
apps/api/src/middleware/requireAuth.ts

Auto-generated by scripts/generate-file-docs.ts. Do not edit — overwritten on every run.

Purpose

requireAuth — Fastify preHandler that authenticates the caller.

Token verification, per auth-rbac-design §API middleware enforcement step 1:

  • 1a. If the token carries type: "child" or type: "platform" (i.e. a platform-issued JWT, verifiable with CHILD_JWT_SECRET), verify it locally and resolve sub directly to a Users.id.
  • 1b. Otherwise, verify the token against Clerk and resolve the Clerk sub to a Users row by externalUserId.

Status enforcement, per auth-rbac-design §API middleware enforcement step 3:

  • status MUST be ACTIVE; every other status (PENDING_APPROVAL, SUSPENDED, DEACTIVATED) returns 403.

ADR 0038 — AuthContext.roles is now an array. UserRole rows with isActive=true are the source of truth; the User.role scalar is the fallback when no UserRole rows exist yet (migration transition period). requireRole() and requireAnyRole() both read request.auth.roles.
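Added example, not the project's requireAuth.ts: the step 1a/1b dispatch, the step 3 status check and the ADR 0038 roles resolution as one standalone TypeScript function. It assumes HS256 platform tokens and replaces jsonwebtoken with a minimal HS256 signer/verifier on node:crypto, replaces @clerk/backend and ../adapters/db with an injected verifyClerk stand-in and in-memory rows, and treats a caller that resolves to no Users row as 401 (an assumption; the page only specifies 403 for non-ACTIVE users).

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed stand-ins for the DB rows, config and Clerk client (not the project's own types).
type Status = "ACTIVE" | "PENDING_APPROVAL" | "SUSPENDED" | "DEACTIVATED";
export interface UserRow { id: string; externalUserId?: string; role: string; status: Status }
export interface UserRoleRow { userId: string; role: string; isActive: boolean }
export type Decision = { status: 200; userId: string; roles: string[] } | { status: 401 | 403; reason: string };
export interface Deps {
  childJwtSecret: string;                          // CHILD_JWT_SECRET
  verifyClerk: (token: string) => string | null;   // hypothetical stand-in for @clerk/backend: Clerk sub or null
  users: UserRow[];
  userRoles: UserRoleRow[];
}
const b64url = (s: string) => Buffer.from(s).toString("base64url");

// Minimal HS256 signer so the example can mint platform tokens offline (stands in for jsonwebtoken.sign).
export function signHs256(payload: object, secret: string): string {
  const body = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  return `${body}.${createHmac("sha256", secret).update(body).digest("base64url")}`;
}

// Step 1a: verify a platform-issued JWT locally; the signature is checked before any claim (including type) is trusted.
export function verifyPlatformJwt(token: string, secret: string, now = Date.now() / 1000): Record<string, any> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const expected = createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof claims.sub !== "string" || !["child", "platform"].includes(claims.type)) return null; // not platform-issued
  if (typeof claims.exp === "number" && claims.exp <= now) return null;                            // expired
  return claims;
}

// ADR 0038: active UserRole rows are the source of truth; the User.role scalar is only the fallback.
export function resolveRoles(user: UserRow, userRoles: UserRoleRow[]): string[] {
  const active = userRoles.filter((r) => r.userId === user.id && r.isActive).map((r) => r.role);
  return active.length > 0 ? active : [user.role];
}

export function authenticate(token: string, deps: Deps): Decision {
  const claims = verifyPlatformJwt(token, deps.childJwtSecret);
  const clerkSub = claims ? null : deps.verifyClerk(token);                    // 1b only when 1a did not apply
  const user = claims
    ? deps.users.find((u) => u.id === claims.sub)                              // 1a: sub is Users.id
    : clerkSub ? deps.users.find((u) => u.externalUserId === clerkSub) : undefined;
  if (!user) return { status: 401, reason: "no matching user" };               // assumption: unknown caller is 401
  if (user.status !== "ACTIVE") return { status: 403, reason: `status ${user.status}` }; // step 3: only ACTIVE passes
  return { status: 200, userId: user.id, roles: resolveRoles(user, deps.userRoles) };
}
```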

Exports

  • export type DbUserStatus
  • export interface AuthContext
  • export function toRoleSlug
  • export async function requireAuth

Imports

  • ../adapters/db
  • ../config
  • ../lib/errors
  • ../lib/response
  • @clerk/backend
  • @hch/shared-types
  • fastify
  • jsonwebtoken

Imported by

Heritage Community Hub — Internal. Access restricted via Cloudflare Access + Entra ID.