@commonpub/layer 0.1.0

package/server/api/admin/users/[id]/role.put.ts

@@ -0,0 +1,12 @@
+import { updateUserRole } from '@commonpub/server';
+import { adminUpdateRoleSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<void> => {
+  requireFeature('admin');
+  const admin = requireAdmin(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+  const input = await parseBody(event, adminUpdateRoleSchema);
+
+  return updateUserRole(db, id, input.role, admin.id);
+});

package/server/api/admin/users/[id]/status.put.ts

@@ -0,0 +1,12 @@
+import { updateUserStatus } from '@commonpub/server';
+import { adminUpdateStatusSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<void> => {
+  requireFeature('admin');
+  const admin = requireAdmin(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+  const input = await parseBody(event, adminUpdateStatusSchema);
+
+  return updateUserStatus(db, id, input.status, admin.id);
+});

package/server/api/admin/users/[id].delete.ts

@@ -0,0 +1,10 @@
+import { deleteUser } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<void> => {
+  requireFeature('admin');
+  const admin = requireAdmin(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  return deleteUser(db, id, admin.id);
+});

package/server/api/admin/users.get.ts

@@ -0,0 +1,18 @@
+import { listUsers } from '@commonpub/server';
+import type { PaginatedResponse, UserListItem } from '@commonpub/server';
+import { z } from 'zod';
+
+const adminUsersQuerySchema = z.object({
+  search: z.string().max(200).optional(),
+  limit: z.coerce.number().int().positive().max(100).optional(),
+  offset: z.coerce.number().int().min(0).optional(),
+});
+
+export default defineEventHandler(async (event): Promise<PaginatedResponse<UserListItem>> => {
+  requireFeature('admin');
+  requireAdmin(event);
+  const db = useDB();
+  const filters = parseQueryParams(event, adminUsersQuerySchema);
+
+  return listUsers(db, filters);
+});

package/server/api/auth/federated/callback.get.ts

@@ -0,0 +1,67 @@
+import { consumeOAuthState, exchangeCodeForToken, linkFederatedAccount } from '@commonpub/server';
+import { z } from 'zod';
+
+const callbackSchema = z.object({
+  code: z.string(),
+  state: z.string(),
+});
+
+/**
+ * OAuth2 callback handler for federated login.
+ * Exchanges authorization code for token, links federated account.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('federation');
+  const db = useDB();
+  const { code, state: stateToken } = parseQueryParams(event, callbackSchema);
+
+  // Retrieve and consume the stored OAuth state (single-use, 10min TTL)
+  const oauthState = await consumeOAuthState(db, stateToken);
+  if (!oauthState) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Invalid or expired OAuth state. Please try logging in again.',
+    });
+  }
+
+  // Exchange the authorization code for an access token + user info
+  const tokenResult = await exchangeCodeForToken(oauthState, code);
+  if (!tokenResult) {
+    throw createError({
+      statusCode: 502,
+      statusMessage: 'Failed to exchange authorization code with the remote instance.',
+    });
+  }
+
+  // Check if a local user is already linked to this federated account
+  const { findUserByFederatedAccount } = await import('@commonpub/server');
+  const existingLink = await findUserByFederatedAccount(db, tokenResult.user.actorUri);
+
+  if (existingLink) {
+    // User already linked — redirect to dashboard
+    // In a full implementation, this would also create a Better Auth session
+    return sendRedirect(event, `/dashboard?federated=linked&user=${existingLink.username}`, 302);
+  }
+
+  // Check if the current user is logged in — if so, link to their account
+  const auth = event.context.auth;
+  if (auth?.user) {
+    await linkFederatedAccount(db, auth.user.id, tokenResult.user.actorUri, oauthState.instanceDomain, {
+      preferredUsername: tokenResult.user.username,
+      displayName: tokenResult.user.displayName ?? undefined,
+      avatarUrl: tokenResult.user.avatarUrl ?? undefined,
+    });
+
+    return sendRedirect(event, '/settings/account?federated=linked', 302);
+  }
+
+  // Not logged in and no existing link — redirect to login page with federated context
+  // The user needs to either create an account or log in to link
+  const params = new URLSearchParams({
+    federated: 'true',
+    actorUri: tokenResult.user.actorUri,
+    username: tokenResult.user.username,
+    instance: oauthState.instanceDomain,
+  });
+  return sendRedirect(event, `/auth/login?${params.toString()}`, 302);
+});

package/server/api/auth/federated/login.post.ts

@@ -0,0 +1,60 @@
+import { discoverOAuthEndpoint, isTrustedInstance } from '@commonpub/auth';
+import { storeOAuthState } from '@commonpub/server';
+import { z } from 'zod';
+
+const loginSchema = z.object({
+  instanceDomain: z.string().min(3).max(255),
+  /** Client credentials — in production these come from admin-registered clients */
+  clientId: z.string().optional(),
+  clientSecret: z.string().optional(),
+});
+
+/**
+ * Initiate federated login. Discovers OAuth endpoints via WebFinger,
+ * stores state for callback, returns authorization URL.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('federation');
+  const config = useConfig();
+  const db = useDB();
+  const { instanceDomain, clientId, clientSecret } = await parseBody(event, loginSchema);
+
+  if (!isTrustedInstance(config, instanceDomain)) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: `Instance ${instanceDomain} is not in the trusted instances list`,
+    });
+  }
+
+  const endpoints = await discoverOAuthEndpoint(instanceDomain, 'instance');
+  if (!endpoints) {
+    throw createError({
+      statusCode: 502,
+      statusMessage: `Could not discover OAuth endpoints for ${instanceDomain}`,
+    });
+  }
+
+  const redirectUri = `https://${config.instance.domain}/api/auth/federated/callback`;
+  const effectiveClientId = clientId ?? `cpub_${config.instance.domain}`;
+  const effectiveClientSecret = clientSecret ?? '';
+
+  // Store state for the callback handler
+  const stateToken = await storeOAuthState(db, {
+    tokenEndpoint: endpoints.tokenEndpoint,
+    clientId: effectiveClientId,
+    clientSecret: effectiveClientSecret,
+    redirectUri,
+    instanceDomain,
+  });
+
+  const authUrl = new URL(endpoints.authorizationEndpoint);
+  authUrl.searchParams.set('client_id', effectiveClientId);
+  authUrl.searchParams.set('redirect_uri', redirectUri);
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('state', stateToken);
+
+  return {
+    authorizationUrl: authUrl.toString(),
+    state: stateToken,
+  };
+});

package/server/api/auth/oauth2/authorize.get.ts

@@ -0,0 +1,30 @@
+import { z } from 'zod';
+
+const authorizeQuerySchema = z.object({
+  client_id: z.string(),
+  redirect_uri: z.string().url(),
+  response_type: z.string(),
+  scope: z.string().optional(),
+  state: z.string().optional(),
+});
+
+/**
+ * OAuth2 authorize endpoint (GET).
+ * Returns the authorization parameters for the consent page to render.
+ * The actual authorization happens via POST after user consents.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const query = parseQueryParams(event, authorizeQuerySchema);
+
+  // Return params for the consent page to display
+  return {
+    clientId: query.client_id,
+    redirectUri: query.redirect_uri,
+    responseType: query.response_type,
+    scope: query.scope,
+    state: query.state,
+    user: { username: user.username },
+  };
+});

package/server/api/auth/oauth2/authorize.post.ts

@@ -0,0 +1,51 @@
+import { processAuthorize } from '@commonpub/server';
+import { z } from 'zod';
+
+const authorizeSchema = z.object({
+  clientId: z.string(),
+  redirectUri: z.string().url(),
+  responseType: z.string(),
+  scope: z.string().optional(),
+  state: z.string().optional(),
+});
+
+/**
+ * OAuth2 authorize endpoint (POST).
+ * Called when user approves the consent screen.
+ * Generates auth code and returns redirect URL.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const input = await parseBody(event, authorizeSchema);
+
+  const result = await processAuthorize(
+    db,
+    {
+      clientId: input.clientId,
+      redirectUri: input.redirectUri,
+      responseType: input.responseType,
+      scope: input.scope,
+      state: input.state,
+    },
+    user.id,
+    config.instance.domain,
+  );
+
+  if ('error' in result) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: result.errorDescription,
+      data: { error: result.error },
+    });
+  }
+
+  // Build redirect URL with code and state
+  const redirectUrl = new URL(result.redirectUri);
+  redirectUrl.searchParams.set('code', result.code);
+  if (result.state) redirectUrl.searchParams.set('state', result.state);
+
+  return { redirectUrl: redirectUrl.toString() };
+});

package/server/api/auth/oauth2/register.post.ts

@@ -0,0 +1,41 @@
+import { processDynamicRegistration } from '@commonpub/server';
+import { z } from 'zod';
+
+const registerSchema = z.object({
+  client_name: z.string().min(1).max(255),
+  redirect_uris: z.array(z.string().url()).min(1),
+  client_uri: z.string().url().optional(),
+  instance_domain: z.string().min(3).max(255),
+});
+
+/**
+ * Dynamic OAuth client registration endpoint.
+ * Allows remote CommonPub instances to auto-register for SSO.
+ * No auth required — the whole point is zero-friction instance-to-instance setup.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('federation');
+  const db = useDB();
+  const input = await parseBody(event, registerSchema);
+
+  const result = await processDynamicRegistration(db, {
+    clientName: input.client_name,
+    redirectUris: input.redirect_uris,
+    clientUri: input.client_uri,
+    instanceDomain: input.instance_domain,
+  });
+
+  if ('error' in result) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: result.errorDescription,
+      data: { error: result.error },
+    });
+  }
+
+  return {
+    client_id: result.clientId,
+    client_secret: result.clientSecret,
+    registration_type: 'dynamic',
+  };
+});

package/server/api/auth/oauth2/token.post.ts

@@ -0,0 +1,48 @@
+import { processTokenExchange } from '@commonpub/server';
+import { z } from 'zod';
+
+const tokenSchema = z.object({
+  grant_type: z.string(),
+  code: z.string(),
+  client_id: z.string(),
+  client_secret: z.string(),
+  redirect_uri: z.string().url(),
+});
+
+/**
+ * OAuth2 token endpoint.
+ * Exchanges authorization code for access token + user info.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('federation');
+  const db = useDB();
+  const config = useConfig();
+  const input = await parseBody(event, tokenSchema);
+
+  const result = await processTokenExchange(
+    db,
+    {
+      grantType: input.grant_type,
+      code: input.code,
+      clientId: input.client_id,
+      clientSecret: input.client_secret,
+      redirectUri: input.redirect_uri,
+    },
+    config.instance.domain,
+  );
+
+  if ('error' in result) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: result.errorDescription,
+      data: { error: result.error },
+    });
+  }
+
+  return {
+    access_token: result.accessToken,
+    token_type: result.tokenType,
+    expires_in: result.expiresIn,
+    user: result.user,
+  };
+});

package/server/api/cert/[code].get.ts

@@ -0,0 +1,13 @@
+import { getCertificateByCode } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  const db = useDB();
+  const { code } = parseParams(event, { code: 'string' });
+
+  const result = await getCertificateByCode(db, code);
+  if (!result) {
+    throw createError({ statusCode: 404, statusMessage: 'Certificate not found' });
+  }
+
+  return result;
+});

package/server/api/content/[id]/build.post.ts

@@ -0,0 +1,9 @@
+import { toggleBuildMark } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ marked: boolean; count: number }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  return toggleBuildMark(db, id, user.id);
+});

package/server/api/content/[id]/fork.post.ts

@@ -0,0 +1,10 @@
+import { forkContent } from '@commonpub/server';
+import type { ContentDetail } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<ContentDetail> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  return forkContent(db, id, user.id);
+});

package/server/api/content/[id]/index.delete.ts

@@ -0,0 +1,18 @@
+import { deleteContent, onContentDeleted } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  const deleted = await deleteContent(db, id, user.id);
+  if (!deleted) {
+    throw createError({ statusCode: 404, statusMessage: 'Content not found or not owned by you' });
+  }
+
+  // Federate the deletion (content row still exists as soft-deleted, slug available)
+  await onContentDeleted(db, id, user.username, config);
+
+  return { success: true };
+});

package/server/api/content/[id]/index.get.ts

@@ -0,0 +1,15 @@
+import { getContentBySlug } from '@commonpub/server';
+import type { ContentDetail } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<ContentDetail> => {
+  const db = useDB();
+  // Param is named 'id' (directory name) but the value is a slug for GET requests
+  const { id: slugOrId } = parseParams(event, { id: 'string' });
+  const user = getOptionalUser(event);
+
+  const content = await getContentBySlug(db, slugOrId, user?.id);
+  if (!content) {
+    throw createError({ statusCode: 404, statusMessage: 'Content not found' });
+  }
+  return content;
+});

package/server/api/content/[id]/index.put.ts

@@ -0,0 +1,23 @@
+import { updateContent, onContentUpdated } from '@commonpub/server';
+import type { ContentDetail } from '@commonpub/server';
+import { updateContentSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<ContentDetail> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { id } = parseParams(event, { id: 'uuid' });
+  const input = await parseBody(event, updateContentSchema);
+
+  const content = await updateContent(db, id, user.id, input);
+  if (!content) {
+    throw createError({ statusCode: 404, statusMessage: 'Content not found or not owned by you' });
+  }
+
+  // Only federate updates to published content
+  if (content.status === 'published') {
+    await onContentUpdated(db, id, config);
+  }
+
+  return content;
+});

package/server/api/content/[id]/products/[productId].delete.ts

@@ -0,0 +1,28 @@
+import { removeContentProduct } from '@commonpub/server';
+import { eq, and } from 'drizzle-orm';
+import { contentItems } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<{ removed: boolean }> => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const { id, productId } = parseParams(event, { id: 'uuid', productId: 'uuid' });
+
+  // Ownership check
+  const [content] = await db
+    .select({ authorId: contentItems.authorId })
+    .from(contentItems)
+    .where(and(eq(contentItems.id, id), eq(contentItems.authorId, user.id)))
+    .limit(1);
+
+  if (!content) {
+    throw createError({ statusCode: 403, statusMessage: 'Not authorized to modify this content' });
+  }
+
+  const removed = await removeContentProduct(db, id, productId);
+
+  if (!removed) {
+    throw createError({ statusCode: 404, statusMessage: 'Product link not found' });
+  }
+
+  return { removed: true };
+});

package/server/api/content/[id]/products-sync.post.ts

@@ -0,0 +1,29 @@
+import { syncContentProducts } from '@commonpub/server';
+import type { ContentProductItem } from '@commonpub/server';
+import { eq, and } from 'drizzle-orm';
+import { contentItems } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<ContentProductItem[]> => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  // Ownership check
+  const [content] = await db
+    .select({ authorId: contentItems.authorId })
+    .from(contentItems)
+    .where(and(eq(contentItems.id, id), eq(contentItems.authorId, user.id)))
+    .limit(1);
+
+  if (!content) {
+    throw createError({ statusCode: 403, statusMessage: 'Not authorized to modify this content' });
+  }
+
+  const body = await readBody(event);
+
+  if (!Array.isArray(body?.items)) {
+    throw createError({ statusCode: 400, statusMessage: 'items array is required' });
+  }
+
+  return syncContentProducts(db, id, body.items);
+});

package/server/api/content/[id]/products.get.ts

@@ -0,0 +1,9 @@
+import { listContentProducts } from '@commonpub/server';
+import type { ContentProductItem } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<ContentProductItem[]> => {
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  return listContentProducts(db, id);
+});

package/server/api/content/[id]/products.post.ts

@@ -0,0 +1,31 @@
+import { addContentProduct } from '@commonpub/server';
+import type { ContentProductItem } from '@commonpub/server';
+import { addContentProductSchema } from '@commonpub/schema';
+import { eq, and } from 'drizzle-orm';
+import { contentItems } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<ContentProductItem> => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+  const input = await parseBody(event, addContentProductSchema);
+
+  // Ownership check
+  const [content] = await db
+    .select({ authorId: contentItems.authorId })
+    .from(contentItems)
+    .where(and(eq(contentItems.id, id), eq(contentItems.authorId, user.id)))
+    .limit(1);
+
+  if (!content) {
+    throw createError({ statusCode: 403, statusMessage: 'Not authorized to modify this content' });
+  }
+
+  const result = await addContentProduct(db, id, input);
+
+  if (!result) {
+    throw createError({ statusCode: 404, statusMessage: 'Product not found or already linked' });
+  }
+
+  return result;
+});

package/server/api/content/[id]/publish.post.ts

@@ -0,0 +1,17 @@
+import { publishContent, onContentPublished } from '@commonpub/server';
+import type { ContentDetail } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<ContentDetail> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  const content = await publishContent(db, id, user.id);
+  if (!content) {
+    throw createError({ statusCode: 404, statusMessage: 'Content not found or not owned by you' });
+  }
+
+  await onContentPublished(db, id, config);
+  return content;
+});

package/server/api/content/[id]/report.post.ts

@@ -0,0 +1,17 @@
+import { createReport } from '@commonpub/server';
+import { createReportSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<{ id: string }> => {
+  const db = useDB();
+  const user = requireAuth(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  const body = await readBody(event);
+  const parsed = createReportSchema.safeParse({ ...body, targetId: id });
+
+  if (!parsed.success) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid input', data: parsed.error.flatten() });
+  }
+
+  return createReport(db, user.id, parsed.data);
+});

package/server/api/content/[id]/versions.get.ts

@@ -0,0 +1,9 @@
+import { listContentVersions } from '@commonpub/server';
+import type { ContentVersionItem } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<ContentVersionItem[]> => {
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  return listContentVersions(db, id);
+});

package/server/api/content/[id]/view.post.ts

@@ -0,0 +1,34 @@
+import { incrementViewCount } from '@commonpub/server';
+
+// Simple in-memory dedup — tracks IP+contentId pairs for 5 minutes
+const recentViews = new Map<string, number>();
+const VIEW_COOLDOWN_MS = 5 * 60 * 1000;
+
+// Periodic cleanup every 2 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, ts] of recentViews) {
+    if (now - ts > VIEW_COOLDOWN_MS) recentViews.delete(key);
+  }
+}, 120_000);
+
+export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  // De-duplicate views per IP + content within cooldown window
+  const ip = getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
+    || getRequestHeader(event, 'x-real-ip')
+    || 'unknown';
+  const dedupKey = `${ip}:${id}`;
+  const lastView = recentViews.get(dedupKey);
+
+  if (lastView && Date.now() - lastView < VIEW_COOLDOWN_MS) {
+    // Already counted recently — skip but return success
+    return { success: true };
+  }
+
+  recentViews.set(dedupKey, Date.now());
+  await incrementViewCount(db, id);
+  return { success: true };
+});

package/server/api/content/index.get.ts

@@ -0,0 +1,23 @@
+import { listContent } from '@commonpub/server';
+import type { PaginatedResponse, ContentListItem } from '@commonpub/server';
+import { contentFiltersSchema } from '@commonpub/schema';
+
+export default defineEventHandler(async (event): Promise<PaginatedResponse<ContentListItem>> => {
+  const db = useDB();
+  const user = getOptionalUser(event);
+  const filters = parseQueryParams(event, contentFiltersSchema);
+
+  const isOwnContent = filters.authorId && user?.id === filters.authorId;
+
+  const config = useConfig();
+
+  return listContent(db, {
+    ...filters,
+    status: isOwnContent ? filters.status : (filters.status ?? 'published'),
+    // Only show public content unless viewing own content
+    visibility: isOwnContent ? filters.visibility : 'public',
+  }, {
+    includeFederated: config.features.seamlessFederation,
+    allowedContentTypes: config.instance.contentTypes,
+  });
+});