@goscribe/server 1.0.2 → 1.0.4

package/dist/routers/workspace.js

@@ -1,45 +1,144 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.workspace = void 0;
-const zod_1 = require("zod");
-const trpc_1 = require("../trpc");
-exports.workspace = (0, trpc_1.router)({
+import { z } from 'zod';
+import { router, authedProcedure } from '../trpc.js';
+import { bucket } from '../lib/storage.js';
+export const workspace = router({
     // Mutation with Zod input
-    list: trpc_1.publicProcedure
+    list: authedProcedure
         .query(async ({ ctx, input }) => {
+        const workspaces = await ctx.db.workspace.findMany({
+            where: {
+                ownerId: ctx.session?.user.id,
+            },
+        });
+        return workspaces;
     }),
-    create: trpc_1.publicProcedure
-        .input(zod_1.z.object({}))
-        .mutation(({ input }) => {
+    create: authedProcedure
+        .input(z.object({
+        name: z.string().min(1).max(100),
+        description: z.string().max(500).optional(),
+    }))
+        .mutation(({ ctx, input }) => {
+        return ctx.db.workspace.create({
+            data: {
+                title: input.name,
+                description: input.description,
+                ownerId: ctx.session?.user.id,
+            },
+        });
     }),
-    get: trpc_1.publicProcedure
-        .input(zod_1.z.object({
-        id: zod_1.z.string().uuid(),
+    get: authedProcedure
+        .input(z.object({
+        id: z.string().uuid(),
     }))
-        .query(({ input }) => {
+        .query(({ ctx, input }) => {
+        return ctx.db.workspace.findUnique({
+            where: {
+                id: input.id,
+            },
+        });
     }),
-    update: trpc_1.publicProcedure
-        .input(zod_1.z.object({
-        id: zod_1.z.string().uuid(),
+    update: authedProcedure
+        .input(z.object({
+        id: z.string().uuid(),
+        name: z.string().min(1).max(100).optional(),
+        description: z.string().max(500).optional(),
     }))
-        .mutation(({ input }) => {
+        .mutation(({ ctx, input }) => {
+        return ctx.db.workspace.update({
+            where: {
+                id: input.id,
+            },
+            data: {
+                title: input.name,
+                description: input.description,
+            },
+        });
     }),
-    delete: trpc_1.publicProcedure
-        .input(zod_1.z.object({
-        id: zod_1.z.string().uuid(),
+    delete: authedProcedure
+        .input(z.object({
+        id: z.string().uuid(),
     }))
-        .mutation(({ input }) => {
+        .mutation(({ ctx, input }) => {
+        ctx.db.workspace.delete({
+            where: {
+                id: input.id,
+            },
+        });
+        return true;
     }),
-    upload: trpc_1.publicProcedure
-        .input(zod_1.z.object({
-        file: zod_1.z.string(),
+    uploadFiles: authedProcedure
+        .input(z.object({
+        id: z.string().uuid(),
+        files: z.array(z.object({
+            filename: z.string().min(1).max(255),
+            contentType: z.string().min(1).max(100),
+            size: z.number().min(1), // size in bytes
+        })),
     }))
-        .mutation(({ input }) => {
+        .mutation(async ({ ctx, input }) => {
+        const results = [];
+        for (const file of input.files) {
+            // 1. Insert into DB
+            const record = await ctx.db.fileAsset.create({
+                data: {
+                    userId: ctx.session.user.id,
+                    name: file.filename,
+                    mimeType: file.contentType,
+                    size: file.size,
+                    workspaceId: input.id,
+                },
+            });
+            // 2. Generate signed URL for direct upload
+            const [url] = await bucket
+                .file(`${ctx.session.user.id}/${record.id}-${file.filename}`)
+                .getSignedUrl({
+                action: "write",
+                expires: Date.now() + 5 * 60 * 1000, // 5 min
+                contentType: file.contentType,
+            });
+            // 3. Update record with bucket info
+            await ctx.db.fileAsset.update({
+                where: { id: record.id },
+                data: {
+                    bucket: bucket.name,
+                    objectKey: `${ctx.session.user.id}/${record.id}-${file.filename}`,
+                },
+            });
+            results.push({
+                fileId: record.id,
+                uploadUrl: url,
+            });
+        }
+        return results;
     }),
-    deleteFile: trpc_1.publicProcedure
-        .input(zod_1.z.object({
-        fileId: zod_1.z.string().uuid(),
+    deleteFiles: authedProcedure
+        .input(z.object({
+        fileId: z.array(z.string().uuid()),
+        id: z.string().uuid(),
     }))
-        .mutation(({ input }) => {
+        .mutation(({ ctx, input }) => {
+        const files = ctx.db.fileAsset.findMany({
+            where: {
+                id: { in: input.fileId },
+                workspaceId: input.id,
+            },
+        });
+        // Delete from GCS
+        files.then((fileRecords) => {
+            fileRecords.forEach((file) => {
+                if (file.bucket && file.objectKey) {
+                    const gcsFile = bucket.file(file.objectKey);
+                    gcsFile.delete({ ignoreNotFound: true }).catch((err) => {
+                        console.error(`Error deleting file ${file.objectKey} from bucket ${file.bucket}:`, err);
+                    });
+                }
+            });
+        });
+        return ctx.db.fileAsset.deleteMany({
+            where: {
+                id: { in: input.fileId },
+                workspaceId: input.id,
+            },
+        });
     }),
 });

package/dist/server.d.ts

@@ -1,2 +1 @@
 export {};
-//# sourceMappingURL=server.d.ts.map

package/dist/server.js

@@ -1,68 +1,31 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const express_1 = __importDefault(require("express"));
-const cors_1 = __importDefault(require("cors"));
-const helmet_1 = __importDefault(require("helmet"));
-const morgan_1 = __importDefault(require("morgan"));
-const compression_1 = __importDefault(require("compression"));
-const trpcExpress = __importStar(require("@trpc/server/adapters/express"));
-const auth_1 = require("./lib/auth");
-const _app_1 = require("./routers/_app");
-const context_1 = require("./context");
+import express from 'express';
+import cors from 'cors';
+import helmet from 'helmet';
+import morgan from 'morgan';
+import compression from 'compression';
+import * as trpcExpress from '@trpc/server/adapters/express';
+import { appRouter } from './routers/_app.js';
+import { createContext } from './context.js';
 const PORT = process.env.PORT ? Number(process.env.PORT) : 3001;
 async function main() {
-    const app = (0, express_1.default)();
+    const app = express();
     // Middlewares
-    app.use((0, helmet_1.default)());
-    app.use((0, cors_1.default)({ origin: true, credentials: true }));
-    app.use((0, morgan_1.default)('dev'));
-    app.use((0, compression_1.default)());
-    app.use(express_1.default.json());
-    app.use("/auth", auth_1.authRouter); // Auth routes live under /auth/*
+    app.use(helmet());
+    app.use(cors({
+        origin: "http://localhost:3000", // your Next.js dev URL
+        credentials: true, // allow cookies
+    }));
+    app.use(morgan('dev'));
+    app.use(compression());
+    app.use(express.json());
     // Health (plain Express)
     app.get('/', (_req, res) => {
         res.json({ ok: true, service: 'trpc-express', ts: Date.now() });
     });
     // tRPC mounted under /trpc
     app.use('/trpc', trpcExpress.createExpressMiddleware({
-        router: _app_1.appRouter,
-        createContext: context_1.createContext,
+        router: appRouter,
+        createContext,
     }));
     app.listen(PORT, () => {
         console.log(`✅ Server ready on http://localhost:${PORT}`);

package/dist/trpc.d.ts

@@ -1,41 +1,42 @@
 export declare const router: import("@trpc/server").TRPCRouterBuilder<{
     ctx: {
-        db: import("src/generated/prisma").PrismaClient<import("src/generated/prisma").Prisma.PrismaClientOptions, never, import("src/generated/prisma/runtime/library").DefaultArgs>;
+        db: import("@prisma/client").PrismaClient<import("@prisma/client").Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/library").DefaultArgs>;
         session: any;
         req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
         res: import("express").Response<any, Record<string, any>>;
+        cookies: Record<string, string | undefined>;
     };
     meta: object;
     errorShape: import("@trpc/server").TRPCDefaultErrorShape;
     transformer: true;
 }>;
 export declare const middleware: <$ContextOverrides>(fn: import("@trpc/server").TRPCMiddlewareFunction<{
-    db: import("src/generated/prisma").PrismaClient<import("src/generated/prisma").Prisma.PrismaClientOptions, never, import("src/generated/prisma/runtime/library").DefaultArgs>;
+    db: import("@prisma/client").PrismaClient<import("@prisma/client").Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/library").DefaultArgs>;
     session: any;
     req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
     res: import("express").Response<any, Record<string, any>>;
+    cookies: Record<string, string | undefined>;
 }, object, object, $ContextOverrides, unknown>) => import("@trpc/server").TRPCMiddlewareBuilder<{
-    db: import("src/generated/prisma").PrismaClient<import("src/generated/prisma").Prisma.PrismaClientOptions, never, import("src/generated/prisma/runtime/library").DefaultArgs>;
+    db: import("@prisma/client").PrismaClient<import("@prisma/client").Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/library").DefaultArgs>;
     session: any;
     req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
     res: import("express").Response<any, Record<string, any>>;
+    cookies: Record<string, string | undefined>;
 }, object, $ContextOverrides, unknown>;
 export declare const publicProcedure: import("@trpc/server").TRPCProcedureBuilder<{
-    db: import("src/generated/prisma").PrismaClient<import("src/generated/prisma").Prisma.PrismaClientOptions, never, import("src/generated/prisma/runtime/library").DefaultArgs>;
+    db: import("@prisma/client").PrismaClient<import("@prisma/client").Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/library").DefaultArgs>;
     session: any;
     req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
     res: import("express").Response<any, Record<string, any>>;
+    cookies: Record<string, string | undefined>;
 }, object, object, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, false>;
 /** Exported authed procedure */
 export declare const authedProcedure: import("@trpc/server").TRPCProcedureBuilder<{
-    db: import("src/generated/prisma").PrismaClient<import("src/generated/prisma").Prisma.PrismaClientOptions, never, import("src/generated/prisma/runtime/library").DefaultArgs>;
+    db: import("@prisma/client").PrismaClient<import("@prisma/client").Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/library").DefaultArgs>;
     session: any;
     req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
     res: import("express").Response<any, Record<string, any>>;
+    cookies: Record<string, string | undefined>;
 }, object, {
-    req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
-    res: import("express").Response<any, Record<string, any>>;
-    db: import("src/generated/prisma").PrismaClient<import("src/generated/prisma").Prisma.PrismaClientOptions, never, import("src/generated/prisma/runtime/library").DefaultArgs>;
     session: any;
 }, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, false>;
-//# sourceMappingURL=trpc.d.ts.map

package/dist/trpc.js

@@ -1,38 +1,25 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.authedProcedure = exports.publicProcedure = exports.middleware = exports.router = void 0;
-const server_1 = require("@trpc/server");
-const superjson_1 = __importDefault(require("superjson"));
-const t = server_1.initTRPC.context().create({
-    transformer: superjson_1.default,
+import { initTRPC, TRPCError } from "@trpc/server";
+import superjson from "superjson";
+const t = initTRPC.context().create({
+    transformer: superjson,
     errorFormatter({ shape }) {
         return shape;
     },
 });
-exports.router = t.router;
-exports.middleware = t.middleware;
-exports.publicProcedure = t.procedure;
+export const router = t.router;
+export const middleware = t.middleware;
+export const publicProcedure = t.procedure;
 /** Middleware that enforces authentication */
-const isAuthed = (0, exports.middleware)(({ ctx, next }) => {
-    if (!ctx.session?.user?.id) {
-        throw new server_1.TRPCError({ code: "UNAUTHORIZED" });
+const isAuthed = middleware(({ ctx, next }) => {
+    const hasUser = Boolean(ctx.session?.user?.id);
+    if (!ctx.session || !hasUser) {
+        throw new TRPCError({ code: "UNAUTHORIZED" });
     }
     return next({
         ctx: {
-            ...ctx,
-            // refine ctx: session is guaranteed, user.id is string
-            session: {
-                ...ctx.session,
-                user: {
-                    ...ctx.session.user,
-                    id: ctx.session.user.id, // typed non-null
-                },
-            },
+            session: ctx.session,
         },
     });
 });
 /** Exported authed procedure */
-exports.authedProcedure = exports.publicProcedure.use(isAuthed);
+export const authedProcedure = publicProcedure.use(isAuthed);

package/package.json

@@ -1,9 +1,10 @@
 {
   "name": "@goscribe/server",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "type": "module",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
@@ -12,18 +13,21 @@
   },
   "scripts": {
     "dev": "ts-node-dev --respawn --transpile-only src/server.ts",
-    "build": "tsc -p .",
-    "start": "node dist/server.js"
+    "build": "npx prisma generate && tsc -p .",
+    "start": "node --experimental-specifier-resolution=node dist/server.js"
   },
   "author": "",
   "license": "MIT",
   "dependencies": {
     "@auth/express": "^0.11.0",
     "@auth/prisma-adapter": "^2.10.0",
+    "@google-cloud/storage": "^7.17.0",
     "@prisma/client": "^6.14.0",
     "@trpc/server": "^11.5.0",
+    "@types/cookie": "^1.0.0",
     "bcryptjs": "^3.0.2",
     "compression": "^1.8.1",
+    "cookie": "^1.0.2",
     "cors": "^2.8.5",
     "express": "^5.1.0",
     "helmet": "^8.1.0",
@@ -40,6 +44,9 @@
     "@types/node": "^24.3.0",
     "ts-node": "^10.9.2",
     "ts-node-dev": "^2.0.0",
-    "typescript": "^5.9.2"
+    "tsc-alias": "^1.8.16",
+    "tsc-esm-fix": "^3.1.2",
+    "typescript": "^5.9.2",
+    "typescript-transform-paths": "^3.5.5"
   }
 }

package/prisma/schema.prisma

@@ -1,12 +1,12 @@
 
 generator client {
   provider = "prisma-client-js"
-  output   = "../src/generated/prisma"
 }
 
 datasource db {
   provider = "postgresql"
   url      = env("DATABASE_URL")
+  directUrl = env("DIRECT_URL") // for shadow db in migrations
 }
 
 //
@@ -36,6 +36,7 @@ model User {
   emailVerified DateTime?
   passwordHash  String?   // for credentials login
   image         String?
+  session       Session[]
 
   // Ownership
   folders       Folder[]          @relation("UserFolders")
@@ -44,30 +45,15 @@ model User {
   artifacts     Artifact[]        @relation("UserArtifacts")
   versions      ArtifactVersion[] @relation("UserArtifactVersions")
 
-  accounts      Account[]
-
   createdAt     DateTime  @default(now())
   updatedAt     DateTime  @updatedAt
 }
 
-model Account {
-  id                String  @id @default(cuid())
-  userId            String
-  type              String
-  provider          String
-  providerAccountId String
-
-  refresh_token     String?
-  access_token      String?
-  expires_at        Int?
-  token_type        String?
-  scope             String?
-  id_token          String?
-  session_state     String?
-
-  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
-
-  @@unique([provider, providerAccountId])
+model Session {
+  id String @id @default(cuid())
+  userId String
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+  expires DateTime
 }
 
 model VerificationToken {

package/src/context.ts

@@ -1,11 +1,19 @@
 // src/server/trpc/context.ts
 import type { CreateExpressContextOptions } from "@trpc/server/adapters/express";
-import { prisma } from "./lib/prisma";
+import { prisma } from "./lib/prisma.js";
+import { verifyCustomAuthCookie } from "./lib/auth.js";
+import cookie from "cookie";
 
 export async function createContext({ req, res }: CreateExpressContextOptions) {
-  const session = (req as any).auth ?? null;
-  
-  return { db: prisma, session, req, res };
+  const cookies = cookie.parse(req.headers.cookie ?? "");
+
+  // Only use custom auth cookie
+  const custom = verifyCustomAuthCookie(cookies["auth_token"]);
+  if (custom) {
+    return { db: prisma, session: { user: { id: custom.userId } } as any, req, res, cookies };
+  }
+
+  return { db: prisma, session: null, req, res, cookies };
 }
 
 export type Context = Awaited<ReturnType<typeof createContext>>;

package/src/index.ts

@@ -1,3 +1,3 @@
-export type { AppRouter } from "./routers/_app";
-export type { RouterInputs } from "./routers/_app";
-export type { RouterOutputs } from "./routers/_app";
+export type { AppRouter } from "./routers/_app.js";
+export type { RouterInputs } from "./routers/_app.js";
+export type { RouterOutputs } from "./routers/_app.js";

package/src/lib/auth.ts

@@ -1,34 +1,39 @@
 // src/server/auth.ts
-import { ExpressAuth } from "@auth/express";
-import { PrismaAdapter } from "@auth/prisma-adapter";
-import { prisma } from "../lib/prisma";
-import Google from "@auth/core/providers/google";
-import Credentials from "@auth/core/providers/credentials";
+import crypto from "node:crypto";
 
-export const authRouter = ExpressAuth({
-    providers: [
-      Google({
-        clientId: process.env.GOOGLE_CLIENT_ID!,
-        clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-      }),
-      Credentials({
-        name: "credentials",
-        credentials: {
-          email: { label: "Email", type: "email" },
-          password: { label: "Password", type: "password" },
-        },
-        async authorize(credentials) {
-          if (
-            credentials?.email === "demo@example.com" &&
-            credentials?.password === "demo"
-          ) {
-            return { id: "1", email: "demo@example.com", name: "Demo User" };
-          }
-          return null;
-        },
-      }),
-    ],
-    adapter: PrismaAdapter(prisma),
-    secret: process.env.AUTH_SECRET!,
-    session: { strategy: "jwt" },
-  })
+// Custom HMAC cookie: auth_token = base64(userId).hex(hmacSHA256(base64(userId), secret))
+export function verifyCustomAuthCookie(cookieValue: string | undefined): { userId: string } | null {
+  if (!cookieValue) return null;
+  const secret = process.env.CUSTOM_AUTH_SECRET;
+  if (!secret) return null;
+
+  const parts = cookieValue.split(".");
+  if (parts.length !== 2) return null;
+  const [base64UserId, signatureHex] = parts;
+
+  let userId: string;
+  try {
+    const buf = Buffer.from(base64UserId, "base64url");
+    userId = buf.toString("utf8");
+  } catch {
+    return null;
+  }
+
+  const hmac = crypto.createHmac("sha256", secret);
+  hmac.update(base64UserId);
+  const expected = hmac.digest("hex");
+  if (!timingSafeEqualHex(signatureHex, expected)) return null;
+
+  return { userId };
+}
+
+function timingSafeEqualHex(a: string, b: string): boolean {
+  try {
+    const ab = Buffer.from(a, "hex");
+    const bb = Buffer.from(b, "hex");
+    if (ab.length !== bb.length) return false;
+    return crypto.timingSafeEqual(ab, bb);
+  } catch {
+    return false;
+  }
+}

package/src/lib/prisma.ts

@@ -1,4 +1,4 @@
-import { PrismaClient } from "../generated/prisma";
+import { PrismaClient } from "@prisma/client";
 
 const globalForPrisma = globalThis as unknown as { prisma?: PrismaClient };
 

package/src/routers/_app.ts

@@ -1,7 +1,7 @@
 import { inferRouterInputs, inferRouterOutputs } from '@trpc/server';
-import { router } from '../trpc';
-import { auth } from './auth';
-import { workspace } from './workspace';
+import { router } from '../trpc.js';
+import { auth } from './auth.js';
+import { workspace } from './workspace.js';
 
 export const appRouter = router({
   auth,