@kyro-cms/admin 0.1.5 → 0.1.7

package/src/lib/db/schema/sqlite-auth.ts

@@ -0,0 +1,112 @@
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+
+export const users = sqliteTable("users", {
+  id: text("id").primaryKey(),
+  email: text("email").notNull().unique(),
+  passwordHash: text("password_hash").notNull(),
+  name: text("name"),
+  role: text("role").notNull().default("customer"),
+  tenantId: text("tenant_id"),
+  emailVerified: integer("email_verified", { mode: "boolean" }).default(false),
+  locked: integer("locked", { mode: "boolean" }).default(false),
+  lastLogin: text("last_login"),
+  failedLoginAttempts: integer("failed_login_attempts").default(0),
+  lockedUntil: text("locked_until"),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const sessions = sqliteTable(
+  "sessions",
+  {
+    id: text("id").primaryKey(),
+    token: text("token").notNull().unique(),
+    refreshToken: text("refresh_token"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => users.id, { onDelete: "cascade" }),
+    expiresAt: text("expires_at").notNull(),
+    createdAt: text("created_at").notNull(),
+  },
+  (table) => {
+    return {
+      userIdIdx: index("idx_sessions_user_id").on(table.userId),
+      tokenIdx: index("idx_sessions_token").on(table.token),
+      expiresIdx: index("idx_sessions_expires").on(table.expiresAt),
+    };
+  },
+);
+
+export const roles = sqliteTable("roles", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull().unique(),
+  level: integer("level").notNull().default(0),
+  inherits: text("inherits").$type<string[]>(),
+  permissions: text("permissions").$type<string[]>(),
+  isSystem: integer("is_system", { mode: "boolean" }).default(false),
+  description: text("description"),
+  createdAt: text("created_at").notNull(),
+});
+
+export const auditLogs = sqliteTable(
+  "audit_logs",
+  {
+    id: text("id").primaryKey(),
+    action: text("action").notNull(),
+    userId: text("user_id").references(() => users.id, {
+      onDelete: "set null",
+    }),
+    userEmail: text("user_email"),
+    role: text("role"),
+    resource: text("resource").notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    success: integer("success", { mode: "boolean" }).notNull(),
+    error: text("error"),
+    metadata: text("metadata").$type<Record<string, unknown>>(),
+    createdAt: text("created_at").notNull(),
+  },
+  (table) => {
+    return {
+      userIdIdx: index("idx_audit_user_id").on(table.userId),
+      actionIdx: index("idx_audit_action").on(table.action),
+      createdAtIdx: index("idx_audit_created_at").on(table.createdAt),
+    };
+  },
+);
+
+export const passwordHistory = sqliteTable(
+  "password_history",
+  {
+    id: text("id").primaryKey(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => users.id, { onDelete: "cascade" }),
+    passwordHash: text("password_hash").notNull(),
+    createdAt: text("created_at").notNull(),
+  },
+  (table) => {
+    return {
+      userIdIdx: index("idx_password_history_user_id").on(table.userId),
+    };
+  },
+);
+
+export const lockouts = sqliteTable("lockouts", {
+  id: text("id").primaryKey(),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  ipAddress: text("ip_address"),
+  lockedUntil: text("locked_until").notNull(),
+  createdAt: text("created_at").notNull(),
+});
+
+export type User = typeof users.$inferSelect;
+export type NewUser = typeof users.$inferInsert;
+export type Session = typeof sessions.$inferSelect;
+export type NewSession = typeof sessions.$inferInsert;
+export type Role = typeof roles.$inferSelect;
+export type NewRole = typeof roles.$inferInsert;
+export type AuditLog = typeof auditLogs.$inferSelect;
+export type NewAuditLog = typeof auditLogs.$inferInsert;

package/src/lib/db/schema/sqlite-content.ts

@@ -0,0 +1,20 @@
+import { sqliteTable, text, integer } from "drizzle-orm/sqlite-core";
+
+export const documents = sqliteTable("documents", {
+  id: text("id").primaryKey(),
+  collection: text("collection").notNull(),
+  data: text("data").notNull().$type<Record<string, unknown>>(),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const globals = sqliteTable("globals", {
+  slug: text("slug").primaryKey(),
+  data: text("data").notNull().$type<Record<string, unknown>>(),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export type Document = typeof documents.$inferSelect;
+export type NewDocument = typeof documents.$inferInsert;
+export type Global = typeof globals.$inferSelect;
+export type NewGlobal = typeof globals.$inferInsert;

package/src/lib/graphql/index.ts

@@ -0,0 +1 @@
+export { executeGraphQL, schemaString } from "./schema";

package/src/lib/graphql/schema.ts

@@ -0,0 +1,443 @@
+import { buildSchema, graphql } from "graphql";
+import { dataStore } from "../dataStore";
+import { collections, globals } from "../config";
+import type { CollectionConfig, GlobalConfig } from "@kyro-cms/core";
+import jwt from "jsonwebtoken";
+
+const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
+
+function generateSchemaTypes() {
+  const queryLines: string[] = [
+    `_schema: SchemaInfo!`,
+    `ping: String!`,
+    `collections: [CollectionInfo!]!`,
+    `globals: [GlobalInfo!]!`,
+  ];
+
+  for (const [slug, collection] of Object.entries(collections)) {
+    if (slug === "roles") continue;
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    queryLines.push(`${safeSlug}(page: Int, limit: Int): CollectionResult!`);
+    queryLines.push(`${safeSlug}ById(id: ID!): JSON`);
+    queryLines.push(`${safeSlug}BySlug(slug: String!): JSON`);
+  }
+
+  for (const slug of Object.keys(globals)) {
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    queryLines.push(`${safeSlug}: GlobalResult!`);
+  }
+
+  const mutationLines: string[] = [];
+  mutationLines.push(`login(email: String!, password: String!): AuthPayload!`);
+  mutationLines.push(
+    `register(email: String!, password: String!): AuthPayload!`,
+  );
+
+  for (const slug of Object.keys(collections)) {
+    if (slug === "roles" || slug === "users") continue;
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    const name = capitalize(safeSlug);
+    mutationLines.push(`create${name}(input: JSON!): JSON!`);
+    mutationLines.push(`update${name}(id: ID!, input: JSON!): JSON!`);
+    mutationLines.push(`delete${name}(id: ID!): Boolean!`);
+  }
+
+  for (const slug of Object.keys(globals)) {
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    const name = capitalize(safeSlug);
+    mutationLines.push(`update${name}(input: JSON!): GlobalResult!`);
+  }
+
+  return `
+    scalar JSON
+
+    type Query {
+      ${queryLines.join("\n      ")}
+    }
+
+    type Mutation {
+      ${mutationLines.join("\n      ")}
+    }
+
+    type Meta {
+      page: Int!
+      limit: Int!
+      totalDocs: Int!
+      totalPages: Int!
+    }
+
+    type CollectionResult {
+      docs: [JSON!]!
+      totalDocs: Int!
+      totalPages: Int!
+      page: Int!
+    }
+
+    type GlobalResult {
+      data: JSON
+      success: Boolean!
+    }
+
+    type AuthPayload {
+      token: String
+      user: JSON
+      error: String
+    }
+
+    type SchemaInfo {
+      types: [TypeInfo!]!
+    }
+
+    type TypeInfo {
+      name: String!
+      fields: [FieldInfo!]!
+    }
+
+    type FieldInfo {
+      name: String!
+      type: String!
+      required: Boolean!
+    }
+
+    type CollectionInfo {
+      slug: String!
+      name: String
+      fields: [String!]!
+    }
+
+    type GlobalInfo {
+      slug: String!
+      name: String
+    }
+  `;
+}
+
+const schemaString = generateSchemaTypes();
+const typeDefs = buildSchema(schemaString);
+
+function capitalize(str: string): string {
+  return str.charAt(0).toUpperCase() + str.slice(1);
+}
+
+interface Context {
+  user?: {
+    id: string;
+    email: string;
+    role: string;
+  };
+  apiKeyId?: string;
+  permissions?: string[];
+}
+
+const rootValue = {
+  _schema: () => {
+    const types = Object.entries(collections).map(([slug, collection]) => ({
+      name: capitalize(slug),
+      fields: collection.fields.map((f: any) => ({
+        name: f.name,
+        type: getGraphQLType(f.type),
+        required: f.required || false,
+      })),
+    }));
+    return { types };
+  },
+
+  ping: () => "pong",
+
+  collections: () => {
+    return Object.entries(collections).map(([slug, collection]) => ({
+      slug,
+      name: (collection as CollectionConfig).label || slug,
+      fields: (collection as CollectionConfig).fields.map((f: any) => f.name),
+    }));
+  },
+
+  globals: () => {
+    return Object.entries(globals).map(([slug, global]) => ({
+      slug,
+      name: (global as GlobalConfig).label || slug,
+    }));
+  },
+
+  ...generateQueryResolvers(),
+
+  ...generateMutationResolvers(),
+};
+
+function getGraphQLType(fieldType: string): string {
+  const typeMap: Record<string, string> = {
+    text: "String",
+    richtext: "String",
+    email: "String",
+    password: "String",
+    url: "String",
+    number: "Float",
+    integer: "Int",
+    boolean: "Boolean",
+    select: "String",
+    multiselect: "[String!]!",
+    date: "String",
+    datetime: "String",
+    media: "String",
+    reference: "String",
+    array: "[String!]!",
+    json: "JSON",
+    code: "String",
+    markdown: "String",
+    slug: "String",
+  };
+  return typeMap[fieldType] || "String";
+}
+
+function generateQueryResolvers() {
+  const resolvers: Record<string, any> = {};
+
+  for (const slug of Object.keys(collections)) {
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    resolvers[safeSlug] = async ({
+      page,
+      limit,
+    }: {
+      page?: number;
+      limit?: number;
+    }) => {
+      return await dataStore.find(slug, {
+        page: page || 1,
+        limit: limit || 25,
+      });
+    };
+
+    resolvers[`${safeSlug}ById`] = async ({ id }: { id: string }) => {
+      return await dataStore.findById(slug, id);
+    };
+
+    resolvers[`${safeSlug}BySlug`] = async ({
+      slug: itemSlug,
+    }: {
+      slug: string;
+    }) => {
+      const docs = await dataStore.find(slug, { limit: 100 });
+      return docs.docs.find((d: any) => d.slug === itemSlug) || null;
+    };
+  }
+
+  for (const slug of Object.keys(globals)) {
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    resolvers[safeSlug] = async () => {
+      return { data: await dataStore.findGlobal(slug), success: true };
+    };
+  }
+
+  return resolvers;
+}
+
+function generateMutationResolvers() {
+  return {
+    login: async ({ email, password }: { email: string; password: string }) => {
+      try {
+        const { SQLiteAuthAdapter } = await import("../auth/sqlite-adapter");
+        const adapter = new SQLiteAuthAdapter();
+
+        const user = await adapter.findUserByEmail(email);
+        if (!user) {
+          return { error: "Invalid credentials" };
+        }
+
+        const valid = await adapter.verifyPassword(
+          password,
+          user.passwordHash || "",
+        );
+        if (!valid) {
+          return { error: "Invalid credentials" };
+        }
+
+        const { passwordHash, ...safeUser } = user;
+        const token = jwt.sign(
+          {
+            sub: safeUser.id,
+            email: safeUser.email,
+            role: safeUser.role,
+            tenantId: safeUser.tenantId,
+          },
+          JWT_SECRET,
+          { expiresIn: "7d" },
+        );
+
+        return { token, user: safeUser };
+      } catch {
+        return { error: "Authentication failed" };
+      }
+    },
+
+    register: async ({
+      email,
+      password,
+    }: {
+      email: string;
+      password: string;
+    }) => {
+      try {
+        const { SQLiteAuthAdapter } = await import("../auth/sqlite-adapter");
+        const adapter = new SQLiteAuthAdapter();
+
+        const existing = await adapter.findUserByEmail(email);
+        if (existing) {
+          return { error: "Email already exists" };
+        }
+
+        const passwordHash = await adapter.hashPassword(password);
+        const user = await adapter.createUser({
+          email,
+          passwordHash,
+          role: "customer",
+        });
+
+        const { passwordHash: _, ...safeUser } = user;
+        const token = jwt.sign(
+          {
+            sub: safeUser.id,
+            email: safeUser.email,
+            role: safeUser.role,
+            tenantId: safeUser.tenantId,
+          },
+          JWT_SECRET,
+          { expiresIn: "7d" },
+        );
+
+        return { token, user: safeUser };
+      } catch {
+        return { error: "Registration failed" };
+      }
+    },
+  };
+}
+
+function generateCollectionMutations() {
+  const resolvers: Record<string, any> = {};
+
+  for (const slug of Object.keys(collections)) {
+    if (slug === "roles" || slug === "users") continue;
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    const name = capitalize(safeSlug);
+
+    resolvers[`create${name}`] = async ({ input }: { input: any }) => {
+      return await dataStore.create(slug, input);
+    };
+
+    resolvers[`update${name}`] = async ({
+      id,
+      input,
+    }: {
+      id: string;
+      input: any;
+    }) => {
+      return await dataStore.update(slug, id, input);
+    };
+
+    resolvers[`delete${name}`] = async ({ id }: { id: string }) => {
+      return await dataStore.delete(slug, id);
+    };
+  }
+
+  for (const slug of Object.keys(globals)) {
+    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
+    const name = capitalize(safeSlug);
+
+    resolvers[`update${name}`] = async ({ input }: { input: any }) => {
+      await dataStore.updateGlobal(slug, input);
+      return { data: await dataStore.findGlobal(slug), success: true };
+    };
+  }
+
+  return resolvers;
+}
+
+export async function executeGraphQL(
+  query: string,
+  variables?: Record<string, any>,
+  authToken?: string,
+  apiKey?: string,
+) {
+  let context: Context = {};
+
+  if (apiKey) {
+    try {
+      const result = await validateApiKeyFromDataStore(apiKey);
+      if (result.valid && result.user) {
+        context.user = {
+          id: result.userId as string,
+          email: result.user.email,
+          role: result.user.role,
+        };
+        context.apiKeyId = result.apiKeyId;
+        context.permissions = result.permissions;
+      }
+    } catch {
+      // Invalid API key, continue without auth
+    }
+  } else if (authToken) {
+    try {
+      const payload = jwt.verify(authToken, JWT_SECRET) as jwt.JwtPayload;
+      context.user = {
+        id: payload.sub as string,
+        email: (payload as any).email,
+        role: (payload as any).role,
+      };
+    } catch {
+      // Invalid token, continue without auth
+    }
+  }
+
+  const result = await graphql({
+    schema: typeDefs,
+    source: query,
+    rootValue,
+    contextValue: context,
+    variableValues: variables,
+  } as any);
+
+  return result;
+}
+
+async function validateApiKeyFromDataStore(apiKey: string) {
+  if (!apiKey.startsWith("kyro_")) {
+    return { valid: false };
+  }
+
+  const keyPrefix = apiKey.substring(0, 8);
+  const result = await dataStore.find("_api_keys", { limit: 100 });
+  const keys = (result.docs || []).filter(
+    (k: any) => k.keyPrefix === keyPrefix,
+  );
+
+  for (const record of keys) {
+    if (record.key === apiKey) {
+      if (record.expiresAt && new Date(record.expiresAt) < new Date()) {
+        return { valid: false, error: "API key expired" };
+      }
+
+      try {
+        await dataStore.update("_api_keys", record.id, {
+          lastUsedAt: new Date().toISOString(),
+        });
+      } catch {}
+
+      return {
+        valid: true,
+        userId: record.userId,
+        user: {
+          id: record.userId,
+          email: record.email,
+          role: record.role || "author",
+          tenantId: record.tenantId,
+        },
+        permissions: record.permissions || [],
+        apiKeyId: record.id,
+      };
+    }
+  }
+
+  return { valid: false };
+}
+
+export { schemaString };