@glw907/cairn-cms 0.3.0 → 0.4.0

package/src/lib/auth/schema.ts

@@ -0,0 +1,112 @@
+import { relations, sql } from "drizzle-orm";
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+
+export const user = sqliteTable("user", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  email: text("email").notNull().unique(),
+  emailVerified: integer("email_verified", { mode: "boolean" })
+    .default(false)
+    .notNull(),
+  image: text("image"),
+  createdAt: integer("created_at", { mode: "timestamp_ms" })
+    .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+    .notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+    .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+    .$onUpdate(() => /* @__PURE__ */ new Date())
+    .notNull(),
+  role: text("role"),
+  banned: integer("banned", { mode: "boolean" }).default(false),
+  banReason: text("ban_reason"),
+  banExpires: integer("ban_expires", { mode: "timestamp_ms" }),
+});
+
+export const session = sqliteTable(
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    impersonatedBy: text("impersonated_by"),
+  },
+  (table) => [index("session_userId_idx").on(table.userId)],
+);
+
+export const account = sqliteTable(
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: integer("access_token_expires_at", {
+      mode: "timestamp_ms",
+    }),
+    refreshTokenExpiresAt: integer("refresh_token_expires_at", {
+      mode: "timestamp_ms",
+    }),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("account_userId_idx").on(table.userId)],
+);
+
+export const verification = sqliteTable(
+  "verification",
+  {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("verification_identifier_idx").on(table.identifier)],
+);
+
+export const userRelations = relations(user, ({ many }) => ({
+  sessions: many(session),
+  accounts: many(account),
+}));
+
+export const sessionRelations = relations(session, ({ one }) => ({
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id],
+  }),
+}));
+
+export const accountRelations = relations(account, ({ one }) => ({
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id],
+  }),
+}));

package/src/lib/components/AdminLayout.svelte

@@ -7,13 +7,13 @@
   // (the login page lives under this layout) it falls back to a minimal centered shell.
   // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
   import type { Snippet } from 'svelte';
-  import type { Editor } from '../auth';
+  import type { CairnUser } from '../auth';
 
   let {
     data,
     children,
   }: {
-    data: { siteName: string; editor: Editor | null; pathname: string };
+    data: { siteName: string; user: CairnUser | null; pathname: string };
     children: Snippet;
   } = $props();
 
@@ -41,7 +41,7 @@
       active: data.pathname.startsWith('/admin/admins'),
     },
   ]);
-  const visibleNav = $derived(nav.filter((item) => !item.owner || data.editor?.role === 'owner'));
+  const visibleNav = $derived(nav.filter((item) => !item.owner || data.user?.role === 'owner'));
 
   // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
   function closeDrawer(): void {
@@ -68,7 +68,7 @@
   <meta name="robots" content="noindex, nofollow" />
 </svelte:head>
 
-{#if data.editor}
+{#if data.user}
   <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
     <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
 
@@ -111,8 +111,8 @@
         </ul>
 
         <div class="border-t border-base-300 p-4">
-          <p class="text-sm font-medium">{data.editor.name}</p>
-          <p class="text-xs opacity-60">{data.editor.email}</p>
+          <p class="text-sm font-medium">{data.user.name}</p>
+          <p class="text-xs opacity-60">{data.user.email}</p>
           <form method="POST" action="/admin/auth/logout" class="mt-3">
             <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
           </form>

package/src/lib/components/ConfirmPage.svelte

@@ -0,0 +1,31 @@
+<script lang="ts">
+  // The scanner-safe confirm surface (C2). A GET renders this static page — nothing is consumed.
+  // The token rides in a hidden field; only the explicit form POST (the route's default action →
+  // confirmSignIn) verifies it. Mail scanners GET URLs but don't submit forms, so prefetch can't
+  // burn the link. JS-free by design.
+  interface Props {
+    data: { token: string; siteName: string; error: string | null };
+  }
+  let { data }: Props = $props();
+</script>
+
+<svelte:head>
+  <title>Confirm sign-in · {data.siteName} CMS</title>
+</svelte:head>
+
+<div class="mx-auto mt-16 max-w-md rounded-box border border-base-300 bg-base-100 p-8">
+  <h1 class="text-2xl font-bold">Confirm sign-in</h1>
+  <p class="mt-1 text-sm opacity-70">to {data.siteName} CMS</p>
+
+  {#if data.error || !data.token}
+    <div class="alert alert-error mt-6">
+      <span>This sign-in link is invalid or expired. Request a new one.</span>
+    </div>
+    <a href="/admin/login" class="btn btn-primary mt-6">Back to sign-in</a>
+  {:else}
+    <form method="POST" class="mt-6 flex flex-col gap-3">
+      <input type="hidden" name="token" value={data.token} />
+      <button type="submit" class="btn btn-primary">Confirm sign-in</button>
+    </form>
+  {/if}
+</div>

package/src/lib/components/LoginPage.svelte

@@ -1,17 +1,33 @@
 <script lang="ts">
-  // The magic-link sign-in page. Posts the email to /admin/auth/request; `sent`/`error` come
-  // from `loginLoad` (querystring) merged with `adminLayoutLoad` (siteName).
+  // The magic-link sign-in page. Requests a link via the better-auth client (client-side, same
+  // origin). To avoid enumeration the UI shows the SAME neutral copy whether or not the email is
+  // on the allowlist — the server only emails actual editors (see auth/config.ts send gate).
+  import { createAuthClient } from 'better-auth/svelte';
+  import { magicLinkClient } from 'better-auth/client/plugins';
+
+  // The browser client lives in the one component that needs it (requesting a link). Sign-out
+  // and editor management go through server endpoints, so no shared client module is needed —
+  // and a component-local const keeps better-auth's deep client types out of the packaged .d.ts.
+  const authClient = createAuthClient({ plugins: [magicLinkClient()] });
+
   interface Props {
-    data: { siteName: string; sent: boolean; error: string | null };
+    data: { siteName: string };
   }
   let { data }: Props = $props();
 
-  const errorMessages: Record<string, string> = {
-    invalid: 'Please enter a valid email address.',
-    denied: 'That email is not on the editor allowlist.',
-    expired: 'That sign-in link has expired or was already used. Request a new one.',
-    config: 'Sign-in is not configured. Contact the site admin.',
-  };
+  let email = $state('');
+  let requested = $state(false);
+  let busy = $state(false);
+
+  async function request(event: SubmitEvent) {
+    event.preventDefault();
+    busy = true;
+    // The magic-link email points at our /admin/auth/confirm page (built in config.ts), not a
+    // GET-verify URL — so the result is the same regardless of allowlist membership.
+    await authClient.signIn.magicLink({ email });
+    busy = false;
+    requested = true;
+  }
 </script>
 
 <svelte:head>
@@ -22,26 +38,27 @@
   <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
   <p class="mt-1 text-sm opacity-70">Sign in with your editor email.</p>
 
-  {#if data.sent}
+  {#if requested}
     <div class="alert alert-success mt-6">
-      <span>Check your inbox — a sign-in link is on its way. It expires in 10 minutes.</span>
+      <span>
+        If that address is on the editor list, a sign-in link is on its way. It expires in 10
+        minutes.
+      </span>
     </div>
   {:else}
-    {#if data.error}
-      <div class="alert alert-error mt-6">
-        <span>{errorMessages[data.error] ?? 'Something went wrong. Try again.'}</span>
-      </div>
-    {/if}
-    <form method="POST" action="/admin/auth/request" class="mt-6 flex flex-col gap-3">
+    <form onsubmit={request} class="mt-6 flex flex-col gap-3">
       <input
         type="email"
         name="email"
+        bind:value={email}
         required
         autocomplete="email"
         placeholder="you@example.com"
         class="input w-full"
       />
-      <button type="submit" class="btn btn-primary">Email me a sign-in link</button>
+      <button type="submit" class="btn btn-primary" disabled={busy}>
+        {busy ? 'Sending…' : 'Email me a sign-in link'}
+      </button>
     </form>
   {/if}
 </div>

package/src/lib/components/ManageAdmins.svelte

@@ -3,7 +3,7 @@
   // ones. Reuses the same neutral DaisyUI chrome as the rest of the admin (panels, alerts,
   // table, buttons). Data comes from `adminsLoad` merged with `adminLayoutLoad` (siteName);
   // mutations post to the page's named form actions (`?/add`, `?/remove`, `?/setRole`).
-  import type { AdminsData } from '../sveltekit';
+  import type { AdminsData } from '../auth';
 
   interface Props {
     data: AdminsData & { siteName: string };

package/src/lib/components/index.ts

@@ -3,5 +3,6 @@
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
+export { default as ConfirmPage } from './ConfirmPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
 export { default as ManageAdmins } from './ManageAdmins.svelte';

package/src/lib/email.ts

@@ -25,11 +25,18 @@ export async function sendMagicLink(
   from: string,
 ): Promise<void> {
   const expiry = "This link expires in 10 minutes and works only once. If you didn't request it, ignore this email.";
-  await sender.send({
-    to,
-    from,
-    subject: `Your ${siteName} sign-in link`,
-    text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
-    html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Sign in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
-  });
+  try {
+    await sender.send({
+      to,
+      from,
+      subject: `Your ${siteName} sign-in link`,
+      text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
+      html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Confirm sign-in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
+    });
+  } catch (err) {
+    // H6: Email Sending is beta + the sole auth channel. Surface + audit; a Resend fallback
+    // can slot in behind this same signature if Sending proves unreliable.
+    console.error(`magic-link email send failed for ${to}:`, err);
+    throw err;
+  }
 }

package/src/lib/index.ts

@@ -1,5 +1,5 @@
-// cairn-cms public API. Consumers import everything from 'cairn-cms'.
-export * from './auth';
+// cairn-cms public API. Consumers import content/email/github/adapter from 'cairn-cms';
+// auth (better-auth factory, guards, manage-editors) lives at the 'cairn-cms/auth' subpath.
 export * from './email';
 export * from './github';
 export * from './carta';