@jhits/plugin-users 0.0.13 → 0.0.15

package/package.json

@@ -1,17 +1,17 @@
 {
   "name": "@jhits/plugin-users",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "description": "User management and authentication plugin for the JHITS ecosystem",
   "publishConfig": {
     "access": "public"
   },
-  "main": "./src/index.ts",
-  "types": "./src/index.ts",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "types": "./src/index.tsx",
-      "import": "./src/index.tsx",
-      "default": "./src/index.tsx"
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
     },
     "./src": {
       "types": "./src/index.tsx",
@@ -19,9 +19,9 @@
       "default": "./src/index.tsx"
     },
     "./server": {
-      "types": "./src/index.server.ts",
-      "import": "./src/index.server.ts",
-      "default": "./src/index.server.ts"
+      "types": "./dist/index.server.d.ts",
+      "import": "./dist/index.server.js",
+      "default": "./dist/index.server.js"
     }
   },
   "dependencies": {

package/src/api/bridge.ts

@@ -0,0 +1,98 @@
+/**
+ * Plugin Users - Session Bridge API
+ * Handles cross-domain session transfer via secure one-time tokens
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getToken } from 'next-auth/jwt';
+import { randomBytes, createHmac } from 'crypto';
+
+// Token store (in-memory for simplicity, as tokens are extremely short-lived)
+// In a large multi-server setup, this should be in Redis
+const tokenStore = new Map<string, { userId: string; expires: number }>();
+
+// Cleanup expired tokens periodically
+setInterval(() => {
+    const now = Date.now();
+    for (const [token, data] of tokenStore.entries()) {
+        if (data.expires < now) tokenStore.delete(token);
+    }
+}, 60000);
+
+/**
+ * GET /api/plugin-users/bridge/generate - Generate a one-time transfer token
+ * Call this from the "Primary" domain (.com)
+ */
+export async function generateTransferToken(req: NextRequest, config: any) {
+    try {
+        const token = await getToken({ 
+            req, 
+            secret: process.env.NEXTAUTH_SECRET || config.jwtSecret 
+        });
+
+        if (!token || !token.sub) {
+            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+        }
+
+        const transferToken = randomBytes(32).toString('hex');
+        const expires = Date.now() + 30000; // 30 seconds expiry
+
+        tokenStore.set(transferToken, { 
+            userId: token.sub, 
+            expires 
+        });
+
+        return NextResponse.json({ token: transferToken });
+    } catch (err) {
+        console.error('[BridgeAPI] Generate error:', err);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}
+
+/**
+ * GET /api/plugin-users/bridge/verify - Verify a transfer token and return user data
+ * Call this from the "Target" domain (.nl, .se) via proxy
+ */
+export async function verifyTransferToken(req: NextRequest, config: any) {
+    try {
+        const url = new URL(req.url);
+        const transferToken = url.searchParams.get('token');
+
+        if (!transferToken) {
+            return NextResponse.json({ error: 'Token required' }, { status: 400 });
+        }
+
+        const data = tokenStore.get(transferToken);
+        if (!data || data.expires < Date.now()) {
+            tokenStore.delete(transferToken);
+            return NextResponse.json({ error: 'Invalid or expired token' }, { status: 401 });
+        }
+
+        // Token used, remove it
+        tokenStore.delete(transferToken);
+
+        // Fetch user data
+        const dbConnection = await config.getDb();
+        const db = dbConnection.db();
+        const { ObjectId } = require('mongodb');
+        
+        const user = await db.collection('users').findOne({ 
+            _id: new ObjectId(data.userId) 
+        });
+
+        if (!user) {
+            return NextResponse.json({ error: 'User not found' }, { status: 404 });
+        }
+
+        return NextResponse.json({
+            id: user._id.toString(),
+            email: user.email,
+            name: user.name,
+            role: user.role || 'user',
+            image: user.image || null
+        });
+    } catch (err) {
+        console.error('[BridgeAPI] Verify error:', err);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}

package/src/api/router.ts

@@ -35,56 +35,61 @@ export async function handleUsersApi(
         }
 
         // Route: /api/auth/[...nextauth] - NextAuth routes
-        // When routed from /api/auth, the path contains the nextauth segments
-        // Path structure: /api/auth/session -> path: ['session']
-        // Path structure: /api/auth/signin -> path: ['signin']
-        // Path structure: /api/auth -> path: [] (empty)
-        // We handle this by checking if route is empty (root /api/auth) or if it's a known NextAuth route
         const isNextAuthRoute = route === '' || 
-            ['session', 'signin', 'signout', 'callback', 'csrf', 'providers', 'error'].includes(route);
+            ['session', 'signin', 'signout', 'callback', 'csrf', 'providers', 'error', '_log'].includes(route);
         
         if (isNextAuthRoute) {
-            // This is a NextAuth route - use the path as nextauth segments
-            // For /api/auth, path is [] -> nextauthPath is []
-            // For /api/auth/session, path is ['session'] -> nextauthPath is ['session']
             const nextauthPath = path;
-            
-            // Create NextAuth context
             const nextauthContext = {
                 params: Promise.resolve({ nextauth: nextauthPath })
             };
 
-            if (method === 'GET') {
-                return await AuthGET(req, nextauthContext);
+            if (method === 'GET') return await AuthGET(req, nextauthContext);
+            if (method === 'POST') return await AuthPOST(req, nextauthContext);
+        }
+
+        // Route: /api/plugin-users/bridge (Session Bridge)
+        if (route === 'bridge') {
+            const bridgeModule = await import('./bridge');
+            const subRoute = path.length > 1 ? path[1] : '';
+            if (subRoute === 'generate' && method === 'GET') {
+                return await bridgeModule.generateTransferToken(req, config);
             }
-            if (method === 'POST') {
-                return await AuthPOST(req, nextauthContext);
+            if (subRoute === 'verify' && method === 'GET') {
+                return await bridgeModule.verifyTransferToken(req, config);
             }
         }
 
         // Route: /api/users or /api/plugin-users/users (user management)
         if (route === 'users') {
             if (path.length === 1) {
-                // /api/users or /api/plugin-users/users
-                if (method === 'GET') {
-                    return await GET_USERS(req, config);
-                }
-                if (method === 'POST') {
-                    return await POST_USERS(req, config);
-                }
+                if (method === 'GET') return await GET_USERS(req, config);
+                if (method === 'POST') return await POST_USERS(req, config);
             } else if (path.length === 2) {
-                // /api/users/[id] or /api/plugin-users/users/[id]
                 const userId = path[1];
-                if (method === 'PATCH') {
-                    return await PATCH_USER(req, userId, config);
-                }
-                if (method === 'DELETE') {
-                    return await DELETE_USER(req, userId, config);
-                }
+                if (method === 'PATCH') return await PATCH_USER(req, userId, config);
+                if (method === 'DELETE') return await DELETE_USER(req, userId, config);
             }
         }
 
-        // Method not allowed
+        // Route: /api/plugin-users/bootstrap (Initial Setup)
+        if (route === 'bootstrap' && method === 'POST') {
+            const { BOOTSTRAP_USER } = await import('./users');
+            return await BOOTSTRAP_USER(req, config);
+        }
+
+        // Route: /api/plugin-users/setup-status (Check if setup is needed)
+        if (route === 'setup-status') {
+            const { CHECK_SETUP_STATUS } = await import('./users');
+            return await CHECK_SETUP_STATUS(req, config);
+        }
+
+        // Route: /api/plugin-users/setup-request (Generate temporary key)
+        if (route === 'setup-request') {
+            const { REQUEST_SETUP_KEY } = await import('./users');
+            return await REQUEST_SETUP_KEY(req, config);
+        }
+
         return NextResponse.json(
             { error: `Method ${method} not allowed for route: ${route || '/'}` },
             { status: 405 }
@@ -97,4 +102,3 @@ export async function handleUsersApi(
         );
     }
 }
-

package/src/api/users.ts

@@ -206,3 +206,109 @@ export async function DELETE_USER(
     }
 }
 
+/**
+ * POST /api/plugin-users/setup-request - Generate a temporary setup key
+ */
+export async function REQUEST_SETUP_KEY(req: NextRequest, config: UsersApiConfig): Promise<NextResponse> {
+    if (process.env.NODE_ENV !== 'development') {
+        return NextResponse.json({ error: 'Not available' }, { status: 403 });
+    }
+
+    const key = Math.random().toString(36).substring(2, 8).toUpperCase();
+    const expiry = Date.now() + 60000; // 1 minute
+
+    // Store in global shared store to persist across federated module re-evaluations
+    const g = globalThis as any;
+    if (g.__JHITS_SETUP_STORE__) {
+        g.__JHITS_SETUP_STORE__.key = key;
+        g.__JHITS_SETUP_STORE__.expiry = expiry;
+    } else {
+        // Fallback if provider didn't run yet
+        g.__JHITS_SETUP_STORE__ = { key, expiry };
+    }
+
+    console.log('\n\x1b[41m\x1b[37m [SECURITY] BOOTSTRAP ACCESS REQUESTED \x1b[0m');
+    console.log(`\x1b[31m Temporary Setup Key: \x1b[1m${key}\x1b[0m`);
+    console.log('\x1b[31m This key will expire in 60 seconds.\x1b[0m\n');
+
+    return NextResponse.json({ message: 'Key generated and logged to console' });
+}
+
+/**
+ * GET /api/plugin-users/setup-status - Check if any users exist
+ */
+export async function CHECK_SETUP_STATUS(req: NextRequest, config: UsersApiConfig): Promise<NextResponse> {
+    try {
+        const dbConnection = await config.getDb();
+        const db = dbConnection.db();
+        const users = db.collection(config.collectionName || 'users');
+        const count = await users.countDocuments();
+        
+        return NextResponse.json({ 
+            needsSetup: count === 0,
+            isDev: process.env.NODE_ENV === 'development'
+        });
+    } catch (err) {
+        return NextResponse.json({ needsSetup: false, error: 'DB connection failed' });
+    }
+}
+
+/**
+ * POST /api/plugin-users/bootstrap - Create first admin via secret key
+ */
+export async function BOOTSTRAP_USER(req: NextRequest, config: UsersApiConfig): Promise<NextResponse> {
+    try {
+        const { email, name, password, setupKey } = await req.json();
+        
+        // Security check: validate dynamic key from shared store
+        const g = globalThis as any;
+        const store = g.__JHITS_SETUP_STORE__ || {};
+        const systemSetupKey = store.key;
+        const systemExpiry = store.expiry;
+
+        if (!systemSetupKey || !setupKey || setupKey !== systemSetupKey) {
+            return NextResponse.json({ error: 'Invalid or missing setup key' }, { status: 403 });
+        }
+
+        if (Date.now() > systemExpiry) {
+            if (g.__JHITS_SETUP_STORE__) g.__JHITS_SETUP_STORE__.key = null; 
+            return NextResponse.json({ error: 'Setup key has expired' }, { status: 403 });
+        }
+
+        // Invalidate key immediately after use
+        if (g.__JHITS_SETUP_STORE__) g.__JHITS_SETUP_STORE__.key = null;
+
+        const dbConnection = await config.getDb();
+        const db = dbConnection.db();
+        const users = db.collection(config.collectionName || 'users');
+
+        // Check if any admin already exists (double check)
+        const adminExists = await users.findOne({ role: 'admin' });
+        if (adminExists && process.env.NODE_ENV !== 'development') {
+            return NextResponse.json({ error: 'System already has an administrator' }, { status: 400 });
+        }
+
+        // Hash the password
+        const hashedPassword = await bcrypt.hash(password, 12);
+
+        // Save to DB
+        const result = await users.insertOne({
+            email,
+            name,
+            role: 'admin',
+            password: hashedPassword,
+            createdAt: new Date(),
+        });
+
+        return NextResponse.json({
+            message: 'Bootstrap successful',
+            _id: result.insertedId,
+            email,
+            role: 'admin'
+        }, { status: 201 });
+    } catch (err: any) {
+        console.error('[UsersAPI] Bootstrap error:', err);
+        return NextResponse.json({ error: 'Bootstrap failed', detail: err.message }, { status: 500 });
+    }
+}
+

package/src/index.server.ts

@@ -10,5 +10,6 @@ import 'server-only';
 
 export { handleUsersApi as handleApi } from './api/router';
 export { handleUsersApi } from './api/router'; // Keep original export for backward compatibility
+export { generateTransferToken, verifyTransferToken } from './api/bridge';
 export type { UsersApiConfig } from './api/users';
 

package/src/index.tsx

@@ -5,13 +5,7 @@ import UserManagement from './views/UserManagement';
 
 // User Management Plugin - Always enabled by default
 export const Index: React.FC<any> = ({ subPath = [], siteId, locale: dashboardLocale = 'en' }) => {
-    return (
-        <div className="w-full h-full flex flex-col overflow-hidden">
-            <div className="flex-1 overflow-y-auto">
-                <UserManagement locale={dashboardLocale} />
-            </div>
-        </div>
-    );
+    return <UserManagement locale={dashboardLocale} />;
 };
 
 export default Index;