@kyro-cms/admin 0.1.4 → 0.1.5

package/README.md

@@ -0,0 +1,171 @@
+# @kyro-cms/admin
+
+Admin dashboard for Kyro CMS — a React-based admin interface built with Astro.
+
+## Features
+
+- **Authentication** — JWT-based login/logout with SQLite auth backend
+- **Collection Management** — Create, edit, and manage content collections
+- **User Management** — Manage users, roles, and permissions
+- **Settings** — Configure CMS settings, globals, and plugins
+- **Responsive** — Mobile-friendly dashboard with Tailwind CSS
+
+## Quick Start
+
+### Prerequisites
+
+- Node.js 18+
+- A Kyro CMS project with `@kyro-cms/core` installed
+
+### Development
+
+```bash
+# Install dependencies
+npm install
+
+# Start dev server
+npm run dev
+
+# Build for production
+npm run build
+
+# Preview production build
+npm run preview
+
+# Type check
+npm run check
+```
+
+### Integration with Kyro CMS
+
+The admin dashboard is designed to work alongside a Kyro CMS project. In your Astro project:
+
+1. Install the admin package:
+
+   ```bash
+   npm install @kyro-cms/admin
+   ```
+
+2. Create an admin page at `src/pages/admin/index.astro`:
+
+   ```astro
+   ---
+   import { Admin } from '@kyro-cms/admin';
+   import config from '../../../kyro.config';
+   ---
+   <!DOCTYPE html>
+   <html lang="en">
+     <head>
+       <meta charset="UTF-8" />
+       <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+       <title>Admin - My Kyro CMS</title>
+     </head>
+     <body>
+       <Admin client:load config={config} />
+     </body>
+   </html>
+   ```
+
+3. Configure your `astro.config.mjs` with the Node adapter:
+
+   ```js
+   import { defineConfig } from "astro/config";
+   import node from "@astrojs/node";
+
+   export default defineConfig({
+     output: "server",
+     adapter: node({ mode: "standalone" }),
+   });
+   ```
+
+## Authentication
+
+The admin uses SQLite for auth by default (stored at `./data/auth.db`). No Redis or external services required.
+
+### Creating Your First Admin User
+
+1. Start the dev server: `npm run dev`
+2. Visit `http://localhost:4321/admin`
+3. Register with your email and password
+4. The first user automatically gets the `super_admin` role
+
+### Environment Variables
+
+| Variable                  | Description                                | Default                   |
+| ------------------------- | ------------------------------------------ | ------------------------- |
+| `JWT_SECRET`              | Secret for signing JWT tokens              | `change-me-in-production` |
+| `JWT_EXPIRES_IN`          | Token expiration time                      | `24h`                     |
+| `KYRO_AUTH_DB_PATH`       | Path to auth SQLite database               | `./data/auth.db`          |
+| `KYRO_ALLOW_REGISTRATION` | Allow public registration after first user | `true`                    |
+
+### Auth API Endpoints
+
+| Endpoint             | Method | Description                  |
+| -------------------- | ------ | ---------------------------- |
+| `/api/auth/login`    | POST   | Authenticate user            |
+| `/api/auth/register` | POST   | Register new user            |
+| `/api/auth/logout`   | POST   | Invalidate session           |
+| `/api/auth/me`       | GET    | Get current user info        |
+| `/api/auth/users`    | GET    | List all users (admin only)  |
+| `/api/auth/users`    | POST   | Create new user (admin only) |
+
+## Project Structure
+
+```
+admin/
+├── src/
+│   ├── components/     # React UI components
+│   ├── pages/          # Astro pages + API routes
+│   │   └── api/        # REST API endpoints
+│   │       └── auth/   # Authentication endpoints
+│   ├── collections/    # Auth collection config
+│   └── middleware.ts   # Auth middleware
+├── public/             # Static assets
+└── astro.config.mjs    # Astro configuration
+```
+
+## Security
+
+- **Password Hashing** — bcryptjs with 12 salt rounds
+- **JWT Tokens** — Signed tokens with configurable expiration
+- **Session Management** — Server-side session tracking via SQLite
+- **Middleware Protection** — All non-auth routes require valid JWT
+- **Password Policy** — Minimum 12 characters with complexity requirements
+
+## Scalability
+
+### Default Setup (Single Instance)
+
+SQLite auth adapter handles everything in a single `./data/auth.db` file. Perfect for:
+
+- Development
+- Small to medium projects
+- Single-server deployments
+
+### Multi-Instance / Horizontal Scaling
+
+When running multiple Kyro CMS instances behind a load balancer, configure:
+
+```bash
+# Shared auth database path (mounted volume, NFS, etc.)
+KYRO_AUTH_DB_PATH=/shared/data/auth.db
+
+# Enable write-ahead logging for concurrent access
+# (automatically enabled by SQLiteAuthAdapter)
+```
+
+### High-Scale Production
+
+For high-traffic deployments with many concurrent users:
+
+1. **Connection Pooling** — SQLite handles concurrent reads well, but writes are serialized. For write-heavy workloads, consider PostgreSQL with the Drizzle auth adapter.
+
+2. **Session Caching** — JWT tokens are self-contained, so session validation doesn't require database reads on every request.
+
+3. **Rate Limiting** — Currently in-memory per instance. For distributed rate limiting, use Redis or a shared SQLite file on fast storage.
+
+4. **Audit Logs** — Stored in SQLite. For high-volume audit logging, consider exporting to a dedicated log store.
+
+## License
+
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kyro-cms/admin",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "private": false,
   "type": "module",
   "description": "Admin dashboard for Kyro CMS",

package/src/middleware.ts

@@ -18,6 +18,45 @@ const PUBLIC_PREFIXES = ["/api/collections/", "/api/auth/"];
 export const onRequest: MiddlewareHandler = async ({ request, url }, next) => {
   const pathname = new URL(url).pathname;
 
+  // Handle root path redirection
+  if (pathname === "/") {
+    const authHeader = request.headers.get("authorization");
+    const token = authHeader?.startsWith("Bearer ")
+      ? authHeader.slice(7)
+      : null;
+
+    if (!token) {
+      // Redirect to admin login if not authenticated
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/admin",
+        },
+      });
+    }
+
+    try {
+      // Verify token to get user info
+      const payload = jwt.verify(token, JWT_SECRET) as jwt.JwtPayload;
+
+      // Redirect to dashboard if authenticated
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/admin/dashboard",
+        },
+      });
+    } catch {
+      // Invalid token, redirect to login
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/admin",
+        },
+      });
+    }
+  }
+
   if (PUBLIC_PATHS.includes(pathname)) {
     return next();
   }

package/src/pages/api/auth/login.ts

@@ -1,14 +1,13 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
 import jwt from "jsonwebtoken";
 
 const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
 const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "24h";
 
 async function getAuthApi() {
-  return new RedisAuthAdapter({
-    url: process.env.REDIS_URL || "redis://localhost:6379",
-    tls: process.env.REDIS_TLS === "true",
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
   });
 }
 
@@ -49,7 +48,6 @@ export const POST: APIRoute = async ({ request }) => {
 
     const valid = await adapter.verifyPassword(password, user.passwordHash);
     if (!valid) {
-      await adapter.recordFailedAttempt(user.id);
       await adapter.disconnect();
       return new Response(JSON.stringify({ error: "Invalid credentials" }), {
         status: 401,
@@ -57,8 +55,6 @@ export const POST: APIRoute = async ({ request }) => {
       });
     }
 
-    await adapter.resetAttempts(user.id);
-
     const session = await adapter.createSession(user.id, {
       ipAddress: request.headers.get("x-forwarded-for") || "unknown",
       userAgent: request.headers.get("user-agent") || "",

package/src/pages/api/auth/logout.ts

@@ -1,47 +1,35 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
+
+const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
 
 async function getAuthApi() {
-  return new RedisAuthAdapter({
-    url: process.env.REDIS_URL || "redis://localhost:6379",
-    tls: process.env.REDIS_TLS === "true",
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
   });
 }
 
 export const POST: APIRoute = async ({ request }) => {
   try {
-    const body = (await request.json()) as { refreshToken?: string };
-    const { refreshToken } = body;
-
-    if (!refreshToken) {
-      return new Response(JSON.stringify({ error: "Refresh token required" }), {
-        status: 400,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
+    const authHeader = request.headers.get("authorization");
+    const token = authHeader?.startsWith("Bearer ")
+      ? authHeader.slice(7)
+      : null;
 
-    const adapter = await getAuthApi();
-    await adapter.connect();
-
-    const session = await adapter.findSessionByToken(refreshToken);
-    if (!session) {
+    if (token) {
+      const adapter = await getAuthApi();
+      await adapter.connect();
+      await adapter.deleteSession(token);
       await adapter.disconnect();
-      return new Response(JSON.stringify({ error: "Invalid refresh token" }), {
-        status: 401,
-        headers: { "Content-Type": "application/json" },
-      });
     }
 
-    await adapter.disconnect();
-
-    return new Response(JSON.stringify({ success: true, session }), {
+    return new Response(JSON.stringify({ success: true }), {
       status: 200,
       headers: { "Content-Type": "application/json" },
     });
-  } catch (error) {
-    console.error("Logout error:", error);
-    return new Response(JSON.stringify({ error: "Logout failed" }), {
-      status: 500,
+  } catch {
+    return new Response(JSON.stringify({ success: true }), {
+      status: 200,
       headers: { "Content-Type": "application/json" },
     });
   }

package/src/pages/api/auth/register.ts

@@ -1,5 +1,5 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
 import jwt from "jsonwebtoken";
 
 const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
@@ -7,9 +7,8 @@ const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "24h";
 const ALLOW_REGISTRATION = process.env.KYRO_ALLOW_REGISTRATION !== "false";
 
 async function getAuthApi() {
-  return new RedisAuthAdapter({
-    url: process.env.REDIS_URL || "redis://localhost:6379",
-    tls: process.env.REDIS_TLS === "true",
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
   });
 }
 
@@ -55,7 +54,7 @@ export const POST: APIRoute = async ({ request }) => {
       );
     }
 
-    const isFirstUser = await checkIsFirstUser(adapter);
+    const isFirstUser = !(await adapter.hasAnyUsers());
 
     if (!isFirstUser && !ALLOW_REGISTRATION) {
       await adapter.disconnect();
@@ -117,17 +116,3 @@ export const POST: APIRoute = async ({ request }) => {
     });
   }
 };
-
-async function checkIsFirstUser(adapter: RedisAuthAdapter): Promise<boolean> {
-  try {
-    const redis = (adapter as any).redis;
-    if (!redis) return true;
-
-    const pattern = "kyro:auth:users:email:*";
-    const result = await redis.scan("0", "MATCH", pattern, "COUNT", "1");
-    const keys = result[1];
-    return keys.length === 0;
-  } catch {
-    return true;
-  }
-}

package/src/pages/api/auth/users.ts

@@ -1,72 +1,103 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
-import { AuditLogger } from "@kyro-cms/core";
-import { createAuditContext } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
 import bcrypt from "bcryptjs";
-import { randomBytes } from "crypto";
 
-const redisAdapter = new RedisAuthAdapter({
-  url: process.env.REDIS_URL || "redis://localhost:6379",
-});
-
-const auditLogger = new AuditLogger(redisAdapter as any);
-
-async function ensureConnection() {
-  try {
-    await redisAdapter.connect();
-  } catch (e) {
-    // Connection might already be established
-  }
+async function getAuthApi() {
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
+  });
 }
 
-export const GET: APIRoute = async ({ url, request }) => {
-  await ensureConnection();
-
+export const GET: APIRoute = async ({ url }) => {
   const page = parseInt(url.searchParams.get("page") || "1");
   const limit = parseInt(url.searchParams.get("limit") || "25");
   const search = url.searchParams.get("search") || "";
 
   try {
-    const pattern = search ? `*${search.toLowerCase()}*` : "*";
+    const adapter = await getAuthApi();
+    await adapter.connect();
 
-    let cursor = "0";
+    // Get all users - SQLite doesn't have scan, so we need to query differently
+    // For now, we'll use a simple approach with email search
     const users: any[] = [];
-    const seenIds = new Set<string>();
-
-    do {
-      const [nextCursor, keys] = await (redisAdapter as any).redis.scan(
-        cursor,
-        "MATCH",
-        "kyro:auth:users:email:*",
-        "COUNT",
-        100,
-      );
-      cursor = nextCursor;
-
-      for (const key of keys) {
-        const userId = await (redisAdapter as any).redis.get(key);
-        if (userId && !seenIds.has(userId)) {
-          seenIds.add(userId);
-          const user = await redisAdapter.findUserById(userId);
-          if (user) {
-            const { passwordHash, ...safeUser } = user;
-            users.push(safeUser);
-          }
-        }
+
+    // If searching, we need to find matching emails
+    if (search) {
+      const result = (adapter as any).db
+        .prepare("SELECT * FROM kyro_users WHERE email LIKE ? LIMIT ? OFFSET ?")
+        .all(`%${search}%`, limit, (page - 1) * limit);
+
+      for (const row of result) {
+        const { password_hash, ...safeUser } = row;
+        users.push({
+          id: row.id,
+          email: row.email,
+          role: row.role,
+          tenantId: row.tenant_id,
+          emailVerified: row.email_verified === 1,
+          locked: row.locked === 1,
+          lastLogin: row.last_login,
+          failedLoginAttempts: row.failed_login_attempts || 0,
+          createdAt: row.created_at,
+          updatedAt: row.updated_at,
+        });
       }
-    } while (cursor !== "0");
 
-    const totalDocs = users.length;
-    const startIndex = (page - 1) * limit;
-    const paginatedUsers = users.slice(startIndex, startIndex + limit);
+      const totalResult = (adapter as any).db
+        .prepare("SELECT COUNT(*) as count FROM kyro_users WHERE email LIKE ?")
+        .get(`%${search}%`) as { count: number };
+
+      await adapter.disconnect();
+
+      return new Response(
+        JSON.stringify({
+          docs: users,
+          totalDocs: totalResult.count,
+          page,
+          limit,
+          totalPages: Math.ceil(totalResult.count / limit),
+        }),
+        {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        },
+      );
+    }
+
+    // Get all users with pagination
+    const result = (adapter as any).db
+      .prepare("SELECT * FROM kyro_users LIMIT ? OFFSET ?")
+      .all(limit, (page - 1) * limit);
+
+    for (const row of result) {
+      const { password_hash, ...safeUser } = row;
+      users.push({
+        id: row.id,
+        email: row.email,
+        role: row.role,
+        tenantId: row.tenant_id,
+        emailVerified: row.email_verified === 1,
+        locked: row.locked === 1,
+        lastLogin: row.last_login,
+        failedLoginAttempts: row.failed_login_attempts || 0,
+        createdAt: row.created_at,
+        updatedAt: row.updated_at,
+      });
+    }
+
+    const totalResult = (adapter as any).db
+      .prepare("SELECT COUNT(*) as count FROM kyro_users")
+      .get() as { count: number };
+
+    await adapter.disconnect();
 
     return new Response(
       JSON.stringify({
-        docs: paginatedUsers,
-        totalDocs,
+        docs: users,
+        totalDocs: totalResult.count,
         page,
         limit,
-        totalPages: Math.ceil(totalDocs / limit),
+        totalPages: Math.ceil(totalResult.count / limit),
       }),
       {
         status: 200,
@@ -90,10 +121,6 @@ export const GET: APIRoute = async ({ url, request }) => {
 };
 
 export const POST: APIRoute = async ({ request }) => {
-  await ensureConnection();
-
-  const { ipAddress, userAgent } = createAuditContext(request as any);
-
   try {
     const body = await request.json();
     const { email, password, role, tenantId } = body;
@@ -108,8 +135,12 @@ export const POST: APIRoute = async ({ request }) => {
       );
     }
 
-    const existing = await redisAdapter.findUserByEmail(email);
+    const adapter = await getAuthApi();
+    await adapter.connect();
+
+    const existing = await adapter.findUserByEmail(email);
     if (existing) {
+      await adapter.disconnect();
       return new Response(JSON.stringify({ error: "Email already exists" }), {
         status: 400,
         headers: { "Content-Type": "application/json" },
@@ -117,23 +148,14 @@ export const POST: APIRoute = async ({ request }) => {
     }
 
     const passwordHash = await bcrypt.hash(password, 12);
-    const user = await redisAdapter.createUser({
+    const user = await adapter.createUser({
       email,
       passwordHash,
       role: role || "customer",
       tenantId,
     });
 
-    await auditLogger.log({
-      action: "user_create",
-      userId: user.id,
-      userEmail: user.email,
-      role: user.role,
-      resource: "users",
-      ipAddress,
-      userAgent,
-      success: true,
-    });
+    await adapter.disconnect();
 
     const { passwordHash: _, ...safeUser } = user;
     return new Response(JSON.stringify({ data: safeUser }), {

package/src/pages/api/health.ts

@@ -0,0 +1,49 @@
+import type { APIRoute } from "astro";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
+
+async function getAuthApi() {
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
+  });
+}
+
+export const GET: APIRoute = async () => {
+  try {
+    const adapter = await getAuthApi();
+    await adapter.connect();
+
+    const stats = await adapter.getStats();
+    await adapter.disconnect();
+
+    return new Response(
+      JSON.stringify({
+        status: "healthy",
+        auth: {
+          storage: "sqlite",
+          userCount: stats.userCount,
+          activeSessionCount: stats.activeSessionCount,
+          auditLogCount: stats.auditLogCount,
+        },
+        uptime: process.uptime(),
+        memory: process.memoryUsage(),
+        timestamp: new Date().toISOString(),
+      }),
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  } catch (error) {
+    return new Response(
+      JSON.stringify({
+        status: "unhealthy",
+        error: error instanceof Error ? error.message : "Unknown error",
+        timestamp: new Date().toISOString(),
+      }),
+      {
+        status: 503,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  }
+};