@brika/auth 0.1.1

package/src/server/routes/profile.ts

@@ -0,0 +1,162 @@
+/**
+ * Profile routes — update name, avatar upload/remove/serve
+ */
+
+import { inject } from '@brika/di';
+import { BadRequest, rateLimit, route } from '@brika/router';
+import { z } from 'zod';
+import { NameSchema, PasswordSchema } from '../../schemas';
+import { SessionService } from '../../services/SessionService';
+import { UserService } from '../../services/UserService';
+import { requireSession } from '../requireSession';
+import { ImageQuerySchema, serveImage } from '../serveImage';
+
+const IMAGE_MAGIC_BYTES: Array<{
+  mime: string;
+  bytes: number[];
+}> = [
+  {
+    mime: 'image/png',
+    bytes: [0x89, 0x50, 0x4e, 0x47],
+  },
+  {
+    mime: 'image/jpeg',
+    bytes: [0xff, 0xd8, 0xff],
+  },
+  {
+    mime: 'image/webp',
+    bytes: [0x52, 0x49, 0x46, 0x46],
+  }, // "RIFF"
+];
+
+function isValidImage(buffer: Buffer): boolean {
+  return IMAGE_MAGIC_BYTES.some(({ bytes }) => bytes.every((b, i) => buffer[i] === b));
+}
+
+const ChangePasswordSchema = z.object({
+  currentPassword: z.string().min(1),
+  newPassword: PasswordSchema,
+});
+
+const UpdateProfileSchema = z.object({
+  name: NameSchema.optional(),
+});
+
+/** PUT /profile — Update own profile (name) */
+const updateProfile = route.put({
+  path: '/profile',
+  body: UpdateProfileSchema,
+  handler: (ctx) => {
+    const session = requireSession(ctx);
+    const userService = inject(UserService);
+    const user = userService.updateUser(session.userId, {
+      name: ctx.body.name,
+    });
+    return {
+      user,
+    };
+  },
+});
+
+/** PUT /profile/avatar — Upload avatar image */
+const uploadAvatar = route.put({
+  path: '/profile/avatar',
+  handler: async (ctx) => {
+    const session = requireSession(ctx);
+    const contentType = ctx.req.headers.get('content-type') ?? '';
+    let imageBuffer: Buffer;
+
+    if (contentType.includes('application/json')) {
+      const body = (ctx.body ?? {}) as {
+        data: string;
+      };
+      if (!body.data) {
+        throw new BadRequest('Missing image data');
+      }
+      imageBuffer = Buffer.from(body.data, 'base64');
+    } else {
+      imageBuffer = Buffer.from(await ctx.req.arrayBuffer());
+    }
+
+    if (imageBuffer.length === 0) {
+      throw new BadRequest('Empty image data');
+    }
+    if (imageBuffer.length > 5 * 1024 * 1024) {
+      throw new BadRequest('Image too large (max 5MB)');
+    }
+    if (!isValidImage(imageBuffer)) {
+      throw new BadRequest('Invalid image format (PNG, JPEG, or WebP required)');
+    }
+
+    const userService = inject(UserService);
+    const avatarHash = userService.setAvatar(session.userId, imageBuffer);
+    return {
+      ok: true,
+      avatarHash,
+    };
+  },
+});
+
+/** DELETE /profile/avatar — Remove avatar */
+const removeAvatar = route.delete({
+  path: '/profile/avatar',
+  handler: (ctx) => {
+    const session = requireSession(ctx);
+    const userService = inject(UserService);
+    userService.removeAvatar(session.userId);
+    return {
+      ok: true,
+    };
+  },
+});
+
+/** PUT /profile/password — Change own password */
+const changePassword = route.put({
+  path: '/profile/password',
+  middleware: [
+    rateLimit({
+      window: 900,
+      max: 10,
+    }),
+  ],
+  body: ChangePasswordSchema,
+  handler: async (ctx) => {
+    const session = requireSession(ctx);
+
+    const userService = inject(UserService);
+    const valid = await userService.verifyPassword(session.userId, ctx.body.currentPassword);
+    if (!valid) {
+      throw new BadRequest('Invalid current password');
+    }
+
+    try {
+      await userService.setPassword(session.userId, ctx.body.newPassword);
+    } catch (err) {
+      throw new BadRequest(err instanceof Error ? err.message : 'Invalid password');
+    }
+
+    // Revoke all other sessions after password change to invalidate potentially compromised sessions
+    const sessionService = inject(SessionService);
+    sessionService.revokeAllUserSessions(session.userId);
+
+    return {
+      ok: true,
+    };
+  },
+});
+
+/** GET /avatar/:userId — Serve avatar image (?s=128 square, ?w=200&h=100, ?w=200) */
+const getAvatar = route.get({
+  path: '/avatar/:userId',
+  query: ImageQuerySchema,
+  handler: (ctx) => {
+    const userService = inject(UserService);
+    const { userId } = ctx.params as {
+      userId: string;
+    };
+    const avatar = userService.getAvatarData(userId);
+    return serveImage(avatar?.data ?? null, ctx);
+  },
+});
+
+export const profileRoutes = [updateProfile, changePassword, uploadAvatar, removeAvatar, getAvatar];

package/src/server/routes/scopes.ts

@@ -0,0 +1,22 @@
+/**
+ * Scope routes — list available scopes (public)
+ */
+
+import { inject } from '@brika/di';
+import { route } from '@brika/router';
+import { ScopeService } from '../../services/ScopeService';
+
+/** GET /scopes — List all available scopes */
+const listScopes = route.get({
+  path: '/scopes',
+  handler: () => {
+    const scopeService = inject(ScopeService);
+
+    return {
+      scopes: scopeService.getRegistry(),
+      categories: ['admin', 'workflow', 'board', 'plugin', 'settings'],
+    };
+  },
+});
+
+export const scopeRoutes = [listScopes];

package/src/server/routes/sessions.ts

@@ -0,0 +1,68 @@
+/**
+ * Session management routes — list, revoke
+ */
+
+import { inject } from '@brika/di';
+import { Forbidden, route } from '@brika/router';
+import { canAccess } from '../../middleware/canAccess';
+import { SessionService } from '../../services/SessionService';
+import { Scope } from '../../types';
+import { requireSession } from '../requireSession';
+
+/** GET /sessions — List active sessions for current user */
+const listSessions = route.get({
+  path: '/sessions',
+  handler: (ctx) => {
+    const session = requireSession(ctx);
+    const sessionService = inject(SessionService);
+    const sessions = sessionService.listUserSessions(session.userId);
+
+    return {
+      sessions: sessions.map((s) => ({
+        id: s.id,
+        ip: s.ip,
+        userAgent: s.userAgent,
+        createdAt: s.createdAt,
+        lastSeenAt: s.lastSeenAt,
+        current: s.id === session.id,
+      })),
+    };
+  },
+});
+
+/** DELETE /sessions/:id — Revoke a specific session */
+const revokeSession = route.delete({
+  path: '/sessions/:id',
+  handler: (ctx) => {
+    const session = requireSession(ctx);
+    const { id: sessionId } = ctx.params as {
+      id: string;
+    };
+    const sessionService = inject(SessionService);
+
+    const isOwn = sessionService.listUserSessions(session.userId).some((s) => s.id === sessionId);
+    if (!isOwn && !canAccess(session.scopes, Scope.ADMIN_ALL)) {
+      throw new Forbidden();
+    }
+
+    sessionService.revokeSession(sessionId);
+    return {
+      ok: true,
+    };
+  },
+});
+
+/** DELETE /sessions — Revoke all sessions for current user (signs out everywhere) */
+const revokeAllSessions = route.delete({
+  path: '/sessions',
+  handler: (ctx) => {
+    const session = requireSession(ctx);
+    const sessionService = inject(SessionService);
+    sessionService.revokeAllUserSessions(session.userId);
+    return {
+      ok: true,
+    };
+  },
+});
+
+export const sessionRoutes = [listSessions, revokeSession, revokeAllSessions];

package/src/server/routes/setup.ts

@@ -0,0 +1,50 @@
+/**
+ * Setup routes — First-run admin creation
+ *
+ * These routes are public (no auth required) but locked once an admin exists.
+ * Setup status is served by the hub-level route at /api/setup/status which
+ * combines hasAdmin() with the hub's setupCompleted flag.
+ */
+
+import { inject } from '@brika/di';
+import { Conflict, rateLimit, route } from '@brika/router';
+import { Role } from '../../roles';
+import { SetupSchema } from '../../schemas';
+import { AuthService } from '../../services/AuthService';
+import { UserService } from '../../services/UserService';
+import { sessionCookie } from './cookie';
+
+/** POST / — Create the first admin account */
+const createAdmin = route.post({
+  path: '/',
+  middleware: [rateLimit({ window: 60, max: 3 })],
+  body: SetupSchema,
+  handler: async (ctx) => {
+    const userService = inject(UserService);
+    const authService = inject(AuthService);
+
+    if (userService.hasAdmin()) {
+      throw new Conflict('Setup already completed');
+    }
+
+    const { email, name, password } = ctx.body;
+    const user = userService.createUser(email, name, Role.ADMIN);
+    await userService.setPassword(user.id, password);
+
+    // Auto-login: create session and set cookie
+    const ip =
+      ctx.req.headers.get('x-forwarded-for') ?? ctx.req.headers.get('x-real-ip') ?? undefined;
+    const userAgent = ctx.req.headers.get('user-agent') ?? undefined;
+    const result = await authService.login(email, password, ip, userAgent);
+
+    return new Response(JSON.stringify({ user: result.user }), {
+      status: 201,
+      headers: {
+        'Content-Type': 'application/json',
+        'Set-Cookie': sessionCookie(result.token, result.expiresIn),
+      },
+    });
+  },
+});
+
+export const setupRoutes = [createAdmin];

package/src/server/routes/users.ts

@@ -0,0 +1,175 @@
+/**
+ * User admin routes — list, create, get, update, delete, reset password
+ */
+
+import { inject } from '@brika/di';
+import { BadRequest, Forbidden, group, NotFound, route } from '@brika/router';
+import { z } from 'zod';
+import { canAccess } from '../../middleware/canAccess';
+import { requireAuth } from '../../middleware/requireAuth';
+import {
+  CreateUserSchema,
+  NameSchema,
+  PasswordSchema,
+  RoleSchema,
+  ScopeSchema,
+} from '../../schemas';
+import { SessionService } from '../../services/SessionService';
+import { UserService } from '../../services/UserService';
+import { Scope } from '../../types';
+import { requireSession } from '../requireSession';
+
+const UpdateUserSchema = z.object({
+  name: NameSchema.optional(),
+  role: RoleSchema.optional(),
+  isActive: z.boolean().optional(),
+  scopes: z.array(ScopeSchema).optional(),
+});
+
+const ResetPasswordSchema = z.object({
+  password: PasswordSchema,
+});
+
+/** GET / — List all users (admin only) */
+const listUsers = route.get({
+  path: '/',
+  handler: (ctx) => {
+    requireSession(ctx, Scope.ADMIN_ALL);
+
+    const userService = inject(UserService);
+    return {
+      users: userService.listUsers(),
+    };
+  },
+});
+
+/** POST / — Create new user (admin only) */
+const createUser = route.post({
+  path: '/',
+  body: CreateUserSchema,
+  handler: async (ctx) => {
+    requireSession(ctx, Scope.ADMIN_ALL);
+
+    const userService = inject(UserService);
+    const { email, name, role, password } = ctx.body;
+    const user = userService.createUser(email, name, role);
+
+    if (password) {
+      await userService.setPassword(user.id, password);
+    }
+
+    return {
+      status: 201,
+      body: {
+        user,
+      },
+    };
+  },
+});
+
+/** GET /:id — Get user by ID (admin or self) */
+const getUser = route.get({
+  path: '/:id',
+  handler: (ctx) => {
+    const session = requireSession(ctx);
+    const { id: userId } = ctx.params as {
+      id: string;
+    };
+
+    if (!canAccess(session.scopes, Scope.ADMIN_ALL) && session.userId !== userId) {
+      throw new Forbidden();
+    }
+
+    const userService = inject(UserService);
+    const user = userService.getUser(userId);
+    if (!user) {
+      throw new NotFound('User not found');
+    }
+
+    return {
+      user,
+    };
+  },
+});
+
+/** PUT /:id/password — Reset user password (admin only) */
+const resetPassword = route.put({
+  path: '/:id/password',
+  body: ResetPasswordSchema,
+  handler: async (ctx) => {
+    requireSession(ctx, Scope.ADMIN_ALL);
+
+    const userService = inject(UserService);
+    const sessionService = inject(SessionService);
+    const { id: userId } = ctx.params as {
+      id: string;
+    };
+
+    const user = userService.getUser(userId);
+    if (!user) {
+      throw new NotFound('User not found');
+    }
+
+    await userService.setPassword(userId, ctx.body.password);
+    // Revoke all sessions after admin password reset to invalidate potentially compromised sessions
+    sessionService.revokeAllUserSessions(userId);
+    return {
+      ok: true,
+    };
+  },
+});
+
+/** PUT /:id — Update user (admin only) */
+const updateUser = route.put({
+  path: '/:id',
+  body: UpdateUserSchema,
+  handler: (ctx) => {
+    requireSession(ctx, Scope.ADMIN_ALL);
+
+    const userService = inject(UserService);
+    const { id: userId } = ctx.params as {
+      id: string;
+    };
+
+    const user = userService.updateUser(userId, ctx.body);
+
+    return {
+      user,
+    };
+  },
+});
+
+/** DELETE /:id — Delete user (admin only) */
+const deleteUser = route.delete({
+  path: '/:id',
+  handler: (ctx) => {
+    const session = requireSession(ctx, Scope.ADMIN_ALL);
+
+    const { id: userId } = ctx.params as {
+      id: string;
+    };
+
+    if (session.userId === userId) {
+      throw new BadRequest('Cannot delete your own account');
+    }
+
+    const userService = inject(UserService);
+    const sessionService = inject(SessionService);
+    const user = userService.getUser(userId);
+    if (!user) {
+      throw new NotFound('User not found');
+    }
+
+    sessionService.revokeAllUserSessions(userId);
+    userService.deleteUser(user.email);
+    return {
+      ok: true,
+    };
+  },
+});
+
+export const userRoutes = group({
+  prefix: '/api/users',
+  middleware: [requireAuth()],
+  routes: [listUsers, createUser, resetPassword, updateUser, deleteUser, getUser],
+});

package/src/server/serveImage.ts

@@ -0,0 +1,91 @@
+/**
+ * @brika/auth/server - serveImage
+ *
+ * Serve binary image data as a Response with resize, cache, and ETag support.
+ *
+ * Query params (validated via ImageQuerySchema in the route):
+ * - `?s=128`       → square resize (128×128 cover crop)
+ * - `?w=200&h=100` → explicit width/height (cover crop)
+ * - `?w=200`       → resize width, keep aspect ratio
+ * - `?h=100`       → resize height, keep aspect ratio
+ *
+ * All output as webp. Cache-Control + ETag for caching. 304 on match.
+ */
+
+import { photon } from '@brika/photon';
+import { z } from 'zod';
+
+const MAX_PX = 2048;
+const dim = z.coerce.number().int().min(1).max(MAX_PX).optional();
+
+export const ImageQuerySchema = z.object({
+  w: dim,
+  h: dim,
+  s: dim,
+});
+
+export type ImageQuery = z.infer<typeof ImageQuerySchema>;
+
+interface ServeImageOptions {
+  maxAge?: number;
+  immutable?: boolean;
+}
+
+export function serveImage(
+  data: Buffer | null,
+  ctx: {
+    req: Request;
+    query: ImageQuery;
+  },
+  options?: ServeImageOptions
+): Response {
+  if (!data) {
+    return new Response(null, {
+      status: 204,
+    });
+  }
+
+  const maxAge = options?.maxAge ?? 31536000;
+  const { s, w, h } = ctx.query ?? {};
+  const width = s ?? w;
+  const height = s ?? h;
+
+  let output: Buffer = data;
+  if (width ?? height) {
+    const fit = width && height ? 'cover' : 'contain';
+    output = photon(data)
+      .resize({
+        width,
+        height,
+        fit,
+      })
+      .webp()
+      .toBuffer();
+  }
+
+  const etag = `"${Bun.hash(output).toString(36)}"`;
+
+  if (ctx.req.headers.get('if-none-match') === etag) {
+    return new Response(null, {
+      status: 304,
+      headers: {
+        ETag: etag,
+      },
+    });
+  }
+
+  const useImmutable = options?.immutable ?? maxAge > 0;
+  let cacheControl = 'no-cache';
+  if (maxAge > 0) {
+    const suffix = useImmutable ? ', immutable' : ', must-revalidate';
+    cacheControl = `public, max-age=${maxAge}${suffix}`;
+  }
+
+  return new Response(new Uint8Array(output), {
+    headers: {
+      'Content-Type': 'image/webp',
+      'Cache-Control': cacheControl,
+      ETag: etag,
+    },
+  });
+}

package/src/services/AuthService.ts

@@ -0,0 +1,80 @@
+/**
+ * @brika/auth - AuthService
+ * Handles authentication operations using server-side sessions.
+ */
+
+import { inject, injectable } from '@brika/di';
+import { LoginResponse, User } from '../types';
+import { ScopeService } from './ScopeService';
+import { SessionService } from './SessionService';
+import { UserService } from './UserService';
+
+/**
+ * Service for authentication operations
+ */
+@injectable()
+export class AuthService {
+  private readonly sessionService: SessionService;
+  private readonly userService: UserService;
+  private readonly scopeService: ScopeService;
+
+  constructor(userService?: UserService) {
+    if (userService) {
+      this.userService = userService;
+      this.sessionService = inject(SessionService);
+      this.scopeService = inject(ScopeService);
+    } else {
+      this.sessionService = inject(SessionService);
+      this.userService = inject(UserService);
+      this.scopeService = inject(ScopeService);
+    }
+  }
+
+  /**
+   * Login with email and password.
+   * Creates a server-side session and returns the raw token.
+   */
+  async login(
+    email: string,
+    password: string,
+    ip?: string,
+    userAgent?: string
+  ): Promise<LoginResponse> {
+    const user = this.userService.getUserByEmail(email);
+    if (!user) {
+      throw new Error('Invalid credentials');
+    }
+
+    // Deactivated users must not be allowed to log in
+    if (!user.isActive) {
+      throw new Error('Invalid credentials');
+    }
+
+    const passwordValid = await this.userService.verifyPassword(user.id, password);
+    if (!passwordValid) {
+      throw new Error('Invalid credentials');
+    }
+
+    const token = this.sessionService.createSession(user.id, ip, userAgent);
+
+    return {
+      token,
+      user,
+      expiresIn: this.sessionService.getSessionTTL(),
+    };
+  }
+
+  /**
+   * Logout — revoke the current session.
+   */
+  logout(sessionId: string): void {
+    this.sessionService.revokeSession(sessionId);
+  }
+
+  /**
+   * Get current user from user ID.
+   */
+  getCurrentUser(userId: string): User | null {
+    return this.userService.getUser(userId);
+  }
+}