@useatlas/create 0.0.1

package/templates/docker/src/lib/auth/audit.ts

@@ -0,0 +1,89 @@
+/**
+ * Query audit logger.
+ *
+ * Logs every SQL query to pino (always) and to the internal Postgres
+ * audit_log table (when DATABASE_URL is set). Fire-and-forget DB writes —
+ * two layers of protection: internalExecute() returns a promise whose
+ * rejections are swallowed (async errors), and the surrounding try/catch
+ * in logQueryAudit covers synchronous throws from getInternalDB() (e.g.
+ * pool not initialized). Either way, audit failures never propagate to
+ * the caller.
+ *
+ * Dual-truncation strategy:
+ * - Pino log entries truncate SQL to 500 chars (PINO_SQL_LIMIT) to keep
+ *   structured log output concise and avoid overwhelming log aggregators.
+ * - DB audit_log inserts truncate SQL to 2000 chars (DB_SQL_LIMIT) to
+ *   preserve enough context for forensic review while respecting column limits.
+ */
+
+import { createLogger, getRequestContext } from "@atlas/api/lib/logger";
+import { hasInternalDB, internalExecute } from "@atlas/api/lib/db/internal";
+import { SENSITIVE_PATTERNS } from "@atlas/api/lib/security";
+import type { DBType } from "@atlas/api/lib/db/connection";
+
+const log = createLogger("audit");
+
+const PINO_SQL_LIMIT = 500;
+const DB_SQL_LIMIT = 2000;
+
+export type AuditEntry =
+  | { sql: string; durationMs: number; rowCount: number; success: true; sourceId?: string; sourceType?: DBType; targetHost?: string }
+  | { sql: string; durationMs: number; rowCount: null; success: false; error?: string; sourceId?: string; sourceType?: DBType; targetHost?: string };
+
+function scrubError(error: string | undefined): string | undefined {
+  if (!error) return undefined;
+  if (SENSITIVE_PATTERNS.test(error)) return "[scrubbed]";
+  return error;
+}
+
+export function logQueryAudit(entry: AuditEntry): void {
+  const ctx = getRequestContext();
+  const userId = ctx?.user?.id ?? null;
+  const userLabel = ctx?.user?.label ?? null;
+  const authMode = ctx?.user?.mode ?? "none";
+  const scrubbedError = scrubError(entry.success ? undefined : entry.error);
+
+  // Always log to pino (SQL truncated to 500 chars)
+  const logFn = entry.success ? log.info.bind(log) : log.warn.bind(log);
+  logFn(
+    {
+      sql: entry.sql.slice(0, PINO_SQL_LIMIT),
+      durationMs: entry.durationMs,
+      rowCount: entry.rowCount,
+      success: entry.success,
+      ...(scrubbedError && { error: scrubbedError }),
+      userId,
+      userLabel,
+      authMode,
+      ...(entry.sourceId && { sourceId: entry.sourceId }),
+      ...(entry.sourceType && { sourceType: entry.sourceType }),
+      ...(entry.targetHost && { targetHost: entry.targetHost }),
+    },
+    entry.success ? "query_success" : "query_failure",
+  );
+
+  // Insert into audit_log when internal DB is available (SQL truncated to 2000 chars)
+  if (hasInternalDB()) {
+    try {
+      internalExecute(
+        `INSERT INTO audit_log (user_id, user_label, auth_mode, sql, duration_ms, row_count, success, error, source_id, source_type, target_host)
+         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)`,
+        [
+          userId,
+          userLabel,
+          authMode,
+          entry.sql.slice(0, DB_SQL_LIMIT),
+          entry.durationMs,
+          entry.rowCount,
+          entry.success,
+          scrubbedError ?? null,
+          entry.sourceId ?? null,
+          entry.sourceType ?? null,
+          entry.targetHost ?? null,
+        ],
+      );
+    } catch (err) {
+      log.warn({ err }, "audit_log insert failed");
+    }
+  }
+}

package/templates/docker/src/lib/auth/byot.ts

@@ -0,0 +1,158 @@
+/**
+ * BYOT auth — JWT/JWKS validation for external identity providers.
+ *
+ * Validates JWTs signed by external IdPs (Auth0, Clerk, Supabase Auth, etc.)
+ * using a remote JWKS endpoint. Requires ATLAS_AUTH_JWKS_URL + ATLAS_AUTH_ISSUER.
+ */
+
+import { createRemoteJWKSet, jwtVerify, errors } from "jose";
+import type { AuthResult } from "@atlas/api/lib/auth/types";
+import { createAtlasUser } from "@atlas/api/lib/auth/types";
+import { parseRole } from "@atlas/api/lib/auth/permissions";
+import { resolveClaimPath } from "@atlas/api/lib/rls";
+import { createLogger } from "@atlas/api/lib/logger";
+
+const log = createLogger("auth:byot");
+
+let _jwks: ReturnType<typeof createRemoteJWKSet> | null = null;
+
+function getJWKS() {
+  if (!_jwks) {
+    const url = process.env.ATLAS_AUTH_JWKS_URL;
+    if (!url) throw new Error("ATLAS_AUTH_JWKS_URL is required for BYOT mode");
+    log.info({ jwksUrl: url }, "Initializing JWKS client");
+    _jwks = createRemoteJWKSet(new URL(url));
+  }
+  return _jwks;
+}
+
+/** Reset the cached JWKS instance — for test isolation. */
+export function resetJWKSCache(): void {
+  _jwks = null;
+}
+
+/** @internal — test-only. Inject a JWKS key-set getter (bypasses createRemoteJWKSet). */
+export function _setJWKS(jwks: ReturnType<typeof createRemoteJWKSet>): void {
+  _jwks = jwks;
+}
+
+/**
+ * Extract an Atlas role from the JWT payload using the configured claim path.
+ * ATLAS_AUTH_ROLE_CLAIM can be a dot-delimited path (e.g. "app_metadata.role").
+ * Defaults to checking "role" then "atlas_role" when not configured.
+ */
+function extractRoleFromPayload(payload: Record<string, unknown>) {
+  const claimPath = process.env.ATLAS_AUTH_ROLE_CLAIM;
+
+  if (claimPath) {
+    // Single configured claim path — may be nested (e.g. "app_metadata.role")
+    const value = resolveClaimPath(payload, claimPath);
+    if (typeof value === "string") {
+      const role = parseRole(value);
+      if (role) return role;
+      log.warn({ claimPath, value, validRoles: ["viewer", "analyst", "admin"] }, "JWT role claim value is not a valid Atlas role — ignoring");
+    } else if (value !== undefined && value !== null) {
+      log.warn({ claimPath, type: typeof value }, "JWT role claim is not a string — ignoring");
+    }
+    return undefined;
+  }
+
+  // Default: check "role" then "atlas_role" at the top level
+  for (const claim of ["role", "atlas_role"]) {
+    const value = payload[claim];
+    if (typeof value === "string") {
+      const role = parseRole(value);
+      if (role) return role;
+      log.warn({ claim, value, validRoles: ["viewer", "analyst", "admin"] }, "JWT role claim value is not a valid Atlas role — ignoring");
+    } else if (value !== undefined && value !== null) {
+      log.warn({ claim, type: typeof value }, "JWT role claim is not a string — ignoring");
+    }
+  }
+
+  return undefined;
+}
+
+export async function validateBYOT(req: Request): Promise<AuthResult> {
+  const authHeader = req.headers.get("authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return {
+      authenticated: false,
+      mode: "byot",
+      status: 401,
+      error: "Missing or malformed Authorization header",
+    };
+  }
+
+  const token = authHeader.slice(7);
+  const jwks = getJWKS();
+
+  const issuer = process.env.ATLAS_AUTH_ISSUER;
+  if (!issuer)
+    throw new Error("ATLAS_AUTH_ISSUER is required for BYOT mode");
+
+  const rawAudience = process.env.ATLAS_AUTH_AUDIENCE;
+  if (rawAudience === "") {
+    log.warn("ATLAS_AUTH_AUDIENCE is set to empty string — audience check will be skipped");
+  }
+  const audience = rawAudience || undefined;
+
+  try {
+    const { payload } = await jwtVerify(token, jwks, { issuer, audience });
+    const sub = payload.sub;
+    if (!sub) {
+      return {
+        authenticated: false,
+        mode: "byot",
+        status: 401,
+        error: "JWT missing sub claim",
+      };
+    }
+    const email =
+      typeof payload.email === "string" ? payload.email : undefined;
+
+    // Extract role from JWT claim. Configurable via ATLAS_AUTH_ROLE_CLAIM
+    // (default: check "role", then "atlas_role").
+    const role = extractRoleFromPayload(payload);
+
+    return {
+      authenticated: true,
+      mode: "byot",
+      user: createAtlasUser(sub, "byot", email || sub, role, payload as Record<string, unknown>),
+    };
+  } catch (err) {
+    // Infrastructure errors — JWKS endpoint issues are not client auth failures.
+    // Re-throw so middleware.ts catches them as 500.
+    if (
+      err instanceof errors.JWKSTimeout ||
+      err instanceof errors.JWKSInvalid ||
+      err instanceof errors.JOSENotSupported
+    ) {
+      log.error(
+        { err, code: err.code },
+        "JWKS infrastructure error during BYOT validation",
+      );
+      throw err;
+    }
+
+    // Token validation errors — legitimate 401s
+    if (err instanceof errors.JOSEError) {
+      log.debug(
+        { code: err.code, message: err.message },
+        "BYOT token rejected",
+      );
+      return {
+        authenticated: false,
+        mode: "byot",
+        status: 401,
+        error: "Invalid or expired token",
+      };
+    }
+
+    // Unexpected non-JOSE errors (e.g., network fetch failure) — re-throw
+    log.error(
+      { err: err instanceof Error ? err : new Error(String(err)) },
+      "Unexpected BYOT validation error",
+    );
+    throw err;
+  }
+}

package/templates/docker/src/lib/auth/client.ts

@@ -0,0 +1,35 @@
+/**
+ * Better Auth React client.
+ *
+ * Imported from page.tsx. The useSession() hook runs in all auth modes
+ * but session data is only meaningful when authMode === "managed".
+ * Bearer tokens are handled server-side by the bearer plugin;
+ * browser sessions use cookies automatically.
+ *
+ * Base URL resolution priority:
+ *   1. NEXT_PUBLIC_ATLAS_API_URL — cross-origin API (set when frontend and API are separate)
+ *   2. window.location.origin    — same-origin fallback (browser)
+ *   3. http://localhost:3000      — SSR / prerender fallback
+ *
+ * A full URL is required for SSR compatibility — relative "/api/auth" fails
+ * during Next.js static prerendering because there's no host to resolve against.
+ */
+
+import { createAuthClient } from "better-auth/react";
+import { apiKeyClient } from "@better-auth/api-key/client";
+import { adminClient } from "better-auth/client/plugins";
+import { API_URL } from "@/lib/api-url";
+
+function getBaseURL(): string {
+  if (API_URL) return API_URL + "/api/auth";
+  if (typeof window !== "undefined") return window.location.origin + "/api/auth";
+  return "http://localhost:3000/api/auth";
+}
+
+export const authClient = createAuthClient({
+  baseURL: getBaseURL(),
+  plugins: [apiKeyClient(), adminClient()],
+  // Cross-origin deployments (app.useatlas.dev → api.useatlas.dev) require
+  // credentials: "include" so the browser stores and sends session cookies.
+  fetchOptions: API_URL ? { credentials: "include" as RequestCredentials } : {},
+});

package/templates/docker/src/lib/auth/detect.ts

@@ -0,0 +1,83 @@
+/**
+ * Auth mode detection.
+ *
+ * Resolves the active auth mode from environment variables.
+ *
+ * When `ATLAS_AUTH_MODE` is set, it is used directly (explicit mode).
+ * When unset, auto-detection reads env vars with priority:
+ *   JWKS (byot) > Better Auth (managed) > API key (simple-key) > none.
+ *
+ * Result is cached — call resetAuthModeCache() in tests.
+ */
+
+import type { AuthMode } from "@atlas/api/lib/auth/types";
+import { createLogger } from "@atlas/api/lib/logger";
+
+const log = createLogger("auth");
+
+/** User-friendly aliases accepted by ATLAS_AUTH_MODE. */
+const MODE_ALIASES: Record<string, AuthMode> = {
+  "none": "none",
+  "api-key": "simple-key",
+  "simple-key": "simple-key",
+  "managed": "managed",
+  "byot": "byot",
+};
+
+export type AuthModeSource = "explicit" | "auto-detected";
+
+let _cached: AuthMode | null = null;
+let _source: AuthModeSource | null = null;
+
+/**
+ * Detect auth mode from ATLAS_AUTH_MODE (explicit) or env var presence (auto).
+ * Cached after first call.
+ */
+export function detectAuthMode(): AuthMode {
+  if (_cached !== null) return _cached;
+
+  const explicit = process.env.ATLAS_AUTH_MODE?.trim();
+  if (explicit) {
+    const resolved = MODE_ALIASES[explicit.toLowerCase()];
+    if (resolved) {
+      _cached = resolved;
+      _source = "explicit";
+      log.info({ mode: _cached }, "Auth mode: %s (explicit)", _cached);
+      return _cached;
+    }
+    const valid = Object.keys(MODE_ALIASES).join(", ");
+    throw new Error(
+      `Invalid ATLAS_AUTH_MODE '${explicit}'. Valid values: ${valid}. ` +
+      `Remove ATLAS_AUTH_MODE to use auto-detection, or set it to a valid value.`,
+    );
+  }
+
+  // Auto-detection fallback
+  if (process.env.ATLAS_AUTH_JWKS_URL) {
+    _cached = "byot";
+  } else if (process.env.BETTER_AUTH_SECRET) {
+    _cached = "managed";
+  } else if (process.env.ATLAS_API_KEY) {
+    _cached = "simple-key";
+  } else {
+    _cached = "none";
+  }
+
+  _source = "auto-detected";
+  log.info({ mode: _cached }, "Auth mode: %s (auto-detected)", _cached);
+  return _cached;
+}
+
+/**
+ * Return how the auth mode was resolved: "explicit" or "auto-detected".
+ * Returns null if detectAuthMode() has not been called yet.
+ */
+export function getAuthModeSource(): AuthModeSource | null {
+  return _source;
+}
+
+/** Reset cached auth mode. For testing only. */
+export function resetAuthModeCache(): void {
+  _cached = null;
+  _source = null;
+}

package/templates/docker/src/lib/auth/managed.ts

@@ -0,0 +1,73 @@
+/**
+ * Managed auth (Better Auth) — session validation.
+ *
+ * Checks cookies and bearer tokens via auth.api.getSession().
+ * Returns AuthResult on success or missing session (never throws for
+ * "no session" — returns { authenticated: false } instead).
+ * Throws on infrastructure errors (DB unavailable, etc.);
+ * callers (middleware.ts) are expected to catch.
+ */
+
+import type { AuthResult } from "@atlas/api/lib/auth/types";
+import { createAtlasUser } from "@atlas/api/lib/auth/types";
+import { parseRole } from "@atlas/api/lib/auth/permissions";
+import { getAuthInstance } from "@atlas/api/lib/auth/server";
+import { createLogger } from "@atlas/api/lib/logger";
+
+const log = createLogger("auth:managed");
+
+export async function validateManaged(req: Request): Promise<AuthResult> {
+  const auth = getAuthInstance();
+
+  // Debug: log whether cookies are present in the request
+  const cookieHeader = req.headers.get("cookie");
+  const hasSessionToken = cookieHeader?.includes("session_token") ?? false;
+  const hasAuthorization = !!req.headers.get("authorization");
+  if (!hasSessionToken && !hasAuthorization) {
+    log.info({ url: req.url }, "No session_token cookie or Authorization header in request");
+  } else {
+    log.info({ hasSessionToken, hasAuthorization, url: req.url }, "Auth headers present");
+  }
+
+  const session = await auth.api.getSession({ headers: req.headers });
+
+  if (!session) {
+    log.info({ hasSessionToken, hasAuthorization }, "getSession returned null");
+    return { authenticated: false, mode: "managed", status: 401, error: "Not signed in" };
+  }
+
+  const userId = session.user?.id;
+  const email = session.user?.email;
+  if (!userId) {
+    log.error({ sessionExists: true }, "Session found but user.id is missing");
+    return { authenticated: false, mode: "managed", status: 500, error: "Session data is incomplete" };
+  }
+
+  // Extract role from session user (set by Better Auth admin plugin, stored in the `role` column).
+  // Falls back to default (viewer) when not present — see permissions.ts.
+  const sessionUser = session.user as Record<string, unknown>;
+  // Better Auth can store multiple roles as comma-separated strings; Atlas uses only the first.
+  const rawRoleField = sessionUser?.role;
+  const rawRole = typeof rawRoleField === "string" ? rawRoleField.split(",")[0].trim() : rawRoleField;
+  let role: ReturnType<typeof parseRole>;
+  if (typeof rawRole === "string") {
+    role = parseRole(rawRole);
+    if (rawRole && !role) {
+      log.warn({ value: rawRole, validRoles: ["viewer", "analyst", "admin"] }, "Session user role is not a valid Atlas role — defaulting to 'viewer'");
+    }
+  } else {
+    role = undefined;
+    if (rawRole !== undefined && rawRole !== null) {
+      log.warn({ type: typeof rawRole }, "Session user role is not a string — ignoring");
+    }
+  }
+
+  // Carry session user fields as claims for RLS policy evaluation
+  const claims: Record<string, unknown> = { ...sessionUser, sub: userId };
+
+  return {
+    authenticated: true,
+    mode: "managed",
+    user: createAtlasUser(userId, "managed", email || userId, role, claims),
+  };
+}

package/templates/docker/src/lib/auth/middleware.ts

@@ -0,0 +1,208 @@
+/**
+ * Auth middleware — central dispatcher + rate limiting.
+ *
+ * Calls detectAuthMode() and routes to the appropriate validator.
+ * Exports in-memory sliding-window rate limiting (checkRateLimit, getClientIP).
+ *
+ * A background setInterval timer evicts stale rate-limit entries every 60s.
+ * Call _stopCleanup() in tests to prevent the timer from keeping the process alive.
+ */
+
+import type { AuthResult } from "@atlas/api/lib/auth/types";
+import { detectAuthMode } from "@atlas/api/lib/auth/detect";
+import { validateApiKey } from "@atlas/api/lib/auth/simple-key";
+import { validateManaged } from "@atlas/api/lib/auth/managed";
+import { validateBYOT } from "@atlas/api/lib/auth/byot";
+import { createLogger } from "@atlas/api/lib/logger";
+
+const log = createLogger("auth");
+
+// ---------------------------------------------------------------------------
+// Rate limiting — in-memory sliding window
+// ---------------------------------------------------------------------------
+
+const WINDOW_MS = 60_000; // 60 seconds
+
+/** Map of rate-limit key → array of request timestamps (ms). */
+const windows = new Map<string, number[]>();
+
+let warnedInvalidRpm = false;
+
+function getRpmLimit(): number {
+  const raw = process.env.ATLAS_RATE_LIMIT_RPM;
+  if (raw === undefined || raw === "") return 0; // disabled
+  const n = Number(raw);
+  if (!Number.isFinite(n) || n < 0) {
+    if (!warnedInvalidRpm) {
+      log.warn({ value: raw }, "Invalid ATLAS_RATE_LIMIT_RPM; rate limiting disabled");
+      warnedInvalidRpm = true;
+    }
+    return 0;
+  }
+  return Math.floor(n);
+}
+
+/**
+ * Extract client IP from request headers.
+ *
+ * Both `X-Forwarded-For` and `X-Real-IP` are only trusted when
+ * `ATLAS_TRUST_PROXY` is `"true"` or `"1"`. Without this, an attacker
+ * can spoof these headers to bypass per-IP rate limits.
+ */
+export function getClientIP(req: Request): string | null {
+  const trustProxy = process.env.ATLAS_TRUST_PROXY;
+  if (trustProxy === "true" || trustProxy === "1") {
+    const xff = req.headers.get("x-forwarded-for");
+    if (xff) {
+      const first = xff.split(",")[0].trim();
+      if (first) return first;
+    }
+    const realIp = req.headers.get("x-real-ip");
+    if (realIp) return realIp.trim();
+  }
+  return null;
+}
+
+/**
+ * Sliding-window rate limit check.
+ *
+ * Returns `{ allowed: true }` when the request should proceed, or
+ * `{ allowed: false, retryAfterMs }` when the caller should back off.
+ * Always allows when ATLAS_RATE_LIMIT_RPM is unset or "0".
+ *
+ * Note: this limits API *requests*, not agent steps. A single chat request
+ * may run up to 25 agent steps internally, so effective LLM call volume
+ * can be higher than the RPM value implies.
+ */
+export function checkRateLimit(key: string): {
+  allowed: boolean;
+  retryAfterMs?: number;
+} {
+  const limit = getRpmLimit();
+  if (limit === 0) return { allowed: true };
+
+  const now = Date.now();
+  const cutoff = now - WINDOW_MS;
+
+  let timestamps = windows.get(key);
+  if (!timestamps) {
+    timestamps = [];
+    windows.set(key, timestamps);
+  }
+
+  // Evict stale entries
+  const firstValid = timestamps.findIndex((t) => t > cutoff);
+  if (firstValid > 0) timestamps.splice(0, firstValid);
+  else if (firstValid === -1) timestamps.length = 0;
+
+  if (timestamps.length < limit) {
+    timestamps.push(now);
+    return { allowed: true };
+  }
+
+  // Blocked — oldest entry determines when a slot opens
+  const retryAfterMs = Math.max(1, timestamps[0] + WINDOW_MS - now);
+  return { allowed: false, retryAfterMs };
+}
+
+/** Clear all rate limit state. For tests. */
+export function resetRateLimits(): void {
+  windows.clear();
+  warnedInvalidRpm = false;
+}
+
+/** Periodic cleanup — evict keys with no recent timestamps. */
+const cleanupInterval = setInterval(() => {
+  try {
+    const cutoff = Date.now() - WINDOW_MS;
+    for (const [key, timestamps] of windows) {
+      if (timestamps.length === 0 || timestamps[timestamps.length - 1] <= cutoff) {
+        windows.delete(key);
+      }
+    }
+  } catch (err) {
+    log.error(
+      { err: err instanceof Error ? err : new Error(String(err)) },
+      "Rate limit cleanup failed",
+    );
+  }
+}, WINDOW_MS);
+
+// Don't prevent Node/bun from exiting
+cleanupInterval.unref();
+
+/** Stop the periodic cleanup timer. For tests. */
+export function _stopCleanup(): void {
+  clearInterval(cleanupInterval);
+}
+
+// ---------------------------------------------------------------------------
+// Auth dispatcher
+// ---------------------------------------------------------------------------
+
+// ---------------------------------------------------------------------------
+// Test-only validator overrides
+// ---------------------------------------------------------------------------
+
+let _managedOverride: ((req: Request) => Promise<AuthResult>) | null = null;
+let _byotOverride: ((req: Request) => Promise<AuthResult>) | null = null;
+
+/** @internal — test-only. Override validateManaged/validateBYOT for isolation. */
+export function _setValidatorOverrides(overrides: {
+  managed?: ((req: Request) => Promise<AuthResult>) | null;
+  byot?: ((req: Request) => Promise<AuthResult>) | null;
+}): void {
+  _managedOverride = overrides.managed ?? null;
+  _byotOverride = overrides.byot ?? null;
+}
+
+/** Authenticate an incoming request based on the detected auth mode. */
+export async function authenticateRequest(req: Request): Promise<AuthResult> {
+  const mode = detectAuthMode();
+
+  switch (mode) {
+    case "none":
+      return { authenticated: true, user: undefined, mode: "none" };
+
+    case "simple-key":
+      return validateApiKey(req);
+
+    case "managed":
+      try {
+        return await (_managedOverride ?? validateManaged)(req);
+      } catch (err) {
+        log.error(
+          { err: err instanceof Error ? err : new Error(String(err)), mode },
+          "Managed auth error",
+        );
+        if (err instanceof TypeError || err instanceof ReferenceError || err instanceof SyntaxError) {
+          log.error({ err, mode }, "BUG: Unexpected programming error in auth validator");
+        }
+        return {
+          authenticated: false,
+          mode,
+          status: 500,
+          error: "Authentication service error",
+        };
+      }
+
+    case "byot":
+      try {
+        return await (_byotOverride ?? validateBYOT)(req);
+      } catch (err) {
+        log.error(
+          { err: err instanceof Error ? err : new Error(String(err)), mode },
+          "BYOT auth error",
+        );
+        if (err instanceof TypeError || err instanceof ReferenceError || err instanceof SyntaxError) {
+          log.error({ err, mode }, "BUG: Unexpected programming error in auth validator");
+        }
+        return {
+          authenticated: false,
+          mode,
+          status: 500,
+          error: "Authentication service error",
+        };
+      }
+  }
+}