Subscription endpoint: support token bearer auth

Author: jahooma

web/src/app/api/referrals/route.ts

@@ -10,7 +10,10 @@ import { authOptions } from '../auth/[...nextauth]/auth-options'
 
 import type { NextRequest } from 'next/server'
 
-import { extractApiKeyFromHeader } from '@/util/auth'
+import {
+  extractApiKeyFromHeader,
+  getUserIdFromSessionToken,
+} from '@/util/auth'
 
 
 type Referral = Pick<typeof schema.user.$inferSelect, 'id' | 'name' | 'email'> &
@@ -169,16 +172,11 @@ export async function POST(request: NextRequest) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
 
-  const user = await db.query.session.findFirst({
-    where: eq(schema.session.sessionToken, authToken),
-    columns: {
-      userId: true,
-    },
-  })
+  const userId = await getUserIdFromSessionToken(authToken)
 
-  if (!user?.userId) {
+  if (!userId) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
 
-  return redeemReferralCode(referralCode, user.userId)
+  return redeemReferralCode(referralCode, userId)
 }

web/src/app/api/user/subscription/route.ts

@@ -11,20 +11,36 @@ import { NextResponse } from 'next/server'
 import { getServerSession } from 'next-auth'
 
 import { authOptions } from '@/app/api/auth/[...nextauth]/auth-options'
+import { extractApiKeyFromHeader, getUserIdFromSessionToken } from '@/util/auth'
 import { logger } from '@/util/logger'
 
 import type {
   NoSubscriptionResponse,
   ActiveSubscriptionResponse,
 } from '@codebuff/common/types/subscription'
+import type { NextRequest } from 'next/server'
 
-export async function GET() {
-  const session = await getServerSession(authOptions)
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+export async function GET(req: NextRequest) {
+  let userId: string | undefined
+
+  // First, try Bearer token authentication (for CLI clients)
+  const apiKey = extractApiKeyFromHeader(req)
+  if (apiKey) {
+    const userIdFromToken = await getUserIdFromSessionToken(apiKey)
+    if (userIdFromToken) {
+      userId = userIdFromToken
+    }
+  }
+
+  // Fall back to NextAuth session authentication (for web clients)
+  if (!userId) {
+    const session = await getServerSession(authOptions)
+    userId = session?.user?.id
   }
 
-  const userId = session.user.id
+  if (!userId) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
 
   // Fetch user preference for always use a-la-carte
   const [subscription, userPrefs] = await Promise.all([

web/src/util/auth.ts

@@ -1,5 +1,26 @@
+import db from '@codebuff/internal/db'
+import * as schema from '@codebuff/internal/db/schema'
+import { and, eq, gt } from 'drizzle-orm'
+
 import type { NextRequest } from 'next/server'
 
+/**
+ * Look up user ID from a session token in the database.
+ * Returns null if the token is invalid or expired.
+ */
+export async function getUserIdFromSessionToken(
+  sessionToken: string,
+): Promise<string | null> {
+  const session = await db.query.session.findFirst({
+    where: and(
+      eq(schema.session.sessionToken, sessionToken),
+      gt(schema.session.expires, new Date()),
+    ),
+    columns: { userId: true },
+  })
+  return session?.userId ?? null
+}
+
 /**
  * Extract api key from x-codebuff-api-key header or authorization header
  */