refactor: Delegate all authentication, including JWT and OAuth, to Supabase by removing custom implementations.

Author: MatD1

cmd/server/main.go

@@ -168,7 +168,6 @@ func main() {
 	managementHandler := handlers.NewManagementHandler(
 		authService,
 		apiKeyRepo,
-		jwtTokenRepo,
 		auditLogRepo,
 		userRepo,
 		hideoutModuleRepo,
@@ -221,19 +220,7 @@ func main() {
 	api := r.Group("/api/v1")
 	api.Use(middleware.RateLimitMiddleware(cacheService, cfg.RateLimitRequests, cfg.RateLimitWindowSeconds))
 	{
-		auth := api.Group("/auth")
-		{
-			auth.GET("/github/login", authHandler.GitHubLogin)
-			auth.GET("/github/callback", authHandler.GitHubCallback)
-			auth.GET("/discord/login", authHandler.DiscordLogin)
-			auth.GET("/discord/callback", authHandler.DiscordCallback)
-			auth.GET("/exchange-token", authHandler.ExchangeTempToken)
-			auth.POST("/login", authHandler.LoginWithAPIKey)
-			auth.POST("/token", authHandler.TokenExchange)
-			auth.POST("/refresh", authHandler.RefreshToken)
-		}
-
-		// Read-only routes (require JWT only)
+		// JWTAuthMiddleware handles Supabase JWT validation
 		readOnly := api.Group("")
 		readOnly.Use(middleware.JWTAuthMiddleware(authService, cfg, supabaseAuthService))
 		{
@@ -334,8 +321,6 @@ func main() {
 				admin.POST("/api-keys", managementHandler.CreateAPIKey)
 				admin.GET("/api-keys", managementHandler.ListAPIKeys)
 				admin.DELETE("/api-keys/:id", managementHandler.RevokeAPIKey)
-				admin.POST("/jwts/revoke", managementHandler.RevokeJWT)
-				admin.GET("/jwts", managementHandler.ListJWTs)
 				admin.GET("/logs", managementHandler.QueryLogs)
 				admin.POST("/sync/force", syncHandler.ForceSync)
 				admin.GET("/sync/status", syncHandler.SyncStatus)

go.mod

@@ -14,7 +14,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/vektah/gqlparser/v2 v2.5.31
 	golang.org/x/crypto v0.43.0
-	golang.org/x/oauth2 v0.32.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/gorm v1.25.10
 )

go.sum

@@ -146,8 +146,6 @@ golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
 golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
 golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
 golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/config/config.go

@@ -23,24 +23,6 @@ type Config struct {
 	RedisAddr     string `envconfig:"REDIS_ADDR" default:"localhost:6379"` // Fallback if REDIS_URL not set
 	RedisPassword string `envconfig:"REDIS_PASSWORD" default:""`           // Fallback if REDIS_URL not set
 
-	// JWT
-	JWTSecret      string `envconfig:"JWT_SECRET" required:"true"`
-	JWTExpiryHours int    `envconfig:"JWT_EXPIRY_HOURS" default:"72"`
-	RefreshTokenExpiryDays int `envconfig:"REFRESH_TOKEN_EXPIRY_DAYS" default:"14"`
-
-	// OAuth - GitHub
-	GitHubClientID     string `envconfig:"GITHUB_CLIENT_ID" default:""`
-	GitHubClientSecret string `envconfig:"GITHUB_CLIENT_SECRET" default:""`
-
-	// OAuth - Discord
-	DiscordClientID     string `envconfig:"DISCORD_CLIENT_ID" default:""`
-	DiscordClientSecret string `envconfig:"DISCORD_CLIENT_SECRET" default:""`
-
-	OAuthEnabled        bool   `envconfig:"OAUTH_ENABLED" default:"true"`
-	OAuthRedirectURL    string `envconfig:"OAUTH_REDIRECT_URL" default:"http://localhost:8080/api/v1/auth/github/callback"`
-	DiscordRedirectURL  string `envconfig:"DISCORD_REDIRECT_URL" default:"http://localhost:8080/api/v1/auth/discord/callback"`
-	FrontendCallbackURL string `envconfig:"FRONTEND_CALLBACK_URL" default:"http://localhost:8080/dashboard/api/auth/github/callback/"`
-
 	// Sync
 	SyncCron string `envconfig:"SYNC_CRON" default:"*/15 * * * *"`
 
@@ -60,7 +42,6 @@ type Config struct {
 	SupabaseURL            string `envconfig:"SUPABASE_URL" default:""`            // Main project URL (fallback: NEXT_PUBLIC_SUPABASE_URL)
 	SupabaseJWKSURL        string `envconfig:"SUPABASE_JWKS_URL" default:""`        // Use if different from standard auth/v1/jwks
 	SupabasePublishableKey string `envconfig:"SUPABASE_PUBLISHABLE_KEY" default:""` // Modern label (replacing "Anon Key")
-	SupabaseProjectID      string `envconfig:"SUPABASE_PROJECT_ID" default:""`      // Legacy fallback or id-only setups
 }
 
 func LoadConfig() (*Config, error) {
@@ -96,15 +77,15 @@ func (c *Config) GetDSN() string {
 }
 
 func (c *Config) IsOAuthEnabled() bool {
-	return c.OAuthEnabled && (c.GitHubClientID != "" && c.GitHubClientSecret != "" || c.DiscordClientID != "" && c.DiscordClientSecret != "")
+	return false // OAuth is now managed entirely by Supabase
 }
 
 func (c *Config) IsGitHubOAuthEnabled() bool {
-	return c.OAuthEnabled && c.GitHubClientID != "" && c.GitHubClientSecret != ""
+	return false
 }
 
 func (c *Config) IsDiscordOAuthEnabled() bool {
-	return c.OAuthEnabled && c.DiscordClientID != "" && c.DiscordClientSecret != ""
+	return false
 }
 
 func (c *Config) GetAllowedOrigins() []string {

internal/graph/handler_simple.go

@@ -100,11 +100,8 @@ func setupSecurityMiddleware(srv *handler.Server, authService *services.AuthServ
 				// Extract and validate token
 				parts := strings.Split(authHeader, " ")
 				if len(parts) == 2 && parts[0] == "Bearer" {
-					user, err := authService.ValidateJWT(parts[1])
-					if err == nil {
-						// Add user to context
-						ctx = context.WithValue(ctx, UserContextKey, user)
-					}
+					// TODO: Use Supabase validation
+					// user, err := authService.SyncSupabaseUser(claims)
 				}
 			}
 		}