('/auth/*', authHandler())
+
+app.use('/*', verifyAuth())
+
+// example endpoint
+app.get('/protected', (c) => {
+  const auth = c.get('authUser')
+  return c.json(auth)
+})
 
 // define routes & export app
 app.route('/notification', notification)
diff --git a/api/worker-configuration.d.ts b/api/worker-configuration.d.ts
index d256758..97901ea 100644
--- a/api/worker-configuration.d.ts
+++ b/api/worker-configuration.d.ts
@@ -1,5 +1,5 @@
 /* eslint-disable */
-// Generated by Wrangler by running `wrangler types` (hash: aceadb651dd4392a981fdd98096a2639)
+// Generated by Wrangler by running `wrangler types` (hash: 95e16e3b0bf3458a0c120838843ae4f4)
 // Runtime types generated with workerd@1.20250902.0 2025-09-07 
 declare namespace Cloudflare {
 	interface Env {
@@ -8,6 +8,10 @@ declare namespace Cloudflare {
 		CLOUDFLARE_DATABASE_ID: string;
 		CLOUDFLARE_DATABASE_ID_DEV: string;
 		CLOUDFLARE_D1_TOKEN: string;
+		AUTH_SECRET: string;
+		AUTH_URL: string;
+		GITHUB_ID: string;
+		GITHUB_SECRET: string;
 		d1_db: D1Database;
 	}
 }