chore: logging, remove bootstrap TTL and updated .env examples

Author: Bccorb

.env.example

@@ -5,7 +5,7 @@ NODE_ENV=development
 VERSION=1.0.0
 APP_NAME=Seamless Auth Example
 APP_ID=local-dev
-APP_ORIGIN=http://localhost:5001
+APP_ORIGIN=http://localhost:3000
 ISSUER=http://localhost:5312
 
 # "web" for website to auth server, "server" for api server to auth server auth
@@ -40,14 +40,11 @@ JWKS_ACTIVE_KID=dev-main
 
 # WEBAUTHN
 RPID=localhost
-ORIGINS=http://localhost:5001
+ORIGINS=http://localhost:5173,http://localhost:5174
 
 # ADMIN BOOTSTRAP
 # Enables bootstrap feature
 SEAMLESS_BOOTSTRAP_ENABLED=true
 
 # Secret used to authorize bootstrap invite creation
-SEAMLESS_BOOTSTRAP_SECRET=dev-bootstrap-secret-123
-
-# How long the invite (and cookie) is valid
-SEAMLESS_BOOTSTRAP_TTL_MINUTES=15
+SEAMLESS_BOOTSTRAP_SECRET=dev-bootstrap-secret-123

src/app.ts

@@ -21,26 +21,15 @@ import getLogger from './utils/logger.js';
 const logger = getLogger('app');
 const app = express();
 
-const isValidUrl = (str: string) => {
-  try {
-    if (str === '*') return true;
-    new URL(str);
-    return true;
-  } catch {
-    throw new Error('Invalid host provied.');
-  }
-};
-
-const rawOrigin = process.env.APP_ORIGIN?.trim();
-const allowedOrigin = rawOrigin && isValidUrl(rawOrigin) ? rawOrigin : '';
+const rawOrigin = process.env.APP_ORIGINS!.split(',');
 
 const corsOptions: CorsOptions = {
   origin: (origin, callback) => {
     if (!origin) {
       return callback(null, true);
     }
 
-    if (origin === allowedOrigin || origin === 'http://localhost:5174') {
+    if (rawOrigin.includes(origin)) {
       return callback(null, true);
     }
 

src/controllers/bootstrap.ts

@@ -12,6 +12,9 @@ import {
   BootstrapError,
   createAdminBootstrapInvite,
 } from '../services/bootstrapService.js';
+import getLogger from '../utils/logger.js';
+
+const logger = getLogger('bootstrapAdminInvite');
 
 function getBearerToken(req: Request): string | undefined {
   const auth = req.header('authorization');
@@ -25,6 +28,8 @@ function getBearerToken(req: Request): string | undefined {
 
 export async function createAdminBootstrapInviteHandler(req: Request, res: Response) {
   try {
+    logger.info('Creating a bootstrap admin invitation');
+
     const bearerToken = getBearerToken(req);
 
     assertBootstrapSecret(bearerToken);

src/lib/bootstrapCookie.ts

@@ -6,23 +6,31 @@
 
 import { Request, Response } from 'express';
 
+import getLogger from '../utils/logger.js';
+
 const COOKIE_NAME = 'seamless_bootstrap_token';
 
+const logger = getLogger('bootstrapCookie');
+
 export function setBootstrapCookie(res: Response, token: string) {
   res.cookie(COOKIE_NAME, token, {
     httpOnly: true,
     secure: process.env.NODE_ENV === 'production',
     sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
-    maxAge: 15 * 60 * 1000, // 15 minutes
+    maxAge: 15 * 60 * 1000,
     path: '/',
   });
 }
 
 export function getBootstrapCookie(req: Request): string | null {
+  logger.debug(
+    `Checking for bootstrap cookie. Cookie value: ${req.cookies?.[COOKIE_NAME] ?? null}`,
+  );
   return req.cookies?.[COOKIE_NAME] ?? null;
 }
 
 export function clearBootstrapCookie(res: Response) {
+  logger.debug(`Clearing bootstrap cookie.`);
   res.clearCookie(COOKIE_NAME, {
     httpOnly: true,
     secure: process.env.NODE_ENV === 'production',

src/middleware/verifyBearerAuth.ts

@@ -15,7 +15,7 @@ const logger = getLogger('verifyBearerAuth');
 export async function verifyBearerAuth(req: Request, res: Response, next: NextFunction) {
   const auth = req.headers.authorization;
   if (!auth?.startsWith('Bearer ')) {
-    logger.error('Missing beartoken for authentication request');
+    logger.error('Missing bearer token for authentication request');
     return res.status(401).json({ error: 'missing bearer token' });
   }
 

src/services/bootstrapPromotionService.ts

@@ -66,6 +66,7 @@ export async function maybePromoteBootstrapAdmin(params: {
   logger.debug('checking for promotion');
 
   async function logSkip(reason: string) {
+    logger.info(`Skipped bootstrap for ${reason}`);
     await AuthEventService.log({
       userId: user.id,
       type: 'bootstrap_admin_check_skipped',
@@ -75,30 +76,18 @@ export async function maybePromoteBootstrapAdmin(params: {
   }
 
   if (!isBootstrapEnabled()) {
-    logger.info('Bootstrap is not enabled');
-    await AuthEventService.log({
-      userId: user.id,
-      type: 'bootstrap_admin_check_skipped',
-      req,
-      metadata: { reason: 'bootstrap disabled', completionMethod },
-    });
+    logSkip('disabled');
     return { promoted: false, reason: 'bootstrap_disabled' };
   }
 
   if (userHasAdminRole(user)) {
-    logger.info('User is already and admin');
-    await AuthEventService.log({
-      userId: user.id,
-      type: 'bootstrap_admin_check_skipped',
-      req,
-      metadata: { reason: 'User was already an admin', completionMethod },
-    });
+    logSkip('bootstrap_admin_check_skipped');
     return { promoted: false, reason: 'already_admin' };
   }
 
   const rawToken = getBootstrapCookie(req);
   if (!rawToken) {
-    logger.info('Missing token');
+    logSkip('Missing token');
     return { promoted: false, reason: 'missing_token' };
   }
 
@@ -168,6 +157,8 @@ export async function maybePromoteBootstrapAdmin(params: {
       },
     });
 
+    logger.info('User promoted to admin');
+
     return { promoted: true, reason: 'success' } as PromotionResult;
   });
 }

src/services/bootstrapService.ts

@@ -14,7 +14,6 @@ import getLogger from '../utils/logger.js';
 import { sendBootstrapEmail } from './messagingService.js';
 
 const logger = getLogger('adminBootstrapService');
-const DEFAULT_BOOTSTRAP_TTL_MINUTES = 15;
 
 export class BootstrapError extends Error {
   code: string;
@@ -27,11 +26,6 @@ export class BootstrapError extends Error {
   }
 }
 
-function getBootstrapTtlMinutes(): number {
-  const raw = Number(process.env.SEAMLESS_BOOTSTRAP_TTL_MINUTES ?? DEFAULT_BOOTSTRAP_TTL_MINUTES);
-  return Number.isFinite(raw) && raw > 0 ? raw : DEFAULT_BOOTSTRAP_TTL_MINUTES;
-}
-
 export function isBootstrapEnabled(): boolean {
   return process.env.SEAMLESS_BOOTSTRAP_ENABLED === 'true';
 }
@@ -50,6 +44,7 @@ export function getBootstrapSecret(): string {
 
 export function assertBootstrapSecret(provided: string | undefined): void {
   if (!provided) {
+    logger.error('Nothing provided for bootstrap secret');
     throw new BootstrapError('BOOTSTRAP_UNAUTHORIZED', 'Unauthorized.', 401);
   }
 
@@ -62,6 +57,7 @@ export function assertBootstrapSecret(provided: string | undefined): void {
     providedBuf.length !== expectedBuf.length ||
     !crypto.timingSafeEqual(providedBuf, expectedBuf)
   ) {
+    logger.error('Incorrect bootstrap secret');
     throw new BootstrapError('BOOTSTRAP_UNAUTHORIZED', 'Unauthorized.', 401);
   }
 }
@@ -120,9 +116,7 @@ export async function createAdminBootstrapInvite(params: {
 
   const rawToken = generateRawToken();
   const tokenHash = hashToken(rawToken);
-
-  const ttlMinutes = getBootstrapTtlMinutes();
-  const expiresAt = new Date(Date.now() + ttlMinutes * 60 * 1000);
+  const expiresAt = new Date(Date.now() + 15 * 60 * 1000);
 
   await BootstrapInvite.create({
     email: params.email.toLowerCase(),

tests/setup/mocks.ts

@@ -1,5 +1,7 @@
 import { vi } from 'vitest';
 
+vi.stubEnv('APP_ORIGINS', 'http://localhost:5137');
+
 export let mockUser: any = {
   id: 'user-1',
   email: 'test@example.com',

tests/unit/services/bootstrap.spec.ts

@@ -48,7 +48,6 @@ beforeEach(() => {
 
   process.env.SEAMLESS_BOOTSTRAP_ENABLED = 'true';
   process.env.SEAMLESS_BOOTSTRAP_SECRET = 'test-secret';
-  process.env.SEAMLESS_BOOTSTRAP_TTL_MINUTES = '15';
   process.env.NODE_ENV = 'test';
 
   (User.count as any).mockResolvedValue(0);
@@ -150,16 +149,6 @@ it('stores email in lowercase', async () => {
   );
 });
 
-it('falls back to default TTL when invalid env', async () => {
-  process.env.SEAMLESS_BOOTSTRAP_TTL_MINUTES = 'invalid';
-
-  const result = await createAdminBootstrapInvite({
-    email: 'test@example.com',
-  });
-
-  expect(result.expiresAt).toBeInstanceOf(Date);
-});
-
 it('hashes token consistently', () => {
   const hash1 = hashBootstrapToken('abc');
   const hash2 = hashBootstrapToken('abc');