@atomservice/config 0.1.5

package/server/src/modules/token.ts

@@ -0,0 +1,58 @@
+import { getDb } from "../db/client.ts"
+import type { AppTokenRow } from "../db/types.ts"
+import { HttpError, ok, optionalString, param, readBody, route } from "../http/response.ts"
+import { assertEnvAccess, requireProjectRole, requireUser } from "../shared/auth.ts"
+import { findApp, findEnv, findProject } from "../shared/resolve.ts"
+import { publicAppToken } from "../shared/serialize.ts"
+import { issueAppToken } from "../shared/token.ts"
+
+function listTokens(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const app = findApp(project.id, param(req, "app"))
+  const env = findEnv(project.id, param(req, "env"))
+  assertEnvAccess(user, env)
+  const rows = getDb()
+    .query(`SELECT * FROM "AppToken" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC`)
+    .all(app.id, env.id) as AppTokenRow[]
+  return ok({ tokens: rows.map(publicAppToken) })
+}
+
+async function createToken(req: Request): Promise<Response> {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const app = findApp(project.id, param(req, "app"))
+  const env = findEnv(project.id, param(req, "env"))
+  assertEnvAccess(user, env)
+  const body = await readBody(req)
+  const name = optionalString(body, "name")
+
+  const issued = issueAppToken(app.id, env.id, user.id, name)
+  const row = getDb()
+    .query(`SELECT * FROM "AppToken" WHERE tokenPrefix = ? ORDER BY createdAt DESC LIMIT 1`)
+    .get(issued.prefix) as AppTokenRow
+  return ok({ token: issued.raw, info: publicAppToken(row) }, 201)
+}
+
+function revokeToken(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const app = findApp(project.id, param(req, "app"))
+  const env = findEnv(project.id, param(req, "env"))
+  assertEnvAccess(user, env)
+  const tokenId = param(req, "tokenId")
+  const existing = getDb()
+    .query(`SELECT 1 FROM "AppToken" WHERE id = ? AND appId = ? AND environmentId = ?`)
+    .get(tokenId, app.id, env.id)
+  if (!existing) throw new HttpError(404, "token_not_found", "令牌不存在")
+  getDb().query(`UPDATE "AppToken" SET revoked = 1 WHERE id = ?`).run(tokenId)
+  return ok({ revoked: true })
+}
+
+export const tokenRoutes = {
+  "/v1/projects/:project/apps/:app/envs/:env/tokens": { GET: route(listTokens), POST: route(createToken) },
+  "/v1/projects/:project/apps/:app/envs/:env/tokens/:tokenId": { DELETE: route(revokeToken) },
+}

package/server/src/modules/user.ts

@@ -0,0 +1,74 @@
+import { getDb } from "../db/client.ts"
+import type { UserRow } from "../db/types.ts"
+import { HttpError, ok, readBody, requireString, route } from "../http/response.ts"
+import { requireSuperAdmin, requireUser } from "../shared/auth.ts"
+import { EMAIL_RE } from "../shared/consts.ts"
+import { hashPassword, verifyPassword } from "../shared/password.ts"
+import { publicUser } from "../shared/serialize.ts"
+import { issueHumanToken } from "../shared/token.ts"
+import { newId } from "../shared/utils.ts"
+
+async function login(req: Request): Promise<Response> {
+  const body = await readBody(req)
+  const account = requireString(body, "account", "账号")
+  const password = requireString(body, "password", "密码")
+
+  const db = getDb()
+  const user = (db.query(`SELECT * FROM "User" WHERE email = ?`).get(account) ??
+    db.query(`SELECT * FROM "User" WHERE name = ?`).get(account)) as UserRow | null
+  if (!user || !(await verifyPassword(password, user.passwordHash))) {
+    throw new HttpError(401, "invalid_credentials", "账号或密码错误")
+  }
+
+  const token = issueHumanToken(user.id, "cli")
+  return ok({ token: token.raw, user: publicUser(user) })
+}
+
+function listUsers(req: Request): Response {
+  requireUser(req)
+  const rows = getDb().query(`SELECT * FROM "User" ORDER BY createdAt`).all() as UserRow[]
+  return ok({ users: rows.map(publicUser) })
+}
+
+async function createUser(req: Request): Promise<Response> {
+  const actor = requireUser(req)
+  requireSuperAdmin(actor)
+  const body = await readBody(req)
+  const email = requireString(body, "email", "邮箱")
+  const name = requireString(body, "name", "用户名")
+  const password = requireString(body, "password", "密码")
+  const isSuperAdmin = body.isSuperAdmin === true ? 1 : 0
+
+  if (!EMAIL_RE.test(email)) throw new HttpError(400, "invalid_field", "邮箱格式不正确")
+  if (password.length < 8) throw new HttpError(400, "invalid_field", "密码至少 8 位")
+
+  const db = getDb()
+  if (db.query(`SELECT 1 FROM "User" WHERE email = ?`).get(email)) {
+    throw new HttpError(409, "conflict", "邮箱已被占用")
+  }
+  if (db.query(`SELECT 1 FROM "User" WHERE name = ?`).get(name)) {
+    throw new HttpError(409, "conflict", "用户名已被占用")
+  }
+
+  const id = newId()
+  db.query(`INSERT INTO "User" (id, email, name, passwordHash, isSuperAdmin) VALUES (?, ?, ?, ?, ?)`).run(
+    id,
+    email,
+    name,
+    await hashPassword(password),
+    isSuperAdmin,
+  )
+  const created = db.query(`SELECT * FROM "User" WHERE id = ?`).get(id) as UserRow
+  return ok({ user: publicUser(created) }, 201)
+}
+
+function whoami(req: Request): Response {
+  const user = requireUser(req)
+  return ok({ user })
+}
+
+export const userRoutes = {
+  "/v1/auth/login": { POST: route(login) },
+  "/v1/auth/whoami": { GET: route(whoami) },
+  "/v1/users": { GET: route(listUsers), POST: route(createUser) },
+}

package/server/src/shared/auth.ts

@@ -0,0 +1,58 @@
+import { getDb } from "../db/client.ts"
+import type { EnvironmentRow, ProjectRole, UserRow } from "../db/types.ts"
+import { HttpError } from "../http/response.ts"
+import { ROLE_RANK } from "./consts.ts"
+import { isAppToken, isHumanToken, verifyAppToken, verifyHumanToken } from "./token.ts"
+import type { AppPrincipal, AuthUser } from "./types.ts"
+
+function bearer(req: Request): string {
+  const header = req.headers.get("authorization") ?? ""
+  const match = header.match(/^Bearer\s+(.+)$/i)
+  if (!match?.[1]) throw new HttpError(401, "unauthorized", "缺少访问凭证")
+  return match[1].trim()
+}
+
+function toAuthUser(row: UserRow): AuthUser {
+  return { id: row.id, email: row.email, name: row.name, isSuperAdmin: row.isSuperAdmin === 1 }
+}
+
+export function requireUser(req: Request): AuthUser {
+  const raw = bearer(req)
+  if (!isHumanToken(raw)) throw new HttpError(401, "unauthorized", "请使用用户凭证登录后再操作")
+  const user = verifyHumanToken(raw)
+  if (!user) throw new HttpError(401, "unauthorized", "凭证无效或已过期，请重新登录")
+  return toAuthUser(user)
+}
+
+export function requireAppPrincipal(req: Request): AppPrincipal {
+  const raw = bearer(req)
+  if (!isAppToken(raw)) throw new HttpError(401, "unauthorized", "需要应用访问令牌")
+  const token = verifyAppToken(raw)
+  if (!token) throw new HttpError(401, "unauthorized", "应用令牌无效或已撤销")
+  return { tokenId: token.id, appId: token.appId, environmentId: token.environmentId }
+}
+
+export function membershipRole(userId: string, projectId: string): ProjectRole | null {
+  const row = getDb()
+    .query(`SELECT role FROM "ProjectMember" WHERE projectId = ? AND userId = ?`)
+    .get(projectId, userId) as { role: ProjectRole } | null
+  return row?.role ?? null
+}
+
+export function requireSuperAdmin(user: AuthUser): void {
+  if (!user.isSuperAdmin) throw new HttpError(403, "forbidden", "该操作仅超级管理员可执行")
+}
+
+export function requireProjectRole(user: AuthUser, projectId: string, minimum: ProjectRole): void {
+  if (user.isSuperAdmin) return
+  const role = membershipRole(user.id, projectId)
+  if (!role || (ROLE_RANK[role] ?? 0) < (ROLE_RANK[minimum] ?? 0)) {
+    throw new HttpError(403, "forbidden", "权限不足，无法执行该操作")
+  }
+}
+
+export function assertEnvAccess(user: AuthUser, env: EnvironmentRow): void {
+  if (env.sensitive === 1 && !user.isSuperAdmin) {
+    throw new HttpError(403, "forbidden", "敏感环境仅超级管理员可访问")
+  }
+}

package/server/src/shared/bootstrap.ts

@@ -0,0 +1,29 @@
+import { getDb } from "../db/client.ts"
+import type { UserRow } from "../db/types.ts"
+import { getEnv } from "./env.ts"
+import { hashPassword } from "./password.ts"
+import { newId } from "./utils.ts"
+
+export async function bootstrapAdmin(): Promise<void> {
+  const db = getDb()
+  const hasSuperAdmin = db.query(`SELECT 1 FROM "User" WHERE isSuperAdmin = 1 LIMIT 1`).get()
+  if (hasSuperAdmin) return
+
+  const { adminEmail: email, adminPassword: password, adminName: name } = getEnv()
+  if (!email || !password) {
+    throw new Error("数据库中尚无超管账号，请通过环境变量 CONFIG_ADMIN_EMAIL 和 CONFIG_ADMIN_PASSWORD 配置初始超管")
+  }
+
+  const existing = db.query(`SELECT * FROM "User" WHERE email = ?`).get(email) as UserRow | null
+  if (existing) {
+    db.query(`UPDATE "User" SET isSuperAdmin = 1 WHERE id = ?`).run(existing.id)
+    return
+  }
+
+  db.query(`INSERT INTO "User" (id, email, name, passwordHash, isSuperAdmin) VALUES (?, ?, ?, ?, 1)`).run(
+    newId(),
+    email,
+    name,
+    await hashPassword(password),
+  )
+}

package/server/src/shared/consts.ts

@@ -0,0 +1,10 @@
+export const API_PREFIX = "/v1"
+
+export const HUMAN_TOKEN_PREFIX = "atmu"
+export const APP_TOKEN_PREFIX = "atma"
+export const TOKEN_BYTES = 32
+
+export const SLUG_RE = /^[a-z][a-z0-9-]*$/
+export const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/
+
+export const ROLE_RANK: Record<string, number> = { admin: 3, collaborator: 2, viewer: 1 }

package/server/src/shared/env.ts

@@ -0,0 +1,55 @@
+import path from "node:path"
+import { type Static, Type } from "typebox"
+import { Value } from "typebox/value"
+
+export const envSchema = Type.Object({
+  CONFIG_PORT: Type.Optional(Type.String({ pattern: "^\\d+$", default: "4921" })),
+  CONFIG_DB_PATH: Type.Optional(Type.String({ default: path.join(process.cwd(), "data", "config.db") })),
+  CONFIG_ADMIN_NAME: Type.Optional(Type.String({ minLength: 1, default: "admin" })),
+  CONFIG_ADMIN_EMAIL: Type.Optional(Type.String()),
+  CONFIG_ADMIN_PASSWORD: Type.Optional(Type.String({ minLength: 1 })),
+})
+
+type RawEnv = Static<typeof envSchema>
+
+export interface Env {
+  port: number
+  dbPath: string
+  adminName: string
+  adminEmail: string | undefined
+  adminPassword: string | undefined
+}
+
+let cached: Env | undefined
+
+export function getEnv(): Env {
+  if (cached) return cached
+  const raw: RawEnv = {
+    CONFIG_PORT: process.env.CONFIG_PORT,
+    CONFIG_DB_PATH: process.env.CONFIG_DB_PATH,
+    CONFIG_ADMIN_NAME: process.env.CONFIG_ADMIN_NAME,
+    CONFIG_ADMIN_EMAIL: process.env.CONFIG_ADMIN_EMAIL,
+    CONFIG_ADMIN_PASSWORD: process.env.CONFIG_ADMIN_PASSWORD,
+  }
+  const filled = Value.Default(envSchema, raw) as Required<
+    Pick<RawEnv, "CONFIG_PORT" | "CONFIG_DB_PATH" | "CONFIG_ADMIN_NAME">
+  > &
+    RawEnv
+  const errors = [...Value.Errors(envSchema, filled)]
+  if (errors.length) {
+    const msgs = errors.map((e) => `  ${e.instancePath || "/"}: ${e.message}`).join("\n")
+    throw new Error(`环境变量配置错误:\n${msgs}`)
+  }
+  cached = {
+    port: Number.parseInt(filled.CONFIG_PORT, 10),
+    dbPath: filled.CONFIG_DB_PATH,
+    adminName: filled.CONFIG_ADMIN_NAME,
+    adminEmail: filled.CONFIG_ADMIN_EMAIL,
+    adminPassword: filled.CONFIG_ADMIN_PASSWORD,
+  }
+  return cached
+}
+
+export function validateEnv(): void {
+  getEnv()
+}

package/server/src/shared/jsonschema.ts

@@ -0,0 +1,74 @@
+import { isPlainObject, jsonType } from "./utils.ts"
+
+export interface SchemaError {
+  path: string
+  message: string
+}
+
+export function validateAgainstSchema(schema: unknown, data: unknown): SchemaError[] {
+  if (!isPlainObject(schema)) return []
+  const errors: SchemaError[] = []
+  walk(schema, data, "$", errors)
+  return errors
+}
+
+function walk(schema: Record<string, unknown>, data: unknown, path: string, errors: SchemaError[]): void {
+  const expected = schema.type
+  if (typeof expected === "string" && !matchesType(expected, data)) {
+    errors.push({ path, message: `期望类型 ${expected}，实际为 ${jsonType(data)}` })
+    return
+  }
+
+  if (Array.isArray(schema.enum) && !schema.enum.some((opt) => JSON.stringify(opt) === JSON.stringify(data))) {
+    errors.push({ path, message: `取值不在允许范围内` })
+  }
+
+  if (expected === "object" || isPlainObject(data)) {
+    const props = isPlainObject(schema.properties) ? schema.properties : {}
+    const required = Array.isArray(schema.required) ? schema.required : []
+    const obj = isPlainObject(data) ? data : {}
+
+    for (const key of required) {
+      if (typeof key === "string" && !(key in obj)) {
+        errors.push({ path: `${path}.${key}`, message: "缺少必填字段" })
+      }
+    }
+
+    if (schema.additionalProperties === false) {
+      for (const key of Object.keys(obj)) {
+        if (!(key in props)) errors.push({ path: `${path}.${key}`, message: "不允许的额外字段" })
+      }
+    }
+
+    for (const [key, sub] of Object.entries(props)) {
+      if (key in obj && isPlainObject(sub)) walk(sub, obj[key], `${path}.${key}`, errors)
+    }
+  }
+
+  if (expected === "array" && Array.isArray(data) && isPlainObject(schema.items)) {
+    for (const [index, item] of data.entries()) {
+      walk(schema.items as Record<string, unknown>, item, `${path}[${index}]`, errors)
+    }
+  }
+}
+
+function matchesType(expected: string, data: unknown): boolean {
+  switch (expected) {
+    case "object":
+      return isPlainObject(data)
+    case "array":
+      return Array.isArray(data)
+    case "string":
+      return typeof data === "string"
+    case "number":
+      return typeof data === "number"
+    case "integer":
+      return typeof data === "number" && Number.isInteger(data)
+    case "boolean":
+      return typeof data === "boolean"
+    case "null":
+      return data === null
+    default:
+      return true
+  }
+}

package/server/src/shared/password.ts

@@ -0,0 +1,7 @@
+export function hashPassword(plain: string): Promise<string> {
+  return Bun.password.hash(plain)
+}
+
+export function verifyPassword(plain: string, hash: string): Promise<boolean> {
+  return Bun.password.verify(plain, hash)
+}

package/server/src/shared/resolve.ts

@@ -0,0 +1,33 @@
+import { getDb } from "../db/client.ts"
+import type { AppRow, EnvironmentRow, ProjectRow, UserRow } from "../db/types.ts"
+import { HttpError } from "../http/response.ts"
+
+export function findProject(slug: string): ProjectRow {
+  const row = getDb().query(`SELECT * FROM "Project" WHERE slug = ?`).get(slug) as ProjectRow | null
+  if (!row) throw new HttpError(404, "project_not_found", `项目不存在：${slug}`)
+  return row
+}
+
+export function findEnv(projectId: string, slug: string): EnvironmentRow {
+  const row = getDb()
+    .query(`SELECT * FROM "Environment" WHERE projectId = ? AND slug = ?`)
+    .get(projectId, slug) as EnvironmentRow | null
+  if (!row) throw new HttpError(404, "env_not_found", `环境不存在：${slug}`)
+  return row
+}
+
+export function findApp(projectId: string, slug: string): AppRow {
+  const row = getDb()
+    .query(`SELECT * FROM "App" WHERE projectId = ? AND slug = ?`)
+    .get(projectId, slug) as AppRow | null
+  if (!row) throw new HttpError(404, "app_not_found", `应用不存在：${slug}`)
+  return row
+}
+
+export function findUserByAccount(account: string): UserRow {
+  const db = getDb()
+  const row = (db.query(`SELECT * FROM "User" WHERE email = ?`).get(account) ??
+    db.query(`SELECT * FROM "User" WHERE name = ?`).get(account)) as UserRow | null
+  if (!row) throw new HttpError(404, "user_not_found", `用户不存在：${account}`)
+  return row
+}

package/server/src/shared/semver.ts

@@ -0,0 +1,33 @@
+import { Value } from "typebox/value"
+import type { ChangeKind } from "../db/types.ts"
+
+export function diffChangeKind(prev: Record<string, unknown> | null, next: Record<string, unknown>): ChangeKind | null {
+  if (!prev) return "major"
+
+  const edits = Value.Diff(prev, next)
+  if (edits.length === 0) return null
+
+  let hasMajor = false
+  let hasMinor = false
+  for (const edit of edits) {
+    if (edit.type === "delete") {
+      hasMajor = true
+      break
+    }
+    if (edit.type === "insert") hasMinor = true
+  }
+  if (hasMajor) return "major"
+  if (hasMinor) return "minor"
+  return "patch"
+}
+
+export function bumpSemver(prev: string | null, kind: ChangeKind): string {
+  if (!prev) return "1.0.0"
+  const parts = prev.split(".")
+  const major = Number.parseInt(parts[0] ?? "0", 10)
+  const minor = Number.parseInt(parts[1] ?? "0", 10)
+  const patch = Number.parseInt(parts[2] ?? "0", 10)
+  if (kind === "major") return `${major + 1}.0.0`
+  if (kind === "minor") return `${major}.${minor + 1}.0`
+  return `${major}.${minor}.${patch + 1}`
+}

package/server/src/shared/serialize.ts

@@ -0,0 +1,84 @@
+import type {
+  AppRow,
+  AppTokenRow,
+  EnvironmentRow,
+  ProjectMemberRow,
+  ProjectRow,
+  ReleaseRow,
+  UserRow,
+} from "../db/types.ts"
+
+export function publicUser(row: UserRow) {
+  return {
+    id: row.id,
+    email: row.email,
+    name: row.name,
+    isSuperAdmin: row.isSuperAdmin === 1,
+    createdAt: row.createdAt,
+  }
+}
+
+export function publicProject(row: ProjectRow) {
+  return {
+    id: row.id,
+    slug: row.slug,
+    name: row.name,
+    description: row.description,
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt,
+  }
+}
+
+export function publicMember(row: ProjectMemberRow & Pick<UserRow, "email" | "name">) {
+  return { userId: row.userId, email: row.email, name: row.name, role: row.role, joinedAt: row.joinedAt }
+}
+
+export function publicEnv(row: EnvironmentRow) {
+  return {
+    id: row.id,
+    slug: row.slug,
+    name: row.name,
+    description: row.description,
+    sortOrder: row.sortOrder,
+    sensitive: row.sensitive === 1,
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt,
+  }
+}
+
+export function publicApp(row: AppRow) {
+  return {
+    id: row.id,
+    slug: row.slug,
+    name: row.name,
+    description: row.description,
+    schema: row.schema ? JSON.parse(row.schema) : {},
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt,
+  }
+}
+
+export function publicRelease(row: ReleaseRow, withConfig: boolean) {
+  return {
+    id: row.id,
+    semver: row.semver,
+    changeKind: row.changeKind,
+    status: row.status,
+    notes: row.notes,
+    createdBy: row.createdBy,
+    createdAt: row.createdAt,
+    config: withConfig ? JSON.parse(row.snapshot) : undefined,
+    schema: withConfig ? JSON.parse(row.schemaSnapshot) : undefined,
+  }
+}
+
+export function publicAppToken(row: AppTokenRow) {
+  return {
+    id: row.id,
+    name: row.name,
+    tokenPrefix: row.tokenPrefix,
+    revoked: row.revoked === 1,
+    lastUsedAt: row.lastUsedAt,
+    createdAt: row.createdAt,
+  }
+}

package/server/src/shared/token.ts

@@ -0,0 +1,59 @@
+import { getDb } from "../db/client.ts"
+import type { AppTokenRow, TokenRow, UserRow } from "../db/types.ts"
+import { APP_TOKEN_PREFIX, HUMAN_TOKEN_PREFIX, TOKEN_BYTES } from "./consts.ts"
+import type { IssuedToken } from "./types.ts"
+import { newId, nowSec } from "./utils.ts"
+
+function randomSecret(): string {
+  const buf = crypto.getRandomValues(new Uint8Array(TOKEN_BYTES))
+  return Buffer.from(buf).toString("base64url")
+}
+
+function hashSecret(raw: string): string {
+  return new Bun.CryptoHasher("sha256").update(raw).digest("hex")
+}
+
+export function isHumanToken(raw: string): boolean {
+  return raw.startsWith(`${HUMAN_TOKEN_PREFIX}_`)
+}
+
+export function isAppToken(raw: string): boolean {
+  return raw.startsWith(`${APP_TOKEN_PREFIX}_`)
+}
+
+export function issueHumanToken(userId: string, name?: string): IssuedToken {
+  const raw = `${HUMAN_TOKEN_PREFIX}_${randomSecret()}`
+  const prefix = raw.slice(0, 14)
+  getDb()
+    .query(`INSERT INTO "Token" (id, userId, name, tokenHash, tokenPrefix) VALUES (?, ?, ?, ?, ?)`)
+    .run(newId(), userId, name ?? null, hashSecret(raw), prefix)
+  return { raw, prefix }
+}
+
+export function verifyHumanToken(raw: string): UserRow | null {
+  const db = getDb()
+  const row = db.query(`SELECT * FROM "Token" WHERE tokenHash = ?`).get(hashSecret(raw)) as TokenRow | null
+  if (!row || row.revoked) return null
+  if (row.expiresAt && row.expiresAt < nowSec()) return null
+  db.query(`UPDATE "Token" SET lastUsedAt = ? WHERE id = ?`).run(nowSec(), row.id)
+  return db.query(`SELECT * FROM "User" WHERE id = ?`).get(row.userId) as UserRow | null
+}
+
+export function issueAppToken(appId: string, environmentId: string, createdBy: string, name?: string): IssuedToken {
+  const raw = `${APP_TOKEN_PREFIX}_${randomSecret()}`
+  const prefix = raw.slice(0, 14)
+  getDb()
+    .query(
+      `INSERT INTO "AppToken" (id, appId, environmentId, name, tokenHash, tokenPrefix, createdBy) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+    )
+    .run(newId(), appId, environmentId, name ?? null, hashSecret(raw), prefix, createdBy)
+  return { raw, prefix }
+}
+
+export function verifyAppToken(raw: string): AppTokenRow | null {
+  const db = getDb()
+  const row = db.query(`SELECT * FROM "AppToken" WHERE tokenHash = ?`).get(hashSecret(raw)) as AppTokenRow | null
+  if (!row || row.revoked) return null
+  db.query(`UPDATE "AppToken" SET lastUsedAt = ? WHERE id = ?`).run(nowSec(), row.id)
+  return row
+}

package/server/src/shared/types.ts

@@ -0,0 +1,25 @@
+import type { ProjectRole } from "../db/types.ts"
+
+export interface AuthUser {
+  id: string
+  email: string
+  name: string
+  isSuperAdmin: boolean
+}
+
+export interface AppPrincipal {
+  tokenId: string
+  appId: string
+  environmentId: string
+}
+
+export interface IssuedToken {
+  raw: string
+  prefix: string
+}
+
+export interface JsonObject {
+  [key: string]: unknown
+}
+
+export type { ProjectRole }

package/server/src/shared/utils.ts

@@ -0,0 +1,17 @@
+export function newId(): string {
+  return Bun.randomUUIDv7().replaceAll("-", "")
+}
+
+export function nowSec(): number {
+  return Math.floor(Date.now() / 1000)
+}
+
+export function jsonType(value: unknown): string {
+  if (value === null) return "null"
+  if (Array.isArray(value)) return "array"
+  return typeof value
+}
+
+export function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value)
+}

package/server/tsconfig.json

@@ -0,0 +1,27 @@
+{
+  "compilerOptions": {
+    "lib": ["ESNext"],
+    "target": "ESNext",
+    "module": "Preserve",
+    "moduleDetection": "force",
+    "jsx": "react-jsx",
+    "allowJs": true,
+    "types": ["bun"],
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "noEmit": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedIndexedAccess": true,
+    "noImplicitOverride": true,
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noPropertyAccessFromIndexSignature": false,
+    "paths": {
+      "~/*": ["./src/*"]
+    }
+  },
+  "include": ["src"]
+}