@kyro-cms/admin 0.1.2

package/src/pages/api/[collection]/index.ts

@@ -0,0 +1,289 @@
+import type { APIRoute } from "astro";
+import { dataStore } from "@/lib/dataStore";
+import { collections } from "@/lib/config";
+
+dataStore.initialize(collections);
+
+const AUTH_COLLECTIONS = ["users", "roles", "audit_logs"];
+
+async function getAuthApi() {
+  const { RedisAuthAdapter } = await import("@kyro-cms/core");
+  return new RedisAuthAdapter({
+    url: process.env.REDIS_URL || "redis://localhost:6379",
+    tls: process.env.REDIS_TLS === "true",
+  });
+}
+
+export const GET: APIRoute = async ({ params, url }) => {
+  const collection = params.collection as string;
+
+  if (AUTH_COLLECTIONS.includes(collection)) {
+    const page = parseInt(url.searchParams.get("page") || "1");
+    const limit = parseInt(url.searchParams.get("limit") || "25");
+    const search = url.searchParams.get("search") || "";
+
+    try {
+      const adapter = await getAuthApi();
+      await adapter.connect();
+
+      if (collection === "users") {
+        const pattern = search ? `*${search.toLowerCase()}*` : "*";
+        let cursor = "0";
+        const users: any[] = [];
+        const seenIds = new Set<string>();
+
+        do {
+          const [nextCursor, keys] = await (adapter as any).redis.scan(
+            cursor,
+            "MATCH",
+            "kyro:auth:users:email:*",
+            "COUNT",
+            100,
+          );
+          cursor = nextCursor;
+
+          for (const key of keys) {
+            const userId = await (adapter as any).redis.get(key);
+            if (userId && !seenIds.has(userId)) {
+              seenIds.add(userId);
+              const user = await adapter.findUserById(userId);
+              if (user) {
+                const { passwordHash, ...safeUser } = user;
+                users.push(safeUser);
+              }
+            }
+          }
+        } while (cursor !== "0");
+
+        const totalDocs = users.length;
+        const startIndex = (page - 1) * limit;
+        const paginatedUsers = users.slice(startIndex, startIndex + limit);
+
+        await adapter.disconnect();
+
+        return new Response(
+          JSON.stringify({
+            docs: paginatedUsers,
+            totalDocs,
+            page,
+            limit,
+            totalPages: Math.ceil(totalDocs / limit),
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      if (collection === "roles") {
+        const defaultRoles = [
+          {
+            id: "super_admin",
+            name: "super_admin",
+            level: 100,
+            inherits: ["admin"],
+            description: "Full system access across all tenants",
+          },
+          {
+            id: "admin",
+            name: "admin",
+            level: 90,
+            inherits: ["editor"],
+            description: "Full tenant access with all content permissions",
+          },
+          {
+            id: "editor",
+            name: "editor",
+            level: 70,
+            inherits: ["author"],
+            description: "Edit and publish all content",
+          },
+          {
+            id: "author",
+            name: "author",
+            level: 50,
+            inherits: ["customer"],
+            description: "Create and edit own content",
+          },
+          {
+            id: "customer",
+            name: "customer",
+            level: 30,
+            inherits: [],
+            description: "Access own data and make purchases",
+          },
+          {
+            id: "guest",
+            name: "guest",
+            level: 10,
+            inherits: [],
+            description: "Public read-only access",
+          },
+        ];
+
+        await adapter.disconnect();
+
+        return new Response(
+          JSON.stringify({
+            docs: defaultRoles,
+            totalDocs: defaultRoles.length,
+            page,
+            limit,
+            totalPages: 1,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      if (collection === "audit_logs") {
+        const logs = await (adapter as any).redis.keys("kyro:auth:audit:*");
+        const auditLogs: any[] = [];
+
+        for (const key of logs.slice(0, 100)) {
+          const logData = await (adapter as any).redis.hgetall(key);
+          if (logData) {
+            auditLogs.push({
+              id: logData.id,
+              action: logData.action,
+              userId: logData.userId,
+              userEmail: logData.userEmail,
+              role: logData.role,
+              resource: logData.resource,
+              ipAddress: logData.ipAddress,
+              userAgent: logData.userAgent,
+              success: logData.success === "true",
+              error: logData.error,
+              timestamp: logData.timestamp,
+            });
+          }
+        }
+
+        const sortedLogs = auditLogs.sort(
+          (a, b) =>
+            new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime(),
+        );
+
+        const totalDocs = sortedLogs.length;
+        const startIndex = (page - 1) * limit;
+        const paginatedLogs = sortedLogs.slice(startIndex, startIndex + limit);
+
+        await adapter.disconnect();
+
+        return new Response(
+          JSON.stringify({
+            docs: paginatedLogs,
+            totalDocs,
+            page,
+            limit,
+            totalPages: Math.ceil(totalDocs / limit) || 1,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      await adapter.disconnect();
+    } catch (error) {
+      console.error(`Error fetching ${collection}:`, error);
+      return new Response(
+        JSON.stringify({
+          error: `Failed to fetch ${collection}`,
+          docs: [],
+          totalDocs: 0,
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    }
+  }
+
+  const page = parseInt(url.searchParams.get("page") || "1");
+  const limit = parseInt(url.searchParams.get("limit") || "25");
+
+  try {
+    const result = dataStore.find(collection, { page, limit });
+    return new Response(JSON.stringify(result), {
+      status: 200,
+      headers: { "Content-Type": "application/json" },
+    });
+  } catch (error) {
+    return new Response(
+      JSON.stringify({ error: "Failed to fetch documents" }),
+      { status: 500, headers: { "Content-Type": "application/json" } },
+    );
+  }
+};
+
+export const POST: APIRoute = async ({ params, request }) => {
+  const collection = params.collection as string;
+
+  if (AUTH_COLLECTIONS.includes(collection)) {
+    try {
+      const adapter = await getAuthApi();
+      await adapter.connect();
+
+      const body = await request.json();
+
+      if (collection === "users") {
+        const { email, password, role, tenantId } = body;
+
+        if (!email || !password) {
+          await adapter.disconnect();
+          return new Response(
+            JSON.stringify({ error: "Email and password are required" }),
+            { status: 400, headers: { "Content-Type": "application/json" } },
+          );
+        }
+
+        const existing = await adapter.findUserByEmail(email);
+        if (existing) {
+          await adapter.disconnect();
+          return new Response(
+            JSON.stringify({ error: "Email already exists" }),
+            { status: 400, headers: { "Content-Type": "application/json" } },
+          );
+        }
+
+        const passwordHash = await adapter.hashPassword(password);
+        const user = await adapter.createUser({
+          email,
+          passwordHash,
+          role: role || "customer",
+          tenantId,
+        });
+
+        await adapter.disconnect();
+
+        const { passwordHash: _, ...safeUser } = user;
+        return new Response(JSON.stringify({ data: safeUser }), {
+          status: 201,
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+
+      await adapter.disconnect();
+      return new Response(
+        JSON.stringify({
+          error: `Collection ${collection} does not support POST`,
+        }),
+        { status: 405, headers: { "Content-Type": "application/json" } },
+      );
+    } catch (error) {
+      console.error(`Error creating ${collection}:`, error);
+      return new Response(
+        JSON.stringify({ error: `Failed to create ${collection}` }),
+        { status: 500, headers: { "Content-Type": "application/json" } },
+      );
+    }
+  }
+
+  try {
+    const body = await request.json();
+    const doc = dataStore.create(collection, body);
+    return new Response(JSON.stringify({ data: doc }), {
+      status: 201,
+      headers: { "Content-Type": "application/json" },
+    });
+  } catch (error) {
+    return new Response(
+      JSON.stringify({ error: "Failed to create document" }),
+      { status: 500, headers: { "Content-Type": "application/json" } },
+    );
+  }
+};

package/src/pages/api/auth/[id].ts

@@ -0,0 +1,142 @@
+import type { APIRoute } from "astro";
+import { RedisAuthAdapter } from "@kyro-cms/core";
+import { AuditLogger } from "@kyro-cms/core";
+import { createAuditContext } from "@kyro-cms/core";
+import bcrypt from "bcryptjs";
+
+const redisAdapter = new RedisAuthAdapter({
+  url: process.env.REDIS_URL || "redis://localhost:6379",
+});
+
+const auditLogger = new AuditLogger(redisAdapter as any);
+
+async function ensureConnection() {
+  try {
+    await redisAdapter.connect();
+  } catch (e) {
+    // Connection might already be established
+  }
+}
+
+export const GET: APIRoute = async ({ params }) => {
+  await ensureConnection();
+
+  const { id } = params;
+
+  try {
+    const user = await redisAdapter.findUserById(id!);
+
+    if (!user) {
+      return new Response(JSON.stringify({ error: "User not found" }), {
+        status: 404,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    const { passwordHash, ...safeUser } = user;
+    return new Response(JSON.stringify({ data: safeUser }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" },
+    });
+  } catch (error) {
+    console.error("Error fetching user:", error);
+    return new Response(JSON.stringify({ error: "Failed to fetch user" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+};
+
+export const PUT: APIRoute = async ({ params, request }) => {
+  await ensureConnection();
+
+  const { id } = params;
+  const { ipAddress, userAgent } = createAuditContext(request as any);
+
+  try {
+    const body = await request.json();
+    const { email, role, tenantId, locked, emailVerified } = body;
+
+    const existing = await redisAdapter.findUserById(id!);
+    if (!existing) {
+      return new Response(JSON.stringify({ error: "User not found" }), {
+        status: 404,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    const updateData: any = {};
+    if (email !== undefined) updateData.email = email;
+    if (role !== undefined) updateData.role = role;
+    if (tenantId !== undefined) updateData.tenantId = tenantId;
+    if (locked !== undefined) updateData.locked = locked;
+    if (emailVerified !== undefined) updateData.emailVerified = emailVerified;
+
+    const user = await redisAdapter.updateUser(id!, updateData);
+
+    await auditLogger.log({
+      action: "user_update",
+      userId: id,
+      userEmail: existing.email,
+      role: existing.role,
+      resource: "users",
+      ipAddress,
+      userAgent,
+      success: true,
+      metadata: { updateData },
+    });
+
+    const { passwordHash, ...safeUser } = user!;
+    return new Response(JSON.stringify({ data: safeUser }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" },
+    });
+  } catch (error) {
+    console.error("Error updating user:", error);
+    return new Response(JSON.stringify({ error: "Failed to update user" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+};
+
+export const DELETE: APIRoute = async ({ params, request }) => {
+  await ensureConnection();
+
+  const { id } = params;
+  const { ipAddress, userAgent } = createAuditContext(request as any);
+
+  try {
+    const existing = await redisAdapter.findUserById(id!);
+    if (!existing) {
+      return new Response(JSON.stringify({ error: "User not found" }), {
+        status: 404,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    await redisAdapter.deleteUser(id!);
+
+    await auditLogger.log({
+      action: "user_delete",
+      userId: id,
+      userEmail: existing.email,
+      role: existing.role,
+      resource: "users",
+      ipAddress,
+      userAgent,
+      success: true,
+    });
+
+    return new Response(JSON.stringify({ success: true }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" },
+    });
+  } catch (error) {
+    console.error("Error deleting user:", error);
+    return new Response(JSON.stringify({ error: "Failed to delete user" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+};

package/src/pages/api/auth/audit-logs.ts

@@ -0,0 +1,80 @@
+import type { APIRoute } from "astro";
+import { RedisAuthAdapter } from "@kyro-cms/core";
+import { AuditLogger } from "@kyro-cms/core";
+
+const redisAdapter = new RedisAuthAdapter({
+  url: process.env.REDIS_URL || "redis://localhost:6379",
+});
+
+const auditLogger = new AuditLogger(redisAdapter as any);
+
+async function ensureConnection() {
+  try {
+    await redisAdapter.connect();
+  } catch (e) {
+    // Connection might already be established
+  }
+}
+
+export const GET: APIRoute = async ({ url }) => {
+  await ensureConnection();
+
+  const page = parseInt(url.searchParams.get("page") || "1");
+  const limit = parseInt(url.searchParams.get("limit") || "25");
+  const action = url.searchParams.get("action") || "";
+  const userId = url.searchParams.get("userId") || "";
+  const success = url.searchParams.get("success");
+
+  try {
+    const logs = await auditLogger.getLogs({
+      action: action || undefined,
+      userId: userId || undefined,
+      success:
+        success === "true" ? true : success === "false" ? false : undefined,
+    });
+
+    const thirtyDaysAgo = new Date();
+    thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
+
+    const filteredLogs = logs.filter((log: any) => {
+      const logDate = new Date(log.timestamp);
+      return logDate >= thirtyDaysAgo;
+    });
+
+    const sortedLogs = filteredLogs.sort(
+      (a: any, b: any) =>
+        new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime(),
+    );
+
+    const totalDocs = sortedLogs.length;
+    const startIndex = (page - 1) * limit;
+    const paginatedLogs = sortedLogs.slice(startIndex, startIndex + limit);
+
+    return new Response(
+      JSON.stringify({
+        docs: paginatedLogs,
+        totalDocs,
+        page,
+        limit,
+        totalPages: Math.ceil(totalDocs / limit),
+      }),
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  } catch (error) {
+    console.error("Error fetching audit logs:", error);
+    return new Response(
+      JSON.stringify({
+        error: "Failed to fetch audit logs",
+        docs: [],
+        totalDocs: 0,
+      }),
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  }
+};

package/src/pages/api/auth/login.ts

@@ -0,0 +1,101 @@
+import type { APIRoute } from "astro";
+import { RedisAuthAdapter } from "@kyro-cms/core";
+import jwt from "jsonwebtoken";
+
+const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
+const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "24h";
+
+async function getAuthApi() {
+  return new RedisAuthAdapter({
+    url: process.env.REDIS_URL || "redis://localhost:6379",
+    tls: process.env.REDIS_TLS === "true",
+  });
+}
+
+export const POST: APIRoute = async ({ request }) => {
+  try {
+    const body = (await request.json()) as {
+      email?: string;
+      password?: string;
+    };
+    const { email, password } = body;
+
+    if (!email || !password) {
+      return new Response(
+        JSON.stringify({ error: "Email and password required" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    const adapter = await getAuthApi();
+    await adapter.connect();
+
+    const user = await adapter.findUserByEmail(email);
+    if (!user || !user.passwordHash) {
+      await adapter.disconnect();
+      return new Response(JSON.stringify({ error: "Invalid credentials" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    if (user.locked) {
+      await adapter.disconnect();
+      return new Response(JSON.stringify({ error: "Account is locked" }), {
+        status: 403,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    const valid = await adapter.verifyPassword(password, user.passwordHash);
+    if (!valid) {
+      await adapter.recordFailedAttempt(user.id);
+      await adapter.disconnect();
+      return new Response(JSON.stringify({ error: "Invalid credentials" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    await adapter.resetAttempts(user.id);
+
+    const session = await adapter.createSession(user.id, {
+      ipAddress: request.headers.get("x-forwarded-for") || "unknown",
+      userAgent: request.headers.get("user-agent") || "",
+    });
+
+    const token = jwt.sign(
+      {
+        sub: user.id,
+        email: user.email,
+        role: user.role,
+        tenantId: user.tenantId,
+      },
+      JWT_SECRET,
+      { expiresIn: JWT_EXPIRES_IN as jwt.SignOptions["expiresIn"] },
+    );
+
+    await adapter.disconnect();
+
+    const { passwordHash, ...safeUser } = user;
+
+    return new Response(
+      JSON.stringify({
+        success: true,
+        user: safeUser,
+        token,
+        refreshToken: session.refreshToken,
+      }),
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  } catch (error) {
+    console.error("Login error:", error);
+    return new Response(JSON.stringify({ error: "Login failed" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+};

package/src/pages/api/auth/logout.ts

@@ -0,0 +1,48 @@
+import type { APIRoute } from "astro";
+import { RedisAuthAdapter } from "@kyro-cms/core";
+
+async function getAuthApi() {
+  return new RedisAuthAdapter({
+    url: process.env.REDIS_URL || "redis://localhost:6379",
+    tls: process.env.REDIS_TLS === "true",
+  });
+}
+
+export const POST: APIRoute = async ({ request }) => {
+  try {
+    const body = (await request.json()) as { refreshToken?: string };
+    const { refreshToken } = body;
+
+    if (!refreshToken) {
+      return new Response(JSON.stringify({ error: "Refresh token required" }), {
+        status: 400,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    const adapter = await getAuthApi();
+    await adapter.connect();
+
+    const session = await adapter.findSessionByToken(refreshToken);
+    if (!session) {
+      await adapter.disconnect();
+      return new Response(JSON.stringify({ error: "Invalid refresh token" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    await adapter.disconnect();
+
+    return new Response(JSON.stringify({ success: true, session }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" },
+    });
+  } catch (error) {
+    console.error("Logout error:", error);
+    return new Response(JSON.stringify({ error: "Logout failed" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+};

package/src/pages/api/auth/me.ts

@@ -0,0 +1,36 @@
+import type { APIRoute } from "astro";
+import jwt from "jsonwebtoken";
+
+const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
+
+export const GET: APIRoute = async ({ request }) => {
+  const authHeader = request.headers.get("authorization");
+  const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+  if (!token) {
+    return new Response(JSON.stringify({ error: "Not authenticated" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  try {
+    const payload = jwt.verify(token, JWT_SECRET) as jwt.JwtPayload;
+    return new Response(
+      JSON.stringify({
+        user: {
+          id: payload.sub,
+          email: (payload as any).email,
+          role: (payload as any).role,
+          tenantId: (payload as any).tenantId,
+        },
+      }),
+      { status: 200, headers: { "Content-Type": "application/json" } },
+    );
+  } catch {
+    return new Response(JSON.stringify({ error: "Invalid token" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+};