@kyro-cms/admin 0.1.6 → 0.1.7

package/src/lib/rate-limit.ts

@@ -0,0 +1,267 @@
+import Database from "better-sqlite3";
+import { randomBytes } from "crypto";
+
+const DB_PATH =
+  process.env.KYRO_AUTH_DB_PATH || process.env.KYRO_DB_PATH || "./data/auth.db";
+
+interface RateLimitConfig {
+  maxAttempts: number;
+  windowMs: number;
+  lockoutMs: number;
+}
+
+interface RateLimitResult {
+  allowed: boolean;
+  remaining: number;
+  resetAt: Date | null;
+  lockedUntil: Date | null;
+}
+
+const DEFAULT_CONFIG: RateLimitConfig = {
+  maxAttempts: 5,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  lockoutMs: 15 * 60 * 1000, // 15 minutes lockout
+};
+
+function getDb() {
+  return new Database(DB_PATH);
+}
+
+export async function checkRateLimit(
+  identifier: string,
+  action: string = "login",
+  config: RateLimitConfig = DEFAULT_CONFIG,
+): Promise<RateLimitResult> {
+  const db = getDb();
+  const now = new Date();
+
+  try {
+    // Clean up expired records first
+    db.prepare(
+      `
+      DELETE FROM rate_limits 
+      WHERE expires_at IS NOT NULL AND expires_at < ?
+    `,
+    ).run(now.toISOString());
+
+    // Get existing record
+    const existing = db
+      .prepare(
+        `
+      SELECT * FROM rate_limits 
+      WHERE identifier = ? AND action = ?
+    `,
+      )
+      .get(identifier, action) as any;
+
+    if (!existing) {
+      // First attempt - create record
+      const id = randomBytes(16).toString("hex");
+      db.prepare(
+        `
+        INSERT INTO rate_limits (id, identifier, action, attempts, first_attempt, last_attempt, created_at)
+        VALUES (?, ?, ?, 1, ?, ?, ?)
+      `,
+      ).run(
+        id,
+        identifier,
+        action,
+        now.toISOString(),
+        now.toISOString(),
+        now.toISOString(),
+      );
+
+      return {
+        allowed: true,
+        remaining: config.maxAttempts - 1,
+        resetAt: new Date(now.getTime() + config.windowMs),
+        lockedUntil: null,
+      };
+    }
+
+    // Check if currently locked
+    if (existing.expires_at && new Date(existing.expires_at) > now) {
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt: null,
+        lockedUntil: new Date(existing.expires_at),
+      };
+    }
+
+    // Check if within window
+    const firstAttempt = existing.first_attempt
+      ? new Date(existing.first_attempt)
+      : now;
+    const windowEnd = new Date(firstAttempt.getTime() + config.windowMs);
+
+    if (now > windowEnd) {
+      // Window expired - reset attempts
+      db.prepare(
+        `
+        UPDATE rate_limits 
+        SET attempts = 1, first_attempt = ?, last_attempt = ?, expires_at = NULL
+        WHERE identifier = ? AND action = ?
+      `,
+      ).run(now.toISOString(), now.toISOString(), identifier, action);
+
+      return {
+        allowed: true,
+        remaining: config.maxAttempts - 1,
+        resetAt: new Date(now.getTime() + config.windowMs),
+        lockedUntil: null,
+      };
+    }
+
+    // Within window - check attempts
+    const attempts = existing.attempts || 0;
+    const remaining = config.maxAttempts - attempts;
+
+    if (attempts >= config.maxAttempts) {
+      // Lock out the user
+      const lockUntil = new Date(now.getTime() + config.lockoutMs);
+      db.prepare(
+        `
+        UPDATE rate_limits 
+        SET last_attempt = ?, expires_at = ?
+        WHERE identifier = ? AND action = ?
+      `,
+      ).run(now.toISOString(), lockUntil.toISOString(), identifier, action);
+
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt: windowEnd,
+        lockedUntil: lockUntil,
+      };
+    }
+
+    // Increment attempts
+    db.prepare(
+      `
+      UPDATE rate_limits 
+      SET attempts = attempts + 1, last_attempt = ?
+      WHERE identifier = ? AND action = ?
+    `,
+    ).run(now.toISOString(), identifier, action);
+
+    return {
+      allowed: true,
+      remaining: remaining - 1,
+      resetAt: windowEnd,
+      lockedUntil: null,
+    };
+  } finally {
+    db.close();
+  }
+}
+
+export async function resetRateLimit(
+  identifier: string,
+  action: string = "login",
+): Promise<void> {
+  const db = getDb();
+
+  try {
+    db.prepare(
+      `
+      DELETE FROM rate_limits WHERE identifier = ? AND action = ?
+    `,
+    ).run(identifier, action);
+  } finally {
+    db.close();
+  }
+}
+
+export async function getAccountLockStatus(email: string): Promise<{
+  isLocked: boolean;
+  lockedUntil: Date | null;
+  failedAttempts: number;
+}> {
+  const db = getDb();
+
+  try {
+    const user = db
+      .prepare(
+        `
+      SELECT locked, locked_until, failed_login_attempts 
+      FROM users 
+      WHERE LOWER(email) = LOWER(?)
+    `,
+      )
+      .get(email) as any;
+
+    if (!user) {
+      return { isLocked: false, lockedUntil: null, failedAttempts: 0 };
+    }
+
+    const now = new Date();
+    const lockedUntil = user.locked_until ? new Date(user.locked_until) : null;
+    const isLocked = user.locked === 1 && (!lockedUntil || lockedUntil > now);
+
+    return {
+      isLocked,
+      lockedUntil: isLocked ? lockedUntil : null,
+      failedAttempts: user.failed_login_attempts || 0,
+    };
+  } finally {
+    db.close();
+  }
+}
+
+export async function recordFailedLogin(email: string): Promise<void> {
+  const db = getDb();
+
+  try {
+    const now = new Date();
+    const user = db
+      .prepare(
+        `
+      SELECT id FROM users WHERE LOWER(email) = LOWER(?)
+    `,
+      )
+      .get(email) as any;
+
+    if (!user) return;
+
+    // Increment failed attempts
+    db.prepare(
+      `
+      UPDATE users 
+      SET failed_login_attempts = COALESCE(failed_login_attempts, 0) + 1,
+          last_login = ?,
+          locked = CASE 
+            WHEN COALESCE(failed_login_attempts, 0) >= 4 THEN 1 
+            ELSE 0 
+          END,
+          locked_until = CASE 
+            WHEN COALESCE(failed_login_attempts, 0) >= 4 THEN ?
+            ELSE NULL 
+          END
+      WHERE id = ?
+    `,
+    ).run(
+      now.toISOString(),
+      new Date(now.getTime() + 15 * 60 * 1000).toISOString(),
+      user.id,
+    );
+  } finally {
+    db.close();
+  }
+}
+
+export async function unlockAccount(email: string): Promise<void> {
+  const db = getDb();
+
+  try {
+    db.prepare(
+      `
+      UPDATE users 
+      SET locked = 0, locked_until = NULL, failed_login_attempts = 0
+      WHERE LOWER(email) = LOWER(?)
+    `,
+    ).run(email);
+  } finally {
+    db.close();
+  }
+}

package/src/lib/storage.ts

@@ -0,0 +1,374 @@
+import path from "path";
+import { getDatabaseConfig } from "@/lib/db";
+
+/**
+ * Extract the Public Dev URL ID from either a full URL or just the ID.
+ * Handles formats like:
+ * - https://bucket.pub-xxx.r2.dev -> pub-xxx
+ * - pub-xxx -> pub-xxx
+ * - empty/undefined -> ""
+ */
+function extractPublicDevUrlId(url?: string): string {
+  if (!url) return "";
+  if (url.startsWith("pub-")) return url; // Already just the ID
+
+  // Extract from URL like https://bucket.pub-xxx.r2.dev
+  const match = url.match(/pub-[a-zA-Z0-9]+/i);
+  return match ? match[0] : "";
+}
+
+export type StorageProviderType =
+  | "local"
+  | "aws"
+  | "r2"
+  | "gcs"
+  | "digitalocean"
+  | "backblaze"
+  | "wasabi"
+  | "bunny"
+  | "cloudinary"
+  | "imgix"
+  | "ftp";
+
+export interface StorageConfig {
+  /** The storage provider type */
+  provider: StorageProviderType;
+  /** The base URL for accessing files */
+  baseUrl: string;
+  /** The filesystem directory (for local storage only) */
+  uploadDir?: string;
+  /** Provider-specific config */
+  config: {
+    bucket?: string;
+    region?: string;
+    accountId?: string;
+    accessKeyId?: string;
+    secretAccessKey?: string;
+    cdnUrl?: string;
+    prefix?: string;
+    publicDevUrl?: string;
+    cloudName?: string;
+    apiKey?: string;
+    apiSecret?: string;
+    folder?: string;
+    uploadPreset?: string;
+    domain?: string;
+    signKey?: string;
+    host?: string;
+    port?: number;
+    user?: string;
+    password?: string;
+    secure?: boolean;
+    storageZone?: string;
+    projectId?: string;
+    type?: string;
+  };
+}
+
+interface RawStorageSettings {
+  provider?: string;
+  local?: {
+    uploadDir?: string;
+    baseUrl?: string;
+  };
+  aws?: Record<string, any>;
+  r2?: Record<string, any>;
+  gcs?: Record<string, any>;
+  digitalocean?: Record<string, any>;
+  backblaze?: Record<string, any>;
+  wasabi?: Record<string, any>;
+  bunny?: Record<string, any>;
+  cloudinary?: Record<string, any>;
+  imgix?: Record<string, any>;
+  ftp?: Record<string, any>;
+  limits?: Record<string, any>;
+  [key: string]: any;
+}
+
+/**
+ * Read the complete storage configuration from the globals table.
+ */
+export async function getStorageConfig(): Promise<StorageConfig> {
+  const dbConfig = getDatabaseConfig();
+  let rawSettings: RawStorageSettings = { provider: "local" };
+
+  try {
+    if (dbConfig.type === "sqlite") {
+      const Database = (await import("better-sqlite3")).default;
+      const db = new Database(dbConfig.contentDbPath || "./data/content.db");
+
+      try {
+        const row = db
+          .prepare("SELECT data FROM globals WHERE slug = ?")
+          .get("storage-settings") as { data: string } | undefined;
+
+        if (row) {
+          rawSettings =
+            typeof row.data === "string" ? JSON.parse(row.data) : row.data;
+        }
+      } finally {
+        db.close();
+      }
+    }
+  } catch {
+    // Use defaults if anything fails
+  }
+
+  const provider = (rawSettings.provider || "local") as StorageProviderType;
+
+  // Build config based on provider type
+  const config: StorageConfig = {
+    provider,
+    baseUrl: "",
+    config: {},
+  };
+
+  switch (provider) {
+    case "local": {
+      const localConfig = rawSettings.local || {};
+      const uploadDirRaw = localConfig.uploadDir || "./public/uploads";
+      const baseUrlRaw = localConfig.baseUrl || "/uploads";
+
+      // Resolve uploadDir
+      let uploadDir: string;
+      if (path.isAbsolute(uploadDirRaw)) {
+        uploadDir = uploadDirRaw;
+      } else if (uploadDirRaw.includes("/") || uploadDirRaw.includes("\\")) {
+        uploadDir = path.resolve(process.cwd(), uploadDirRaw);
+      } else {
+        uploadDir = path.join(process.cwd(), "public", uploadDirRaw);
+      }
+      config.uploadDir = uploadDir;
+
+      // Resolve baseUrl
+      config.baseUrl = baseUrlRaw.startsWith("/")
+        ? baseUrlRaw
+        : `/${baseUrlRaw}`;
+      if (config.baseUrl.length > 1) {
+        config.baseUrl = config.baseUrl.replace(/\/+$/, "");
+      }
+      break;
+    }
+
+    case "aws": {
+      const awsConfig = rawSettings.aws || {};
+      config.baseUrl =
+        awsConfig.cdnUrl ||
+        `https://${awsConfig.bucket}.s3.${awsConfig.region || "us-east-1"}.amazonaws.com`;
+      config.config = {
+        bucket: awsConfig.bucket,
+        region: awsConfig.region || "us-east-1",
+        accessKeyId: awsConfig.accessKeyId,
+        secretAccessKey: awsConfig.secretAccessKey,
+        cdnUrl: awsConfig.cdnUrl,
+        prefix: awsConfig.prefix,
+      };
+      break;
+    }
+
+    case "r2": {
+      const r2Config = rawSettings.r2 || {};
+      // Priority: cdnUrl > publicDevUrl > accountId-based URL
+      let baseUrl: string;
+      if (r2Config.cdnUrl) {
+        baseUrl = r2Config.cdnUrl.replace(/\/$/, "");
+      } else if (r2Config.publicDevUrl) {
+        // Handle both full URL and just the ID
+        const pubId = extractPublicDevUrlId(r2Config.publicDevUrl);
+        baseUrl = pubId ? `https://${pubId}.r2.dev` : "";
+      } else if (r2Config.accountId) {
+        baseUrl = `https://${r2Config.bucket}.${r2Config.accountId}.r2.cloudflarestorage.com`;
+      } else {
+        baseUrl = "";
+      }
+      config.baseUrl = baseUrl;
+      config.config = {
+        bucket: r2Config.bucket,
+        accountId: r2Config.accountId,
+        publicDevUrl: extractPublicDevUrlId(r2Config.publicDevUrl),
+        accessKeyId: r2Config.accessKeyId,
+        secretAccessKey: r2Config.secretAccessKey,
+        cdnUrl: r2Config.cdnUrl,
+        prefix: r2Config.prefix,
+      };
+      break;
+    }
+
+    case "gcs": {
+      const gcsConfig = rawSettings.gcs || {};
+      config.baseUrl =
+        gcsConfig.cdnUrl ||
+        `https://storage.googleapis.com/${gcsConfig.bucket}`;
+      config.config = {
+        bucket: gcsConfig.bucket,
+        projectId: gcsConfig.projectId,
+        accessKeyId: gcsConfig.clientEmail,
+        secretAccessKey: gcsConfig.privateKey,
+        cdnUrl: gcsConfig.cdnUrl,
+        prefix: gcsConfig.prefix,
+      };
+      break;
+    }
+
+    case "digitalocean": {
+      const doConfig = rawSettings.digitalocean || {};
+      const region = doConfig.region || "nyc3";
+      config.baseUrl =
+        doConfig.cdnUrl ||
+        `https://${doConfig.bucket}.${region}.cdn.digitaloceanspaces.com`;
+      config.config = {
+        bucket: doConfig.bucket,
+        region,
+        accessKeyId: doConfig.accessKeyId,
+        secretAccessKey: doConfig.secretAccessKey,
+        cdnUrl: doConfig.cdnUrl,
+        prefix: doConfig.prefix,
+      };
+      break;
+    }
+
+    case "backblaze": {
+      const b2Config = rawSettings.backblaze || {};
+      config.baseUrl = b2Config.cdnUrl || `https://f000.backblazeb2.com`;
+      config.config = {
+        bucket: b2Config.bucket,
+        accountId: b2Config.accountId,
+        accessKeyId: b2Config.applicationKeyId,
+        secretAccessKey: b2Config.applicationKey,
+        cdnUrl: b2Config.cdnUrl,
+        prefix: b2Config.prefix,
+      };
+      break;
+    }
+
+    case "wasabi": {
+      const wasabiConfig = rawSettings.wasabi || {};
+      const region = wasabiConfig.region || "us-east-1";
+      config.baseUrl =
+        wasabiConfig.cdnUrl || `https://s3.${region}.wasabisys.com`;
+      config.config = {
+        bucket: wasabiConfig.bucket,
+        region,
+        accessKeyId: wasabiConfig.accessKeyId,
+        secretAccessKey: wasabiConfig.secretAccessKey,
+        cdnUrl: wasabiConfig.cdnUrl,
+        prefix: wasabiConfig.prefix,
+      };
+      break;
+    }
+
+    case "bunny": {
+      const bunnyConfig = rawSettings.bunny || {};
+      config.baseUrl =
+        bunnyConfig.cdnUrl || `https://${bunnyConfig.storageZone}.b-cdn.net`;
+      config.config = {
+        storageZone: bunnyConfig.storageZone,
+        apiKey: bunnyConfig.apiKey,
+        cdnUrl: bunnyConfig.cdnUrl,
+        prefix: bunnyConfig.prefix,
+      };
+      break;
+    }
+
+    case "cloudinary": {
+      const cloudinaryConfig = rawSettings.cloudinary || {};
+      config.baseUrl = `https://res.cloudinary.com/${cloudinaryConfig.cloudName}/image/upload`;
+      config.config = {
+        cloudName: cloudinaryConfig.cloudName,
+        apiKey: cloudinaryConfig.apiKey,
+        apiSecret: cloudinaryConfig.apiSecret,
+        folder: cloudinaryConfig.folder,
+        uploadPreset: cloudinaryConfig.uploadPreset,
+      };
+      break;
+    }
+
+    case "imgix": {
+      const imgixConfig = rawSettings.imgix || {};
+      config.baseUrl = `https://${imgixConfig.domain}`;
+      config.config = {
+        domain: imgixConfig.domain,
+        signKey: imgixConfig.signKey,
+      };
+      break;
+    }
+
+    case "ftp": {
+      const ftpConfig = rawSettings.ftp || {};
+      config.baseUrl = ftpConfig.baseUrl || "";
+      config.config = {
+        host: ftpConfig.host,
+        port: ftpConfig.port || 22,
+        user: ftpConfig.user,
+        password: ftpConfig.password,
+        secure: ftpConfig.secure,
+        prefix: ftpConfig.prefix,
+        type: "sftp",
+      };
+      break;
+    }
+
+    default:
+      // Fallback to local
+      config.provider = "local";
+      config.uploadDir = path.join(process.cwd(), "public", "uploads");
+      config.baseUrl = "/uploads";
+  }
+
+  return config;
+}
+
+/**
+ * Construct a media URL from filename and optional folder using current storage settings.
+ * For cloud providers, this includes the full base URL. For local, it uses relative path.
+ */
+export async function constructMediaUrl(
+  filename: string,
+  folder?: string | null,
+): Promise<string> {
+  const config = await getStorageConfig();
+  return constructMediaUrlSync(config.baseUrl, filename, folder);
+}
+
+/**
+ * Construct a media URL synchronously.
+ */
+export function constructMediaUrlSync(
+  baseUrl: string,
+  filename: string,
+  folder?: string | null,
+): string {
+  // Cloudinary stores full URL in the database - just return it if baseUrl matches
+  // The filename for cloud storage already contains folder path
+  if (baseUrl.startsWith("http") && filename.startsWith("http")) {
+    // Already a full URL (e.g., from Cloudinary upload response)
+    return filename;
+  }
+
+  // Ensure baseUrl has trailing slash for proper URL construction
+  const normalizedBaseUrl = baseUrl.endsWith("/") ? baseUrl : baseUrl + "/";
+  const folderPrefix = folder ? `${folder}/` : "";
+
+  // For local/relative URLs
+  return `${normalizedBaseUrl}${folderPrefix}${filename}`;
+}
+
+/**
+ * Get provider display name
+ */
+export function getProviderDisplayName(provider: string): string {
+  const names: Record<string, string> = {
+    local: "Local Server",
+    aws: "AWS S3",
+    r2: "Cloudflare R2",
+    gcs: "Google Cloud Storage",
+    digitalocean: "DigitalOcean Spaces",
+    backblaze: "Backblaze B2",
+    wasabi: "Wasabi",
+    bunny: "Bunny.net",
+    cloudinary: "Cloudinary",
+    imgix: "Imgix",
+    ftp: "FTP",
+  };
+  return names[provider] || provider;
+}

package/src/lib/store.ts

@@ -0,0 +1,85 @@
+import { create } from 'zustand';
+
+interface EditorState {
+  editor: any;
+  setEditor: (editor: any) => void;
+  
+  blockDrawerOpen: boolean;
+  openBlockDrawer: (options?: { targetColumn?: number; targetNodePos?: number }) => void;
+  closeBlockDrawer: () => void;
+  toggleBlockDrawer: () => void;
+  
+  selectedBlock: string | null;
+  setSelectedBlock: (block: string | null) => void;
+  
+  pendingInsertPos: number | null;
+  pendingTargetColumn: number | null;
+  pendingTargetStack: number | null;
+  pendingTargetGroup: number | null;
+  pendingTargetCard: number | null;
+  pendingTargetRepeater: number | null;
+  setPendingInsert: (pos: number | null, column?: number | null) => void;
+  clearPendingTargets: () => void;
+}
+
+export const useEditorStore = create<EditorState>((set) => ({
+  editor: null,
+  setEditor: (editor) => set({ editor }),
+  
+  blockDrawerOpen: false,
+  openBlockDrawer: (options) => set({ 
+    blockDrawerOpen: true,
+    pendingTargetColumn: options?.targetColumn ?? null 
+  }),
+  closeBlockDrawer: () => set({ 
+    blockDrawerOpen: false,
+    pendingTargetColumn: null,
+    pendingInsertPos: null,
+    pendingTargetStack: null,
+    pendingTargetGroup: null,
+    pendingTargetCard: null,
+    pendingTargetRepeater: null,
+  }),
+  toggleBlockDrawer: () => set((state) => ({ blockDrawerOpen: !state.blockDrawerOpen })),
+  
+  selectedBlock: null,
+  setSelectedBlock: (block) => set({ selectedBlock: block }),
+  
+  pendingInsertPos: null,
+  pendingTargetColumn: null,
+  pendingTargetStack: null,
+  pendingTargetGroup: null,
+  pendingTargetCard: null,
+  pendingTargetRepeater: null,
+  setPendingInsert: (pos, column) => set({ 
+    pendingInsertPos: pos,
+    pendingTargetColumn: column ?? null 
+  }),
+  clearPendingTargets: () => set({
+    pendingTargetColumn: null,
+    pendingTargetStack: null,
+    pendingTargetGroup: null,
+    pendingTargetCard: null,
+    pendingTargetRepeater: null,
+  }),
+}));
+
+interface UIState {
+  sidebarOpen: boolean;
+  toggleSidebar: () => void;
+  setSidebarOpen: (open: boolean) => void;
+  
+  activeModal: string | null;
+  openModal: (modal: string) => void;
+  closeModal: () => void;
+}
+
+export const useUIStore = create<UIState>((set) => ({
+  sidebarOpen: true,
+  toggleSidebar: () => set((state) => ({ sidebarOpen: !state.sidebarOpen })),
+  setSidebarOpen: (open) => set({ sidebarOpen: open }),
+  
+  activeModal: null,
+  openModal: (modal) => set({ activeModal: modal }),
+  closeModal: () => set({ activeModal: null }),
+}));