Initial commit: Centralized auth service with Discord OAuth

.gitignore

@@ -0,0 +1,3 @@
+node_modules/
+*.db-shm
+*.db-wal

db.js

@@ -0,0 +1,37 @@
+import Database from 'better-sqlite3';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const dbPath = process.env.SANDBOX_DB_PATH || path.resolve(__dirname, '../sandbox/server/sandbox.db');
+const db = new Database(dbPath);
+
+db.pragma('journal_mode = WAL');
+db.pragma('foreign_keys = ON');
+
+db.exec(`
+  CREATE TABLE IF NOT EXISTS users (
+    id TEXT PRIMARY KEY,
+    username TEXT UNIQUE NOT NULL,
+    email TEXT UNIQUE,
+    password_hash TEXT,
+    discord_id TEXT UNIQUE,
+    global_name TEXT,
+    avatar TEXT,
+    created_at TEXT DEFAULT (datetime('now')),
+    updated_at TEXT DEFAULT (datetime('now'))
+  );
+`);
+
+const migrations = [
+  "ALTER TABLE users ADD COLUMN email TEXT",
+  "ALTER TABLE users ADD COLUMN discord_id TEXT UNIQUE",
+  "ALTER TABLE users ADD COLUMN global_name TEXT",
+  "ALTER TABLE users ADD COLUMN avatar TEXT",
+  "ALTER TABLE users ADD COLUMN updated_at TEXT DEFAULT (datetime('now'))",
+];
+for (const sql of migrations) {
+  try { db.exec(sql); } catch {}
+}
+
+export default db;

index.js

@@ -0,0 +1,25 @@
+import dotenv from 'dotenv';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import express from 'express';
+import cors from 'cors';
+import discordRoutes from './routes/discord.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+dotenv.config({ path: path.resolve(__dirname, '../sandbox/.env') });
+
+const app = express();
+const PORT = process.env.AUTH_PORT || 3004;
+
+app.use(cors());
+app.use(express.json());
+
+app.use('/auth', discordRoutes);
+
+app.get('/health', (req, res) => {
+  res.json({ status: 'ok', service: 'thw-auth', timestamp: new Date().toISOString() });
+});
+
+app.listen(PORT, () => {
+  console.log(`THW Auth service running on http://localhost:${PORT}`);
+});

middleware/auth.js

@@ -0,0 +1,18 @@
+import jwt from 'jsonwebtoken';
+
+const JWT_SECRET = process.env.JWT_SECRET || 'sandbox-secret-key-change-in-production';
+
+export function generateToken(userId) {
+  return jwt.sign({ userId }, JWT_SECRET, { expiresIn: '7d' });
+}
+
+export function authenticateToken(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+  if (!token) return res.status(401).json({ error: 'Authentication required' });
+  jwt.verify(token, JWT_SECRET, (err, decoded) => {
+    if (err) return res.status(403).json({ error: 'Invalid or expired token' });
+    req.userId = decoded.userId;
+    next();
+  });
+}

package.json

@@ -0,0 +1,19 @@
+{
+  "name": "thw-auth",
+  "version": "1.0.0",
+  "description": "Centralized auth service for The Howling Whispers",
+  "main": "index.js",
+  "type": "module",
+  "scripts": {
+    "start": "node index.js",
+    "dev": "node --watch index.js"
+  },
+  "dependencies": {
+    "better-sqlite3": "^12.11.1",
+    "cors": "^2.8.5",
+    "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "jsonwebtoken": "^9.0.2",
+    "uuid": "^9.0.0"
+  }
+}

routes/discord.js

@@ -0,0 +1,100 @@
+import { Router } from 'express';
+import { v4 as uuidv4 } from 'uuid';
+import db from '../db.js';
+import { generateToken } from '../middleware/auth.js';
+
+const router = Router();
+
+const DISCORD_API = 'https://discord.com/api';
+
+const DISCORD_CLIENT_ID = process.env.DISCORD_CLIENT_ID;
+const DISCORD_CLIENT_SECRET = process.env.DISCORD_CLIENT_SECRET;
+const DISCORD_REDIRECT_URI = process.env.DISCORD_REDIRECT_URI;
+
+const WHITELIST = new Set([
+  '1207017997173137481'
+]);
+
+function getFrontendUrl() {
+  return process.env.FRONTEND_URL || 'http://localhost:3000';
+}
+
+router.get('/discord', (req, res) => {
+  const next = req.query.next || '/';
+  const safeNext = next.startsWith('/') && !next.startsWith('//') ? next : '/';
+  const params = new URLSearchParams({
+    client_id: DISCORD_CLIENT_ID,
+    redirect_uri: DISCORD_REDIRECT_URI,
+    response_type: 'code',
+    scope: 'identify',
+    state: safeNext,
+  });
+  res.redirect(`${DISCORD_API}/oauth2/authorize?${params.toString()}`);
+});
+
+router.get('/discord/callback', async (req, res) => {
+  const { code, state, error } = req.query;
+
+  if (error) {
+    return res.redirect(`${getFrontendUrl()}/login?error=${encodeURIComponent(error)}`);
+  }
+  if (!code || !state) {
+    return res.redirect(`${getFrontendUrl()}/login?error=missing_code_or_state`);
+  }
+
+  try {
+    const tokenRes = await fetch(`${DISCORD_API}/oauth2/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: DISCORD_CLIENT_ID,
+        client_secret: DISCORD_CLIENT_SECRET,
+        grant_type: 'authorization_code',
+        code,
+        redirect_uri: DISCORD_REDIRECT_URI,
+      }).toString(),
+    });
+    if (!tokenRes.ok) {
+      const text = await tokenRes.text();
+      throw new Error(`Discord token exchange failed: ${tokenRes.status} ${text}`);
+    }
+    const token = await tokenRes.json();
+
+    const userRes = await fetch(`${DISCORD_API}/users/@me`, {
+      headers: { Authorization: `Bearer ${token.access_token}` },
+    });
+    if (!userRes.ok) {
+      const text = await userRes.text();
+      throw new Error(`Discord user fetch failed: ${userRes.status} ${text}`);
+    }
+    const discordUser = await userRes.json();
+
+    if (!WHITELIST.has(discordUser.id)) {
+      return res.redirect(`${getFrontendUrl()}/login?error=not_allowed`);
+    }
+
+    const existing = db.prepare('SELECT id FROM users WHERE discord_id = ?').get(discordUser.id);
+    let userId;
+    if (existing) {
+      userId = existing.id;
+      db.prepare(
+        "UPDATE users SET username = ?, global_name = ?, avatar = ?, updated_at = datetime('now') WHERE id = ?"
+      ).run(discordUser.username, discordUser.global_name, discordUser.avatar, userId);
+    } else {
+      userId = uuidv4();
+      db.prepare(
+        'INSERT INTO users (id, username, global_name, avatar, discord_id) VALUES (?, ?, ?, ?, ?)'
+      ).run(userId, discordUser.username, discordUser.global_name, discordUser.avatar, discordUser.id);
+    }
+
+    const jwt = generateToken(userId);
+
+    const redirectTo = state.startsWith('/') ? state : '/';
+    res.redirect(`${getFrontendUrl()}${redirectTo}?token=${jwt}`);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : 'unknown error';
+    res.redirect(`${getFrontendUrl()}/login?error=${encodeURIComponent(msg.slice(0, 200))}`);
+  }
+});
+
+export default router;