@bbki.ng/backend 0.0.1 → 0.2.0

package/.dev.vars.example

@@ -0,0 +1,4 @@
+# Local development environment variables
+# Copy this file to .dev.vars and update the values
+
+API_KEY=your-local-dev-api-key

package/CHANGELOG.md

@@ -1,3 +1,7 @@
 # backend
 
+## 0.2.0
+
+## 0.1.0
+
 ## 0.0.2

package/package.json

@@ -1,13 +1,15 @@
 {
   "name": "@bbki.ng/backend",
-  "version": "0.0.1",
+  "version": "0.2.0",
   "type": "module",
   "dependencies": {
+    "@simplewebauthn/server": "13.2.2",
     "hono": "^4.10.7"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "4.20251128.0",
-    "wrangler": "^4.4.0"
+    "@types/node": "25.0.3",
+    "wrangler": "^4.58.0"
   },
   "scripts": {
     "dev": "wrangler dev",

package/src/config/app.config.ts

@@ -0,0 +1,19 @@
+import { Hono } from "hono";
+import type { D1Database } from "@cloudflare/workers-types";
+import { cors } from "hono/cors";
+
+type Bindings = {
+  DB: D1Database;
+  API_KEY: string;
+};
+
+const app = new Hono<{ Bindings: Bindings }>();
+
+app.use(
+  "*",
+  cors({
+    origin: ["https://bbki.ng"],
+  }),
+);
+
+export default app;

package/src/controllers/authn/db.ts

@@ -0,0 +1,98 @@
+import { Context } from "hono";
+import { Passkey, User } from "../../types";
+
+export const createDatabaseQuery = (c: Context) => {
+  const env = c.env;
+  return {
+    // 用户相关
+    async getUserByUsername(username: string): Promise<User | null> {
+      // TODO: 替换为 D1 SQL 查询
+      const stmt = env.DB.prepare(
+        "SELECT id, username, display_name FROM users WHERE username = ?",
+      ).bind(username);
+      const result = await stmt.first();
+      return result
+        ? {
+            id: result.id as string,
+            username: result.username as string,
+            displayName: result.display_name as string,
+          }
+        : null;
+    },
+
+    async createUser(
+      id: string,
+      username: string,
+      displayName: string,
+    ): Promise<User> {
+      await env.DB.prepare(
+        "INSERT INTO users (id, username, display_name) VALUES (?, ?, ?)",
+      )
+        .bind(id, username, displayName)
+        .run();
+      return { id, username, displayName };
+    },
+
+    // Passkey 相关
+    async getPasskeyById(credentialID: string): Promise<Passkey | null> {
+      const stmt = env.DB.prepare("SELECT * FROM passkeys WHERE id = ?").bind(
+        credentialID,
+      );
+      const row = await stmt.first();
+      if (!row) return null;
+      return {
+        id: row.id as string,
+        userId: row.user_id as string,
+        publicKey: row.public_key as string,
+        counter: row.counter as number,
+        deviceType: row.device_type as "singleDevice" | "multiDevice",
+        backedUp: Boolean(row.backed_up),
+        transports: row.transports
+          ? JSON.parse(row.transports as string)
+          : undefined,
+      };
+    },
+
+    async savePasskey(passkey: Passkey): Promise<void> {
+      const transportsStr = passkey.transports
+        ? JSON.stringify(passkey.transports)
+        : null;
+      await env.DB.prepare(
+        `
+      INSERT INTO passkeys (id, user_id, public_key, counter, device_type, backed_up, transports)
+      VALUES (?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(id) DO UPDATE SET
+        counter = excluded.counter,
+        backed_up = excluded.backed_up,
+        transports = excluded.transports
+    `,
+      )
+        .bind(
+          passkey.id,
+          passkey.userId,
+          passkey.publicKey,
+          passkey.counter,
+          passkey.deviceType,
+          passkey.backedUp ? 1 : 0,
+          transportsStr,
+        )
+        .run();
+    },
+
+    async listPasskeysByUserId(userId: string): Promise<Passkey[]> {
+      const stmt = env.DB.prepare(
+        "SELECT * FROM passkeys WHERE user_id = ?",
+      ).bind(userId);
+      const rows = await stmt.all();
+      return rows.results.map((row: any) => ({
+        id: row.id,
+        userId: row.user_id,
+        publicKey: row.public_key,
+        counter: row.counter,
+        deviceType: row.device_type,
+        backedUp: Boolean(row.backed_up),
+        transports: row.transports ? JSON.parse(row.transports) : undefined,
+      }));
+    },
+  };
+};

package/src/controllers/authn/register.controller.ts

@@ -0,0 +1,53 @@
+import {
+  AuthenticatorTransport,
+  generateRegistrationOptions,
+} from "@simplewebauthn/server";
+import { Context } from "hono";
+import { Buffer } from "node:buffer";
+import { createDatabaseQuery } from "./db";
+
+const rpID = "localhost"; // 主机名，不含协议
+
+export const registerOptions = async (c: Context) => {
+  const { username, displayName } = await c.req.json();
+  const db = createDatabaseQuery(c);
+
+  if (!username || !displayName) {
+    return c.json({ error: "Missing username or displayName" }, 400);
+  }
+
+  let user = await db.getUserByUsername(username);
+  if (!user) {
+    // 创建新用户（实际中可能需先验证邮箱等）
+    const crypto = c.env.crypto || globalThis.crypto;
+    const userId = crypto.randomUUID();
+    user = await db.createUser(userId, username, displayName);
+  }
+
+  const existingPasskeys = await db.listPasskeysByUserId(user.id);
+
+  const options = await generateRegistrationOptions({
+    rpName: "bbki.ng",
+    rpID,
+    userID: Buffer.from(user.id),
+    userName: user.username,
+    userDisplayName: user.displayName,
+    timeout: 60000,
+    attestationType: "none",
+    excludeCredentials: existingPasskeys.map((pk) => ({
+      id: atob(pk.id),
+      transports: pk.transports as AuthenticatorTransport[],
+    })),
+    authenticatorSelection: {
+      residentKey: "discouraged",
+      userVerification: "discouraged",
+    },
+    supportedAlgorithmIDs: [-7, -257], // ES256, RS256
+  });
+
+  c.env.KV.put(username, options.challenge, {
+    expirationTtl: 300, // 5 minutes
+  });
+
+  return c.json(options);
+};

package/src/controllers/authn/verify.controller.ts

@@ -0,0 +1,71 @@
+import {
+  RegistrationResponseJSON,
+  verifyRegistrationResponse,
+} from "@simplewebauthn/server";
+import { Context } from "hono";
+import { createDatabaseQuery } from "./db";
+
+const rpID = "localhost"; // 主机名，不含协议
+const origin = `http://${rpID}:8787`; // 完整的来源 URL，含协议和端口
+
+export const verify = async (c: Context) => {
+  const {
+    username,
+    response,
+  }: { username: string; response: RegistrationResponseJSON } =
+    await c.req.json();
+  const db = createDatabaseQuery(c);
+
+  const user = await db.getUserByUsername(username);
+  if (!user) {
+    return c.json({ error: "User not found" }, 404);
+  }
+
+  const challenge = c.env.KV.get(username);
+
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge: challenge,
+      expectedOrigin: origin,
+      expectedRPID: rpID,
+      requireUserVerification: false,
+    });
+  } catch (error) {
+    console.error("Registration verification failed:", error);
+    return c.json({ error: "Registration failed" }, 400);
+  }
+
+  const { verified, registrationInfo } = verification;
+
+  if (!verified || !registrationInfo) {
+    return c.json({ error: "Registration not verified" }, 400);
+  }
+
+  const { credential, credentialDeviceType, credentialBackedUp } =
+    registrationInfo;
+
+  // 将 credentialID 转为 base64url 字符串作为主键
+  const credentialIDStr = credential.id
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+
+  const publicKeyStr = btoa(String.fromCharCode(...credential.publicKey))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+
+  await db.savePasskey({
+    id: credentialIDStr,
+    userId: user.id,
+    publicKey: publicKeyStr,
+    counter: credential.counter,
+    deviceType: credentialDeviceType,
+    backedUp: credentialBackedUp,
+    transports: credential.transports,
+  });
+
+  return c.json({ verified: true });
+};

package/src/controllers/comment/add.controller.ts

@@ -0,0 +1,25 @@
+import { Context } from "hono";
+
+export const addComment = async (c: Context) => {
+  const { articleId, author, content } = await c.req.json();
+
+  try {
+    let { results } = await c.env.DB.prepare(
+      "INSERT INTO comment (article_id, author, content, created_at) VALUES (?, ?, ?, ?);",
+    )
+      .bind(articleId, author, content, new Date().toISOString())
+      .run();
+
+    return c.json({
+      status: "success",
+      message: "Comment added successfully",
+      results,
+    });
+  } catch (error: any) {
+    return c.json({
+      status: "error",
+      message: "Failed to add comment",
+      error: error.message,
+    });
+  }
+};

package/src/controllers/streaming/add.controller.ts

@@ -0,0 +1,93 @@
+import { Context } from "hono";
+import { HTTPException } from "hono/http-exception";
+
+interface AddStreamingRequest {
+  author?: string;
+  content: string;
+  type?: 'note' | 'article' | 'link' | 'image';
+}
+
+const MAX_CONTENT_LENGTH = 50000;
+const ALLOWED_TYPES = ['note', 'article', 'link', 'image'] as const;
+
+const timingSafeEqual = (a: string, b: string): boolean => {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+};
+
+export const addStreaming = async (c: Context) => {
+  try {
+    // 1. 认证（Header 方式）
+    const apiKey = c.req.header('x-api-key');
+    if (!apiKey || !timingSafeEqual(apiKey, c.env.API_KEY)) {
+      throw new HTTPException(401, { message: "Invalid API key" });
+    }
+
+    // 2. 解析与验证
+    const body = await c.req.json<AddStreamingRequest>();
+    
+    if (!body.content || typeof body.content !== "string") {
+      throw new HTTPException(400, { message: "Content is required" });
+    }
+    
+    const content = body.content.trim();
+    if (content.length === 0) {
+      throw new HTTPException(400, { message: "Content cannot be empty" });
+    }
+    if (content.length > MAX_CONTENT_LENGTH) {
+      throw new HTTPException(413, { message: `Content exceeds ${MAX_CONTENT_LENGTH} chars` });
+    }
+
+    const author = (body.author ?? 'bbki.ng').trim();
+    if (author.length > 50) {
+      throw new HTTPException(400, { message: "Author too long" });
+    }
+
+    const type = body.type?.trim();
+    if (type && !ALLOWED_TYPES.includes(type as typeof ALLOWED_TYPES[number])) {
+      throw new HTTPException(400, { message: "Invalid type" });
+    }
+
+    // 3. 数据库检查
+    if (!c.env?.DB) {
+      throw new HTTPException(503, { message: "Database unavailable" });
+    }
+
+    // 4. 写入
+    const id = crypto.randomUUID();
+    const createdAt = new Date().toISOString();
+
+    try {
+      await c.env.DB.prepare(
+        "INSERT INTO streaming (id, author, content, type, created_at) VALUES (?, ?, ?, ?, ?)"
+      )
+        .bind(id, author, content, type || null, createdAt)
+        .run();
+    } catch (dbError) {
+      if (dbError instanceof Error && dbError.message.includes('UNIQUE')) {
+        throw new HTTPException(409, { message: "Duplicate entry" });
+      }
+      throw dbError;
+    }
+
+    return c.json({
+      status: "success",
+      data: { id, author, content, type, createdAt }
+    }, 201);
+
+  } catch (error) {
+    if (error instanceof HTTPException) {
+      return c.json({ status: "error", message: error.message }, error.status);
+    }
+    
+    console.error('Unexpected error:', error);
+    return c.json({ 
+      status: "error", 
+      message: "Internal server error" 
+    }, 500);
+  }
+};

package/src/controllers/streaming/list.controller.ts

@@ -0,0 +1,20 @@
+import { Context } from "hono";
+
+export const listStreaming = async (c: Context) => {
+  try {
+    const { results } = await c.env.DB.prepare(
+      "SELECT id, author, content, type, created_at as createdAt FROM streaming ORDER BY created_at DESC LIMIT 100"
+    ).all();
+
+    return c.json({
+      status: "success",
+      data: results,
+    });
+  } catch (error: any) {
+    return c.json({
+      status: "error",
+      message: "Failed to fetch streaming",
+      error: error.message,
+    }, 500);
+  }
+};

package/src/index.ts

@@ -1,45 +1,15 @@
-import { Hono } from "hono";
-import type { D1Database } from "@cloudflare/workers-types";
-import { cors } from "hono/cors";
+import app from "./config/app.config";
 
-type Bindings = {
-  DB: D1Database;
-};
+import { commentRouter } from "./routes/comment.routes";
+import { authRoutes } from "./routes/authn.routes";
+import { streamingRouter } from "./routes/streaming.routes";
 
-const app = new Hono<{ Bindings: Bindings }>();
+app.route("comment", commentRouter);
+app.route("auth", authRoutes);
+app.route("streaming", streamingRouter);
 
 app.get("/", (c) => {
   return c.text("Hello Hono!");
 });
 
-app.post(
-  "/comment/add",
-  cors({
-    origin: ["https://bbki.ng"],
-  }),
-  async (c) => {
-    const { articleId, author, content } = await c.req.json();
-
-    try {
-      let { results } = await c.env.DB.prepare(
-        "INSERT INTO comment (article_id, author, content, created_at) VALUES (?, ?, ?, ?);",
-      )
-        .bind(articleId, author, content, new Date().toISOString())
-        .run();
-
-      return c.json({
-        status: "success",
-        message: "Comment added successfully",
-        results,
-      });
-    } catch (error: any) {
-      return c.json({
-        status: "error",
-        message: "Failed to add comment",
-        error: error.message,
-      });
-    }
-  },
-);
-
 export default app;

package/src/routes/authn.routes.ts

@@ -0,0 +1,10 @@
+import { Hono } from "hono";
+import { registerOptions } from "../controllers/authn/register.controller";
+import { verify } from "../controllers/authn/verify.controller";
+
+const authRoutes = new Hono();
+
+authRoutes.post("/register/options", registerOptions);
+authRoutes.post("/register/verify", verify);
+
+export { authRoutes };

package/src/routes/comment.routes.ts

@@ -0,0 +1,8 @@
+import { Hono } from "hono";
+import { addComment } from "../controllers/comment/add.controller";
+
+const commentRouter = new Hono();
+
+commentRouter.post("/add", addComment);
+
+export { commentRouter };

package/src/routes/streaming.routes.ts

@@ -0,0 +1,10 @@
+import { Hono } from "hono";
+import { listStreaming } from "../controllers/streaming/list.controller";
+import { addStreaming } from "../controllers/streaming/add.controller";
+
+const streamingRouter = new Hono();
+
+streamingRouter.get("/", listStreaming);
+streamingRouter.post("/", addStreaming);
+
+export { streamingRouter };

package/src/types/index.ts

@@ -0,0 +1,23 @@
+export type User = {
+  id: string;
+  username: string;
+  displayName: string;
+};
+
+export type Passkey = {
+  id: string;
+  userId: string;
+  publicKey: string; // base64url
+  counter: number;
+  deviceType: "singleDevice" | "multiDevice";
+  backedUp: boolean;
+  transports?: string[]; // 存为 JSON 字符串
+};
+
+export type Streaming = {
+  id: string;
+  author: string;
+  content: string;
+  type?: string;
+  createdAt: string;
+};

package/wrangler.jsonc

@@ -28,6 +28,20 @@
       "database_id": "e938a347-b3be-4d60-9217-52f209ab7bb4",
     },
   ],
+  // Add this to your wrangler.jsonc
+  "kv_namespaces": [
+    {
+      "binding": "KV",
+      "id": "91dd9f607aae46e5829080d1c2aa3baa",
+
+      // Optional: preview_id used when running `wrangler dev` for local dev
+      "preview_id": "BBKING_KV_NAMESPACE_PREVIEW_ID",
+    },
+  ],
+  "compatibility_flags": ["nodejs_compat"],
+  "vars": {
+    "API_KEY": "your-secret-api-key-change-in-production"
+  },
   // "ai": {
   //   "binding": "AI"
   // },