feat: V2 microservices stack — backend services, gateway, JWT auth

Add full V2 architecture: identity, content, studio (.NET 10) and file, render, notification, gateway (Go) services with vendored deps, plus DB migrations, event/API contracts, and an init-db script. Wire the Next.js frontend to the gateway: server-side JWT auth routes (login/register/refresh/logout/me), gateway fetch helper, and session/ cookie/jwt helpers under src/lib. Containerize the stack via docker-compose.v2.yml and per-service Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via next/font/local to avoid Google Fonts (geo-blocked). Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 23:29:31 +03:30
parent 53ea78a00d
commit 90ac0b81d1
7636 changed files with 3707504 additions and 240 deletions
@@ -1,7 +1,7 @@
 import { redirect } from "next/navigation";

 import { DashboardShell } from "@/components/dashboard/DashboardShell";
-import { createClient } from "@/lib/supabase/server";
+import { getCurrentUser } from "@/lib/auth/session";

 export const dynamic = "force-dynamic";

@@ -10,24 +10,16 @@ export default async function DashboardLayout({
 }: Readonly<{
  children: React.ReactNode;
 }>) {
-  const supabase = await createClient();
-  const {
-    data: { user },
-  } = await supabase.auth.getUser();
+  const user = await getCurrentUser();

  if (!user) {
    redirect("/auth");
  }

-  const userName =
-    typeof user.user_metadata?.full_name === "string"
-      ? user.user_metadata.full_name
-      : null;
-
  return (
    <DashboardShell
      userEmail={user.email ?? ""}
-      userName={userName}
+      userName={user.full_name ?? null}
      userId={user.id}
    >
      {children}
@@ -1,5 +1,5 @@
 import type { Metadata } from "next";
-import { Inter, Plus_Jakarta_Sans, Vazirmatn } from "next/font/google";
+import localFont from "next/font/local";
 import { notFound } from "next/navigation";
 import { getMessages, getTranslations } from "next-intl/server";
 import { NextIntlClientProvider } from "next-intl";
@@ -10,23 +10,28 @@ import type { Locale } from "@/i18n/routing";

 import "../globals.css";

-/* ── Fonts ─────────────────────────────────────────────────────── */
+/* ── Fonts (self-hosted via @fontsource — no Google CDN required) ── */

-const vazirmatn = Vazirmatn({
-  subsets: ["arabic"],
+const vazirmatn = localFont({
+  src: [
+    { path: "../../../node_modules/@fontsource/vazirmatn/files/vazirmatn-arabic-400-normal.woff2", weight: "400" },
+    { path: "../../../node_modules/@fontsource/vazirmatn/files/vazirmatn-arabic-500-normal.woff2", weight: "500" },
+    { path: "../../../node_modules/@fontsource/vazirmatn/files/vazirmatn-arabic-600-normal.woff2", weight: "600" },
+    { path: "../../../node_modules/@fontsource/vazirmatn/files/vazirmatn-arabic-700-normal.woff2", weight: "700" },
+    { path: "../../../node_modules/@fontsource/vazirmatn/files/vazirmatn-arabic-800-normal.woff2", weight: "800" },
+  ],
  variable: "--font-vazirmatn",
  display: "swap",
-  weight: ["400", "500", "600", "700", "800"],
 });

-const plusJakartaSans = Plus_Jakarta_Sans({
-  subsets: ["latin"],
+const plusJakartaSans = localFont({
+  src: "../../../node_modules/@fontsource-variable/plus-jakarta-sans/files/plus-jakarta-sans-latin-wght-normal.woff2",
  variable: "--font-heading",
  display: "swap",
 });

-const inter = Inter({
-  subsets: ["latin"],
+const inter = localFont({
+  src: "../../../node_modules/@fontsource-variable/inter/files/inter-latin-wght-normal.woff2",
  variable: "--font-body",
  display: "swap",
 });
@@ -97,12 +102,6 @@ export default async function LocaleLayout({
    >
      <head>
        <link rel="icon" href="/favicon.svg" type="image/svg+xml" />
-        <link rel="preconnect" href="https://fonts.googleapis.com" />
-        <link
-          rel="preconnect"
-          href="https://fonts.gstatic.com"
-          crossOrigin="anonymous"
-        />
        <link rel="preconnect" href="https://picsum.photos" />
      </head>
      <body
@@ -1,6 +1,6 @@
 import { redirect } from "next/navigation";

-import { createClient } from "@/lib/supabase/server";
+import { getSession } from "@/lib/auth/session";

 export const dynamic = "force-dynamic";

@@ -9,12 +9,9 @@ export default async function VideoProjectNewLayout({
 }: Readonly<{
  children: React.ReactNode;
 }>) {
-  const supabase = await createClient();
-  const {
-    data: { user },
-  } = await supabase.auth.getUser();
+  const session = await getSession();

-  if (!user) {
+  if (!session) {
    redirect("/auth");
  }

@@ -0,0 +1,51 @@
+import { NextResponse } from "next/server";
+
+import { gatewayFetch } from "@/lib/api/gateway";
+import { DEFAULT_TENANT_SLUG } from "@/lib/auth/constants";
+import { setAuthCookies } from "@/lib/auth/cookies";
+
+export const dynamic = "force-dynamic";
+
+export async function POST(req: Request) {
+  const body = await req.json().catch(() => null);
+  const email = body?.email?.trim();
+  const password = body?.password;
+  if (!email || !password) {
+    return NextResponse.json(
+      { error: "Email and password are required." },
+      { status: 400 }
+    );
+  }
+
+  const res = await gatewayFetch("/v1/auth/login", {
+    method: "POST",
+    body: JSON.stringify({
+      tenant_slug: DEFAULT_TENANT_SLUG,
+      email,
+      password,
+    }),
+  });
+  const data = await res.json().catch(() => null);
+
+  if (!res.ok) {
+    // 403 from Identity means MFA is required.
+    if (res.status === 403 && data?.mfa_required) {
+      return NextResponse.json(
+        { error: "MFA is required for this account.", mfaRequired: true },
+        { status: 403 }
+      );
+    }
+    return NextResponse.json(
+      { error: data?.message ?? "Invalid email or password." },
+      { status: res.status === 401 ? 401 : res.status }
+    );
+  }
+
+  const out = NextResponse.json({ user: data.user, tenant: data.tenant });
+  return setAuthCookies(
+    out,
+    data.access_token,
+    data.refresh_token,
+    data.expires_in ?? 900
+  );
+}
@@ -0,0 +1,24 @@
+import { cookies } from "next/headers";
+import { NextResponse } from "next/server";
+
+import { gatewayFetch } from "@/lib/api/gateway";
+import { ACCESS_TOKEN_COOKIE } from "@/lib/auth/constants";
+import { clearAuthCookies } from "@/lib/auth/cookies";
+
+export const dynamic = "force-dynamic";
+
+export async function POST() {
+  const token = (await cookies()).get(ACCESS_TOKEN_COOKIE)?.value;
+  if (token) {
+    // Best-effort server-side session revoke; ignore failures.
+    try {
+      await gatewayFetch("/v1/auth/logout", {
+        method: "POST",
+        headers: { Authorization: `Bearer ${token}` },
+      });
+    } catch {
+      /* noop */
+    }
+  }
+  return clearAuthCookies(NextResponse.json({ ok: true }));
+}
@@ -0,0 +1,25 @@
+import { cookies } from "next/headers";
+import { NextResponse } from "next/server";
+
+import { gatewayFetch } from "@/lib/api/gateway";
+import { ACCESS_TOKEN_COOKIE } from "@/lib/auth/constants";
+
+export const dynamic = "force-dynamic";
+
+/** Returns the current user profile from Identity, or { user: null } if signed out. */
+export async function GET() {
+  const token = (await cookies()).get(ACCESS_TOKEN_COOKIE)?.value;
+  if (!token) {
+    return NextResponse.json({ user: null });
+  }
+
+  const res = await gatewayFetch("/v1/users/me", {
+    headers: { Authorization: `Bearer ${token}` },
+  });
+  if (!res.ok) {
+    return NextResponse.json({ user: null });
+  }
+
+  const user = await res.json().catch(() => null);
+  return NextResponse.json({ user });
+}
@@ -0,0 +1,36 @@
+import { cookies } from "next/headers";
+import { NextResponse } from "next/server";
+
+import { gatewayFetch } from "@/lib/api/gateway";
+import { REFRESH_TOKEN_COOKIE } from "@/lib/auth/constants";
+import { clearAuthCookies, setAuthCookies } from "@/lib/auth/cookies";
+
+export const dynamic = "force-dynamic";
+
+export async function POST() {
+  const refreshToken = (await cookies()).get(REFRESH_TOKEN_COOKIE)?.value;
+  if (!refreshToken) {
+    return NextResponse.json({ error: "Not authenticated." }, { status: 401 });
+  }
+
+  const res = await gatewayFetch("/v1/auth/refresh", {
+    method: "POST",
+    body: JSON.stringify({ refresh_token: refreshToken }),
+  });
+  const data = await res.json().catch(() => null);
+
+  if (!res.ok || !data?.access_token) {
+    // Refresh token invalid/expired/rotated — force re-login.
+    return clearAuthCookies(
+      NextResponse.json({ error: "Session expired." }, { status: 401 })
+    );
+  }
+
+  const out = NextResponse.json({ ok: true, user: data.user });
+  return setAuthCookies(
+    out,
+    data.access_token,
+    data.refresh_token,
+    data.expires_in ?? 900
+  );
+}
@@ -0,0 +1,66 @@
+import { NextResponse } from "next/server";
+
+import { gatewayFetch } from "@/lib/api/gateway";
+import { DEFAULT_TENANT_SLUG } from "@/lib/auth/constants";
+import { setAuthCookies } from "@/lib/auth/cookies";
+
+export const dynamic = "force-dynamic";
+
+export async function POST(req: Request) {
+  const body = await req.json().catch(() => null);
+  const email = body?.email?.trim();
+  const password = body?.password;
+  const fullName = body?.full_name ?? body?.fullName ?? null;
+  if (!email || !password) {
+    return NextResponse.json(
+      { error: "Email and password are required." },
+      { status: 400 }
+    );
+  }
+
+  const reg = await gatewayFetch("/v1/auth/register", {
+    method: "POST",
+    body: JSON.stringify({
+      tenant_slug: DEFAULT_TENANT_SLUG,
+      email,
+      password,
+      full_name: fullName,
+    }),
+  });
+  const regData = await reg.json().catch(() => null);
+
+  if (!reg.ok) {
+    // Surface the first ASP.NET validation error if present.
+    const firstError =
+      regData?.errors && typeof regData.errors === "object"
+        ? (Object.values(regData.errors)[0] as string[])?.[0]
+        : undefined;
+    return NextResponse.json(
+      { error: regData?.message ?? firstError ?? "Registration failed." },
+      { status: reg.status }
+    );
+  }
+
+  // Registration succeeded — log in immediately for a seamless flow.
+  const login = await gatewayFetch("/v1/auth/login", {
+    method: "POST",
+    body: JSON.stringify({ tenant_slug: DEFAULT_TENANT_SLUG, email, password }),
+  });
+  const loginData = await login.json().catch(() => null);
+
+  if (!login.ok) {
+    // Account created but auto-login failed (e.g. verification gate) — let them sign in.
+    return NextResponse.json({
+      registered: true,
+      verificationRequired: regData?.verification_required ?? false,
+    });
+  }
+
+  const out = NextResponse.json({ user: loginData.user, tenant: loginData.tenant });
+  return setAuthCookies(
+    out,
+    loginData.access_token,
+    loginData.refresh_token,
+    loginData.expires_in ?? 900
+  );
+}
@@ -1,11 +1,24 @@
+import { cookies } from "next/headers";
 import { NextResponse } from "next/server";

-import { createClient } from "@/lib/supabase/server";
+import { gatewayFetch } from "@/lib/api/gateway";
+import { ACCESS_TOKEN_COOKIE } from "@/lib/auth/constants";
+import { clearAuthCookies } from "@/lib/auth/cookies";

 export async function POST(request: Request) {
-  const supabase = await createClient();
-  await supabase.auth.signOut();
+  const token = (await cookies()).get(ACCESS_TOKEN_COOKIE)?.value;
+  if (token) {
+    try {
+      await gatewayFetch("/v1/auth/logout", {
+        method: "POST",
+        headers: { Authorization: `Bearer ${token}` },
+      });
+    } catch {
+      /* best-effort revoke */
+    }
+  }

  const { origin } = new URL(request.url);
-  return NextResponse.redirect(`${origin}/auth`, { status: 303 });
+  const res = NextResponse.redirect(`${origin}/auth`, { status: 303 });
+  return clearAuthCookies(res);
 }