refactor: 🔥 Remove plugin functionality, move OpenID plugin to core

2026-03-13 05:49:16 +01:00 · 2025-07-07 05:52:11 +02:00 · 2025-07-07 05:52:11 +02:00 · b5e9e35427
commit b5e9e35427
parent 278bf960cb
45 changed files with 1502 additions and 2304 deletions
--- a/utils/bull-board.ts
+++ b/utils/bull-board.ts
@ -1,7 +1,10 @@
 import { createBullBoard } from "@bull-board/api";
 import { BullMQAdapter } from "@bull-board/api/bullMQAdapter";
 import { HonoAdapter } from "@bull-board/hono";
+import { RolePermission } from "@versia/client/schemas";
 import { config } from "@versia-server/config";
+import { ApiError } from "@versia-server/kit";
+import { User } from "@versia-server/kit/db";
 import { deliveryQueue } from "@versia-server/kit/queues/delivery";
 import { fetchQueue } from "@versia-server/kit/queues/fetch";
 import { inboxQueue } from "@versia-server/kit/queues/inbox";
@ -10,6 +13,9 @@ import { pushQueue } from "@versia-server/kit/queues/push";
 import { relationshipQueue } from "@versia-server/kit/queues/relationships";
 import type { Hono } from "hono";
 import { serveStatic } from "hono/bun";
+import { getCookie } from "hono/cookie";
+import { jwtVerify } from "jose";
+import { JOSEError, JWTExpired } from "jose/errors";
 import type { HonoEnv } from "~/types/api";
 import pkg from "../package.json" with { type: "json" };

@ -44,4 +50,54 @@ export const applyToHono = (app: Hono<HonoEnv>): void => {

    serverAdapter.setBasePath("/admin/queues");
    app.route("/admin/queues", serverAdapter.registerPlugin());
+
+    app.use("/admin/queues/api/*", async (context, next) => {
+        const jwtCookie = getCookie(context, "jwt");
+
+        if (!jwtCookie) {
+            throw new ApiError(401, "Missing JWT cookie");
+        }
+
+        const result = await jwtVerify(
+            jwtCookie,
+            config.authentication.keys.public,
+            {
+                algorithms: ["EdDSA"],
+                issuer: new URL(context.get("config").http.base_url).origin,
+            },
+        ).catch((error) => {
+            if (error instanceof JOSEError) {
+                return error;
+            }
+
+            throw error;
+        });
+
+        if (result instanceof JOSEError) {
+            if (result instanceof JWTExpired) {
+                throw new ApiError(401, "JWT has expired");
+            }
+
+            throw new ApiError(401, "Invalid JWT");
+        }
+
+        const {
+            payload: { sub },
+        } = result;
+
+        if (!sub) {
+            throw new ApiError(401, "Invalid JWT (no sub)");
+        }
+
+        const user = await User.fromId(sub);
+
+        if (!user?.hasPermission(RolePermission.ManageInstanceFederation)) {
+            throw new ApiError(
+                403,
+                `Missing '${RolePermission.ManageInstanceFederation}' permission`,
+            );
+        }
+
+        await next();
+    });
 };