@dyrected/core 2.5.12 → 2.5.14

package/dist/server.cjs

@@ -248,6 +248,26 @@ var AuditService = class {
   }
 };
 
+// src/auth/password.ts
+var import_node_util = require("util");
+var import_node_crypto = require("crypto");
+var scryptAsync = (0, import_node_util.promisify)(import_node_crypto.scrypt);
+var SALT_LEN = 16;
+var KEY_LEN = 64;
+async function hashPassword(plain) {
+  const salt = (0, import_node_crypto.randomBytes)(SALT_LEN).toString("hex");
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  return `${salt}:${derivedKey.toString("hex")}`;
+}
+async function verifyPassword(plain, stored) {
+  const [salt, storedHash] = stored.split(":");
+  if (!salt || !storedHash) return false;
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  const storedBuffer = Buffer.from(storedHash, "hex");
+  if (derivedKey.length !== storedBuffer.length) return false;
+  return (0, import_node_crypto.timingSafeEqual)(derivedKey, storedBuffer);
+}
+
 // src/controllers/collection.controller.ts
 var CollectionController = class {
   collection;
@@ -337,6 +357,9 @@ var CollectionController = class {
       createdBy: user?.sub ?? null,
       updatedBy: user?.sub ?? null
     };
+    if (this.collection.auth && data.password) {
+      data.password = await hashPassword(data.password);
+    }
     const doc = await db.create({ collection: this.collection.slug, data });
     if (this.collection.audit && db) {
       AuditService.log(db, {
@@ -396,11 +419,16 @@ var CollectionController = class {
     if (!id) return c.json({ message: "Missing ID" }, 400);
     const body = await c.req.json();
     const user = c.get("user");
-    const data = {
-      ...body,
+    const data = { ...body };
+    if (this.collection.auth) {
+      delete data.password;
+      delete data.oldPassword;
+      delete data.confirmPassword;
+    }
+    Object.assign(data, {
       updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
       updatedBy: user?.sub ?? null
-    };
+    });
     let before = null;
     if (this.collection.audit) {
       before = await db.findOne({ collection: this.collection.slug, id });
@@ -418,6 +446,77 @@ var CollectionController = class {
     }
     return c.json(doc);
   }
+  /**
+   * POST /api/collections/:slug/:id/change-password
+   *
+   * Dedicated endpoint for password changes. Requires the caller to supply:
+   *   { oldPassword, newPassword, confirmPassword }
+   *
+   * Rules:
+   *  - Only the account owner or an admin may change the password.
+   *  - Non-admin callers MUST provide a valid oldPassword.
+   *  - newPassword and confirmPassword must match.
+   */
+  async changePassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    if (!this.collection.auth) {
+      return c.json({ message: "This collection does not support authentication" }, 400);
+    }
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const user = c.get("user");
+    if (!user) return c.json({ message: "Authentication required" }, 401);
+    const body = await c.req.json().catch(() => null);
+    const { oldPassword, newPassword, confirmPassword } = body ?? {};
+    if (!newPassword) {
+      return c.json({ message: "newPassword is required" }, 400);
+    }
+    if (newPassword !== confirmPassword) {
+      return c.json({ message: "Passwords do not match" }, 400);
+    }
+    if (newPassword.length < 8) {
+      return c.json({ message: "Password must be at least 8 characters" }, 400);
+    }
+    const isAdmin = Array.isArray(user.roles) && user.roles.includes("admin");
+    const isSelf = user.sub === id;
+    if (!isAdmin && !isSelf) {
+      return c.json({ message: "You are not authorised to change this password" }, 403);
+    }
+    if (!isAdmin) {
+      if (!oldPassword) {
+        return c.json({ message: "Current password is required" }, 400);
+      }
+      const existing = await db.findOne({ collection: this.collection.slug, id });
+      if (!existing) return c.json({ message: "User not found" }, 404);
+      const valid = await verifyPassword(oldPassword, existing.password);
+      if (!valid) {
+        return c.json({ message: "Invalid current password" }, 400);
+      }
+    }
+    const hashed = await hashPassword(newPassword);
+    const doc = await db.update({
+      collection: this.collection.slug,
+      id,
+      data: {
+        password: hashed,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        updatedBy: user.sub
+      }
+    });
+    if (this.collection.audit) {
+      AuditService.log(db, {
+        operation: "update",
+        collection: this.collection.slug,
+        documentId: id,
+        user: { id: user.sub, collection: user.collection, email: user.email },
+        before: null,
+        after: { id }
+      });
+    }
+    return c.json({ success: true, message: "Password updated successfully" });
+  }
   async delete(c) {
     const config = c.get("config");
     const db = config.db;
@@ -709,26 +808,6 @@ var MediaController = class {
   }
 };
 
-// src/auth/password.ts
-var import_node_util = require("util");
-var import_node_crypto = require("crypto");
-var scryptAsync = (0, import_node_util.promisify)(import_node_crypto.scrypt);
-var SALT_LEN = 16;
-var KEY_LEN = 64;
-async function hashPassword(plain) {
-  const salt = (0, import_node_crypto.randomBytes)(SALT_LEN).toString("hex");
-  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
-  return `${salt}:${derivedKey.toString("hex")}`;
-}
-async function verifyPassword(plain, stored) {
-  const [salt, storedHash] = stored.split(":");
-  if (!salt || !storedHash) return false;
-  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
-  const storedBuffer = Buffer.from(storedHash, "hex");
-  if (derivedKey.length !== storedBuffer.length) return false;
-  return (0, import_node_crypto.timingSafeEqual)(derivedKey, storedBuffer);
-}
-
 // src/auth/token.ts
 var import_jose = require("jose");
 var import_node_util2 = require("util");
@@ -1638,14 +1717,19 @@ function registerRoutes(app, config) {
       }
       return true;
     };
+    const serializeAccess = async (access) => {
+      if (typeof access === "string") return access;
+      if (typeof access === "boolean") return access;
+      return resolveAccess(access);
+    };
     const filteredCollections = await Promise.all(collections.filter((col) => !siteId || col.shared || !col.siteId || col.siteId === siteId).map(async (col) => ({
       slug: col.slug,
       labels: col.labels,
       access: {
-        read: await resolveAccess(col.access?.read),
-        create: await resolveAccess(col.access?.create),
-        update: await resolveAccess(col.access?.update),
-        delete: await resolveAccess(col.access?.delete)
+        read: await serializeAccess(col.access?.read),
+        create: await serializeAccess(col.access?.create),
+        update: await serializeAccess(col.access?.update),
+        delete: await serializeAccess(col.access?.delete)
       },
       fields: await Promise.all(col.fields.map(async (f) => ({
         name: f.name,
@@ -1660,8 +1744,8 @@ function registerRoutes(app, config) {
         blocks: f.blocks,
         admin: f.admin,
         access: {
-          read: await resolveAccess(f.access?.read),
-          update: await resolveAccess(f.access?.update)
+          read: await serializeAccess(f.access?.read),
+          update: await serializeAccess(f.access?.update)
         }
       }))),
       upload: !!col.upload,
@@ -1672,8 +1756,8 @@ function registerRoutes(app, config) {
       slug: glb.slug,
       label: glb.label,
       access: {
-        read: await resolveAccess(glb.access?.read),
-        update: await resolveAccess(glb.access?.update)
+        read: await serializeAccess(glb.access?.read),
+        update: await serializeAccess(glb.access?.update)
       },
       fields: await Promise.all(glb.fields.map(async (f) => ({
         name: f.name,
@@ -1688,8 +1772,8 @@ function registerRoutes(app, config) {
         blocks: f.blocks,
         admin: f.admin,
         access: {
-          read: await resolveAccess(f.access?.read),
-          update: await resolveAccess(f.access?.update)
+          read: await serializeAccess(f.access?.read),
+          update: await serializeAccess(f.access?.update)
         }
       }))),
       admin: glb.admin
@@ -1751,6 +1835,9 @@ function registerRoutes(app, config) {
     app.patch(`${path}/:id`, accessGate(collection, "update"), (c) => controller.update(c));
     app.delete(`${path}/:id`, accessGate(collection, "delete"), (c) => controller.delete(c));
     app.post(`${path}/seed`, (c) => controller.seed(c));
+    if (collection.auth) {
+      app.post(`${path}/:id/change-password`, requireAuth(), (c) => controller.changePassword(c));
+    }
   }
   for (const global of config.globals) {
     const path = `/api/globals/${global.slug}`;
@@ -1875,23 +1962,102 @@ function normalizeConfig(config) {
   const globals = config?.globals || [];
   const needsAudit = collections.some((col) => col.audit);
   const normalizedCollections = collections.map((col) => {
-    const fields = col.fields || [];
+    let fields = col.fields || [];
     const existingFieldNames = new Set(fields.map((f) => f.name));
-    const fieldsToInject = SYSTEM_FIELDS.filter((f) => !existingFieldNames.has(f.name));
+    if (col.auth) {
+      if (!existingFieldNames.has("email")) {
+        fields = [
+          ...fields,
+          {
+            name: "email",
+            type: "email",
+            label: "Email",
+            required: true,
+            unique: true,
+            promoted: true,
+            access: {
+              update: "!id"
+            }
+          }
+        ];
+      }
+      if (!existingFieldNames.has("password")) {
+        fields = [
+          ...fields,
+          {
+            name: "password",
+            type: "text",
+            label: "Password",
+            required: true,
+            access: {
+              update: "!id || user.id == id"
+            }
+          }
+        ];
+      }
+      if (!existingFieldNames.has("roles")) {
+        fields = [
+          ...fields,
+          {
+            name: "roles",
+            type: "select",
+            label: "Roles",
+            defaultValue: [],
+            options: [
+              { value: "admin", label: "Admin" },
+              { value: "editor", label: "Editor" },
+              { value: "viewer", label: "Viewer" }
+            ],
+            access: {
+              update: "user.roles && 'admin' in user.roles"
+            }
+          }
+        ];
+      }
+      fields = fields.map((field) => {
+        if (field.name === "email") {
+          return {
+            ...field,
+            access: {
+              ...field.access || {},
+              update: "!id"
+            }
+          };
+        }
+        if (field.name === "password") {
+          return {
+            ...field,
+            admin: { ...field.admin || {} },
+            access: {
+              ...field.access || {},
+              update: "!id || user.id == id"
+            }
+          };
+        }
+        if (field.name === "roles") {
+          return {
+            ...field,
+            access: {
+              ...field.access || {},
+              // Must be an admin; cannot edit own roles (no self-elevation).
+              update: "user.roles && 'admin' in user.roles && user.id != id"
+            }
+          };
+        }
+        return field;
+      });
+    }
+    const updatedFieldNames = new Set(fields.map((f) => f.name));
+    const fieldsToInject = SYSTEM_FIELDS.filter((f) => !updatedFieldNames.has(f.name));
     return {
       ...col,
       fields: [...fields, ...fieldsToInject]
     };
   });
-  const hasAuditCollection = normalizedCollections.some(
-    (col) => col.slug === AUDIT_COLLECTION_SLUG
-  );
+  const hasAuditCollection = normalizedCollections.some((col) => col.slug === AUDIT_COLLECTION_SLUG);
   return {
     ...config,
-    collections: [
-      ...normalizedCollections,
-      ...needsAudit && !hasAuditCollection ? [AUDIT_COLLECTION] : []
-    ],
+    collections: [...normalizedCollections, ...needsAudit && !hasAuditCollection ? [AUDIT_COLLECTION] : []],
     globals
   };
 }

package/dist/server.d.cts

@@ -1,5 +1,5 @@
-import { c as DyrectedContext, D as DyrectedConfig, C as CollectionConfig, G as GlobalConfig } from './app-Dk3SzV1a.cjs';
-export { g as createDyrectedApp } from './app-Dk3SzV1a.cjs';
+import { c as DyrectedContext, D as DyrectedConfig, C as CollectionConfig, G as GlobalConfig } from './app-DnX9mNsh.cjs';
+export { g as createDyrectedApp } from './app-DnX9mNsh.cjs';
 import * as hono from 'hono';
 import { Hono, Context } from 'hono';
 import * as hono_utils_http_status from 'hono/utils/http-status';
@@ -140,6 +140,31 @@ declare class CollectionController {
         message: string;
     }, 400, "json">) | (Response & hono.TypedResponse<any, 201, "json">)>;
     update(c: Context<DyrectedContext>): Promise<Response & hono.TypedResponse<any, hono_utils_http_status.ContentfulStatusCode, "json">>;
+    /**
+     * POST /api/collections/:slug/:id/change-password
+     *
+     * Dedicated endpoint for password changes. Requires the caller to supply:
+     *   { oldPassword, newPassword, confirmPassword }
+     *
+     * Rules:
+     *  - Only the account owner or an admin may change the password.
+     *  - Non-admin callers MUST provide a valid oldPassword.
+     *  - newPassword and confirmPassword must match.
+     */
+    changePassword(c: Context<DyrectedContext>): Promise<(Response & hono.TypedResponse<{
+        message: string;
+    }, 500, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 400, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 401, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 403, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 404, "json">) | (Response & hono.TypedResponse<{
+        success: true;
+        message: string;
+    }, hono_utils_http_status.ContentfulStatusCode, "json">)>;
     delete(c: Context<DyrectedContext>): Promise<Response & hono.TypedResponse<{
         message: string;
     }, hono_utils_http_status.ContentfulStatusCode, "json">>;

package/dist/server.d.ts

@@ -1,5 +1,5 @@
-import { c as DyrectedContext, D as DyrectedConfig, C as CollectionConfig, G as GlobalConfig } from './app-Dk3SzV1a.js';
-export { g as createDyrectedApp } from './app-Dk3SzV1a.js';
+import { c as DyrectedContext, D as DyrectedConfig, C as CollectionConfig, G as GlobalConfig } from './app-DnX9mNsh.js';
+export { g as createDyrectedApp } from './app-DnX9mNsh.js';
 import * as hono from 'hono';
 import { Hono, Context } from 'hono';
 import * as hono_utils_http_status from 'hono/utils/http-status';
@@ -140,6 +140,31 @@ declare class CollectionController {
         message: string;
     }, 400, "json">) | (Response & hono.TypedResponse<any, 201, "json">)>;
     update(c: Context<DyrectedContext>): Promise<Response & hono.TypedResponse<any, hono_utils_http_status.ContentfulStatusCode, "json">>;
+    /**
+     * POST /api/collections/:slug/:id/change-password
+     *
+     * Dedicated endpoint for password changes. Requires the caller to supply:
+     *   { oldPassword, newPassword, confirmPassword }
+     *
+     * Rules:
+     *  - Only the account owner or an admin may change the password.
+     *  - Non-admin callers MUST provide a valid oldPassword.
+     *  - newPassword and confirmPassword must match.
+     */
+    changePassword(c: Context<DyrectedContext>): Promise<(Response & hono.TypedResponse<{
+        message: string;
+    }, 500, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 400, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 401, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 403, "json">) | (Response & hono.TypedResponse<{
+        message: string;
+    }, 404, "json">) | (Response & hono.TypedResponse<{
+        success: true;
+        message: string;
+    }, hono_utils_http_status.ContentfulStatusCode, "json">)>;
     delete(c: Context<DyrectedContext>): Promise<Response & hono.TypedResponse<{
         message: string;
     }, hono_utils_http_status.ContentfulStatusCode, "json">>;

package/dist/server.js

@@ -6,7 +6,7 @@ import {
   PreviewController,
   createDyrectedApp,
   registerRoutes
-} from "./chunk-3VUH2MNW.js";
+} from "./chunk-JJN4J5NS.js";
 export {
   AuthController,
   CollectionController,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dyrected/core",
-  "version": "2.5.12",
+  "version": "2.5.14",
   "type": "module",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",