feat(auth): implement session methods with Payload-backed JWT

Replace NotImplementedError stubs in AuthenticationService with working implementations: createSession signs a HS256 JWT using Payload's instance secret, validateSession verifies and decodes the token then looks up the user, invalidateSession returns a blank cookie with maxAge 0. No external JWT dependency — uses Node crypto HMAC directly. Also clarify withAudit/withAnalytics comments: the wrappers intentionally delegate recording to the use case body (only it knows which fields to extract), so the TODO was misleading.
2026-05-28 22:41:30 +02:00
parent 0fbb880c82
commit 0a34b45bb7
4 changed files with 131 additions and 64 deletions
--- a/packages/core-analytics/src/with-analytics.ts
+++ b/packages/core-analytics/src/with-analytics.ts
@@ -21,11 +21,10 @@ export type Analyzed<F> = F & { readonly __analyzed: true };
 * tests).
 */
 export function withAnalytics<Args extends unknown[], R>(
-  // TODO: wire automated event recording from manifest declarations.
-  // `analyticsEvents[]` declarations. For now, the wrapper exists to:
-  //   (1) require callers to pass the analytics instance at bind time (dep is available)
-  //   (2) attach the `__analyzed` brand so the boot-time assertion can verify
-  //       use cases were bound through the analytics-aware path.
+  // The wrapper attaches the brand and ensures the analytics dependency is
+  // available at bind time. Actual `analytics.track()` calls live in the
+  // use case body — only the use case knows which properties to extract
+  // from its input/output for the analytics event.
  analytics: IAnalytics,
  fn: (...args: Args) => Promise<R>,
 ): Analyzed<(...args: Args) => Promise<R>> {