refactor: extract admin auth to stateless authkit

[itsLeonB]

Summary by CodeRabbit

• Refactor

  • Redesigned admin authentication system to use the authkit library instead of custom implementation.
  • Updated token verification and user management processes.

• Chores

  • Updated authkit dependency to v0.0.5.
  • Removed sekure dependency.
  • Removed unused admin configuration field.

[coderabbitai]

Warning

Review limit reached

@itsLeonB, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 43 minutes and 16 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2c28272a-085f-4957-b675-49c2803ee471

📥 Commits

Reviewing files that changed from the base of the PR and between d1a4181 and 30bcda6.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• go.mod
• internal/adapters/auth/admin/user_store.go
• internal/adapters/http/handler/admin/auth_handler.go
• internal/adapters/http/handler/admin/handlers.go
• internal/adapters/http/middlewares/middlewares.go
• internal/adapters/http/register_routes.go
• internal/adapters/http/server.go
• internal/core/config/admin/auth_config.go
• internal/domain/service/admin/auth_service.go
• internal/provider/admin/repository_provider.go
• internal/provider/admin/service_provider.go
• internal/provider/service_provider.go

📝 Walkthrough

Walkthrough

Admin authentication is migrated from a custom admin.AuthService backed by the sekure library to go-authkit's AuthKit. A new UserStore adapter bridges the admin user repository to the authkit interface. The admin provider, HTTP handlers, middlewares, and route registration are all rewired to use AuthKit, and the old auth service file is deleted.

Changes

Admin Authentication Migration to go-authkit

Layer / File(s)	Summary
Dependency update and old auth service removal go.mod, internal/core/config/admin/auth_config.go, internal/domain/service/admin/auth_service.go	go-authkit bumped to v0.0.5, sekure removed, HashCost field dropped from admin auth config, and the entire custom AuthService interface and 163-line implementation deleted.
UserStore adapter for authkit internal/adapters/auth/admin/user_store.go	New UserStore type backed by crud.Repository[admin.User] implements all required authkit user store methods: FindByID, FindByEmail, Create, CreateOAuth (unsupported), SetVerified (always true), UpdatePassword, Exists, and a toAuthUser conversion helper.
Admin repository and service provider wiring internal/provider/admin/repository_provider.go, internal/provider/admin/service_provider.go, internal/provider/service_provider.go	Repositories gains a Transactor field. Services.Auth is replaced with Services.Kit *authkit.AuthKit; ProvideServices constructs the authkit instance with JWT config, registers UserStore and Transactor as dependencies, and adds a BeforeRegister hook blocking registration when any admin user exists. A mustNewAuthKit panic-on-error helper is also added to the domain service provider.
HTTP handler, middleware, and route rewiring internal/adapters/http/handler/admin/auth_handler.go, internal/adapters/http/handler/admin/handlers.go, internal/adapters/http/middlewares/middlewares.go, internal/adapters/http/register_routes.go, internal/adapters/http/server.go	AuthHandler struct switches from authSvc to stateless *authgin.StatelessHandler and userRepo; HandleMe queries the repo directly. ProvideHandlers accepts adminServices and adminRepos. middlewares.Provide replaces admin.AuthService token verification with adminKit.VerifyToken. RegisterRoutes and server.Setup propagate adminRepos through the call chain.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant StatelessHandler as authgin.StatelessHandler
  participant AuthHandler
  participant adminKit as authkit.AuthKit
  participant userRepo as crud.Repository[admin.User]

  rect rgba(70, 130, 180, 0.5)
    note over Client, StatelessHandler: Registration / Login
    Client->>StatelessHandler: POST /admin/register or /login
    StatelessHandler->>adminKit: BeforeRegister hook (check existing admin)
    adminKit-->>StatelessHandler: forbidden if admin exists
    StatelessHandler-->>Client: JWT token response
  end

  rect rgba(60, 179, 113, 0.5)
    note over Client, userRepo: Authenticated /me request
    Client->>AuthHandler: GET /admin/me (Bearer token)
    AuthHandler->>adminKit: VerifyToken(ctx, token, "")
    adminKit-->>AuthHandler: claims or error
    AuthHandler->>userRepo: FindByID(userID from claims)
    userRepo-->>AuthHandler: admin.User or zero
    AuthHandler-->>Client: dto.AdminMe or 401 Unauthorized
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• itsLeonB/cashback#16: Originally introduced AuthHandler and ProvideHandlers using admin.AuthService, which this PR directly replaces with authkit-based wiring.
• itsLeonB/cashback#58: Also modifies middlewares.Provide and HTTP auth wiring to use go-authkit/authgin, overlapping with the same files changed here.
• itsLeonB/cashback#29: Added OTEL tracing to internal/domain/service/admin/auth_service.go, the same file this PR deletes entirely.

Poem

🐇 Hop hop, the old keys are gone,
No more sekure to rely upon!
authkit now guards the admin gate,
A UserStore adapts and translates.
The rabbit swapped the lock with glee —
One Kit to rule, clean and free! 🗝️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main refactoring objective: extracting admin authentication logic into a stateless authkit-based implementation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/adapters/auth/admin/user_store.go`:
- Around line 70-74: In the UpdatePassword method within UserStore, when
uuid.Parse fails for the userID parameter, the raw parse error is currently
returned directly. Instead, normalize this error to return
authkit.ErrUserNotFound, consistent with how invalid user IDs are handled in
other methods of UserStore (such as GetUser and DeleteUser). Replace the error
return from the uuid.Parse validation block with a return of
authkit.ErrUserNotFound to ensure consistent error handling across all methods
that validate user IDs.

In `@internal/provider/admin/service_provider.go`:
- Around line 28-35: The BeforeRegister hook performs a read check for existing
admin users, but the actual user creation happens later in a separate operation,
creating a race condition where concurrent requests can both pass the check and
create multiple admins. Move the singleton admin enforcement from the
BeforeRegister hook to the persistence layer (the actual create operation in
repos.User) by implementing a database-level constraint (such as a unique
constraint on an is_admin flag or using a transactional lock during creation),
and then modify the create operation to handle the resulting constraint
violation error by converting it to the same forbidden error outcome that
BeforeRegister currently returns.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d476fe44-7ab0-4ee4-9440-33a517baf157

📥 Commits

Reviewing files that changed from the base of the PR and between aec9f35 and d1a4181.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• go.mod
• internal/adapters/auth/admin/user_store.go
• internal/adapters/http/handler/admin/auth_handler.go
• internal/adapters/http/handler/admin/handlers.go
• internal/adapters/http/middlewares/middlewares.go
• internal/adapters/http/register_routes.go
• internal/adapters/http/server.go
• internal/core/config/admin/auth_config.go
• internal/domain/service/admin/auth_service.go
• internal/provider/admin/repository_provider.go
• internal/provider/admin/service_provider.go
• internal/provider/service_provider.go

💤 Files with no reviewable changes (2)

• internal/core/config/admin/auth_config.go
• internal/domain/service/admin/auth_service.go