@intranefr/superbackend 1.4.4 → 1.5.1

package/src/admin/endpointRegistry.js

@@ -70,6 +70,75 @@ const endpointRegistry = [
       },
     ],
   },
+  {
+    id: "admin-pages",
+    title: "Pages (Admin)",
+    endpoints: [
+      {
+        id: "pages-context-block-definitions-list",
+        method: "GET",
+        path: "/api/admin/pages/context-block-definitions",
+        auth: "basic",
+      },
+      {
+        id: "pages-context-block-definitions-create",
+        method: "POST",
+        path: "/api/admin/pages/context-block-definitions",
+        auth: "basic",
+        bodyExample: {
+          code: "blog-post-by-slug",
+          label: "Blog post by slug",
+          description: "Used by blog post page",
+          type: "context.db_query",
+          props: {
+            assignTo: "post",
+            model: "BlogPost",
+            op: "findOne",
+            filter: { slug: { $ctx: "params.slug" } },
+          },
+        },
+      },
+      {
+        id: "pages-context-block-definitions-get",
+        method: "GET",
+        path: "/api/admin/pages/context-block-definitions/:code",
+        auth: "basic",
+      },
+      {
+        id: "pages-context-block-definitions-update",
+        method: "PUT",
+        path: "/api/admin/pages/context-block-definitions/:code",
+        auth: "basic",
+        bodyExample: {
+          label: "Blog post by slug (updated)",
+          description: "Used by blog post page",
+          type: "context.db_query",
+          props: {
+            assignTo: "post",
+            model: "BlogPost",
+            op: "findOne",
+            filter: { slug: { $ctx: "params.slug" } },
+          },
+        },
+      },
+      {
+        id: "pages-context-block-definitions-delete",
+        method: "DELETE",
+        path: "/api/admin/pages/context-block-definitions/:code",
+        auth: "basic",
+      },
+      {
+        id: "pages-context-blocks-ai-generate",
+        method: "POST",
+        path: "/api/admin/pages/ai/context-blocks/generate",
+        auth: "basic",
+        bodyExample: {
+          prompt: "Load the published BlogPost for params.slug into vars.post. Add cache 30s.",
+          blockType: "context.db_query",
+        },
+      },
+    ],
+  },
   {
     id: "ejs-virtual",
     title: "EJS Virtual Codebase",
@@ -295,6 +364,57 @@ const endpointRegistry = [
       },
     ],
   },
+  {
+    id: "rate-limits",
+    title: "Rate Limiter",
+    endpoints: [
+      {
+        id: "rate-limits-list",
+        method: "GET",
+        path: "/api/admin/rate-limits",
+        auth: "basic",
+      },
+      {
+        id: "rate-limits-config-get",
+        method: "GET",
+        path: "/api/admin/rate-limits/config",
+        auth: "basic",
+      },
+      {
+        id: "rate-limits-config-update",
+        method: "PUT",
+        path: "/api/admin/rate-limits/config",
+        auth: "basic",
+        bodyExample: { jsonRaw: "{\n  \"version\": 1,\n  \"defaults\": {},\n  \"limiters\": {}\n}" },
+      },
+      {
+        id: "rate-limits-metrics",
+        method: "GET",
+        path: "/api/admin/rate-limits/metrics?start=2026-01-01T00:00:00.000Z&end=2026-01-02T00:00:00.000Z",
+        auth: "basic",
+      },
+      {
+        id: "rate-limits-bulk-enabled",
+        method: "POST",
+        path: "/api/admin/rate-limits/bulk-enabled",
+        auth: "basic",
+        bodyExample: { enabled: true, all: true },
+      },
+      {
+        id: "rate-limits-limiter-update",
+        method: "PUT",
+        path: "/api/admin/rate-limits/globalApiLimiter",
+        auth: "basic",
+        bodyExample: { override: { enabled: true, mode: "reportOnly", limit: { max: 60, windowMs: 60000 } } },
+      },
+      {
+        id: "rate-limits-limiter-reset",
+        method: "POST",
+        path: "/api/admin/rate-limits/globalApiLimiter/reset",
+        auth: "basic",
+      },
+    ],
+  },
 ];
 
 module.exports = endpointRegistry;

package/src/controllers/admin.controller.js

@@ -1,5 +1,12 @@
 const User = require('../models/User');
 const StripeWebhookEvent = require('../models/StripeWebhookEvent');
+const Organization = require('../models/Organization');
+const OrganizationMember = require('../models/OrganizationMember');
+const Asset = require('../models/Asset');
+const Notification = require('../models/Notification');
+const Invite = require('../models/Invite');
+const EmailLog = require('../models/EmailLog');
+const FormSubmission = require('../models/FormSubmission');
 const asyncHandler = require('../utils/asyncHandler');
 const fs = require('fs');
 const path = require('path');
@@ -10,12 +17,29 @@ const { auditMiddleware } = require('../services/auditLogger');
 
 // Get all users
 const getUsers = asyncHandler(async (req, res) => {
-  const users = await User.find()
-    .select('-passwordHash')
-    .sort({ createdAt: -1 })
-    .limit(100);
+  const { limit, offset } = req.query;
+  
+  const parsedLimit = Math.min(500, Math.max(1, parseInt(limit, 10) || 50));
+  const parsedOffset = Math.max(0, parseInt(offset, 10) || 0);
+  
+  const [users, total] = await Promise.all([
+    User.find()
+      .select('-passwordHash -passwordResetToken -passwordResetExpiry')
+      .sort({ createdAt: -1 })
+      .limit(parsedLimit)
+      .skip(parsedOffset)
+      .lean(),
+    User.countDocuments()
+  ]);
 
-  res.json(users.map(u => u.toJSON()));
+  res.json({
+    users,
+    pagination: {
+      total,
+      limit: parsedLimit,
+      offset: parsedOffset,
+    },
+  });
 });
 
 // Register new user (admin only)
@@ -353,12 +377,94 @@ const provisionCoolifyDeploy = asyncHandler(async (req, res) => {
   }
 });
 
+// Delete user (admin only)
+const deleteUser = asyncHandler(async (req, res) => {
+  
+  const userId = req.params.id;
+  
+  // 1. Validate user exists
+  const user = await User.findById(userId);
+  if (!user) {
+    return res.status(404).json({ error: 'User not found' });
+  }
+  
+  // 2. Prevent self-deletion
+  // Note: In a real implementation, you'd get the admin ID from req.admin or similar
+  // For now, we'll skip this check as the basic auth doesn't provide user identity
+  
+  // 3. Check if this is the last admin
+  const adminCount = await User.countDocuments({ role: 'admin' });
+  if (user.role === 'admin' && adminCount <= 1) {
+    return res.status(400).json({ error: 'Cannot delete the last admin user' });
+  }
+  
+  // 4. Cleanup dependencies
+  await cleanupUserData(userId);
+  
+  // 5. Delete user
+  await User.findByIdAndDelete(userId);
+  
+  // 6. Log action
+  console.log(`Admin deleted user: ${user.email} (${userId})`);
+  
+  res.json({ message: 'User deleted successfully' });
+});
+
+// Helper function to clean up user data
+async function cleanupUserData(userId) {
+  
+  try {
+    // Handle organizations owned by user
+    const ownedOrgs = await Organization.find({ ownerUserId: userId });
+    for (const org of ownedOrgs) {
+      // Check if organization has other members
+      const memberCount = await OrganizationMember.countDocuments({ 
+        orgId: org._id, 
+        userId: { $ne: userId } 
+      });
+      
+      if (memberCount === 0) {
+        // Delete organization if no other members
+        await Organization.findByIdAndDelete(org._id);
+        console.log(`Deleted organization ${org.name} (${org._id}) - no other members`);
+      } else {
+        // Remove owner but keep organization
+        org.ownerUserId = null;
+        await org.save();
+        console.log(`Removed owner from organization ${org.name} (${org._id}) - has other members`);
+      }
+    }
+    
+    // Remove from all organization memberships
+    await OrganizationMember.deleteMany({ userId: userId });
+    
+    // Delete user's assets
+    await Asset.deleteMany({ ownerUserId: userId });
+    
+    // Delete notifications
+    await Notification.deleteMany({ userId: userId });
+    
+    // Clean up other references
+    await Invite.deleteMany({ createdByUserId: userId });
+    await EmailLog.deleteMany({ userId: userId });
+    await FormSubmission.deleteMany({ userId: userId });
+    
+    // Note: We keep ActivityLog and AuditEvent for audit purposes
+    
+    console.log(`Completed cleanup for user ${userId}`);
+  } catch (error) {
+    console.error('Error during user cleanup:', error);
+    throw error;
+  }
+}
+
 module.exports = {
   getUsers,
   registerUser,
   getUser,
   updateUserSubscription,
   updateUserPassword,
+  deleteUser,
   reconcileUser,
   generateToken,
   getWebhookEvents,

package/src/controllers/adminBlockDefinitions.controller.js

@@ -0,0 +1,127 @@
+const BlockDefinition = require('../models/BlockDefinition');
+
+function parseBool(value, fallback) {
+  if (value === undefined) return fallback;
+  if (typeof value === 'boolean') return value;
+  const v = String(value).trim().toLowerCase();
+  if (v === 'true' || v === '1' || v === 'yes') return true;
+  if (v === 'false' || v === '0' || v === 'no') return false;
+  return fallback;
+}
+
+function normalizeCode(code) {
+  return String(code || '').trim().toLowerCase();
+}
+
+function normalizeFields(fields) {
+  if (!fields) return {};
+  if (typeof fields !== 'object' || Array.isArray(fields)) return null;
+  return fields;
+}
+
+exports.list = async (req, res) => {
+  try {
+    const onlyActive = parseBool(req.query?.active, null);
+    const filter = {};
+    if (onlyActive !== null) filter.isActive = onlyActive;
+
+    const items = await BlockDefinition.find(filter).sort({ updatedAt: -1 }).lean();
+    return res.json({ items });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] list error:', error);
+    return res.status(500).json({ error: 'Failed to list block definitions' });
+  }
+};
+
+exports.create = async (req, res) => {
+  try {
+    const code = normalizeCode(req.body?.code);
+    const label = String(req.body?.label || '').trim();
+    if (!code) return res.status(400).json({ error: 'code is required' });
+    if (!label) return res.status(400).json({ error: 'label is required' });
+
+    const fields = normalizeFields(req.body?.fields);
+    if (fields === null) return res.status(400).json({ error: 'fields must be an object' });
+
+    const doc = await BlockDefinition.create({
+      code,
+      label,
+      description: String(req.body?.description || ''),
+      fields: fields || {},
+      version: Number(req.body?.version || 1) || 1,
+      isActive: parseBool(req.body?.isActive, true),
+    });
+
+    return res.status(201).json({ item: doc.toObject() });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] create error:', error);
+    if (error?.name === 'ValidationError') return res.status(400).json({ error: error.message });
+    if (error?.code === 11000) return res.status(409).json({ error: 'Block already exists' });
+    return res.status(500).json({ error: 'Failed to create block definition' });
+  }
+};
+
+exports.get = async (req, res) => {
+  try {
+    const code = normalizeCode(req.params?.code);
+    const item = await BlockDefinition.findOne({ code }).lean();
+    if (!item) return res.status(404).json({ error: 'Block not found' });
+    return res.json({ item });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] get error:', error);
+    return res.status(500).json({ error: 'Failed to load block definition' });
+  }
+};
+
+exports.update = async (req, res) => {
+  try {
+    const code = normalizeCode(req.params?.code);
+    const doc = await BlockDefinition.findOne({ code });
+    if (!doc) return res.status(404).json({ error: 'Block not found' });
+
+    if (req.body?.label !== undefined) {
+      const label = String(req.body.label || '').trim();
+      if (!label) return res.status(400).json({ error: 'label is required' });
+      doc.label = label;
+    }
+
+    if (req.body?.description !== undefined) doc.description = String(req.body.description || '');
+
+    if (req.body?.fields !== undefined) {
+      const fields = normalizeFields(req.body.fields);
+      if (fields === null) return res.status(400).json({ error: 'fields must be an object' });
+      doc.fields = fields;
+    }
+
+    if (req.body?.version !== undefined) {
+      const v = Number(req.body.version);
+      if (!Number.isFinite(v) || v < 1) return res.status(400).json({ error: 'version must be a positive number' });
+      doc.version = v;
+    } else {
+      doc.version = Number(doc.version || 1) + 1;
+    }
+
+    if (req.body?.isActive !== undefined) doc.isActive = Boolean(req.body.isActive);
+
+    await doc.save();
+    return res.json({ item: doc.toObject() });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] update error:', error);
+    if (error?.name === 'ValidationError') return res.status(400).json({ error: error.message });
+    return res.status(500).json({ error: 'Failed to update block definition' });
+  }
+};
+
+exports.remove = async (req, res) => {
+  try {
+    const code = normalizeCode(req.params?.code);
+    const doc = await BlockDefinition.findOne({ code });
+    if (!doc) return res.status(404).json({ error: 'Block not found' });
+
+    await BlockDefinition.deleteOne({ _id: doc._id });
+    return res.json({ success: true });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] remove error:', error);
+    return res.status(500).json({ error: 'Failed to delete block definition' });
+  }
+};

package/src/controllers/adminBlockDefinitionsAi.controller.js

@@ -0,0 +1,54 @@
+const {
+  generateBlockDefinition,
+  proposeBlockDefinitionEdit,
+} = require('../services/blockDefinitionsAi.service');
+
+const { getBasicAuthActor } = require('../services/audit.service');
+
+function handleError(res, err) {
+  const code = err && err.code;
+  if (code === 'VALIDATION') return res.status(400).json({ error: err.message });
+  if (code === 'NOT_FOUND') return res.status(404).json({ error: err.message });
+  if (code === 'AI_INVALID') return res.status(500).json({ error: err.message });
+  return res.status(500).json({ error: err.message || 'Operation failed' });
+}
+
+exports.generate = async (req, res) => {
+  try {
+    const actor = getBasicAuthActor(req);
+    const { prompt, providerKey, model } = req.body || {};
+
+    const result = await generateBlockDefinition({
+      prompt,
+      providerKey,
+      model,
+      actor,
+    });
+
+    return res.json(result);
+  } catch (err) {
+    console.error('[adminBlockDefinitionsAi] generate error', err);
+    return handleError(res, err);
+  }
+};
+
+exports.propose = async (req, res) => {
+  try {
+    const actor = getBasicAuthActor(req);
+    const { code } = req.params;
+    const { prompt, providerKey, model } = req.body || {};
+
+    const result = await proposeBlockDefinitionEdit({
+      code,
+      prompt,
+      providerKey,
+      model,
+      actor,
+    });
+
+    return res.json(result);
+  } catch (err) {
+    console.error('[adminBlockDefinitionsAi] propose error', err);
+    return handleError(res, err);
+  }
+};