@autumnsgrove/groveengine 0.4.1 → 0.4.2

package/dist/auth/session.d.ts

@@ -40,3 +40,21 @@ export function parseSessionCookie(cookieHeader: string): string | null;
  * @returns {boolean} - Whether the user is allowed
  */
 export function isAllowedAdmin(email: string, allowedList: string): boolean;
+/**
+ * Verify that a user owns/has access to a tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID to check
+ * @param {string} userEmail - User's email address
+ * @returns {Promise<boolean>} - Whether the user owns the tenant
+ */
+export function verifyTenantOwnership(db: Object, tenantId: string, userEmail: string): Promise<boolean>;
+/**
+ * Get tenant ID with ownership verification
+ * Throws 403 if user doesn't own the tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID from request
+ * @param {Object} user - User object with email
+ * @returns {Promise<string>} - Verified tenant ID
+ * @throws {Error} - If unauthorized
+ */
+export function getVerifiedTenantId(db: Object, tenantId: string, user: Object): Promise<string>;

package/dist/auth/session.js

@@ -54,7 +54,7 @@ export function createSessionCookie(token, isProduction = true) {
     "Path=/",
     `Max-Age=${SESSION_DURATION_SECONDS}`,
     "HttpOnly",
-    "SameSite=Lax",
+    "SameSite=Strict",
   ];
 
   if (isProduction) {
@@ -69,7 +69,7 @@ export function createSessionCookie(token, isProduction = true) {
  * @returns {string} - Cookie header value
  */
 export function clearSessionCookie() {
-  return `${SESSION_COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax`;
+  return `${SESSION_COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Strict`;
 }
 
 /**
@@ -103,3 +103,65 @@ export function isAllowedAdmin(email, allowedList) {
   const allowed = allowedList.split(",").map((e) => e.trim().toLowerCase());
   return allowed.includes(email.toLowerCase());
 }
+
+/**
+ * Verify that a user owns/has access to a tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID to check
+ * @param {string} userEmail - User's email address
+ * @returns {Promise<boolean>} - Whether the user owns the tenant
+ */
+export async function verifyTenantOwnership(db, tenantId, userEmail) {
+  if (!tenantId || !userEmail) {
+    return false;
+  }
+
+  try {
+    const tenant = await db
+      .prepare("SELECT email FROM tenants WHERE id = ?")
+      .bind(tenantId)
+      .first();
+
+    if (!tenant) {
+      return false;
+    }
+
+    // Check if user email matches tenant owner email
+    return tenant.email.toLowerCase() === userEmail.toLowerCase();
+  } catch (error) {
+    console.error("Error verifying tenant ownership:", error);
+    return false;
+  }
+}
+
+/**
+ * Get tenant ID with ownership verification
+ * Throws 403 if user doesn't own the tenant
+ * @param {Object} db - D1 database instance
+ * @param {string} tenantId - Tenant ID from request
+ * @param {Object} user - User object with email
+ * @returns {Promise<string>} - Verified tenant ID
+ * @throws {Error} - If unauthorized
+ */
+export async function getVerifiedTenantId(db, tenantId, user) {
+  if (!tenantId) {
+    const err = new Error("Tenant ID required");
+    err.status = 400;
+    throw err;
+  }
+
+  if (!user?.email) {
+    const err = new Error("Unauthorized");
+    err.status = 401;
+    throw err;
+  }
+
+  const isOwner = await verifyTenantOwnership(db, tenantId, user.email);
+  if (!isOwner) {
+    const err = new Error("Access denied - you do not own this tenant");
+    err.status = 403;
+    throw err;
+  }
+
+  return tenantId;
+}

package/dist/ui/components/ui/Toast.svelte

@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { Toaster } from "svelte-sonner";
+	import { Toaster } from "sonner";
 
 	interface Props {
 		position?:

package/dist/ui/components/ui/toast.js

@@ -1,4 +1,4 @@
-import { toast as sonnerToast } from "svelte-sonner";
+import { toast as sonnerToast } from "sonner";
 /**
  * Toast notification utility for displaying temporary messages
  * Wraps sonner toast with consistent defaults and API

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autumnsgrove/groveengine",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "Multi-tenant blog engine for Grove Platform. Features gutter annotations, markdown editing, magic code auth, and Cloudflare Workers deployment.",
   "author": "AutumnsGrove",
   "license": "MIT",
@@ -132,7 +132,6 @@
   "peerDependencies": {
     "@sveltejs/kit": "^2.0.0",
     "svelte": "^5.0.0",
-    "svelte-sonner": "^1.0.0",
     "tailwindcss": "^3.4.0"
   },
   "devDependencies": {
@@ -166,6 +165,8 @@
     "gray-matter": "^4.0.3",
     "lucide-svelte": "^0.554.0",
     "marked": "^17.0.1",
+    "sonner": "^2.0.7",
+    "svelte-sonner": "^1.0.7",
     "tailwind-merge": "^3.4.0"
   },
   "scripts": {
@@ -175,8 +176,8 @@
     "build:package": "svelte-kit sync && svelte-package -o dist",
     "package": "svelte-kit sync && svelte-package -o dist",
     "preview": "vite preview",
-    "audit": "npm audit --audit-level=moderate",
-    "audit:fix": "npm audit fix",
+    "audit": "pnpm audit --audit-level=moderate",
+    "audit:fix": "pnpm audit --fix",
     "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
     "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
     "test": "vitest",