@etus/bhono-app 0.1.5 → 0.1.7

package/templates/base/src/server/middleware/account.ts

@@ -1,10 +1,9 @@
 // src/middleware/account.ts
 import { createMiddleware } from 'hono/factory'
 import { HTTPException } from 'hono/http-exception'
-import { userAccounts } from '../db/schema'
-import { eq, and } from 'drizzle-orm'
 import type { HonoEnv } from '../types'
 import type { Role } from '../auth/roles'
+import { queryOne } from '../db/sql'
 
 export const accountMiddleware = createMiddleware<HonoEnv>(async (c, next) => {
   // Check account-id header (required)
@@ -36,21 +35,15 @@ export const accountMiddleware = createMiddleware<HonoEnv>(async (c, next) => {
 
   // Check user-account membership in database
   const db = c.get('db')
-  if (!db) {
+  const accountDb = c.env.DB ?? db
+  if (!accountDb) {
     throw new HTTPException(500, { message: 'Database not initialized' })
   }
-  const membershipResults = await db
-    .select()
-    .from(userAccounts)
-    .where(
-      and(
-        eq(userAccounts.userId, user.id),
-        eq(userAccounts.accountId, accountId)
-      )
-    )
-    .limit(1)
-
-  const membership = membershipResults.at(0)
+  const membership = await queryOne<{ role: Role }>(
+    accountDb,
+    `SELECT role FROM user_accounts WHERE user_id = ? AND account_id = ? LIMIT 1`,
+    [user.id, accountId]
+  )
   if (!membership) {
     throw new HTTPException(403, {
       message: 'Forbidden: User does not have access to this account',
@@ -59,7 +52,7 @@ export const accountMiddleware = createMiddleware<HonoEnv>(async (c, next) => {
 
   // Set accountId and userRole in context
   c.set('accountId', accountId)
-  c.set('userRole', membership.role as Role)
+  c.set('userRole', membership.role)
   c.set('isSystemAdminAccess', false)
 
   await next()

package/templates/base/src/server/middleware/auth.ts

@@ -2,10 +2,9 @@
 import { createMiddleware } from 'hono/factory'
 import { verify } from 'hono/jwt'
 import { HTTPException } from 'hono/http-exception'
-import { users } from '../db/schema'
-import { eq, and, isNull } from 'drizzle-orm'
 import type { HonoEnv } from '../types'
 import { getSession } from '../lib/session'
+import { queryOne, toStringValue, toNullableString, type SqlRow } from '../db/sql'
 
 interface JWTPayload {
   sub: string
@@ -14,6 +13,63 @@ interface JWTPayload {
   exp: number
 }
 
+
+const USER_SELECT_COLUMNS = `
+  id,
+  email,
+  name,
+  status,
+  provider_ids as providerIds,
+  is_super_admin as isSuperAdmin,
+  created_at as createdAt,
+  updated_at as updatedAt,
+  deleted_at as deletedAt
+`
+
+
+function parseProviderIds(value: unknown): string[] {
+  if (!value) return []
+  if (Array.isArray(value)) return value.map((item) => String(item))
+  if (typeof value === 'string') {
+    try {
+      const parsed = JSON.parse(value) as unknown
+      if (Array.isArray(parsed)) {
+        return parsed.map((item) => String(item))
+      }
+    } catch {
+      return []
+    }
+  }
+  return []
+}
+
+function toBoolean(value: unknown): boolean {
+  if (typeof value === 'boolean') return value
+  if (typeof value === 'number') return value !== 0
+  if (typeof value === 'string') return value === '1' || value.toLowerCase() === 'true'
+  return false
+}
+
+function mapUserRow(row: SqlRow) {
+  const providerIds = row.providerIds ?? row.provider_ids
+  const isSuperAdmin = row.isSuperAdmin ?? row.is_super_admin
+  const createdAt = row.createdAt ?? row.created_at
+  const updatedAt = row.updatedAt ?? row.updated_at
+  const deletedAt = row.deletedAt ?? row.deleted_at
+
+  return {
+    id: toStringValue(row.id),
+    email: toStringValue(row.email),
+    name: toStringValue(row.name),
+    status: row.status === 'inactive' ? 'inactive' : 'active',
+    providerIds: parseProviderIds(providerIds),
+    isSuperAdmin: toBoolean(isSuperAdmin),
+    createdAt: toStringValue(createdAt),
+    updatedAt: toStringValue(updatedAt),
+    deletedAt: toNullableString(deletedAt),
+  }
+}
+
 /**
  * Session-based authentication middleware
  * Validates session from cookie and loads user from database
@@ -29,23 +85,27 @@ export const sessionAuth = createMiddleware<HonoEnv>(async (c, next) => {
 
   // Look up user in database to ensure they still exist and are active
   const db = c.get('db')
-  if (!db) {
+  const authDb = c.env.DB ?? db
+  if (!authDb) {
     throw new HTTPException(500, { message: 'Database not initialized' })
   }
-  const userResults = await db
-    .select()
-    .from(users)
-    .where(and(eq(users.id, session.userId), isNull(users.deletedAt)))
-    .limit(1)
-
-  const user = userResults.at(0)
+  const user = await queryOne(
+    authDb,
+    `SELECT ${USER_SELECT_COLUMNS}
+     FROM users
+     WHERE id = ? AND deleted_at IS NULL
+     LIMIT 1`,
+    [session.userId]
+  )
   if (!user) {
     throw new HTTPException(401, {
       message: 'User not found',
     })
   }
 
-  if (user.status !== 'active') {
+  const mappedUser = mapUserRow(user)
+
+  if (mappedUser.status !== 'active') {
     throw new HTTPException(401, {
       message: 'User account is not active',
     })
@@ -53,15 +113,15 @@ export const sessionAuth = createMiddleware<HonoEnv>(async (c, next) => {
 
   // Set user in context
   c.set('user', {
-    id: user.id,
-    email: user.email,
-    name: user.name,
-    status: user.status,
-    providerIds: user.providerIds ?? [],
-    isSuperAdmin: user.isSuperAdmin,
-    createdAt: user.createdAt,
-    updatedAt: user.updatedAt,
-    deletedAt: user.deletedAt,
+    id: mappedUser.id,
+    email: mappedUser.email,
+    name: mappedUser.name,
+    status: mappedUser.status,
+    providerIds: mappedUser.providerIds,
+    isSuperAdmin: mappedUser.isSuperAdmin,
+    createdAt: mappedUser.createdAt,
+    updatedAt: mappedUser.updatedAt,
+    deletedAt: mappedUser.deletedAt,
   })
 
   await next()
@@ -107,23 +167,27 @@ export const jwtAuth = createMiddleware<HonoEnv>(async (c, next) => {
 
   // Look up user in database by ID (from sub claim)
   const db = c.get('db')
-  if (!db) {
+  const authDb = c.env.DB ?? db
+  if (!authDb) {
     throw new HTTPException(500, { message: 'Database not initialized' })
   }
-  const userResults = await db
-    .select()
-    .from(users)
-    .where(and(eq(users.id, payload.sub), isNull(users.deletedAt)))
-    .limit(1)
-
-  const user = userResults.at(0)
+  const user = await queryOne(
+    authDb,
+    `SELECT ${USER_SELECT_COLUMNS}
+     FROM users
+     WHERE id = ? AND deleted_at IS NULL
+     LIMIT 1`,
+    [payload.sub]
+  )
   if (!user) {
     throw new HTTPException(401, {
       message: 'User not found',
     })
   }
 
-  if (user.status !== 'active') {
+  const mappedUser = mapUserRow(user)
+
+  if (mappedUser.status !== 'active') {
     throw new HTTPException(401, {
       message: 'User account is not active',
     })
@@ -131,15 +195,15 @@ export const jwtAuth = createMiddleware<HonoEnv>(async (c, next) => {
 
   // Set user in context
   c.set('user', {
-    id: user.id,
-    email: user.email,
-    name: user.name,
-    status: user.status,
-    providerIds: user.providerIds ?? [],
-    isSuperAdmin: user.isSuperAdmin,
-    createdAt: user.createdAt,
-    updatedAt: user.updatedAt,
-    deletedAt: user.deletedAt,
+    id: mappedUser.id,
+    email: mappedUser.email,
+    name: mappedUser.name,
+    status: mappedUser.status,
+    providerIds: mappedUser.providerIds,
+    isSuperAdmin: mappedUser.isSuperAdmin,
+    createdAt: mappedUser.createdAt,
+    updatedAt: mappedUser.updatedAt,
+    deletedAt: mappedUser.deletedAt,
   })
 
   await next()

package/templates/base/src/server/middleware/rate-limit.ts

@@ -49,11 +49,8 @@ class RateLimitStore {
   private cleanupInterval: ReturnType<typeof setInterval> | null = null
   private lastCleanup = 0
 
-  constructor() {
-    // Don't use setInterval at construction time - Cloudflare Workers
-    // don't allow async I/O at global scope. Instead, we'll cleanup
-    // lazily during request processing.
-  }
+  // Note: Don't use setInterval at construction time - Cloudflare Workers
+  // don't allow async I/O at global scope. Instead, we cleanup lazily.
 
   /**
    * Start periodic cleanup (call from within a handler, not at global scope)
@@ -240,8 +237,13 @@ export function rateLimit(options: RateLimitOptions = {}) {
 export function authRateLimit() {
   return rateLimit({
     windowMs: 60000, // 1 minute
-    max: 10, // 10 requests per minute for auth endpoints
+    max: 10, // 10 requests per minute for login endpoints (brute force protection)
     message: 'Too many authentication attempts, please try again later',
+    // Use separate key prefix to not conflict with global rate limit
+    keyGenerator: (c) => {
+      const ip = c.get('ip') ?? c.req.header('x-forwarded-for')?.split(',')[0].trim() ?? 'unknown'
+      return `auth:${ip}` // Different prefix than global rate limit
+    },
   })
 }
 

package/templates/base/src/server/routes/accounts/handlers.ts

@@ -13,6 +13,7 @@ import type {
 export const listAccountsHandler: RouteHandler<typeof listAccountsRoute, HonoEnv> = async (c) => {
   const query = c.req.valid('query')
   const db = c.get('db')
+  const envDb = c.env.DB
   const accountId = c.get('accountId')
   const user = c.get('user')
   const transactionId = c.get('transactionId')
@@ -31,7 +32,8 @@ export const listAccountsHandler: RouteHandler<typeof listAccountsRoute, HonoEnv
     userAgent,
   }
 
-  const result = await accountsService.findAll(db, ctx, {
+  const accountsDb = envDb ?? db
+  const result = await accountsService.findAll(accountsDb, ctx, {
     page: query.page,
     limit: query.limit,
     sortBy: query.sortBy,
@@ -45,6 +47,7 @@ export const listAccountsHandler: RouteHandler<typeof listAccountsRoute, HonoEnv
 export const getAccountHandler: RouteHandler<typeof getAccountRoute, HonoEnv> = async (c) => {
   const { id } = c.req.valid('param')
   const db = c.get('db')
+  const envDb = c.env.DB
   const accountId = c.get('accountId')
   const user = c.get('user')
   const transactionId = c.get('transactionId')
@@ -63,13 +66,15 @@ export const getAccountHandler: RouteHandler<typeof getAccountRoute, HonoEnv> =
     userAgent,
   }
 
-  const account = await accountsService.findById(db, ctx, id)
+  const accountsDb = envDb ?? db
+  const account = await accountsService.findById(accountsDb, ctx, id)
   return c.json({ data: account }, 200)
 }
 
 export const createAccountHandler: RouteHandler<typeof createAccountRoute, HonoEnv> = async (c) => {
   const data = c.req.valid('json')
   const db = c.get('db')
+  const envDb = c.env.DB
   const accountId = c.get('accountId')
   const user = c.get('user')
   const transactionId = c.get('transactionId')
@@ -88,7 +93,8 @@ export const createAccountHandler: RouteHandler<typeof createAccountRoute, HonoE
     userAgent,
   }
 
-  const newAccount = await accountsService.create(db, ctx, {
+  const accountsDb = envDb ?? db
+  const newAccount = await accountsService.create(accountsDb, ctx, {
     name: data.name,
     description: data.description,
     domain: data.domain,
@@ -101,6 +107,7 @@ export const updateAccountHandler: RouteHandler<typeof updateAccountRoute, HonoE
   const { id } = c.req.valid('param')
   const data = c.req.valid('json')
   const db = c.get('db')
+  const envDb = c.env.DB
   const accountId = c.get('accountId')
   const user = c.get('user')
   const transactionId = c.get('transactionId')
@@ -119,7 +126,8 @@ export const updateAccountHandler: RouteHandler<typeof updateAccountRoute, HonoE
     userAgent,
   }
 
-  const updatedAccount = await accountsService.update(db, ctx, id, {
+  const accountsDb = envDb ?? db
+  const updatedAccount = await accountsService.update(accountsDb, ctx, id, {
     name: data.name,
     description: data.description,
     domain: data.domain,
@@ -131,6 +139,7 @@ export const updateAccountHandler: RouteHandler<typeof updateAccountRoute, HonoE
 export const deleteAccountHandler: RouteHandler<typeof deleteAccountRoute, HonoEnv> = async (c) => {
   const { id } = c.req.valid('param')
   const db = c.get('db')
+  const envDb = c.env.DB
   const accountId = c.get('accountId')
   const user = c.get('user')
   const transactionId = c.get('transactionId')
@@ -149,13 +158,15 @@ export const deleteAccountHandler: RouteHandler<typeof deleteAccountRoute, HonoE
     userAgent,
   }
 
-  await accountsService.delete(db, ctx, id)
+  const accountsDb = envDb ?? db
+  await accountsService.delete(accountsDb, ctx, id)
   return c.body(null, 204)
 }
 
 export const restoreAccountHandler: RouteHandler<typeof restoreAccountRoute, HonoEnv> = async (c) => {
   const { id } = c.req.valid('param')
   const db = c.get('db')
+  const envDb = c.env.DB
   const accountId = c.get('accountId')
   const user = c.get('user')
   const transactionId = c.get('transactionId')
@@ -174,6 +185,7 @@ export const restoreAccountHandler: RouteHandler<typeof restoreAccountRoute, Hon
     userAgent,
   }
 
-  const result = await accountsService.restore(db, ctx, id)
+  const accountsDb = envDb ?? db
+  const result = await accountsService.restore(accountsDb, ctx, id)
   return c.json({ data: result }, 200)
 }

package/templates/base/src/server/routes/audits/handlers.ts

@@ -7,6 +7,7 @@ import type { listAuditLogsRoute } from './routes'
 export const listAuditLogsHandler: RouteHandler<typeof listAuditLogsRoute, HonoEnv> = async (c) => {
   const query = c.req.valid('query')
   const db = c.get('db')
+  const envDb = c.env.DB
   const accountId = c.get('accountId')
   const user = c.get('user')
   const transactionId = c.get('transactionId')
@@ -25,7 +26,8 @@ export const listAuditLogsHandler: RouteHandler<typeof listAuditLogsRoute, HonoE
     userAgent,
   }
 
-  const result = await auditsService.findAll(db, ctx, {
+  const auditsDb = envDb ?? db
+  const result = await auditsService.findAll(auditsDb, ctx, {
     page: query.page,
     limit: query.limit,
     entity: query.entity,

package/templates/base/src/server/routes/auth/handlers.ts

@@ -64,9 +64,11 @@ export const callbackHandler: RouteHandler<typeof callbackRoute, HonoEnv> = asyn
   const { code, state } = c.req.valid('query')
   const ctx = getAuthContext(c)
 
-  if (!db) {
+  const authDb = env.DB ?? db
+  if (!authDb) {
     throw new HTTPException(500, { message: 'Database not initialized' })
   }
+  const inviteDb = authDb
 
   // Get stored OAuth state
   const oauthCookie = getCookie(c, 'oauth_state')
@@ -99,16 +101,16 @@ export const callbackHandler: RouteHandler<typeof callbackRoute, HonoEnv> = asyn
   const googleUser = decodeIdToken(tokens.id_token)
 
   // Find or create user
-  const result = await authService.findOrCreateUser(db, env, googleUser, ctx)
+  const result = await authService.findOrCreateUser(authDb, env, googleUser, ctx)
 
   // Check for pending invitation
   const pendingInvitation = getCookie(c, 'pending_invitation')
   if (pendingInvitation) {
     deleteCookie(c, 'pending_invitation')
 
-    const invitation = await invitationsService.getByToken(db, pendingInvitation)
+    const invitation = await invitationsService.getByToken(inviteDb, pendingInvitation)
     if (invitation) {
-      await invitationsService.accept(db, invitation.id, result.user.id, ctx)
+      await invitationsService.accept(inviteDb, invitation.id, result.user.id, ctx)
     }
   }
 
@@ -131,9 +133,10 @@ export const callbackHandler: RouteHandler<typeof callbackRoute, HonoEnv> = asyn
 export const refreshHandler: RouteHandler<typeof refreshRoute, HonoEnv> = async (c) => {
   const db = c.get('db')
   const env = c.env
+  const authDb = env.DB ?? db
   const refreshToken = getCookie(c, 'refresh_token')
 
-  if (!db) {
+  if (!db || !authDb) {
     throw new HTTPException(500, { message: 'Database not initialized' })
   }
 
@@ -142,24 +145,25 @@ export const refreshHandler: RouteHandler<typeof refreshRoute, HonoEnv> = async
   }
 
   const ctx = getAuthContext(c)
-  const tokens = await authService.refreshAccessToken(db, env, refreshToken, ctx)
+  const tokens = await authService.refreshAccessToken(authDb, env, refreshToken, ctx)
 
   return c.json({ tokens }, 200)
 }
 
 export const logoutHandler: RouteHandler<typeof logoutRoute, HonoEnv> = async (c) => {
   const db = c.get('db')
+  const authDb = c.env.DB ?? db
   const ctx = getAuthContext(c)
   const session = getSession(c)
 
-  if (!db) {
+  if (!db || !authDb) {
     throw new HTTPException(500, { message: 'Database not initialized' })
   }
 
   // Log logout event if we have a session
   if (session) {
     const { logAuthEvent } = await import('../../lib/audit')
-    await logAuthEvent(db, ctx, 'LOGOUT', session.userId, {})
+    await logAuthEvent(authDb, ctx, 'LOGOUT', session.userId, {})
   }
 
   // Destroy session (removes from KV and clears cookie)
@@ -195,14 +199,15 @@ export const inviteHandler: RouteHandler<typeof inviteRoute, HonoEnv> = async (c
   const env = c.env
   const { token } = c.req.valid('param')
 
-  if (!db) {
+  const inviteDb = env.DB ?? db
+  if (!inviteDb) {
     throw new HTTPException(500, { message: 'Database not initialized' })
   }
 
   const isProduction = env.ENVIRONMENT === 'production'
 
   // Validate invitation
-  const invitation = await invitationsService.getByToken(db, token)
+  const invitation = await invitationsService.getByToken(inviteDb, token)
 
   if (!invitation) {
     throw new HTTPException(400, { message: 'Invalid or expired invitation' })

package/templates/base/src/server/routes/auth/test-login.ts

@@ -1,9 +1,9 @@
 // src/server/routes/auth/test-login.ts
 import type { RouteHandler } from '@hono/zod-openapi'
 import { createRoute, z } from '@hono/zod-openapi'
-import { eq } from 'drizzle-orm'
 import { HTTPException } from 'hono/http-exception'
-import { users, accounts, userAccounts, type UserRecord } from '../../db/schema'
+import { execute, queryOne, toStringValue, toNullableString, type SqlRow } from '../../db/sql'
+import type { UserRecord } from '../../db/records'
 import { createSession } from '../../lib/session'
 import type { HonoEnv } from '../../types'
 
@@ -12,6 +12,42 @@ const TestLoginSchema = z.object({
   name: z.string().optional(),
 })
 
+const USER_SELECT_COLUMNS = `
+  id,
+  google_id as googleId,
+  email,
+  name,
+  avatar_url as avatarUrl,
+  status,
+  is_super_admin as isSuperAdmin,
+  created_at as createdAt,
+  updated_at as updatedAt,
+  deleted_at as deletedAt
+`
+
+function toBoolean(value: unknown): boolean {
+  if (typeof value === 'boolean') return value
+  if (typeof value === 'number') return value !== 0
+  if (typeof value === 'string') return value === '1' || value.toLowerCase() === 'true'
+  return false
+}
+
+function mapUserRow(row: SqlRow): UserRecord {
+  return {
+    id: toStringValue(row.id),
+    googleId: toStringValue(row.googleId ?? row.google_id),
+    email: toStringValue(row.email),
+    name: toStringValue(row.name),
+    avatarUrl: toNullableString(row.avatarUrl),
+    status: row.status === 'inactive' ? 'inactive' : 'active',
+    providerIds: [],
+    isSuperAdmin: toBoolean(row.isSuperAdmin ?? row.is_super_admin),
+    createdAt: toStringValue(row.createdAt ?? row.created_at),
+    updatedAt: toStringValue(row.updatedAt ?? row.updated_at),
+    deletedAt: toNullableString(row.deletedAt),
+  }
+}
+
 export const testLoginRoute = createRoute({
   method: 'post',
   path: '/test-login',
@@ -61,20 +97,23 @@ export const testLoginHandler: RouteHandler<typeof testLoginRoute, HonoEnv> = as
   }
 
   const { email, name } = c.req.valid('json')
-  const db = c.get('db')
+  const db = c.env.DB ?? c.get('db')
 
   if (!db) {
     throw new Error('Database not initialized')
   }
 
   // Find or create user
-  const existingUsers = await db
-    .select()
-    .from(users)
-    .where(eq(users.email, email))
-    .limit(1)
+  const existingUser = await queryOne(
+    db,
+    `SELECT ${USER_SELECT_COLUMNS}
+     FROM users
+     WHERE email = ? AND deleted_at IS NULL
+     LIMIT 1`,
+    [email]
+  )
 
-  let user: UserRecord | undefined = existingUsers.at(0)
+  let user: UserRecord | undefined = existingUser ? mapUserRow(existingUser) : undefined
   let defaultAccountId: string | null = null
 
   if (user === undefined) {
@@ -82,49 +121,64 @@ export const testLoginHandler: RouteHandler<typeof testLoginRoute, HonoEnv> = as
     const userId = crypto.randomUUID()
     const now = new Date().toISOString()
 
-    await db.insert(users).values({
-      id: userId,
-      email,
-      name: name ?? 'E2E Test User',
-      googleId: `test-${userId}`,
-      status: 'active',
-      createdAt: now,
-      updatedAt: now,
-    })
-
-    const createdUsers = await db
-      .select()
-      .from(users)
-      .where(eq(users.id, userId))
-      .limit(1)
-
-    user = createdUsers.at(0)
+    await execute(
+      db,
+      `INSERT INTO users (
+        id,
+        email,
+        name,
+        google_id,
+        status,
+        is_super_admin,
+        created_at,
+        updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+      [
+        userId,
+        email,
+        name ?? 'E2E Test User',
+        `test-${userId}`,
+        'active',
+        0,
+        now,
+        now,
+      ]
+    )
+
+    const createdUser = await queryOne(
+      db,
+      `SELECT ${USER_SELECT_COLUMNS}
+       FROM users
+       WHERE id = ?
+       LIMIT 1`,
+      [userId]
+    )
+
+    user = createdUser ? mapUserRow(createdUser) : undefined
 
     // Create a default account for the user
     defaultAccountId = crypto.randomUUID()
-    await db.insert(accounts).values({
-      id: defaultAccountId,
-      name: `${name ?? 'Test'}'s Workspace`,
-      createdAt: now,
-      updatedAt: now,
-    })
+    await execute(
+      db,
+      `INSERT INTO accounts (id, name, created_at, updated_at) VALUES (?, ?, ?, ?)`,
+      [defaultAccountId, `${name ?? 'Test'}'s Workspace`, now, now]
+    )
 
     // Link user to account as ADMIN
-    await db.insert(userAccounts).values({
-      userId,
-      accountId: defaultAccountId,
-      role: 'ADMIN',
-    })
+    await execute(
+      db,
+      `INSERT INTO user_accounts (user_id, account_id, role) VALUES (?, ?, ?)`,
+      [userId, defaultAccountId, 'ADMIN']
+    )
   } else {
     // Get the user's first account
-    const userAccountResults = await db
-      .select()
-      .from(userAccounts)
-      .where(eq(userAccounts.userId, user.id))
-      .limit(1)
-
-    const userAccount = userAccountResults.at(0)
-    if (userAccount !== undefined) {
+    const userAccount = await queryOne<{ accountId: string }>(
+      db,
+      `SELECT account_id as accountId FROM user_accounts WHERE user_id = ? LIMIT 1`,
+      [user.id]
+    )
+
+    if (userAccount?.accountId) {
       defaultAccountId = userAccount.accountId
     }
   }