@donkeylabs/cli 1.1.12 → 1.1.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@donkeylabs/cli",
-  "version": "1.1.12",
+  "version": "1.1.14",
   "type": "module",
   "description": "CLI for @donkeylabs/server - project scaffolding and code generation",
   "main": "./src/index.ts",

package/templates/starter/.env.example

@@ -1,3 +1,44 @@
-DATABASE_URL=app.db
+# =============================================================================
+# DATABASE
+# =============================================================================
+
+# SQLite database path (relative to project root)
+# Use ":memory:" for in-memory database during development
+DATABASE_URL=":memory:"
+
+# For production, use a file path:
+# DATABASE_URL="./data/app.db"
+
+# =============================================================================
+# SERVER
+# =============================================================================
+
+# Port for the API server
 PORT=3000
+
+# Node environment
 NODE_ENV=development
+
+# =============================================================================
+# AUTHENTICATION (if using auth plugin)
+# =============================================================================
+
+# JWT secret for signing tokens (generate with: openssl rand -base64 32)
+# JWT_SECRET=your-secret-key-here
+
+# =============================================================================
+# EXTERNAL SERVICES (examples)
+# =============================================================================
+
+# Email service
+# RESEND_API_KEY=re_xxxxxxxxxxxx
+
+# Payment processing
+# STRIPE_SECRET_KEY=sk_test_xxxxxxxxxxxx
+
+# =============================================================================
+# FEATURE FLAGS
+# =============================================================================
+
+# Enable debug logging
+# DEBUG=true

package/templates/sveltekit-app/.env.example

@@ -1,3 +1,57 @@
-PORT=3000
-DATABASE_URL=app.db
+# =============================================================================
+# DATABASE
+# =============================================================================
+
+# SQLite database path (relative to project root)
+# Use ":memory:" for in-memory database during development
+DATABASE_URL=":memory:"
+
+# For production, use a file path:
+# DATABASE_URL="./data/app.db"
+
+# =============================================================================
+# SERVER
+# =============================================================================
+
+# Port for the API server (optional, defaults to 3000)
+# PORT=3000
+
+# Node environment
 NODE_ENV=development
+
+# =============================================================================
+# AUTHENTICATION (if using auth plugin)
+# =============================================================================
+
+# JWT secret for signing tokens (generate with: openssl rand -base64 32)
+# JWT_SECRET=your-secret-key-here
+
+# Session duration in seconds (default: 7 days)
+# SESSION_DURATION=604800
+
+# =============================================================================
+# EXTERNAL SERVICES (examples)
+# =============================================================================
+
+# Email service (e.g., Resend, SendGrid)
+# RESEND_API_KEY=re_xxxxxxxxxxxx
+
+# Payment processing (e.g., Stripe)
+# STRIPE_SECRET_KEY=sk_test_xxxxxxxxxxxx
+# STRIPE_WEBHOOK_SECRET=whsec_xxxxxxxxxxxx
+
+# File storage (e.g., S3, Cloudflare R2)
+# S3_BUCKET=my-bucket
+# S3_REGION=us-east-1
+# S3_ACCESS_KEY=xxxxxxxxxxxx
+# S3_SECRET_KEY=xxxxxxxxxxxx
+
+# =============================================================================
+# FEATURE FLAGS
+# =============================================================================
+
+# Enable debug logging
+# DEBUG=true
+
+# Enable SSE real-time updates
+# ENABLE_SSE=true

package/templates/sveltekit-app/src/server/index.ts

@@ -5,8 +5,10 @@ import { BunSqliteDialect } from "kysely-bun-sqlite";
 import { Database } from "bun:sqlite";
 import { demoPlugin } from "./plugins/demo";
 import { workflowDemoPlugin } from "./plugins/workflow-demo";
+import { authPlugin } from "./plugins/auth";
 import demoRoutes from "./routes/demo";
 import { exampleRouter } from "./routes/example";
+import { authRouter } from "./routes/auth";
 
 // Simple in-memory database
 const db = new Kysely<{}>({
@@ -23,10 +25,12 @@ export const server = new AppServer({
 });
 
 // Register plugins
+server.registerPlugin(authPlugin);  // Auth first - other plugins may depend on it
 server.registerPlugin(demoPlugin);
 server.registerPlugin(workflowDemoPlugin);
 
 // Register routes
+server.use(authRouter);
 server.use(demoRoutes);
 server.use(exampleRouter);
 

package/templates/sveltekit-app/src/server/plugins/auth/index.ts

@@ -0,0 +1,396 @@
+/**
+ * Auth Plugin - User authentication with sessions
+ *
+ * Provides:
+ * - User registration and login
+ * - Password hashing with bcrypt
+ * - Session-based authentication
+ * - Auth middleware for protected routes
+ */
+
+import { createPlugin, createMiddleware } from "@donkeylabs/server";
+import type { ColumnType } from "kysely";
+
+// =============================================================================
+// DATABASE SCHEMA TYPES
+// =============================================================================
+
+interface UsersTable {
+  id: string;
+  email: string;
+  password_hash: string;
+  name: string | null;
+  created_at: ColumnType<string, string | undefined, never>;
+  updated_at: string;
+}
+
+interface SessionsTable {
+  id: string;
+  user_id: string;
+  expires_at: string;
+  created_at: ColumnType<string, string | undefined, never>;
+}
+
+interface AuthSchema {
+  users: UsersTable;
+  sessions: SessionsTable;
+}
+
+// =============================================================================
+// TYPES
+// =============================================================================
+
+export interface AuthUser {
+  id: string;
+  email: string;
+  name: string | null;
+}
+
+export interface Session {
+  id: string;
+  userId: string;
+  expiresAt: Date;
+}
+
+// =============================================================================
+// PLUGIN DEFINITION
+// =============================================================================
+
+export const authPlugin = createPlugin
+  .withSchema<AuthSchema>()
+  .define({
+    name: "auth",
+
+    // Custom errors for auth failures
+    customErrors: {
+      InvalidCredentials: {
+        status: 401,
+        code: "INVALID_CREDENTIALS",
+        message: "Invalid email or password",
+      },
+      EmailAlreadyExists: {
+        status: 409,
+        code: "EMAIL_EXISTS",
+        message: "An account with this email already exists",
+      },
+      SessionExpired: {
+        status: 401,
+        code: "SESSION_EXPIRED",
+        message: "Your session has expired. Please log in again.",
+      },
+    },
+
+    service: async (ctx) => {
+      const SESSION_DURATION_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+      return {
+        /**
+         * Register a new user
+         */
+        register: async (data: {
+          email: string;
+          password: string;
+          name?: string;
+        }): Promise<{ user: AuthUser; sessionId: string }> => {
+          const { email, password, name } = data;
+
+          // Check if email already exists
+          const existing = await ctx.db
+            .selectFrom("users")
+            .where("email", "=", email.toLowerCase())
+            .selectAll()
+            .executeTakeFirst();
+
+          if (existing) {
+            throw ctx.errors.EmailAlreadyExists();
+          }
+
+          // Hash password
+          const passwordHash = await Bun.password.hash(password, {
+            algorithm: "bcrypt",
+            cost: 10,
+          });
+
+          const userId = crypto.randomUUID();
+          const now = new Date().toISOString();
+
+          // Create user
+          await ctx.db
+            .insertInto("users")
+            .values({
+              id: userId,
+              email: email.toLowerCase(),
+              password_hash: passwordHash,
+              name: name || null,
+              created_at: now,
+              updated_at: now,
+            })
+            .execute();
+
+          // Create session
+          const sessionId = crypto.randomUUID();
+          const expiresAt = new Date(Date.now() + SESSION_DURATION_MS);
+
+          await ctx.db
+            .insertInto("sessions")
+            .values({
+              id: sessionId,
+              user_id: userId,
+              expires_at: expiresAt.toISOString(),
+              created_at: now,
+            })
+            .execute();
+
+          ctx.core.logger.info("User registered", { userId, email });
+
+          return {
+            user: { id: userId, email: email.toLowerCase(), name: name || null },
+            sessionId,
+          };
+        },
+
+        /**
+         * Login with email and password
+         */
+        login: async (data: {
+          email: string;
+          password: string;
+        }): Promise<{ user: AuthUser; sessionId: string }> => {
+          const { email, password } = data;
+
+          // Find user
+          const user = await ctx.db
+            .selectFrom("users")
+            .where("email", "=", email.toLowerCase())
+            .selectAll()
+            .executeTakeFirst();
+
+          if (!user) {
+            throw ctx.errors.InvalidCredentials();
+          }
+
+          // Verify password
+          const valid = await Bun.password.verify(password, user.password_hash);
+          if (!valid) {
+            throw ctx.errors.InvalidCredentials();
+          }
+
+          // Create session
+          const sessionId = crypto.randomUUID();
+          const expiresAt = new Date(Date.now() + SESSION_DURATION_MS);
+
+          await ctx.db
+            .insertInto("sessions")
+            .values({
+              id: sessionId,
+              user_id: user.id,
+              expires_at: expiresAt.toISOString(),
+              created_at: new Date().toISOString(),
+            })
+            .execute();
+
+          ctx.core.logger.info("User logged in", { userId: user.id });
+
+          return {
+            user: { id: user.id, email: user.email, name: user.name },
+            sessionId,
+          };
+        },
+
+        /**
+         * Logout - invalidate session
+         */
+        logout: async (sessionId: string): Promise<void> => {
+          await ctx.db
+            .deleteFrom("sessions")
+            .where("id", "=", sessionId)
+            .execute();
+        },
+
+        /**
+         * Validate session and get user
+         */
+        validateSession: async (sessionId: string): Promise<AuthUser | null> => {
+          const session = await ctx.db
+            .selectFrom("sessions")
+            .where("id", "=", sessionId)
+            .selectAll()
+            .executeTakeFirst();
+
+          if (!session) {
+            return null;
+          }
+
+          // Check if expired
+          if (new Date(session.expires_at) < new Date()) {
+            // Clean up expired session
+            await ctx.db
+              .deleteFrom("sessions")
+              .where("id", "=", sessionId)
+              .execute();
+            return null;
+          }
+
+          // Get user
+          const user = await ctx.db
+            .selectFrom("users")
+            .where("id", "=", session.user_id)
+            .selectAll()
+            .executeTakeFirst();
+
+          if (!user) {
+            return null;
+          }
+
+          return {
+            id: user.id,
+            email: user.email,
+            name: user.name,
+          };
+        },
+
+        /**
+         * Get user by ID
+         */
+        getUserById: async (userId: string): Promise<AuthUser | null> => {
+          const user = await ctx.db
+            .selectFrom("users")
+            .where("id", "=", userId)
+            .selectAll()
+            .executeTakeFirst();
+
+          if (!user) {
+            return null;
+          }
+
+          return {
+            id: user.id,
+            email: user.email,
+            name: user.name,
+          };
+        },
+
+        /**
+         * Update user profile
+         */
+        updateProfile: async (
+          userId: string,
+          data: { name?: string; email?: string }
+        ): Promise<AuthUser> => {
+          const updates: Record<string, string> = {
+            updated_at: new Date().toISOString(),
+          };
+
+          if (data.name !== undefined) {
+            updates.name = data.name;
+          }
+
+          if (data.email !== undefined) {
+            // Check if email is taken by another user
+            const existing = await ctx.db
+              .selectFrom("users")
+              .where("email", "=", data.email.toLowerCase())
+              .where("id", "!=", userId)
+              .selectAll()
+              .executeTakeFirst();
+
+            if (existing) {
+              throw ctx.errors.EmailAlreadyExists();
+            }
+
+            updates.email = data.email.toLowerCase();
+          }
+
+          await ctx.db
+            .updateTable("users")
+            .set(updates)
+            .where("id", "=", userId)
+            .execute();
+
+          const user = await ctx.db
+            .selectFrom("users")
+            .where("id", "=", userId)
+            .selectAll()
+            .executeTakeFirstOrThrow();
+
+          return {
+            id: user.id,
+            email: user.email,
+            name: user.name,
+          };
+        },
+
+        /**
+         * Delete all expired sessions (cleanup job)
+         */
+        cleanupExpiredSessions: async (): Promise<number> => {
+          const result = await ctx.db
+            .deleteFrom("sessions")
+            .where("expires_at", "<", new Date().toISOString())
+            .executeTakeFirst();
+
+          const count = Number(result.numDeletedRows);
+          if (count > 0) {
+            ctx.core.logger.info("Cleaned up expired sessions", { count });
+          }
+          return count;
+        },
+      };
+    },
+
+    /**
+     * Auth middleware - validates session from cookie/header
+     */
+    middleware: (ctx, service) => ({
+      /**
+       * Require authentication middleware
+       * Sets ctx.user if valid session found
+       * Returns 401 if required and no valid session
+       */
+      auth: createMiddleware<{ required?: boolean }>(
+        async (req, reqCtx, next, config) => {
+          // Get session ID from cookie or Authorization header
+          const cookies = req.headers.get("cookie") || "";
+          const cookieMatch = cookies.match(/session=([^;]+)/);
+          const headerToken = req.headers.get("authorization")?.replace("Bearer ", "");
+
+          const sessionId = cookieMatch?.[1] || headerToken;
+
+          if (sessionId) {
+            const user = await service.validateSession(sessionId);
+            if (user) {
+              // Set user on request context
+              (reqCtx as any).user = user;
+              (reqCtx as any).sessionId = sessionId;
+            }
+          }
+
+          // If auth is required and no user, return 401
+          if (config?.required && !(reqCtx as any).user) {
+            return Response.json(
+              { error: "Unauthorized", code: "UNAUTHORIZED" },
+              { status: 401 }
+            );
+          }
+
+          return next();
+        }
+      ),
+    }),
+
+    /**
+     * Initialize cleanup cron job
+     */
+    init: async (ctx, service) => {
+      // Clean up expired sessions daily at 3am
+      ctx.core.cron.schedule(
+        "0 3 * * *",
+        async () => {
+          await service.cleanupExpiredSessions();
+        },
+        { name: "auth-session-cleanup" }
+      );
+
+      ctx.core.logger.info("Auth plugin initialized");
+    },
+  });

package/templates/sveltekit-app/src/server/plugins/auth/migrations/001_create_users.ts

@@ -0,0 +1,25 @@
+import type { Kysely } from "kysely";
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable("users")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("email", "text", (col) => col.notNull().unique())
+    .addColumn("password_hash", "text", (col) => col.notNull())
+    .addColumn("name", "text")
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .addColumn("updated_at", "text", (col) => col.notNull())
+    .execute();
+
+  await db.schema
+    .createIndex("idx_users_email")
+    .ifNotExists()
+    .on("users")
+    .column("email")
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable("users").ifExists().execute();
+}

package/templates/sveltekit-app/src/server/plugins/auth/migrations/002_create_sessions.ts

@@ -0,0 +1,32 @@
+import type { Kysely } from "kysely";
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable("sessions")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("user_id", "text", (col) =>
+      col.notNull().references("users.id").onDelete("cascade")
+    )
+    .addColumn("expires_at", "text", (col) => col.notNull())
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .execute();
+
+  await db.schema
+    .createIndex("idx_sessions_user_id")
+    .ifNotExists()
+    .on("sessions")
+    .column("user_id")
+    .execute();
+
+  await db.schema
+    .createIndex("idx_sessions_expires_at")
+    .ifNotExists()
+    .on("sessions")
+    .column("expires_at")
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable("sessions").ifExists().execute();
+}

package/templates/sveltekit-app/src/server/routes/auth/auth.schemas.ts

@@ -0,0 +1,52 @@
+import { z } from "zod";
+
+// =============================================================================
+// INPUT SCHEMAS
+// =============================================================================
+
+export const registerSchema = z.object({
+  email: z.string().email("Invalid email address"),
+  password: z.string().min(8, "Password must be at least 8 characters"),
+  name: z.string().min(1).optional(),
+});
+
+export const loginSchema = z.object({
+  email: z.string().email("Invalid email address"),
+  password: z.string().min(1, "Password is required"),
+});
+
+export const updateProfileSchema = z.object({
+  name: z.string().min(1).optional(),
+  email: z.string().email().optional(),
+});
+
+// =============================================================================
+// OUTPUT SCHEMAS
+// =============================================================================
+
+export const userSchema = z.object({
+  id: z.string(),
+  email: z.string(),
+  name: z.string().nullable(),
+});
+
+export const authResponseSchema = z.object({
+  user: userSchema,
+  sessionId: z.string(),
+});
+
+export const meResponseSchema = userSchema.nullable();
+
+export const logoutResponseSchema = z.object({
+  success: z.boolean(),
+});
+
+// =============================================================================
+// DERIVED TYPES
+// =============================================================================
+
+export type RegisterInput = z.infer<typeof registerSchema>;
+export type LoginInput = z.infer<typeof loginSchema>;
+export type UpdateProfileInput = z.infer<typeof updateProfileSchema>;
+export type User = z.infer<typeof userSchema>;
+export type AuthResponse = z.infer<typeof authResponseSchema>;

package/templates/sveltekit-app/src/server/routes/auth/handlers/login.handler.ts

@@ -0,0 +1,20 @@
+import type { Handler, Routes, AppContext } from "$server/api";
+
+/**
+ * Login Handler - Authenticate user and create session
+ */
+export class LoginHandler implements Handler<Routes.Auth.Login> {
+  constructor(private ctx: AppContext) {}
+
+  async handle(input: Routes.Auth.Login.Input): Promise<Routes.Auth.Login.Output> {
+    const result = await this.ctx.plugins.auth.login({
+      email: input.email,
+      password: input.password,
+    });
+
+    return {
+      user: result.user,
+      sessionId: result.sessionId,
+    };
+  }
+}

package/templates/sveltekit-app/src/server/routes/auth/handlers/logout.handler.ts

@@ -0,0 +1,19 @@
+import type { Handler, Routes, AppContext } from "$server/api";
+
+/**
+ * Logout Handler - Invalidate current session
+ */
+export class LogoutHandler implements Handler<Routes.Auth.Logout> {
+  constructor(private ctx: AppContext) {}
+
+  async handle(_input: Routes.Auth.Logout.Input): Promise<Routes.Auth.Logout.Output> {
+    // Get session ID from request context (set by auth middleware)
+    const sessionId = (this.ctx as any).sessionId;
+
+    if (sessionId) {
+      await this.ctx.plugins.auth.logout(sessionId);
+    }
+
+    return { success: true };
+  }
+}

package/templates/sveltekit-app/src/server/routes/auth/handlers/me.handler.ts

@@ -0,0 +1,23 @@
+import type { Handler, Routes, AppContext } from "$server/api";
+
+/**
+ * Me Handler - Get current authenticated user
+ */
+export class MeHandler implements Handler<Routes.Auth.Me> {
+  constructor(private ctx: AppContext) {}
+
+  async handle(_input: Routes.Auth.Me.Input): Promise<Routes.Auth.Me.Output> {
+    // Get user from request context (set by auth middleware)
+    const user = (this.ctx as any).user;
+
+    if (!user) {
+      return null;
+    }
+
+    return {
+      id: user.id,
+      email: user.email,
+      name: user.name,
+    };
+  }
+}

package/templates/sveltekit-app/src/server/routes/auth/handlers/register.handler.ts

@@ -0,0 +1,21 @@
+import type { Handler, Routes, AppContext } from "$server/api";
+
+/**
+ * Register Handler - Create a new user account
+ */
+export class RegisterHandler implements Handler<Routes.Auth.Register> {
+  constructor(private ctx: AppContext) {}
+
+  async handle(input: Routes.Auth.Register.Input): Promise<Routes.Auth.Register.Output> {
+    const result = await this.ctx.plugins.auth.register({
+      email: input.email,
+      password: input.password,
+      name: input.name,
+    });
+
+    return {
+      user: result.user,
+      sessionId: result.sessionId,
+    };
+  }
+}

package/templates/sveltekit-app/src/server/routes/auth/handlers/update-profile.handler.ts

@@ -0,0 +1,24 @@
+import type { Handler, Routes, AppContext } from "$server/api";
+
+/**
+ * Update Profile Handler - Update current user's profile
+ */
+export class UpdateProfileHandler implements Handler<Routes.Auth.UpdateProfile> {
+  constructor(private ctx: AppContext) {}
+
+  async handle(input: Routes.Auth.UpdateProfile.Input): Promise<Routes.Auth.UpdateProfile.Output> {
+    // Get user from request context (set by auth middleware)
+    const user = (this.ctx as any).user;
+
+    if (!user) {
+      throw this.ctx.errors.Unauthorized("Not authenticated");
+    }
+
+    const updated = await this.ctx.plugins.auth.updateProfile(user.id, {
+      name: input.name,
+      email: input.email,
+    });
+
+    return updated;
+  }
+}

package/templates/sveltekit-app/src/server/routes/auth/index.ts

@@ -0,0 +1,63 @@
+/**
+ * Auth Router - Authentication endpoints
+ *
+ * Provides:
+ * - auth.register - Create new account
+ * - auth.login - Login and get session
+ * - auth.logout - Invalidate session (requires auth)
+ * - auth.me - Get current user (optional auth)
+ * - auth.updateProfile - Update profile (requires auth)
+ */
+
+import { createRouter } from "@donkeylabs/server";
+import { z } from "zod";
+import {
+  registerSchema,
+  loginSchema,
+  updateProfileSchema,
+  authResponseSchema,
+  userSchema,
+  logoutResponseSchema,
+} from "./auth.schemas";
+import { RegisterHandler } from "./handlers/register.handler";
+import { LoginHandler } from "./handlers/login.handler";
+import { LogoutHandler } from "./handlers/logout.handler";
+import { MeHandler } from "./handlers/me.handler";
+import { UpdateProfileHandler } from "./handlers/update-profile.handler";
+
+export const authRouter = createRouter("auth")
+
+  // Public routes
+  .route("register").typed({
+    input: registerSchema,
+    output: authResponseSchema,
+    handle: RegisterHandler,
+  })
+
+  .route("login").typed({
+    input: loginSchema,
+    output: authResponseSchema,
+    handle: LoginHandler,
+  })
+
+  // Optional auth - returns user if logged in, null otherwise
+  .middleware.auth({ required: false })
+  .route("me").typed({
+    input: z.object({}),
+    output: userSchema.nullable(),
+    handle: MeHandler,
+  })
+
+  // Protected routes - require authentication
+  .middleware.auth({ required: true })
+  .route("logout").typed({
+    input: z.object({}),
+    output: logoutResponseSchema,
+    handle: LogoutHandler,
+  })
+
+  .route("updateProfile").typed({
+    input: updateProfileSchema,
+    output: userSchema,
+    handle: UpdateProfileHandler,
+  });