@kyro-cms/admin 0.1.4 → 0.1.6

package/README.md

@@ -0,0 +1,171 @@
+# @kyro-cms/admin
+
+Admin dashboard for Kyro CMS — a React-based admin interface built with Astro.
+
+## Features
+
+- **Authentication** — JWT-based login/logout with SQLite auth backend
+- **Collection Management** — Create, edit, and manage content collections
+- **User Management** — Manage users, roles, and permissions
+- **Settings** — Configure CMS settings, globals, and plugins
+- **Responsive** — Mobile-friendly dashboard with Tailwind CSS
+
+## Quick Start
+
+### Prerequisites
+
+- Node.js 18+
+- A Kyro CMS project with `@kyro-cms/core` installed
+
+### Development
+
+```bash
+# Install dependencies
+npm install
+
+# Start dev server
+npm run dev
+
+# Build for production
+npm run build
+
+# Preview production build
+npm run preview
+
+# Type check
+npm run check
+```
+
+### Integration with Kyro CMS
+
+The admin dashboard is designed to work alongside a Kyro CMS project. In your Astro project:
+
+1. Install the admin package:
+
+   ```bash
+   npm install @kyro-cms/admin
+   ```
+
+2. Create an admin page at `src/pages/admin/index.astro`:
+
+   ```astro
+   ---
+   import { Admin } from '@kyro-cms/admin';
+   import config from '../../../kyro.config';
+   ---
+   <!DOCTYPE html>
+   <html lang="en">
+     <head>
+       <meta charset="UTF-8" />
+       <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+       <title>Admin - My Kyro CMS</title>
+     </head>
+     <body>
+       <Admin client:load config={config} />
+     </body>
+   </html>
+   ```
+
+3. Configure your `astro.config.mjs` with the Node adapter:
+
+   ```js
+   import { defineConfig } from "astro/config";
+   import node from "@astrojs/node";
+
+   export default defineConfig({
+     output: "server",
+     adapter: node({ mode: "standalone" }),
+   });
+   ```
+
+## Authentication
+
+The admin uses SQLite for auth by default (stored at `./data/auth.db`). No Redis or external services required.
+
+### Creating Your First Admin User
+
+1. Start the dev server: `npm run dev`
+2. Visit `http://localhost:4321/admin`
+3. Register with your email and password
+4. The first user automatically gets the `super_admin` role
+
+### Environment Variables
+
+| Variable                  | Description                                | Default                   |
+| ------------------------- | ------------------------------------------ | ------------------------- |
+| `JWT_SECRET`              | Secret for signing JWT tokens              | `change-me-in-production` |
+| `JWT_EXPIRES_IN`          | Token expiration time                      | `24h`                     |
+| `KYRO_AUTH_DB_PATH`       | Path to auth SQLite database               | `./data/auth.db`          |
+| `KYRO_ALLOW_REGISTRATION` | Allow public registration after first user | `true`                    |
+
+### Auth API Endpoints
+
+| Endpoint             | Method | Description                  |
+| -------------------- | ------ | ---------------------------- |
+| `/api/auth/login`    | POST   | Authenticate user            |
+| `/api/auth/register` | POST   | Register new user            |
+| `/api/auth/logout`   | POST   | Invalidate session           |
+| `/api/auth/me`       | GET    | Get current user info        |
+| `/api/auth/users`    | GET    | List all users (admin only)  |
+| `/api/auth/users`    | POST   | Create new user (admin only) |
+
+## Project Structure
+
+```
+admin/
+├── src/
+│   ├── components/     # React UI components
+│   ├── pages/          # Astro pages + API routes
+│   │   └── api/        # REST API endpoints
+│   │       └── auth/   # Authentication endpoints
+│   ├── collections/    # Auth collection config
+│   └── middleware.ts   # Auth middleware
+├── public/             # Static assets
+└── astro.config.mjs    # Astro configuration
+```
+
+## Security
+
+- **Password Hashing** — bcryptjs with 12 salt rounds
+- **JWT Tokens** — Signed tokens with configurable expiration
+- **Session Management** — Server-side session tracking via SQLite
+- **Middleware Protection** — All non-auth routes require valid JWT
+- **Password Policy** — Minimum 12 characters with complexity requirements
+
+## Scalability
+
+### Default Setup (Single Instance)
+
+SQLite auth adapter handles everything in a single `./data/auth.db` file. Perfect for:
+
+- Development
+- Small to medium projects
+- Single-server deployments
+
+### Multi-Instance / Horizontal Scaling
+
+When running multiple Kyro CMS instances behind a load balancer, configure:
+
+```bash
+# Shared auth database path (mounted volume, NFS, etc.)
+KYRO_AUTH_DB_PATH=/shared/data/auth.db
+
+# Enable write-ahead logging for concurrent access
+# (automatically enabled by SQLiteAuthAdapter)
+```
+
+### High-Scale Production
+
+For high-traffic deployments with many concurrent users:
+
+1. **Connection Pooling** — SQLite handles concurrent reads well, but writes are serialized. For write-heavy workloads, consider PostgreSQL with the Drizzle auth adapter.
+
+2. **Session Caching** — JWT tokens are self-contained, so session validation doesn't require database reads on every request.
+
+3. **Rate Limiting** — Currently in-memory per instance. For distributed rate limiting, use Redis or a shared SQLite file on fast storage.
+
+4. **Audit Logs** — Stored in SQLite. For high-volume audit logging, consider exporting to a dedicated log store.
+
+## License
+
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kyro-cms/admin",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "private": false,
   "type": "module",
   "description": "Admin dashboard for Kyro CMS",
@@ -25,7 +25,7 @@
   "dependencies": {
     "@astrojs/node": "^9.5.5",
     "@astrojs/react": "^4.2.0",
-    "@kyro-cms/core": "^0.1.2",
+    "@kyro-cms/core": "^0.1.6",
     "@tailwindcss/vite": "^4.0.0",
     "astro": "^5.4.0",
     "lucide-react": "^0.475.0",
@@ -41,4 +41,4 @@
   "peerDependencies": {
     "@kyro-cms/core": "^0.1.2"
   }
-}
+}

package/src/layouts/AuthLayout.astro

@@ -0,0 +1,33 @@
+---
+import "../styles/main.css";
+
+interface Props {
+  title: string;
+}
+
+const { title } = Astro.props;
+---
+
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>{title} - Kyro CMS</title>
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+  </head>
+  <body class="bg-[#eaeff2] antialiased text-[#0b1222]">
+    <div class="min-h-screen flex items-center justify-center p-6">
+      <div class="w-full">
+        <!-- Logo -->
+        <div class="text-center mb-8">
+          <a href="/" class="inline-block">
+            <span class="text-4xl font-black tracking-tighter text-[#0b1222]">KYRO.</span>
+          </a>
+        </div>
+        
+        <slot />
+      </div>
+    </div>
+  </body>
+</html>

package/src/middleware.ts

@@ -10,6 +10,8 @@ const PUBLIC_PATHS = [
   "/api/auth/me",
   "/api/auth/users",
   "/api/health",
+  "/login",
+  "/register",
   "/favicon.svg",
 ];
 
@@ -18,6 +20,75 @@ const PUBLIC_PREFIXES = ["/api/collections/", "/api/auth/"];
 export const onRequest: MiddlewareHandler = async ({ request, url }, next) => {
   const pathname = new URL(url).pathname;
 
+  // Helper to extract token from cookie or header
+  const getToken = (): string | null => {
+    // Check Authorization header first
+    const authHeader = request.headers.get("authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+      return authHeader.slice(7);
+    }
+    // Check cookie
+    const cookies = request.headers.get("cookie") || "";
+    const match = cookies.match(/auth_token=([^;]+)/);
+    return match ? match[1] : null;
+  };
+
+  const token = getToken();
+
+  // Handle root path - redirect to admin for authenticated users
+  if (pathname === "/") {
+    if (!token) {
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/login",
+        },
+      });
+    }
+
+    // Token exists - redirect to admin dashboard
+    try {
+      jwt.verify(token, JWT_SECRET);
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/admin",
+        },
+      });
+    } catch {
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/login",
+        },
+      });
+    }
+  }
+
+  // Handle /admin path - main dashboard
+  if (pathname === "/admin") {
+    if (!token) {
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/login",
+        },
+      });
+    }
+
+    try {
+      jwt.verify(token, JWT_SECRET);
+      return next();
+    } catch {
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: "/login",
+        },
+      });
+    }
+  }
+
   if (PUBLIC_PATHS.includes(pathname)) {
     return next();
   }
@@ -28,9 +99,6 @@ export const onRequest: MiddlewareHandler = async ({ request, url }, next) => {
     }
   }
 
-  const authHeader = request.headers.get("authorization");
-  const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-
   if (!token) {
     return new Response(JSON.stringify({ error: "Authentication required" }), {
       status: 401,
@@ -39,7 +107,7 @@ export const onRequest: MiddlewareHandler = async ({ request, url }, next) => {
   }
 
   try {
-    const payload = jwt.verify(token, JWT_SECRET) as jwt.JwtPayload;
+    jwt.verify(token, JWT_SECRET);
     return next();
   } catch {
     return new Response(JSON.stringify({ error: "Invalid or expired token" }), {

package/src/pages/{index.astro → admin/index.astro}

@@ -1,6 +1,6 @@
 ---
-import AdminLayout from '../layouts/AdminLayout.astro';
-import { collections } from "../lib/config";
+import AdminLayout from '../../layouts/AdminLayout.astro';
+import { collections } from "../../lib/config";
 
 const authCollections = ['users', 'roles', 'audit_logs'];
 const authItems = authCollections.map(slug => ({

package/src/pages/api/auth/login.ts

@@ -1,14 +1,13 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
 import jwt from "jsonwebtoken";
 
 const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
 const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "24h";
 
 async function getAuthApi() {
-  return new RedisAuthAdapter({
-    url: process.env.REDIS_URL || "redis://localhost:6379",
-    tls: process.env.REDIS_TLS === "true",
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
   });
 }
 
@@ -49,7 +48,6 @@ export const POST: APIRoute = async ({ request }) => {
 
     const valid = await adapter.verifyPassword(password, user.passwordHash);
     if (!valid) {
-      await adapter.recordFailedAttempt(user.id);
       await adapter.disconnect();
       return new Response(JSON.stringify({ error: "Invalid credentials" }), {
         status: 401,
@@ -57,8 +55,6 @@ export const POST: APIRoute = async ({ request }) => {
       });
     }
 
-    await adapter.resetAttempts(user.id);
-
     const session = await adapter.createSession(user.id, {
       ipAddress: request.headers.get("x-forwarded-for") || "unknown",
       userAgent: request.headers.get("user-agent") || "",

package/src/pages/api/auth/logout.ts

@@ -1,48 +1,48 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
+
+const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
 
 async function getAuthApi() {
-  return new RedisAuthAdapter({
-    url: process.env.REDIS_URL || "redis://localhost:6379",
-    tls: process.env.REDIS_TLS === "true",
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
   });
 }
 
 export const POST: APIRoute = async ({ request }) => {
   try {
-    const body = (await request.json()) as { refreshToken?: string };
-    const { refreshToken } = body;
-
-    if (!refreshToken) {
-      return new Response(JSON.stringify({ error: "Refresh token required" }), {
-        status: 400,
-        headers: { "Content-Type": "application/json" },
-      });
+    // Check Authorization header or cookie for token
+    let token: string | null = null;
+    const authHeader = request.headers.get("authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+      token = authHeader.slice(7);
+    } else {
+      const cookies = request.headers.get("cookie") || "";
+      const match = cookies.match(/auth_token=([^;]+)/);
+      token = match ? match[1] : null;
     }
 
-    const adapter = await getAuthApi();
-    await adapter.connect();
-
-    const session = await adapter.findSessionByToken(refreshToken);
-    if (!session) {
+    if (token) {
+      const adapter = await getAuthApi();
+      await adapter.connect();
+      await adapter.deleteSession(token);
       await adapter.disconnect();
-      return new Response(JSON.stringify({ error: "Invalid refresh token" }), {
-        status: 401,
-        headers: { "Content-Type": "application/json" },
-      });
     }
 
-    await adapter.disconnect();
-
-    return new Response(JSON.stringify({ success: true, session }), {
+    return new Response(JSON.stringify({ success: true }), {
       status: 200,
-      headers: { "Content-Type": "application/json" },
+      headers: {
+        "Content-Type": "application/json",
+        "Set-Cookie": "auth_token=; path=/; max-age=0",
+      },
     });
-  } catch (error) {
-    console.error("Logout error:", error);
-    return new Response(JSON.stringify({ error: "Logout failed" }), {
-      status: 500,
-      headers: { "Content-Type": "application/json" },
+  } catch {
+    return new Response(JSON.stringify({ success: true }), {
+      status: 200,
+      headers: {
+        "Content-Type": "application/json",
+        "Set-Cookie": "auth_token=; path=/; max-age=0",
+      },
     });
   }
 };

package/src/pages/api/auth/register.ts

@@ -1,5 +1,5 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
 import jwt from "jsonwebtoken";
 
 const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
@@ -7,9 +7,8 @@ const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "24h";
 const ALLOW_REGISTRATION = process.env.KYRO_ALLOW_REGISTRATION !== "false";
 
 async function getAuthApi() {
-  return new RedisAuthAdapter({
-    url: process.env.REDIS_URL || "redis://localhost:6379",
-    tls: process.env.REDIS_TLS === "true",
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
   });
 }
 
@@ -55,7 +54,7 @@ export const POST: APIRoute = async ({ request }) => {
       );
     }
 
-    const isFirstUser = await checkIsFirstUser(adapter);
+    const isFirstUser = !(await adapter.hasAnyUsers());
 
     if (!isFirstUser && !ALLOW_REGISTRATION) {
       await adapter.disconnect();
@@ -117,17 +116,3 @@ export const POST: APIRoute = async ({ request }) => {
     });
   }
 };
-
-async function checkIsFirstUser(adapter: RedisAuthAdapter): Promise<boolean> {
-  try {
-    const redis = (adapter as any).redis;
-    if (!redis) return true;
-
-    const pattern = "kyro:auth:users:email:*";
-    const result = await redis.scan("0", "MATCH", pattern, "COUNT", "1");
-    const keys = result[1];
-    return keys.length === 0;
-  } catch {
-    return true;
-  }
-}

package/src/pages/api/auth/users.ts

@@ -1,72 +1,103 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
-import { AuditLogger } from "@kyro-cms/core";
-import { createAuditContext } from "@kyro-cms/core";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
 import bcrypt from "bcryptjs";
-import { randomBytes } from "crypto";
 
-const redisAdapter = new RedisAuthAdapter({
-  url: process.env.REDIS_URL || "redis://localhost:6379",
-});
-
-const auditLogger = new AuditLogger(redisAdapter as any);
-
-async function ensureConnection() {
-  try {
-    await redisAdapter.connect();
-  } catch (e) {
-    // Connection might already be established
-  }
+async function getAuthApi() {
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
+  });
 }
 
-export const GET: APIRoute = async ({ url, request }) => {
-  await ensureConnection();
-
+export const GET: APIRoute = async ({ url }) => {
   const page = parseInt(url.searchParams.get("page") || "1");
   const limit = parseInt(url.searchParams.get("limit") || "25");
   const search = url.searchParams.get("search") || "";
 
   try {
-    const pattern = search ? `*${search.toLowerCase()}*` : "*";
+    const adapter = await getAuthApi();
+    await adapter.connect();
 
-    let cursor = "0";
+    // Get all users - SQLite doesn't have scan, so we need to query differently
+    // For now, we'll use a simple approach with email search
     const users: any[] = [];
-    const seenIds = new Set<string>();
-
-    do {
-      const [nextCursor, keys] = await (redisAdapter as any).redis.scan(
-        cursor,
-        "MATCH",
-        "kyro:auth:users:email:*",
-        "COUNT",
-        100,
-      );
-      cursor = nextCursor;
-
-      for (const key of keys) {
-        const userId = await (redisAdapter as any).redis.get(key);
-        if (userId && !seenIds.has(userId)) {
-          seenIds.add(userId);
-          const user = await redisAdapter.findUserById(userId);
-          if (user) {
-            const { passwordHash, ...safeUser } = user;
-            users.push(safeUser);
-          }
-        }
+
+    // If searching, we need to find matching emails
+    if (search) {
+      const result = (adapter as any).db
+        .prepare("SELECT * FROM kyro_users WHERE email LIKE ? LIMIT ? OFFSET ?")
+        .all(`%${search}%`, limit, (page - 1) * limit);
+
+      for (const row of result) {
+        const { password_hash, ...safeUser } = row;
+        users.push({
+          id: row.id,
+          email: row.email,
+          role: row.role,
+          tenantId: row.tenant_id,
+          emailVerified: row.email_verified === 1,
+          locked: row.locked === 1,
+          lastLogin: row.last_login,
+          failedLoginAttempts: row.failed_login_attempts || 0,
+          createdAt: row.created_at,
+          updatedAt: row.updated_at,
+        });
       }
-    } while (cursor !== "0");
 
-    const totalDocs = users.length;
-    const startIndex = (page - 1) * limit;
-    const paginatedUsers = users.slice(startIndex, startIndex + limit);
+      const totalResult = (adapter as any).db
+        .prepare("SELECT COUNT(*) as count FROM kyro_users WHERE email LIKE ?")
+        .get(`%${search}%`) as { count: number };
+
+      await adapter.disconnect();
+
+      return new Response(
+        JSON.stringify({
+          docs: users,
+          totalDocs: totalResult.count,
+          page,
+          limit,
+          totalPages: Math.ceil(totalResult.count / limit),
+        }),
+        {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        },
+      );
+    }
+
+    // Get all users with pagination
+    const result = (adapter as any).db
+      .prepare("SELECT * FROM kyro_users LIMIT ? OFFSET ?")
+      .all(limit, (page - 1) * limit);
+
+    for (const row of result) {
+      const { password_hash, ...safeUser } = row;
+      users.push({
+        id: row.id,
+        email: row.email,
+        role: row.role,
+        tenantId: row.tenant_id,
+        emailVerified: row.email_verified === 1,
+        locked: row.locked === 1,
+        lastLogin: row.last_login,
+        failedLoginAttempts: row.failed_login_attempts || 0,
+        createdAt: row.created_at,
+        updatedAt: row.updated_at,
+      });
+    }
+
+    const totalResult = (adapter as any).db
+      .prepare("SELECT COUNT(*) as count FROM kyro_users")
+      .get() as { count: number };
+
+    await adapter.disconnect();
 
     return new Response(
       JSON.stringify({
-        docs: paginatedUsers,
-        totalDocs,
+        docs: users,
+        totalDocs: totalResult.count,
         page,
         limit,
-        totalPages: Math.ceil(totalDocs / limit),
+        totalPages: Math.ceil(totalResult.count / limit),
       }),
       {
         status: 200,
@@ -90,10 +121,6 @@ export const GET: APIRoute = async ({ url, request }) => {
 };
 
 export const POST: APIRoute = async ({ request }) => {
-  await ensureConnection();
-
-  const { ipAddress, userAgent } = createAuditContext(request as any);
-
   try {
     const body = await request.json();
     const { email, password, role, tenantId } = body;
@@ -108,8 +135,12 @@ export const POST: APIRoute = async ({ request }) => {
       );
     }
 
-    const existing = await redisAdapter.findUserByEmail(email);
+    const adapter = await getAuthApi();
+    await adapter.connect();
+
+    const existing = await adapter.findUserByEmail(email);
     if (existing) {
+      await adapter.disconnect();
       return new Response(JSON.stringify({ error: "Email already exists" }), {
         status: 400,
         headers: { "Content-Type": "application/json" },
@@ -117,23 +148,14 @@ export const POST: APIRoute = async ({ request }) => {
     }
 
     const passwordHash = await bcrypt.hash(password, 12);
-    const user = await redisAdapter.createUser({
+    const user = await adapter.createUser({
       email,
       passwordHash,
       role: role || "customer",
       tenantId,
     });
 
-    await auditLogger.log({
-      action: "user_create",
-      userId: user.id,
-      userEmail: user.email,
-      role: user.role,
-      resource: "users",
-      ipAddress,
-      userAgent,
-      success: true,
-    });
+    await adapter.disconnect();
 
     const { passwordHash: _, ...safeUser } = user;
     return new Response(JSON.stringify({ data: safeUser }), {

package/src/pages/api/health.ts

@@ -0,0 +1,49 @@
+import type { APIRoute } from "astro";
+import { SQLiteAuthAdapter } from "@kyro-cms/core";
+
+async function getAuthApi() {
+  return new SQLiteAuthAdapter({
+    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
+  });
+}
+
+export const GET: APIRoute = async () => {
+  try {
+    const adapter = await getAuthApi();
+    await adapter.connect();
+
+    const stats = await adapter.getStats();
+    await adapter.disconnect();
+
+    return new Response(
+      JSON.stringify({
+        status: "healthy",
+        auth: {
+          storage: "sqlite",
+          userCount: stats.userCount,
+          activeSessionCount: stats.activeSessionCount,
+          auditLogCount: stats.auditLogCount,
+        },
+        uptime: process.uptime(),
+        memory: process.memoryUsage(),
+        timestamp: new Date().toISOString(),
+      }),
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  } catch (error) {
+    return new Response(
+      JSON.stringify({
+        status: "unhealthy",
+        error: error instanceof Error ? error.message : "Unknown error",
+        timestamp: new Date().toISOString(),
+      }),
+      {
+        status: 503,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  }
+};

package/src/pages/login.astro

@@ -0,0 +1,82 @@
+---
+import AuthLayout from '../layouts/AuthLayout.astro';
+---
+
+<AuthLayout title="Sign In">
+  <div class="surface-tile p-8 w-full max-w-md">
+    <div class="text-center mb-8">
+      <h1 class="text-2xl font-black tracking-tight text-[#0b1222]">Welcome back</h1>
+      <p class="text-sm text-[#64748b] mt-2">Sign in to your account</p>
+    </div>
+
+    <form id="login-form" class="space-y-4">
+      <div>
+        <label for="email" class="block text-sm font-bold text-[#0b1222] mb-2">Email</label>
+        <input type="email" id="email" name="email" required 
+          class="w-full px-4 py-3 border border-gray-200 rounded-xl text-sm font-medium focus:outline-none focus:ring-2 focus:ring-[#0b1222]/20 focus:border-[#0b1222]" 
+          placeholder="admin@example.com" />
+      </div>
+
+      <div>
+        <label for="password" class="block text-sm font-bold text-[#0b1222] mb-2">Password</label>
+        <input type="password" id="password" name="password" required 
+          class="w-full px-4 py-3 border border-gray-200 rounded-xl text-sm font-medium focus:outline-none focus:ring-2 focus:ring-[#0b1222]/20 focus:border-[#0b1222]" 
+          placeholder="••••••••" />
+      </div>
+
+      <div id="form-message" class="hidden p-3 rounded-xl text-sm font-bold"></div>
+
+      <button type="submit" class="w-full py-3 bg-[#0b1222] text-white rounded-xl text-sm font-bold hover:bg-[#1a2332] transition-colors">
+        Sign In
+      </button>
+    </form>
+
+    <p class="text-center text-sm text-[#64748b] mt-6">
+      Don't have an account? <a href="/register" class="font-bold text-[#0b1222] hover:underline">Register</a>
+    </p>
+  </div>
+
+  <script is:inline>
+    document.getElementById('login-form')?.addEventListener('submit', async (e) => {
+      e.preventDefault();
+      const form = e.target;
+      const message = document.getElementById('form-message');
+      const button = form.querySelector('button[type="submit"]');
+      
+      const email = form.email.value;
+      const password = form.password.value;
+      
+      button.disabled = true;
+      button.textContent = 'Signing in...';
+      
+      try {
+        const res = await fetch('/api/auth/login', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ email, password })
+        });
+        
+        const data = await res.json();
+        
+        if (res.ok && data.success) {
+          // Set cookie for server-side auth
+          document.cookie = `auth_token=${data.token}; path=/; max-age=${60*60*24}; samesite=strict`;
+          localStorage.setItem('user', JSON.stringify(data.user));
+          message.textContent = 'Success! Redirecting...';
+          message.className = 'block p-3 rounded-xl text-sm font-bold bg-green-50 text-green-600';
+          setTimeout(() => { window.location.href = '/admin'; }, 500);
+        } else {
+          message.textContent = data.error || 'Login failed';
+          message.className = 'block p-3 rounded-xl text-sm font-bold bg-red-50 text-red-600';
+          button.disabled = false;
+          button.textContent = 'Sign In';
+        }
+      } catch (err) {
+        message.textContent = 'Connection error';
+        message.className = 'block p-3 rounded-xl text-sm font-bold bg-red-50 text-red-600';
+        button.disabled = false;
+        button.textContent = 'Sign In';
+      }
+    });
+  </script>
+</AuthLayout>

package/src/pages/register.astro

@@ -0,0 +1,102 @@
+---
+import AuthLayout from '../layouts/AuthLayout.astro';
+---
+
+<AuthLayout title="Create Account">
+  <div class="surface-tile p-8 w-full max-w-md">
+    <div class="text-center mb-8">
+      <h1 class="text-2xl font-black tracking-tight text-[#0b1222]">Create your account</h1>
+      <p class="text-sm text-[#64748b] mt-2">Get started with Kyro CMS</p>
+    </div>
+
+    <form id="register-form" class="space-y-4">
+      <div>
+        <label for="email" class="block text-sm font-bold text-[#0b1222] mb-2">Email</label>
+        <input type="email" id="email" name="email" required 
+          class="w-full px-4 py-3 border border-gray-200 rounded-xl text-sm font-medium focus:outline-none focus:ring-2 focus:ring-[#0b1222]/20 focus:border-[#0b1222]" 
+          placeholder="admin@example.com" />
+      </div>
+
+      <div>
+        <label for="password" class="block text-sm font-bold text-[#0b1222] mb-2">Password</label>
+        <input type="password" id="password" name="password" required minlength="8"
+          class="w-full px-4 py-3 border border-gray-200 rounded-xl text-sm font-medium focus:outline-none focus:ring-2 focus:ring-[#0b1222]/20 focus:border-[#0b1222]" 
+          placeholder="Minimum 8 characters" />
+      </div>
+
+      <div>
+        <label for="confirmPassword" class="block text-sm font-bold text-[#0b1222] mb-2">Confirm Password</label>
+        <input type="password" id="confirmPassword" name="confirmPassword" required minlength="8"
+          class="w-full px-4 py-3 border border-gray-200 rounded-xl text-sm font-medium focus:outline-none focus:ring-2 focus:ring-[#0b1222]/20 focus:border-[#0b1222]" 
+          placeholder="Confirm your password" />
+      </div>
+
+      <div id="form-message" class="hidden p-3 rounded-xl text-sm font-bold"></div>
+
+      <button type="submit" class="w-full py-3 bg-[#0b1222] text-white rounded-xl text-sm font-bold hover:bg-[#1a2332] transition-colors">
+        Create Account
+      </button>
+    </form>
+
+    <p class="text-center text-sm text-[#64748b] mt-6">
+      Already have an account? <a href="/login" class="font-bold text-[#0b1222] hover:underline">Sign in</a>
+    </p>
+  </div>
+
+  <script is:inline>
+    document.getElementById('register-form')?.addEventListener('submit', async (e) => {
+      e.preventDefault();
+      const form = e.target;
+      const message = document.getElementById('form-message');
+      const button = form.querySelector('button[type="submit"]');
+      
+      const email = form.email.value;
+      const password = form.password.value;
+      const confirmPassword = form.confirmPassword.value;
+      
+      if (password !== confirmPassword) {
+        message.textContent = 'Passwords do not match';
+        message.className = 'block p-3 rounded-xl text-sm font-bold bg-red-50 text-red-600';
+        return;
+      }
+      
+      if (password.length < 8) {
+        message.textContent = 'Password must be at least 8 characters';
+        message.className = 'block p-3 rounded-xl text-sm font-bold bg-red-50 text-red-600';
+        return;
+      }
+      
+      button.disabled = true;
+      button.textContent = 'Creating account...';
+      
+      try {
+        const res = await fetch('/api/auth/register', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ email, password, confirmPassword })
+        });
+        
+        const data = await res.json();
+        
+        if (res.ok && data.success) {
+          // Set cookie for server-side auth
+          document.cookie = `auth_token=${data.token}; path=/; max-age=${60*60*24}; samesite=strict`;
+          localStorage.setItem('user', JSON.stringify(data.user));
+          message.textContent = data.isFirstUser ? 'Super admin account created!' : 'Account created successfully!';
+          message.className = 'block p-3 rounded-xl text-sm font-bold bg-green-50 text-green-600';
+          setTimeout(() => { window.location.href = '/admin'; }, 1000);
+        } else {
+          message.textContent = data.error || 'Registration failed';
+          message.className = 'block p-3 rounded-xl text-sm font-bold bg-red-50 text-red-600';
+          button.disabled = false;
+          button.textContent = 'Create Account';
+        }
+      } catch (err) {
+        message.textContent = 'Connection error';
+        message.className = 'block p-3 rounded-xl text-sm font-bold bg-red-50 text-red-600';
+        button.disabled = false;
+        button.textContent = 'Create Account';
+      }
+    });
+  </script>
+</AuthLayout>