@commonpub/layer 0.3.19 → 0.3.21

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commonpub/layer",
-  "version": "0.3.19",
+  "version": "0.3.21",
   "type": "module",
   "main": "./nuxt.config.ts",
   "files": [
@@ -45,12 +45,12 @@
     "vue-router": "^4.3.0",
     "zod": "^4.3.6",
     "@commonpub/auth": "0.5.0",
-    "@commonpub/docs": "0.5.2",
     "@commonpub/config": "0.7.0",
+    "@commonpub/docs": "0.5.2",
     "@commonpub/editor": "0.5.0",
     "@commonpub/learning": "0.5.0",
     "@commonpub/protocol": "0.9.4",
-    "@commonpub/server": "2.13.0",
+    "@commonpub/server": "2.13.1",
     "@commonpub/schema": "0.8.12",
     "@commonpub/ui": "0.7.1"
   },

package/pages/admin/federation.vue

@@ -2,7 +2,7 @@
 definePageMeta({ layout: 'admin', middleware: 'auth' });
 useSeoMeta({ title: `Federation — Admin — ${useSiteName()}` });
 
-const activeTab = ref<'activity' | 'mirrors' | 'clients' | 'tools'>('activity');
+const activeTab = ref<'activity' | 'mirrors' | 'clients' | 'trusted' | 'tools'>('activity');
 
 const { data: statsData } = await useFetch('/api/admin/federation/stats', {
   default: () => ({ inbound: 0, outbound: 0, pending: 0, failed: 0, followers: 0, following: 0 }),
@@ -21,6 +21,38 @@ const { data: clientsData } = await useFetch<any[]>('/api/admin/federation/clien
   default: () => [],
 });
 
+// Trusted instances
+const { data: trustedData, refresh: refreshTrusted } = await useFetch<{ configDomains: string[]; storedDomains: string[] }>('/api/admin/federation/trusted-instances', {
+  default: () => ({ configDomains: [], storedDomains: [] }),
+});
+
+const newTrustedDomain = ref('');
+const trustedAdding = ref(false);
+
+async function addTrusted(): Promise<void> {
+  const domain = newTrustedDomain.value.trim().toLowerCase();
+  if (!domain) return;
+  trustedAdding.value = true;
+  try {
+    await $fetch('/api/admin/federation/trusted-instances', {
+      method: 'POST',
+      body: { domain },
+    });
+    newTrustedDomain.value = '';
+    await refreshTrusted();
+  } finally {
+    trustedAdding.value = false;
+  }
+}
+
+async function removeTrusted(domain: string): Promise<void> {
+  await $fetch('/api/admin/federation/trusted-instances', {
+    method: 'DELETE',
+    body: { domain },
+  });
+  await refreshTrusted();
+}
+
 // Mirror creation
 const newMirrorDomain = ref('');
 const newMirrorActorUri = ref('');
@@ -179,6 +211,7 @@ async function refederate(): Promise<void> {
       <button :class="{ active: activeTab === 'activity' }" @click="activeTab = 'activity'">Activity</button>
       <button :class="{ active: activeTab === 'mirrors' }" @click="activeTab = 'mirrors'">Mirrors</button>
       <button :class="{ active: activeTab === 'clients' }" @click="activeTab = 'clients'">OAuth Clients</button>
+      <button :class="{ active: activeTab === 'trusted' }" @click="activeTab = 'trusted'">Trusted Instances</button>
       <button :class="{ active: activeTab === 'tools' }" @click="activeTab = 'tools'">Tools</button>
     </div>
 
@@ -282,6 +315,36 @@ async function refederate(): Promise<void> {
       </p>
     </div>
 
+    <!-- Trusted Instances Tab -->
+    <div v-if="activeTab === 'trusted'">
+      <p class="cpub-fed-info-text" style="margin-bottom: 12px;">
+        Trusted instances can use cross-instance SSO to authenticate users on this instance.
+        Domains from the config file cannot be removed here.
+      </p>
+
+      <div class="cpub-fed-form">
+        <input v-model="newTrustedDomain" placeholder="instance.example.com" class="cpub-fed-input" @keydown.enter.prevent="addTrusted" />
+        <button :disabled="trustedAdding || !newTrustedDomain.trim()" class="cpub-fed-btn" @click="addTrusted">
+          {{ trustedAdding ? 'Adding...' : 'Add Instance' }}
+        </button>
+      </div>
+
+      <div class="cpub-fed-activity-list">
+        <div v-if="!trustedData.configDomains.length && !trustedData.storedDomains.length" class="cpub-fed-empty">No trusted instances configured.</div>
+
+        <div v-for="domain in trustedData.configDomains" :key="'config-' + domain" class="cpub-fed-activity-row">
+          <span class="cpub-fed-type">{{ domain }}</span>
+          <span class="cpub-fed-status processed">config</span>
+        </div>
+
+        <div v-for="domain in trustedData.storedDomains" :key="'stored-' + domain" class="cpub-fed-activity-row">
+          <span class="cpub-fed-type">{{ domain }}</span>
+          <span class="cpub-fed-status pending">admin</span>
+          <button class="cpub-fed-btn-sm cpub-fed-btn-danger" @click="removeTrusted(domain)">Remove</button>
+        </div>
+      </div>
+    </div>
+
     <!-- Tools Tab -->
     <div v-if="activeTab === 'tools'">
       <div class="cpub-fed-tools">

package/server/api/admin/federation/trusted-instances.delete.ts

@@ -0,0 +1,17 @@
+import { removeTrustedInstance } from '@commonpub/server';
+import { z } from 'zod';
+
+const removeSchema = z.object({
+  domain: z.string().min(3).max(255),
+});
+
+export default defineEventHandler(async (event) => {
+  requireFeature('admin');
+  requireAdmin(event);
+  const db = useDB();
+  const { domain } = await parseBody(event, removeSchema);
+
+  await removeTrustedInstance(db, domain.toLowerCase());
+
+  return { success: true };
+});

package/server/api/admin/federation/trusted-instances.get.ts

@@ -0,0 +1,16 @@
+import { getStoredTrustedInstances } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  requireFeature('admin');
+  requireAdmin(event);
+  const db = useDB();
+  const config = useConfig();
+
+  const stored = await getStoredTrustedInstances(db);
+  const configDomains = config.auth.trustedInstances ?? [];
+
+  return {
+    configDomains,
+    storedDomains: stored,
+  };
+});

package/server/api/admin/federation/trusted-instances.post.ts

@@ -0,0 +1,17 @@
+import { addTrustedInstance } from '@commonpub/server';
+import { z } from 'zod';
+
+const addSchema = z.object({
+  domain: z.string().min(3).max(255).regex(/^[a-zA-Z0-9][a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/, 'Invalid domain format'),
+});
+
+export default defineEventHandler(async (event) => {
+  requireFeature('admin');
+  requireAdmin(event);
+  const db = useDB();
+  const { domain } = await parseBody(event, addSchema);
+
+  await addTrustedInstance(db, domain.toLowerCase());
+
+  return { success: true, domain: domain.toLowerCase() };
+});

package/server/api/auth/federated/login.post.ts

@@ -1,5 +1,5 @@
-import { discoverOAuthEndpoint, isTrustedInstance } from '@commonpub/auth';
-import { storeOAuthState } from '@commonpub/server';
+import { discoverOAuthEndpoint } from '@commonpub/auth';
+import { storeOAuthState, isDomainTrusted } from '@commonpub/server';
 import { z } from 'zod';
 
 const loginSchema = z.object({
@@ -19,7 +19,8 @@ export default defineEventHandler(async (event) => {
   const db = useDB();
   const { instanceDomain, clientId, clientSecret } = await parseBody(event, loginSchema);
 
-  if (!isTrustedInstance(config, instanceDomain)) {
+  const trusted = await isDomainTrusted(db, config, instanceDomain);
+  if (!trusted) {
     throw createError({
       statusCode: 403,
       statusMessage: `Instance ${instanceDomain} is not in the trusted instances list`,

package/server/middleware/auth.ts

@@ -145,8 +145,12 @@ export default defineEventHandler(async (event) => {
     return;
   }
 
-  // Handle auth API routes
-  if (pathname.startsWith('/api/auth')) {
+  // Handle auth API routes — skip our custom federated/oauth2 routes (Nitro handles those)
+  const isBetterAuthRoute = pathname.startsWith('/api/auth')
+    && !pathname.startsWith('/api/auth/federated/')
+    && !pathname.startsWith('/api/auth/oauth2/');
+
+  if (isBetterAuthRoute) {
     try {
       const response = await middleware.handleAuthRoute(
         toWebRequest(event),