npm - @edge-base/server - Versions diffs - 0.1.5 → 0.2.1 - Mend

@edge-base/server 0.1.5 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/src/routes/auth.ts CHANGED Viewed

@@ -29,7 +29,7 @@ import {
 } from '../lib/auth-redirect.js';
 import {
   signAccessToken, signRefreshToken, verifyRefreshTokenWithFallback,
-  parseDuration, decodeTokenUnsafe, TokenExpiredError,
+  parseDuration, TokenExpiredError,
 } from '../lib/jwt.js';
 import { generateId } from '../lib/uuid.js';
 import { captchaMiddleware } from '../middleware/captcha-verify.js';
@@ -108,6 +108,15 @@ authRoute.onError((err, c) => {
 // ─── Helpers ───
+function isReleaseMode(env: Env): boolean {
+  return parseConfig(env)?.release ?? false;
+}
+function shouldExposeAuthTestSecrets(env: Env): boolean {
+  return env.EDGEBASE_TEST === '1'
+    || env.EDGEBASE_TEST === 'true';
+}
 function requireAuth(auth: AuthContext | null): string {
   if (!auth) {
     throw new EdgeBaseError(401, 'Authentication required.', undefined, 'unauthenticated');
@@ -500,6 +509,13 @@ async function createSessionAndTokens(
     metadata,
   });
+  // Update lastSignedInAt on the user record
+  try {
+    await db.run('UPDATE _users SET lastSignedInAt = ? WHERE id = ?', [now, userId]);
+  } catch {
+    // Non-critical: don't block sign-in if this column doesn't exist yet
+  }
   return { accessToken, refreshToken, sessionId };
 }
@@ -1288,6 +1304,7 @@ authRoute.openapi(signinMagicLink, async (c) => {
   const record = await lookupEmail(getAuthDb(c), body.email);
   const db = getAuthDb(c);
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
   let debugToken: string | undefined;
   let debugActionUrl: string | undefined;
@@ -1327,9 +1344,12 @@ authRoute.openapi(signinMagicLink, async (c) => {
       type: 'magic-link',
       state: redirect.state,
     });
+    if (exposeTestSecrets) {
+      debugToken = token;
+      debugActionUrl = magicLinkUrl;
+    }
     if (!provider) {
-      const release = config?.release ?? false;
-      if (!release) {
+      if (!isReleaseMode(c.env)) {
         console.warn('[MagicLink] Email provider not configured. Token:', token);
         debugToken = token;
         debugActionUrl = magicLinkUrl;
@@ -1417,6 +1437,10 @@ authRoute.openapi(signinMagicLink, async (c) => {
         type: 'magic-link',
         state: redirect.state,
       });
+      if (exposeTestSecrets) {
+        debugToken = token;
+        debugActionUrl = magicLinkUrl;
+      }
       if (provider) {
         const locale = resolveEmailLocale(c.env, reqLocale);
         const html = renderMagicLink({
@@ -1431,8 +1455,7 @@ authRoute.openapi(signinMagicLink, async (c) => {
           resolveSubject(c.env, 'magicLink', defaultSubject, locale), html, locale,
         ).catch(() => {});
       } else {
-        const release = config?.release ?? false;
-        if (!release) {
+        if (!isReleaseMode(c.env)) {
           debugToken = token;
           debugActionUrl = magicLinkUrl;
         }
@@ -1591,6 +1614,7 @@ authRoute.openapi(signinPhone, async (c) => {
   // Look up phone in D1
   const record = await lookupPhone(getAuthDb(c), phone);
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
   let devCode: string | undefined;
   const db = getAuthDb(c);
@@ -1602,6 +1626,7 @@ authRoute.openapi(signinPhone, async (c) => {
     if (!user) return c.json({ ok: true });
     const code = generateOTP();
+    if (exposeTestSecrets) devCode = code;
     // Store OTP in KV with 5 min TTL
     await c.env.KV.put(
@@ -1623,8 +1648,7 @@ authRoute.openapi(signinPhone, async (c) => {
         `Your ${appName} verification code is: ${code}. Valid for 5 minutes.`,
       );
     } else {
-      const release = parseConfig(c.env)?.release ?? false;
-      if (!release) {
+      if (!isReleaseMode(c.env)) {
         console.warn('[Phone] SMS provider not configured. OTP:', code);
         devCode = code;
       }
@@ -1654,6 +1678,7 @@ authRoute.openapi(signinPhone, async (c) => {
       await authService.updateUser(db, userId, { phone, phoneVerified: false });
       const code = generateOTP();
+      if (exposeTestSecrets) devCode = code;
       // Store OTP in KV
       await c.env.KV.put(
@@ -1675,8 +1700,7 @@ authRoute.openapi(signinPhone, async (c) => {
           `Your ${appName} verification code is: ${code}. Valid for 5 minutes.`,
         );
       } else {
-        const release = parseConfig(c.env)?.release ?? false;
-        if (!release) {
+        if (!isReleaseMode(c.env)) {
           console.warn('[Phone] SMS provider not configured. OTP:', code);
           devCode = code;
         }
@@ -1690,8 +1714,7 @@ authRoute.openapi(signinPhone, async (c) => {
   }
   // Return OTP code only in dev mode (SMS provider not configured) for testing
-  const release = parseConfig(c.env)?.release ?? false;
-  return c.json(devCode && !release ? { ok: true, code: devCode } : { ok: true });
+  return c.json(devCode ? { ok: true, code: devCode } : { ok: true });
 });
 // POST /verify-phone — verify OTP → create session
@@ -1871,6 +1894,7 @@ authRoute.openapi(linkPhone, async (c) => {
   }
   const code = generateOTP();
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
   // Store link OTP in KV (separate key pattern)
   await c.env.KV.put(
@@ -1891,14 +1915,13 @@ authRoute.openapi(linkPhone, async (c) => {
       phone,
       `Your ${appName} phone linking code is: ${code}. Valid for 5 minutes.`,
     );
-    return c.json({ ok: true });
+    return c.json(exposeTestSecrets ? { ok: true, code } : { ok: true });
   } else {
-    const release = parseConfig(c.env)?.release ?? false;
-    if (!release) {
+    if (!isReleaseMode(c.env)) {
       console.warn('[Phone] SMS provider not configured. Link OTP:', code);
       return c.json({ ok: true, code });
     }
-    return c.json({ ok: true });
+    return c.json(exposeTestSecrets ? { ok: true, code } : { ok: true });
   }
 });
@@ -2048,6 +2071,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
   // Look up email in D1
   const record = await lookupEmail(getAuthDb(c), email);
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
   let devCode: string | undefined;
   const db = getAuthDb(c);
@@ -2059,6 +2083,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
     if (!user) return c.json({ ok: true });
     const code = generateOTP();
+    if (exposeTestSecrets) devCode = code;
     // Store OTP in KV with 5 min TTL
     await c.env.KV.put(
@@ -2079,8 +2104,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
         resolveSubject(c.env, 'emailOtp', defaultSubject, locale), html, locale,
       );
     } else {
-      const release = parseConfig(c.env)?.release ?? false;
-      if (!release) {
+      if (!isReleaseMode(c.env)) {
         console.warn('[EmailOTP] Email provider not configured. OTP:', code);
         devCode = code;
       }
@@ -2117,6 +2141,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
       });
       const code = generateOTP();
+      if (exposeTestSecrets) devCode = code;
       // Store OTP in KV
       await c.env.KV.put(
@@ -2137,8 +2162,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
           resolveSubject(c.env, 'emailOtp', defaultSubject, locale), html, locale,
         );
       } else {
-        const release = parseConfig(c.env)?.release ?? false;
-        if (!release) {
+        if (!isReleaseMode(c.env)) {
           console.warn('[EmailOTP] Email provider not configured. OTP:', code);
           devCode = code;
         }
@@ -2152,8 +2176,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
   }
   // Return OTP code only in dev mode (email provider not configured) for testing
-  const release = parseConfig(c.env)?.release ?? false;
-  return c.json(devCode && !release ? { ok: true, code: devCode } : { ok: true });
+  return c.json(devCode ? { ok: true, code: devCode } : { ok: true });
 });
 // POST /verify-email-otp — verify OTP → create session
@@ -2754,11 +2777,27 @@ authRoute.openapi(signout, async (c) => {
     refreshToken: body.refreshToken,
   });
-  const payload = decodeTokenUnsafe(body.refreshToken);
-  if (!payload?.sub) throw new EdgeBaseError(401, 'Invalid refresh token.', undefined, 'invalid-refresh-token');
   const db = getAuthDb(c);
-  const userId = payload.sub as string;
+  let tokenPayload;
+  try {
+    tokenPayload = await verifyRefreshTokenWithFallback(
+      body.refreshToken,
+      getUserSecret(c.env),
+      c.env.JWT_USER_SECRET_OLD,
+      c.env.JWT_USER_SECRET_OLD_AT,
+    );
+  } catch (err) {
+    if (err instanceof TokenExpiredError) {
+      throw new EdgeBaseError(401, 'Refresh token expired.', undefined, 'refresh-token-expired');
+    }
+    throw new EdgeBaseError(401, 'Invalid refresh token.', undefined, 'invalid-refresh-token');
+  }
+  const userId = tokenPayload.sub;
+  const sessionResult = await authService.getSessionByRefreshToken(db, body.refreshToken, userId);
+  if (!sessionResult) {
+    throw new EdgeBaseError(401, 'Invalid refresh token.', undefined, 'invalid-refresh-token');
+  }
   // beforeSignOut hook — blocking
   await executeAuthHook(c.env, c.executionCtx, 'beforeSignOut', { userId }, { blocking: true, workerUrl: getWorkerUrl(c.req.url, c.env) });
@@ -2991,8 +3030,8 @@ authRoute.openapi(changeEmail, async (c) => {
     }
   }
-  const release = parseConfig(c.env)?.release ?? false;
-  if (!release) {
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
+  if (exposeTestSecrets || !isReleaseMode(c.env)) {
     const emailCfg = getEmailConfig(c.env);
     const fallbackVerifyUrl = emailCfg?.emailChangeUrl
       ? emailCfg.emailChangeUrl.replace('{token}', token)
@@ -3970,8 +4009,7 @@ authRoute.openapi(requestEmailVerification, async (c) => {
   const provider = createEmailProvider(getEmailConfig(c.env), c.env);
   if (!provider) {
-    const release = parseConfig(c.env)?.release ?? false;
-    if (!release) {
+    if (shouldExposeAuthTestSecrets(c.env) || !isReleaseMode(c.env)) {
       console.warn('[VerifyEmail] Email provider not configured. Verification email not sent. Token:', token);
       return c.json({ ok: true, message: 'Email provider not configured.', token, actionUrl: verifyUrl });
     }
@@ -3992,7 +4030,9 @@ authRoute.openapi(requestEmailVerification, async (c) => {
     resolveSubject(c.env, 'verification', defaultSubject, locale), html, locale,
   );
-  return c.json({ ok: result.success, messageId: result.messageId });
+  return c.json(shouldExposeAuthTestSecrets(c.env)
+    ? { ok: result.success, messageId: result.messageId, token, actionUrl: verifyUrl }
+    : { ok: result.success, messageId: result.messageId });
 });
 // POST /verify-email — KV token→shardId lookup → direct Shard call
@@ -4123,8 +4163,7 @@ authRoute.openapi(requestPasswordReset, async (c) => {
   const provider = createEmailProvider(getEmailConfig(c.env), c.env);
   if (!provider) {
-    const release = parseConfig(c.env)?.release ?? false;
-    if (!release) {
+    if (shouldExposeAuthTestSecrets(c.env) || !isReleaseMode(c.env)) {
       console.warn('[Auth] Email provider not configured. Reset email not sent. Token:', token);
       return c.json({ ok: true, message: 'Email provider not configured.', token, actionUrl: resetUrl });
     }
@@ -4145,7 +4184,9 @@ authRoute.openapi(requestPasswordReset, async (c) => {
     resolveSubject(c.env, 'passwordReset', defaultSubject, locale), html, locale,
   );
-  return c.json({ ok: result.success, messageId: result.messageId });
+  return c.json(shouldExposeAuthTestSecrets(c.env)
+    ? { ok: result.success, messageId: result.messageId, token, actionUrl: resetUrl }
+    : { ok: result.success, messageId: result.messageId });
 });
 // POST /reset-password — KV token→shardId lookup → direct Shard call

package/src/routes/room.ts CHANGED Viewed

@@ -70,6 +70,12 @@ const roomRealtimeCreateSessionBodySchema = z.object({
   thirdparty: z.boolean().optional().openapi({ description: 'Forward Cloudflare Realtime thirdparty mode' }),
   sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
 });
+const roomCloudflareRealtimeKitCreateSessionBodySchema = z.object({
+  connectionId: z.string().optional().openapi({ description: 'Specific room connection ID to bind the Cloudflare RealtimeKit participant to' }),
+  customParticipantId: z.string().optional().openapi({ description: 'Optional custom participant identifier for the provisioned RealtimeKit participant' }),
+  name: z.string().optional().openapi({ description: 'Optional display name for the provisioned RealtimeKit participant' }),
+  picture: z.string().optional().openapi({ description: 'Optional avatar URL for the provisioned RealtimeKit participant' }),
+});
 const roomRealtimeCreateSessionResponseSchema = z.object({
   sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
   sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
@@ -78,6 +84,15 @@ const roomRealtimeCreateSessionResponseSchema = z.object({
   connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
   reused: z.boolean().optional().openapi({ description: 'Whether an existing provider session was reused' }),
 });
+const roomCloudflareRealtimeKitCreateSessionResponseSchema = z.object({
+  sessionId: z.string().openapi({ description: 'Cloudflare RealtimeKit participant ID' }),
+  meetingId: z.string().openapi({ description: 'Cloudflare RealtimeKit meeting ID backing the room session' }),
+  participantId: z.string().openapi({ description: 'Cloudflare RealtimeKit participant ID' }),
+  authToken: z.string().openapi({ description: 'RealtimeKit auth token for the provisioned participant' }),
+  presetName: z.string().optional().openapi({ description: 'RealtimeKit preset used for the provisioned participant' }),
+  connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
+  reused: z.boolean().optional().openapi({ description: 'Whether an existing provider participant was reused' }),
+});
 const roomRealtimeSessionStateSchema = z.object({
   sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
   connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
@@ -525,6 +540,27 @@ const createRoomRealtimeSession = createRoute({
   },
 });
+const createRoomCloudflareRealtimeKitSession = createRoute({
+  operationId: 'createRoomCloudflareRealtimeKitSession',
+  method: 'post',
+  path: '/media/cloudflare_realtimekit/session',
+  tags: ['client'],
+  summary: 'Create a room Cloudflare RealtimeKit session',
+  description: 'Creates a Cloudflare RealtimeKit session for the authenticated room member.',
+  request: {
+    query: roomQuerySchema,
+    body: { content: { 'application/json': { schema: roomCloudflareRealtimeKitCreateSessionBodySchema } }, required: false },
+  },
+  responses: {
+    200: { description: 'Cloudflare RealtimeKit session created', content: { 'application/json': { schema: roomCloudflareRealtimeKitCreateSessionResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Room runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+    409: { description: 'Conflicting existing published media', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
 const createRoomRealtimeIceServers = createRoute({
   operationId: 'createRoomRealtimeIceServers',
   method: 'post',
@@ -637,3 +673,9 @@ roomRoute.openapi(closeRoomRealtimeTracks, async (c) =>
     requireAuth: true,
     validatedJson: c.req.valid('json'),
   }));
+roomRoute.openapi(createRoomCloudflareRealtimeKitSession, async (c) =>
+  proxyRoomDoRequest(c, '/media/cloudflare_realtimekit/session', 'POST', {
+    requireAuth: true,
+    validatedJson: c.req.valid('json'),
+  }));

package/src/types.ts CHANGED Viewed

@@ -68,6 +68,8 @@ export interface Env {
   CAPTCHA_SITE_KEY?: string;
   /** Cloudflare Realtime app ID for SFU session control. */
   CF_REALTIME_APP_ID?: string;
+  /** Cloudflare RealtimeKit preset name used when creating participant tokens. */
+  CF_REALTIME_PRESET_NAME?: string;
   /** Cloudflare Realtime app secret for SFU session control. */
   CF_REALTIME_APP_SECRET?: string;
   /** Optional override for the Cloudflare Realtime API base URL. */
@@ -92,6 +94,10 @@ export interface Env {
   EDGEBASE_EMAIL_API_URL?: string;
   /** Optional override for SMS delivery in deployed/local mock environments. */
   EDGEBASE_SMS_API_URL?: string;
+  /** Test-only flag set by wrangler.test.toml for SDK E2E flows. */
+  EDGEBASE_TEST?: string;
+  /** Test-only flag that prefers the bundled test config at startup. */
+  EDGEBASE_USE_TEST_CONFIG?: string;
   // ─── Dev Mode ───
   /** Schema Editor sidecar port — set by CLI dev command via --var */

package/admin-build/_app/immutable/assets/TableSqlTab.BHquaMBM.css DELETED Viewed

@@ -1 +0,0 @@

- .sql-editor-wrap.svelte-392xt8{border:1px solid var(--color-border);border-radius:var(--radius-md);overflow:hidden}.sql-editor-wrap.svelte-392xt8 .cm-editor{min-height:120px}.sql-editor-wrap.svelte-392xt8 .cm-editor.cm-focused{border-color:var(--color-primary);box-shadow:0 0 0 2px color-mix(in srgb,var(--color-primary) 20%,transparent)}.table-sql.svelte-1syrthj{display:flex;flex-direction:column;gap:var(--space-4)}.table-sql__toolbar.svelte-1syrthj{display:flex;align-items:center;gap:var(--space-3);flex-wrap:wrap}.table-sql__target.svelte-1syrthj{display:inline-flex;align-items:center;gap:var(--space-2);padding:var(--space-2) var(--space-3);border:1px solid var(--color-border);border-radius:var(--radius-md);background:var(--color-bg-secondary);font-size:12px}.table-sql__target-label.svelte-1syrthj{color:var(--color-text-tertiary);text-transform:uppercase;letter-spacing:.04em}.table-sql__target.svelte-1syrthj code:where(.svelte-1syrthj){font-family:var(--font-mono);color:var(--color-text)}.table-sql__shortcut.svelte-1syrthj{font-size:12px;color:var(--color-text-tertiary);margin-left:auto}.table-sql__result-tabs.svelte-1syrthj{display:flex;flex-wrap:wrap;gap:var(--space-2)}.table-sql__result-tab.svelte-1syrthj{display:inline-flex;align-items:center;gap:var(--space-2);padding:var(--space-2) var(--space-3);border:1px solid var(--color-border);border-radius:var(--radius-md);background:var(--color-bg-secondary);color:var(--color-text-secondary);cursor:pointer}.table-sql__result-tab--active.svelte-1syrthj{border-color:var(--color-primary);color:var(--color-primary)}.table-sql__result-open.svelte-1syrthj{border:none;background:transparent;color:inherit;cursor:pointer;padding:0;font:inherit}.table-sql__result-close.svelte-1syrthj{border:none;background:transparent;color:inherit;cursor:pointer;padding:0;line-height:1}.table-sql__result-panel.svelte-1syrthj{border:1px solid var(--color-border);border-radius:var(--radius-md);padding:var(--space-4);background:var(--color-bg)}.table-sql__result-meta.svelte-1syrthj{margin-bottom:var(--space-3);font-size:12px;color:var(--color-text-secondary)}.table-sql__result-error.svelte-1syrthj{color:var(--color-danger, #ef4444)}.table-sql__error-block.svelte-1syrthj,.table-sql__empty.svelte-1syrthj{margin:0;padding:var(--space-4);border-radius:var(--radius-md);background:var(--color-bg-secondary);color:var(--color-text-secondary);font-size:13px}