@crowi/api 2.0.0-alpha.0

package/dist/hono/handlers/activation.d.ts

@@ -0,0 +1,117 @@
+import type { OpenAPIHono } from '@hono/zod-openapi';
+import type Crowi from '../../crowi';
+import type { CrowiHonoBindings } from '../app';
+export declare const registerActivationRoutes: <E extends OpenAPIHono<CrowiHonoBindings>>(app: E, crowi: Crowi) => OpenAPIHono<CrowiHonoBindings, {
+    "/auth/activate": {
+        $get: {
+            input: {
+                query: {
+                    token: string;
+                };
+            };
+            output: {
+                ok: true;
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                query: {
+                    token: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {
+                query: {
+                    token: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        };
+    };
+} & {
+    "/auth/activate": {
+        $post: {
+            input: {
+                json: {
+                    token: string;
+                };
+            };
+            output: {
+                accessToken: string;
+                refreshToken: string;
+                expiresIn: number;
+                user: {
+                    id: string;
+                    username: string;
+                    email: string;
+                    name: string;
+                    image?: string | undefined;
+                    admin?: boolean | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                json: {
+                    token: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {
+                json: {
+                    token: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 404;
+        } | {
+            input: {
+                json: {
+                    token: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        };
+    };
+}, "/">;

package/dist/hono/handlers/activation.js

@@ -0,0 +1,77 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerActivationRoutes = void 0;
+/**
+ * Public account-activation (email confirmation) handler.
+ *
+ *   GET  /auth/activate?token= — validate token for the page preflight
+ *   POST /auth/activate        — confirm email, activate, sign in
+ *
+ * The signed activation token (purpose `'activate'`, minted during
+ * self-registration) is the credential, so both routes are public.
+ */
+const api_contract_1 = require("@crowi/api-contract");
+const debug_1 = __importDefault(require("debug"));
+const jwt_1 = require("../../util/jwt");
+const mail_token_1 = require("../../util/mail-token");
+const errors_1 = require("./_helpers/errors");
+const user_shape_1 = require("./_helpers/user-shape");
+const debug = (0, debug_1.default)('crowi:hono:handlers:activation');
+const INVALID_TOKEN_BODY = {
+    error: { code: 'INVALID_ACTIVATION_TOKEN', message: 'Activation token is invalid or expired' },
+};
+const registerActivationRoutes = (app, crowi) => {
+    const User = crowi.model('User');
+    const jwtUtil = (0, jwt_1.createJwtUtil)(crowi);
+    const mailTokenUtil = (0, mail_token_1.createMailTokenUtil)();
+    return app
+        .openapi(api_contract_1.activationRoutes.validateActivationTokenRoute, async (c) => {
+        const { token } = c.req.valid('query');
+        const payload = mailTokenUtil.verifyMailToken(token, 'activate');
+        if (!payload) {
+            return c.json(INVALID_TOKEN_BODY, 401);
+        }
+        return c.json({ ok: true }, 200);
+    })
+        .openapi(api_contract_1.activationRoutes.activateAccountRoute, async (c) => {
+        const { token } = c.req.valid('json');
+        try {
+            const payload = mailTokenUtil.verifyMailToken(token, 'activate');
+            if (!payload) {
+                return c.json(INVALID_TOKEN_BODY, 401);
+            }
+            const user = await User.findById(payload.userId);
+            if (!user) {
+                return c.json({ error: { code: 'USER_NOT_FOUND', message: 'User no longer exists' } }, 404);
+            }
+            // Idempotent: a second click on a still-valid link just signs in.
+            if (user.emailConfirmedAt == null) {
+                user.emailConfirmedAt = new Date();
+            }
+            // Becoming ACTIVE must go through statusActivate so the 'activated'
+            // event fires and the user's wiki page is created at confirmation
+            // time (the same hook admin approval uses). A plain save() would
+            // skip it, leaving confirmed users without a user page.
+            let saved;
+            if (user.status === User.STATUS_REGISTERED) {
+                saved = await new Promise((resolve, reject) => {
+                    user.statusActivate((err, userData) => (err ? reject(err) : resolve(userData)));
+                });
+            }
+            else {
+                saved = await user.save();
+            }
+            const tokens = jwtUtil.generateTokens(saved);
+            return c.json({ ...tokens, user: (0, user_shape_1.toAuthUser)(saved) }, 200);
+        }
+        catch (error) {
+            debug('activation error:', error);
+            return c.json(errors_1.INTERNAL_ERROR_BODY, 500);
+        }
+    });
+};
+exports.registerActivationRoutes = registerActivationRoutes;
+//# sourceMappingURL=activation.js.map

package/dist/hono/handlers/activation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"activation.js","sourceRoot":"","sources":["../../../src/hono/handlers/activation.ts"],"names":[],"mappings":";;;;;;AAAA;;;;;;;;GAQG;AACH,sDAAuD;AAEvD,kDAA0B;AAI1B,sCAA6C;AAC7C,oDAA0D;AAI1D,8CAAwD;AACxD,sDAAmD;AAEnD,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,gCAAgC,CAAC,CAAC;AAEtD,MAAM,kBAAkB,GAAG;IACzB,KAAK,EAAE,EAAE,IAAI,EAAE,0BAAmC,EAAE,OAAO,EAAE,wCAAiD,EAAE;CACjH,CAAC;AAEK,MAAM,wBAAwB,GAAG,CAA2C,GAAM,EAAE,KAAY,EAAE,EAAE;IACzG,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,IAAA,mBAAa,EAAC,KAAK,CAAC,CAAC;IACrC,MAAM,aAAa,GAAG,IAAA,gCAAmB,GAAE,CAAC;IAE5C,OAAO,GAAG;SACP,OAAO,CAAC,+BAAgB,CAAC,4BAA4B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAClE,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,aAAa,CAAC,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACjE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,CAAC,IAAI,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAa,EAAE,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC;SACD,OAAO,CAAC,+BAAgB,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1D,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEtC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,aAAa,CAAC,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;YACjE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,CAAC,IAAI,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;YACzC,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,gBAAyB,EAAE,OAAO,EAAE,uBAAuB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YACvG,CAAC;YAED,kEAAkE;YAClE,IAAI,IAAI,CAAC,gBAAgB,IAAI,IAAI,EAAE,CAAC;gBAClC,IAAI,CAAC,gBAAgB,GAAG,IAAI,IAAI,EAAE,CAAC;YACrC,CAAC;YAED,oEAAoE;YACpE,kEAAkE;YAClE,iEAAiE;YACjE,wDAAwD;YACxD,IAAI,KAAmB,CAAC;YACxB,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC3C,KAAK,GAAG,MAAM,IAAI,OAAO,CAAe,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC1D,IAAI,CAAC,cAAc,CAAC,CAAC,GAAiB,EAAE,QAAsB,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;gBAC9G,CAAC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAC7C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,IAAA,uBAAU,EAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,KAAK,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;YAClC,OAAO,CAAC,CAAC,IAAI,CAAC,4BAAmB,EAAE,GAAG,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC,CAAC;AArDW,QAAA,wBAAwB,4BAqDnC"}

package/dist/hono/handlers/admin/app.d.ts

@@ -0,0 +1,123 @@
+import type { OpenAPIHono } from '@hono/zod-openapi';
+import type Crowi from '../../../crowi';
+import type { CrowiHonoBindings } from '../../app';
+export declare const registerAdminAppRoutes: <E extends OpenAPIHono<CrowiHonoBindings>>(app: E, crowi: Crowi) => OpenAPIHono<CrowiHonoBindings, {
+    "/admin/app": {
+        $get: {
+            input: {};
+            output: {
+                app: {
+                    title: string;
+                    confidential: string;
+                };
+                isUploadable: boolean;
+                registrationMode: {
+                    [x: string]: string;
+                };
+                setupChecklistDismissed: boolean;
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {};
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED";
+                    message: "Authentication is required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {};
+            output: {
+                error: {
+                    code: "ADMIN_REQUIRED";
+                    message: "Admin permission required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 403;
+        };
+    };
+} & {
+    "/admin/app": {
+        $put: {
+            input: {
+                json: {
+                    app?: {
+                        title?: string | undefined;
+                        confidential?: string | undefined;
+                    } | undefined;
+                    setupChecklistDismissed?: boolean | undefined;
+                };
+            };
+            output: {
+                ok: true;
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                json: {
+                    app?: {
+                        title?: string | undefined;
+                        confidential?: string | undefined;
+                    } | undefined;
+                    setupChecklistDismissed?: boolean | undefined;
+                };
+            };
+            output: {
+                bodyResult: {
+                    issues: {
+                        path: (string | number)[];
+                        message: string;
+                    }[];
+                    name?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 400;
+        } | {
+            input: {
+                json: {
+                    app?: {
+                        title?: string | undefined;
+                        confidential?: string | undefined;
+                    } | undefined;
+                    setupChecklistDismissed?: boolean | undefined;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED";
+                    message: "Authentication is required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {
+                json: {
+                    app?: {
+                        title?: string | undefined;
+                        confidential?: string | undefined;
+                    } | undefined;
+                    setupChecklistDismissed?: boolean | undefined;
+                };
+            };
+            output: {
+                error: {
+                    code: "ADMIN_REQUIRED";
+                    message: "Admin permission required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 403;
+        };
+    };
+}, "/">;

package/dist/hono/handlers/admin/app.js

@@ -0,0 +1,76 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerAdminAppRoutes = void 0;
+/**
+ * RFC-0006 Phase 4 Batch 9 — `admin.app` resource Hono port.
+ *
+ * Replaces `packages/api/src/routes/ts-rest/admin/app.ts`. Two
+ * admin-only endpoints:
+ *
+ *   GET /admin/app   — read the current `app:*` slice (plus derived
+ *                       fields the App admin page header displays)
+ *   PUT /admin/app   — partial update of `app:*`
+ *
+ * Auth:
+ *   - Both endpoints are admin-only. The handler installs
+ *     `createJwtAdminRequired(crowi)` broadly on `/admin/app/*` and the
+ *     bare `/admin/app` literal (no nested routes today, but the broad
+ *     apply future-proofs sub-paths). Same install pattern as the other
+ *     8 Batch 9 admin sub-contracts.
+ *
+ * Wire-format parity:
+ *   - The 503-shaped validation envelope follows the legacy `bodyResult`
+ *     shape via the contract's `hook` override (see
+ *     `contracts/admin/app.ts:appSettingsValidationHook`).
+ */
+const api_contract_1 = require("@crowi/api-contract");
+const debug_1 = __importDefault(require("debug"));
+const admin_config_1 = require("../../../util/admin-config");
+const admin_1 = require("../../middleware/admin");
+const config_1 = require("../../../models/config");
+const debug = (0, debug_1.default)('crowi:hono:handlers:admin:app');
+const registerAdminAppRoutes = (app, crowi) => {
+    const Config = crowi.model('Config');
+    // `/admin/app/*` plus the bare `/admin/app` literal. Hono routes the
+    // bare path separately from the wildcard family (the `*` matches one
+    // or more segments), so both installs are required.
+    app.use('/admin/app/*', (0, admin_1.createJwtAdminRequired)(crowi));
+    app.use('/admin/app', (0, admin_1.createJwtAdminRequired)(crowi));
+    return app
+        .openapi(api_contract_1.adminAppRoutes.getAppSettingsRoute, async (c) => {
+        const crowiNs = (0, admin_config_1.getCrowiConfigNamespace)(crowi);
+        const isUploadable = Config.isUploadable();
+        return c.json({
+            app: {
+                title: (0, admin_config_1.coerceString)(crowiNs['app:title']),
+                confidential: (0, admin_config_1.coerceString)(crowiNs['app:confidential']),
+            },
+            isUploadable,
+            registrationMode: config_1.registrationMode,
+            setupChecklistDismissed: (0, admin_config_1.coerceBoolean)(crowiNs['app:setupChecklistDismissed']),
+        }, 200);
+    })
+        .openapi(api_contract_1.adminAppRoutes.updateAppSettingsRoute, async (c) => {
+        const body = c.req.valid('json');
+        const updates = {};
+        if (body.app) {
+            if (body.app.title !== undefined)
+                updates['app:title'] = body.app.title;
+            if (body.app.confidential !== undefined)
+                updates['app:confidential'] = body.app.confidential;
+        }
+        if (body.setupChecklistDismissed !== undefined) {
+            updates['app:setupChecklistDismissed'] = body.setupChecklistDismissed;
+        }
+        if (Object.keys(updates).length > 0) {
+            debug('updateAppSettings keys=%o', Object.keys(updates));
+            await crowi.getConfigService().saveConfig('crowi', updates);
+        }
+        return c.json({ ok: true }, 200);
+    });
+};
+exports.registerAdminAppRoutes = registerAdminAppRoutes;
+//# sourceMappingURL=app.js.map

package/dist/hono/handlers/admin/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../../../../src/hono/handlers/admin/app.ts"],"names":[],"mappings":";;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,sDAAqD;AAErD,kDAA0B;AAG1B,wDAA6F;AAG7F,kDAAgE;AAChE,8CAAqD;AAErD,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,+BAA+B,CAAC,CAAC;AAE9C,MAAM,sBAAsB,GAAG,CAA2C,GAAM,EAAE,KAAY,EAAE,EAAE;IACvG,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAErC,qEAAqE;IACrE,qEAAqE;IACrE,oDAAoD;IACpD,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,IAAA,8BAAsB,EAAC,KAAK,CAAC,CAAC,CAAC;IACvD,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,IAAA,8BAAsB,EAAC,KAAK,CAAC,CAAC,CAAC;IAErD,OAAO,GAAG;SACP,OAAO,CAAC,6BAAc,CAAC,mBAAmB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACvD,MAAM,OAAO,GAAG,IAAA,sCAAuB,EAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC;QAC3C,OAAO,CAAC,CAAC,IAAI,CACX;YACE,GAAG,EAAE;gBACH,KAAK,EAAE,IAAA,2BAAY,EAAC,OAAO,CAAC,WAAW,CAAC,CAAC;gBACzC,YAAY,EAAE,IAAA,2BAAY,EAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;aACxD;YACD,YAAY;YACZ,gBAAgB,EAAhB,yBAAgB;YAChB,uBAAuB,EAAE,IAAA,4BAAa,EAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC;SAC/E,EACD,GAAG,CACJ,CAAC;IACJ,CAAC,CAAC;SACD,OAAO,CAAC,6BAAc,CAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1D,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,OAAO,GAA4B,EAAE,CAAC;QAE5C,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,KAAK,SAAS;gBAAE,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;YACxE,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,KAAK,SAAS;gBAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC;QAC/F,CAAC;QAED,IAAI,IAAI,CAAC,uBAAuB,KAAK,SAAS,EAAE,CAAC;YAC/C,OAAO,CAAC,6BAA6B,CAAC,GAAG,IAAI,CAAC,uBAAuB,CAAC;QACxE,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,KAAK,CAAC,2BAA2B,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YACzD,MAAM,KAAK,CAAC,gBAAgB,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAa,EAAE,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACP,CAAC,CAAC;AA9CW,QAAA,sBAAsB,0BA8CjC"}

package/dist/hono/handlers/admin/auth.d.ts

@@ -0,0 +1,127 @@
+import type { OpenAPIHono } from '@hono/zod-openapi';
+import type Crowi from '../../../crowi';
+import type { CrowiHonoBindings } from '../../app';
+export declare const registerAdminAuthRoutes: <E extends OpenAPIHono<CrowiHonoBindings>>(app: E, crowi: Crowi) => OpenAPIHono<CrowiHonoBindings, {
+    "/admin/auth": {
+        $get: {
+            input: {};
+            output: {
+                requireThirdPartyAuth: boolean;
+                disablePasswordAuth: boolean;
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {};
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED";
+                    message: "Authentication is required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {};
+            output: {
+                error: {
+                    code: "ADMIN_REQUIRED";
+                    message: "Admin permission required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 403;
+        } | {
+            input: {};
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        };
+    };
+} & {
+    "/admin/auth": {
+        $put: {
+            input: {
+                json: {
+                    requireThirdPartyAuth: boolean;
+                    disablePasswordAuth: boolean;
+                };
+            };
+            output: {
+                requireThirdPartyAuth: boolean;
+                disablePasswordAuth: boolean;
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                json: {
+                    requireThirdPartyAuth: boolean;
+                    disablePasswordAuth: boolean;
+                };
+            };
+            output: {
+                error: {
+                    code: "THIRD_PARTY_AUTH_UNAVAILABLE";
+                    message: string;
+                };
+            };
+            outputFormat: "json";
+            status: 400;
+        } | {
+            input: {
+                json: {
+                    requireThirdPartyAuth: boolean;
+                    disablePasswordAuth: boolean;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED";
+                    message: "Authentication is required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {
+                json: {
+                    requireThirdPartyAuth: boolean;
+                    disablePasswordAuth: boolean;
+                };
+            };
+            output: {
+                error: {
+                    code: "ADMIN_REQUIRED";
+                    message: "Admin permission required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 403;
+        } | {
+            input: {
+                json: {
+                    requireThirdPartyAuth: boolean;
+                    disablePasswordAuth: boolean;
+                };
+            };
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        };
+    };
+}, "/">;

package/dist/hono/handlers/admin/auth.js

@@ -0,0 +1,91 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerAdminAuthRoutes = void 0;
+/**
+ * RFC-0006 Phase 4 Batch 9 — `admin.auth` resource Hono port.
+ *
+ * Replaces `packages/api/src/routes/ts-rest/admin/auth.ts`. Two
+ * admin-only endpoints:
+ *
+ *   GET /admin/auth   — read the two `auth:*` settings
+ *   PUT /admin/auth   — persist them (with inert-setting 400 guard)
+ *
+ * Auth:
+ *   - Admin-only via broad `createJwtAdminRequired(crowi)` apply on
+ *     `/admin/auth/*` + the bare `/admin/auth` path.
+ *
+ * Inert-setting guard (2.0.0-alpha):
+ *   - `requireThirdPartyAuth` / `disablePasswordAuth` both depend on
+ *     third-party (Google / GitHub) sign-in, which was removed from core.
+ *     `User.hasValidThirdPartyId()` is now permanently false, so enabling
+ *     either would lock every account out of password login with no
+ *     recovery path. The config keys + schema are kept (inert) for a future
+ *     auth provider plugin, but the endpoint hard-rejects enabling them with
+ *     400 `THIRD_PARTY_AUTH_UNAVAILABLE`. The admin UI hides the toggles, so
+ *     only direct API callers hit this guard.
+ */
+const api_contract_1 = require("@crowi/api-contract");
+const debug_1 = __importDefault(require("debug"));
+const admin_config_1 = require("../../../util/admin-config");
+const admin_1 = require("../../middleware/admin");
+const errors_1 = require("../_helpers/errors");
+const debug = (0, debug_1.default)('crowi:hono:handlers:admin:auth');
+const KEY_REQUIRE_THIRD_PARTY_AUTH = 'auth:requireThirdPartyAuth';
+const KEY_DISABLE_PASSWORD_AUTH = 'auth:disablePasswordAuth';
+const readAuthSettings = (crowi) => {
+    const ns = (0, admin_config_1.getCrowiConfigNamespace)(crowi);
+    return {
+        requireThirdPartyAuth: (0, admin_config_1.coerceBoolean)(ns[KEY_REQUIRE_THIRD_PARTY_AUTH]),
+        disablePasswordAuth: (0, admin_config_1.coerceBoolean)(ns[KEY_DISABLE_PASSWORD_AUTH]),
+    };
+};
+const registerAdminAuthRoutes = (app, crowi) => {
+    app.use('/admin/auth/*', (0, admin_1.createJwtAdminRequired)(crowi));
+    app.use('/admin/auth', (0, admin_1.createJwtAdminRequired)(crowi));
+    return app
+        .openapi(api_contract_1.adminAuthRoutes.getAuthSettingsRoute, async (c) => {
+        try {
+            return c.json(readAuthSettings(crowi), 200);
+        }
+        catch (err) {
+            debug('Error reading auth settings:', err.message);
+            return c.json(errors_1.INTERNAL_ERROR_BODY, 500);
+        }
+    })
+        .openapi(api_contract_1.adminAuthRoutes.updateAuthSettingsRoute, async (c) => {
+        const body = c.req.valid('json');
+        // Third-party (Google / GitHub) sign-in was removed from core in the
+        // 2.0.0-alpha line, so `hasValidThirdPartyId()` is now permanently
+        // false. Enabling either of these settings would lock every account out
+        // of password login with no third-party recovery path. The config keys
+        // and schema are kept (inert) for a future auth plugin, but the endpoint
+        // hard-rejects turning them on so a direct API caller can't self-lock.
+        // The admin UI hides both toggles, so the UI never reaches this branch.
+        if (body.requireThirdPartyAuth || body.disablePasswordAuth) {
+            return c.json({
+                error: {
+                    code: 'THIRD_PARTY_AUTH_UNAVAILABLE',
+                    message: 'Third-party sign-in was removed from core, so requireThirdPartyAuth and disablePasswordAuth cannot be enabled. They will return when an auth provider plugin is installed.',
+                },
+            }, 400);
+        }
+        // Past the guard both toggles are guaranteed false, so this only ever
+        // persists the (inert) disabled state.
+        try {
+            await crowi.getConfigService().saveConfig('crowi', {
+                [KEY_REQUIRE_THIRD_PARTY_AUTH]: body.requireThirdPartyAuth,
+                [KEY_DISABLE_PASSWORD_AUTH]: body.disablePasswordAuth,
+            });
+        }
+        catch (err) {
+            debug('Error saving auth settings:', err.message);
+            return c.json(errors_1.INTERNAL_ERROR_BODY, 500);
+        }
+        return c.json(readAuthSettings(crowi), 200);
+    });
+};
+exports.registerAdminAuthRoutes = registerAdminAuthRoutes;
+//# sourceMappingURL=auth.js.map

package/dist/hono/handlers/admin/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../../src/hono/handlers/admin/auth.ts"],"names":[],"mappings":";;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,sDAAyE;AAEzE,kDAA0B;AAG1B,wDAA+E;AAG/E,kDAAgE;AAChE,+CAAyD;AAEzD,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,gCAAgC,CAAC,CAAC;AAEtD,MAAM,4BAA4B,GAAG,4BAA4B,CAAC;AAClE,MAAM,yBAAyB,GAAG,0BAA0B,CAAC;AAE7D,MAAM,gBAAgB,GAAG,CAAC,KAAY,EAAgB,EAAE;IACtD,MAAM,EAAE,GAAG,IAAA,sCAAuB,EAAC,KAAK,CAAC,CAAC;IAC1C,OAAO;QACL,qBAAqB,EAAE,IAAA,4BAAa,EAAC,EAAE,CAAC,4BAA4B,CAAC,CAAC;QACtE,mBAAmB,EAAE,IAAA,4BAAa,EAAC,EAAE,CAAC,yBAAyB,CAAC,CAAC;KAClE,CAAC;AACJ,CAAC,CAAC;AAEK,MAAM,uBAAuB,GAAG,CAA2C,GAAM,EAAE,KAAY,EAAE,EAAE;IACxG,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,IAAA,8BAAsB,EAAC,KAAK,CAAC,CAAC,CAAC;IACxD,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,IAAA,8BAAsB,EAAC,KAAK,CAAC,CAAC,CAAC;IAEtD,OAAO,GAAG;SACP,OAAO,CAAC,8BAAe,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACzD,IAAI,CAAC;YACH,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,8BAA8B,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;YAC9D,OAAO,CAAC,CAAC,IAAI,CAAC,4BAAmB,EAAE,GAAG,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC;SACD,OAAO,CAAC,8BAAe,CAAC,uBAAuB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC5D,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEjC,qEAAqE;QACrE,mEAAmE;QACnE,wEAAwE;QACxE,uEAAuE;QACvE,yEAAyE;QACzE,uEAAuE;QACvE,wEAAwE;QACxE,IAAI,IAAI,CAAC,qBAAqB,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC3D,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,KAAK,EAAE;oBACL,IAAI,EAAE,8BAAuC;oBAC7C,OAAO,EACL,4KAA4K;iBAC/K;aACF,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,uCAAuC;QACvC,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,gBAAgB,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE;gBACjD,CAAC,4BAA4B,CAAC,EAAE,IAAI,CAAC,qBAAqB;gBAC1D,CAAC,yBAAyB,CAAC,EAAE,IAAI,CAAC,mBAAmB;aACtD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,6BAA6B,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;YAC7D,OAAO,CAAC,CAAC,IAAI,CAAC,4BAAmB,EAAE,GAAG,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACP,CAAC,CAAC;AAlDW,QAAA,uBAAuB,2BAkDlC"}