feat/auto-deploy

.gitignore

@@ -15,6 +15,10 @@ dist/
 .vscode/*
 !.vscode/launch.json
 !.vscode/*.code-snippets
+!.vscode/extensions.json
+!.vscode/settings.json
+.vscode/settings.local.json
+!.vscode/tasks.json
 .idea/workspace.xml
 .idea/usage.statistics.xml
 .idea/shelf

.vscode/extensions.json

@@ -0,0 +1,3 @@
+{
+  "recommendations": ["biomejs.biome"]
+}

.vscode/settings.json

@@ -0,0 +1,11 @@
+{
+  "biome.enabled": true,
+  "biome.requireConfiguration": true,
+  "editor.defaultFormatter": "biomejs.biome",
+  "editor.formatOnSave": true,
+  "editor.codeActionsOnSave": {
+    "source.action.useSortedAttributes.biome": "explicit",
+    "source.organizeImports.biome": "explicit",
+    "source.fixAll.biome": "explicit"
+  }
+}

.vscode/tasks.json

@@ -0,0 +1,130 @@
+{
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "Start Frontend & Backend",
+      "detail": "Start dashboard (Next.js) and workers (Cloudflare Workers) in parallel terminal windows",
+      "dependsOn": ["Start Dashboard", "Start Workers"],
+      "dependsOrder": "parallel",
+      "presentation": {
+        "panel": "new",
+        "group": "dev",
+        "reveal": "always",
+        "clear": true
+      },
+      "group": {
+        "isDefault": true
+      }
+    },
+    {
+      "label": "Start All Dev Services",
+      "detail": "Start all dev services in one terminal window with turbo dev",
+      "type": "shell",
+      "command": "pnpm dev",
+      "options": {
+        "cwd": "${workspaceFolder}"
+      },
+      "isBackground": true,
+      "problemMatcher": [],
+      "presentation": {
+        "panel": "new",
+        "group": "dev",
+        "reveal": "always",
+        "clear": true
+      }
+    },
+    {
+      "label": "Start Dashboard",
+      "detail": "Start dashboard dev server (Next.js)",
+      "type": "shell",
+      "command": "pnpm dev",
+      "options": {
+        "cwd": "${workspaceFolder}/apps/app"
+      },
+      "isBackground": true,
+      "problemMatcher": [],
+      "presentation": {
+        "panel": "new",
+        "group": "dev",
+        "reveal": "always",
+        "clear": true
+      }
+    },
+    {
+      "label": "Start Auth Worker",
+      "detail": "Start auth worker dev server (Wrangler)",
+      "type": "shell",
+      "command": "pnpm dev",
+      "options": {
+        "cwd": "${workspaceFolder}/apps/workers/auth"
+      },
+      "isBackground": true,
+      "problemMatcher": [],
+      "presentation": {
+        "panel": "new",
+        "group": "dev",
+        "reveal": "always",
+        "clear": true
+      }
+    },
+    {
+      "label": "Start V0 Worker",
+      "detail": "Start v0 worker dev server (Wrangler)",
+      "type": "shell",
+      "command": "pnpm dev",
+      "options": {
+        "cwd": "${workspaceFolder}/apps/workers/v0"
+      },
+      "isBackground": true,
+      "problemMatcher": [],
+      "presentation": {
+        "panel": "new",
+        "group": "dev",
+        "reveal": "always",
+        "clear": true
+      }
+    },
+    {
+      "label": "Start Workers",
+      "detail": "Start auth + v0 workers in parallel",
+      "dependsOn": ["Start Auth Worker", "Start V0 Worker"],
+      "dependsOrder": "parallel",
+      "presentation": {
+        "panel": "new",
+        "group": "dev",
+        "reveal": "always",
+        "clear": true
+      }
+    },
+    {
+      "label": "Generate Worker Auth Types",
+      "detail": "Generate Cloudflare types for auth worker",
+      "type": "shell",
+      "command": "pnpm cf-typegen",
+      "options": {
+        "cwd": "${workspaceFolder}/apps/workers/auth"
+      },
+      "presentation": {
+        "panel": "new",
+        "group": "tools",
+        "reveal": "always",
+        "clear": true
+      }
+    },
+    {
+      "label": "Generate Worker V0 Types",
+      "detail": "Generate Cloudflare types for v0 worker",
+      "type": "shell",
+      "command": "pnpm cf-typegen",
+      "options": {
+        "cwd": "${workspaceFolder}/apps/workers/v0"
+      },
+      "presentation": {
+        "panel": "new",
+        "group": "tools",
+        "reveal": "always",
+        "clear": true
+      }
+    }
+  ]
+}

apps/app/app/api/auth/getSessionWithAPIKey/route.ts

@@ -0,0 +1,26 @@
+import { getAuth } from '@deepcrawl/auth/lib/auth';
+import { NextResponse } from 'next/server';
+
+export async function POST(request: Request) {
+  const body = await request.json().catch(() => ({}));
+  const apiKey =
+    body?.apiKey ??
+    request.headers.get('x-api-key') ??
+    request.headers.get('authorization')?.replace('Bearer ', '');
+
+  if (!apiKey) {
+    return NextResponse.json(
+      { error: 'Missing API key' },
+      {
+        status: 400,
+      },
+    );
+  }
+
+  const auth = getAuth();
+  const headers = new Headers(request.headers);
+  headers.set('x-api-key', apiKey);
+
+  const session = await auth.api.getSession({ headers });
+  return NextResponse.json(session);
+}

apps/workers/auth/src/rpc.d.ts

@@ -0,0 +1,11 @@
+import { WorkerEntrypoint } from 'cloudflare:workers';
+import type { Session } from '@deepcrawl/auth/types';
+
+/**
+ * Type-only RPC surface for the auth worker service binding.
+ * Keep this file free of runtime code or worker env dependencies.
+ */
+export default class AuthWorkerRpc extends WorkerEntrypoint {
+  getSessionWithAPIKey(apiKey: string): Promise<Session | undefined>;
+  clearApiKeyCache(apiKey: string): Promise<void>;
+}

apps/workers/v0/.dev.vars.example

@@ -4,6 +4,12 @@
 BETTER_AUTH_URL=http://localhost:8787
 BETTER_AUTH_SECRET=
 
+AUTH_MODE=better-auth
+
+JWT_SECRET=
+JWT_ISSUER=
+JWT_AUDIENCE=
+
 DATABASE_URL=
 
 # Github

apps/workers/v0/README.md

@@ -73,6 +73,123 @@ The worker is configured via `wrangler.jsonc` with:
 - **KV Storage** - Caching and data persistence
 - **Custom Domain** - `api.deepcrawl.dev`
 
+### Authentication Modes
+
+Deepcrawl supports multiple authentication modes. Default is `better-auth`.
+
+```bash
+# Auth mode: better-auth (default) | jwt | none
+AUTH_MODE=better-auth
+```
+
+- `better-auth` (default): API key + cookie auth via Better Auth.
+- `jwt`: Verify JWT tokens from `Authorization: Bearer <token>`.
+- `none`: No authentication, all operations are open. Use with caution.
+
+### JWT Configuration
+
+Required when `AUTH_MODE=jwt`:
+
+```bash
+JWT_SECRET=your_jwt_secret
+JWT_ISSUER=deepcrawl            # optional
+JWT_AUDIENCE=deepcrawl-api      # optional
+```
+
+JWT payload expectations:
+- `sub` is required and maps to `user.id` and `session.userId`
+- Optional fields: `email`, `name`, `picture`, `email_verified`, `exp`
+
+Notes on issuer/audience:
+- `iss` (issuer) identifies who minted the token.
+- `aud` (audience) identifies which service the token is intended for.
+- If unset, they are not validated. If set, tokens must match to be accepted.
+
+Generate a JWT secret:
+
+1. Cross-platform (Node.js):
+```bash
+node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+```
+
+2. macOS/Linux (OpenSSL):
+```bash
+openssl rand -hex 32
+```
+
+### JWT Example (Node.js)
+
+Use the simplest and most common library: `jsonwebtoken`.
+
+```bash
+pnpm add jsonwebtoken
+```
+
+```ts
+import jwt from 'jsonwebtoken';
+
+const token = jwt.sign(
+  {
+    sub: 'user_123',
+    email: 'alice@example.com',
+    name: 'Alice',
+  },
+  process.env.JWT_SECRET as string,
+  {
+    expiresIn: '24h',
+    issuer: 'deepcrawl',
+    audience: 'deepcrawl-api',
+  },
+);
+
+// Send as: Authorization: Bearer <token>
+```
+
+### JWT Quick Mint (CLI)
+
+If you only deploy the API worker and want a quick token for simple auth,
+use the built-in script in this repo:
+
+```bash
+# From the repo root
+JWT_SECRET=your_jwt_secret pnpm jwt:mint
+```
+
+This is an interactive Node.js script (not Bash), so it works on macOS and
+Windows. It will prompt you for required fields if you don’t pass flags.
+If you leave the JWT secret blank, the script can generate one for you.
+It can also write the secret into local env files for you.
+
+You can also pass flags to skip prompts:
+
+```bash
+pnpm jwt:mint -- --sub user_123 --email alice@example.com --expires-in 24
+```
+
+Write the secret into env files (optional):
+
+```bash
+pnpm jwt:mint -- --write-dev-vars
+pnpm jwt:mint -- --write-dev-vars-production
+```
+
+Required inputs:
+- `JWT_SECRET` (env var or prompt)
+- `sub` (user id)
+
+Optional inputs:
+- `email`
+- `name`
+- `issuer` (`JWT_ISSUER`)
+- `audience` (`JWT_AUDIENCE`)
+- `expires-in` (hours, default 24)
+
+The command prints a JWT you can attach as:
+
+```
+Authorization: Bearer <token>
+```
+
 ## 🔌 API Endpoints
 
 ### **oRPC Endpoints** (Type-safe)