refactor: create shared @codebuff/internal package for authentication utilities

- Create new @codebuff/internal package with centralized auth functions
- Move reusable authentication logic from backend and web packages
- Consolidate admin email list into single source of truth
- Update all imports from @codebuff/integrations to @codebuff/internal
- Fix build configuration and project references
- Improve error handling with structured AuthResult interface

🤖 Generated with Codebuff
Co-Authored-By: Codebuff <noreply@codebuff.com>

Author: brandonkachen

backend/package.json

@@ -17,10 +17,10 @@
     "@ai-sdk/openai": "1.3.22",
     "@anthropic-ai/sdk": "^0.39.0",
     "@codebuff/billing": "workspace:*",
+    "@codebuff/internal": "workspace:*",
     "@google-cloud/vertexai": "1.10.0",
     "@google/generative-ai": "0.24.1",
     "@t3-oss/env-core": "0.11.1",
-    "@types/cors": "^2.8.17",
     "ai": "4.3.16",
     "common": "workspace:*",
     "cors": "^2.8.5",

backend/src/util/check-auth.ts

@@ -7,13 +7,7 @@ import { ServerAction } from 'common/actions'
 import { logger } from '@/util/logger'
 import { triggerMonthlyResetAndGrant } from '@codebuff/billing'
 
-// List of admin user emails
-const ADMIN_USER_EMAILS = [
-  'venkateshrameshkumar+1@gmail.com',
-  'brandonchenjiacheng@gmail.com',
-  'jahooma@gmail.com',
-  'charleslien97@gmail.com',
-]
+import * as internal from '@codebuff/internal'
 
 export const checkAuth = async ({
   fingerprintId,
@@ -24,44 +18,31 @@ export const checkAuth = async ({
   authToken?: string
   clientSessionId: string
 }): Promise<void | ServerAction> => {
-  if (!authToken) {
-    if (!fingerprintId) {
-      logger.error(
-        { clientSessionId },
-        'Auth token and fingerprint ID are missing'
-      )
-      return {
-        type: 'action-error',
-        message: 'Auth token and fingerprint ID are missing',
-      }
-    }
-    return
-  }
-
-  const user = await db
-    .select({
-      id: schema.user.id,
-      email: schema.user.email,
-      discord_id: schema.user.discord_id,
-    })
-    .from(schema.user)
-    .innerJoin(schema.session, eq(schema.user.id, schema.session.userId))
-    .where(eq(schema.session.sessionToken, authToken))
-    .then((users) => {
-      if (users.length === 1) {
-        return users[0]
-      }
-      return undefined
-    })
+  // Use shared auth check functionality
+  const authResult = await internal.utils.checkAuthToken({
+    fingerprintId,
+    authToken,
+  })
 
-  if (!user) {
-    logger.warn({ clientSessionId }, 'Invalid auth token')
+  if (!authResult.success) {
+    logger.error(
+      { clientSessionId, error: authResult.error },
+      authResult.error?.message || 'Authentication failed'
+    )
     return {
       type: 'action-error',
-      message: 'Invalid auth token',
+      message: authResult.error?.message || 'Authentication failed',
     }
   }
 
+  if (authResult.user) {
+    // Log successful authentication if we have a user
+    logger.debug(
+      { clientSessionId, userId: authResult.user.id },
+      'Authentication successful'
+    )
+  }
+
   return
 }
 
@@ -98,7 +79,7 @@ export const checkAdmin = async (
     return res.status(401).json({ error: errorMessage })
   }
 
-  // Get the user email associated with this session token
+  // Get the user ID associated with this session token
   const user = await db
     .select({
       id: schema.user.id,
@@ -109,17 +90,22 @@ export const checkAdmin = async (
     .where(eq(schema.session.sessionToken, authToken))
     .then((users) => users[0])
 
-  // Check if user has admin access
-  if (!user?.email || !ADMIN_USER_EMAILS.includes(user.email)) {
+  if (!user) {
+    return res.status(401).json({ error: 'Invalid session' })
+  }
+
+  // Check if user has admin access using shared utility
+  const adminUser = await internal.utils.checkUserIsCodebuffAdmin(user.id)
+  if (!adminUser) {
     logger.warn(
-      { userId: user?.id, email: user?.email, clientSessionId },
+      { userId: user.id, email: user.email, clientSessionId },
       'Unauthorized access attempt to admin endpoint'
     )
     return res.status(403).json({ error: 'Forbidden' })
   }
 
   // Store user info in request for handlers to use if needed
-  // req.user = user // TODO: ensure type check passes
+  // req.user = adminUser // TODO: ensure type check passes
 
   // Auth passed and user is admin, proceed to next middleware
   next()

backend/tsconfig.json

@@ -19,7 +19,8 @@
       "common/*": ["./src/common/*", "../common/src/*"],
       "@/*": ["./src/*"],
       "@codebuff/billing": ["../packages/billing/src"],
-      "@codebuff/bigquery": ["../packages/bigquery/src"]
+      "@codebuff/bigquery": ["../packages/bigquery/src"],
+      "@codebuff/internal": ["../packages/internal/src"]
     },
     "typeRoots": [
       "./node_modules/@types",
@@ -33,7 +34,8 @@
   "references": [
     { "path": "../common" },
     { "path": "../packages/billing" },
-    { "path": "../packages/bigquery" }
+    { "path": "../packages/bigquery" },
+    { "path": "../packages/internal" }
   ],
   "ts-node": {
     "require": ["tsconfig-paths/register"]

bun.lock

@@ -1,4 +1,4 @@
-import { sendBasicEmail } from '../../packages/integrations/src'
+import { sendBasicEmail } from '../../packages/internal/src/loops'
 import { FullEvalLog } from './types'
 import { PostEvalAnalysis } from './post-eval-analysis'
 

evals/git-evals/email-eval-results.ts

@@ -13,5 +13,5 @@
     }
   },
   "tags": [],
-  "implicitDependencies": ["@codebuff/integrations", "codebuff"]
+  "implicitDependencies": ["@codebuff/internal", "codebuff"]
 }

evals/project.json

@@ -7,15 +7,15 @@
       "common/*": ["../common/src/*"],
       "backend/*": ["../backend/src/*"],
       "npm-app/*": ["../npm-app/src/*"],
-      "@codebuff/integrations/*": ["../packages/integrations/src/*"]
+      "@codebuff/internal/*": ["../packages/internal/src/*"]
     },
     "typeRoots": ["./node_modules/@types", "../node_modules/@types"]
   },
   "references": [
     { "path": "../common" },
     { "path": "../backend" },
     { "path": "../npm-app" },
-    { "path": "../packages/integrations" }
+    { "path": "../packages/internal" }
   ],
   "exclude": ["test-repos"],
   "include": ["**/*.ts"]

evals/tsconfig.json

@@ -1,5 +1,5 @@
 {
-  "name": "@codebuff/integrations",
+  "name": "@codebuff/internal",
   "version": "1.0.0",
   "license": "UNLICENSED",
   "main": "dist/index.js",
@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "common": "workspace:*",
+    "drizzle-orm": "*",
     "loops": "^5.0.1"
   },
   "devDependencies": {

packages/integrations/src/index.ts

@@ -0,0 +1,5 @@
+// Export internal utilities
+export * as utils from './utils/auth';
+
+// Export loops functionality
+export * from './loops';