@kyro-cms/admin 0.1.6 → 0.1.8

package/src/pages/api/auth/audit-logs.ts

@@ -1,62 +1,39 @@
 import type { APIRoute } from "astro";
-import { RedisAuthAdapter } from "@kyro-cms/core";
-import { AuditLogger } from "@kyro-cms/core";
-
-const redisAdapter = new RedisAuthAdapter({
-  url: process.env.REDIS_URL || "redis://localhost:6379",
-});
-
-const auditLogger = new AuditLogger(redisAdapter as any);
-
-async function ensureConnection() {
-  try {
-    await redisAdapter.connect();
-  } catch (e) {
-    // Connection might already be established
-  }
-}
+import { getAuthAdapter } from "../../../lib/db";
 
 export const GET: APIRoute = async ({ url }) => {
-  await ensureConnection();
-
   const page = parseInt(url.searchParams.get("page") || "1");
   const limit = parseInt(url.searchParams.get("limit") || "25");
   const action = url.searchParams.get("action") || "";
   const userId = url.searchParams.get("userId") || "";
-  const success = url.searchParams.get("success");
+  const successParam = url.searchParams.get("success");
+  const resource = url.searchParams.get("resource") || "";
 
   try {
-    const logs = await auditLogger.getLogs({
+    const adapter = await getAuthAdapter();
+    const offset = (page - 1) * limit;
+
+    const { logs, total } = await adapter.findAuditLogs({
+      limit,
+      offset,
       action: action || undefined,
       userId: userId || undefined,
+      resource: resource || undefined,
       success:
-        success === "true" ? true : success === "false" ? false : undefined,
-    });
-
-    const thirtyDaysAgo = new Date();
-    thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
-
-    const filteredLogs = logs.filter((log: any) => {
-      const logDate = new Date(log.timestamp);
-      return logDate >= thirtyDaysAgo;
-    });
-
-    const sortedLogs = filteredLogs.sort(
-      (a: any, b: any) =>
-        new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime(),
-    );
-
-    const totalDocs = sortedLogs.length;
-    const startIndex = (page - 1) * limit;
-    const paginatedLogs = sortedLogs.slice(startIndex, startIndex + limit);
+        successParam === "true"
+          ? true
+          : successParam === "false"
+            ? false
+            : undefined,
+    } as Parameters<typeof adapter.findAuditLogs>[0]);
 
     return new Response(
       JSON.stringify({
-        docs: paginatedLogs,
-        totalDocs,
+        docs: logs,
+        totalDocs: total,
         page,
         limit,
-        totalPages: Math.ceil(totalDocs / limit),
+        totalPages: Math.ceil(total / limit),
       }),
       {
         status: 200,
@@ -72,7 +49,7 @@ export const GET: APIRoute = async ({ url }) => {
         totalDocs: 0,
       }),
       {
-        status: 200,
+        status: 500,
         headers: { "Content-Type": "application/json" },
       },
     );

package/src/pages/api/auth/login.ts

@@ -1,17 +1,84 @@
 import type { APIRoute } from "astro";
-import { SQLiteAuthAdapter } from "@kyro-cms/core";
+import { getAuthAdapter } from "../../../lib/db";
+import { createAuditContext } from "@kyro-cms/core";
+import {
+  checkRateLimit,
+  recordFailedLogin,
+  getAccountLockStatus,
+  resetRateLimit,
+} from "../../../lib/rate-limit";
 import jwt from "jsonwebtoken";
+import { randomBytes } from "crypto";
 
 const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "24h";
+const REFRESH_SECRET =
+  process.env.REFRESH_SECRET ||
+  process.env.JWT_SECRET ||
+  "change-me-in-production";
 
-async function getAuthApi() {
-  return new SQLiteAuthAdapter({
-    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
-  });
+const ACCESS_TOKEN_EXPIRY = process.env.JWT_EXPIRES_IN || "24h";
+const REFRESH_TOKEN_EXPIRY = process.env.REFRESH_TOKEN_EXPIRY || "7d";
+
+function getClientIp(request: Request): string {
+  const forwarded = request.headers.get("x-forwarded-for");
+  if (forwarded) return forwarded.split(",")[0].trim();
+  return request.headers.get("x-real-ip") || "unknown";
+}
+
+function getExpirySeconds(expiry: string): number {
+  const match = expiry.match(/^(\d+)([smhd])$/);
+  if (!match) return 86400;
+  const value = parseInt(match[1]);
+  const unit = match[2];
+  switch (unit) {
+    case "s":
+      return value;
+    case "m":
+      return value * 60;
+    case "h":
+      return value * 3600;
+    case "d":
+      return value * 86400;
+    default:
+      return 86400;
+  }
+}
+
+function generateTokens(user: { id: string; email: string; role: string }) {
+  const accessToken = jwt.sign(
+    { sub: user.id, email: user.email, role: user.role, type: "access" },
+    JWT_SECRET,
+    { expiresIn: ACCESS_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
+  );
+
+  const refreshToken = jwt.sign(
+    {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      type: "refresh",
+      jti: randomBytes(16).toString("hex"),
+    },
+    REFRESH_SECRET,
+    { expiresIn: REFRESH_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
+  );
+
+  return { accessToken, refreshToken };
+}
+
+function createAuthCookies(token: string, refreshToken: string) {
+  const accessMaxAge = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
+  const refreshMaxAge = getExpirySeconds(REFRESH_TOKEN_EXPIRY);
+
+  return [
+    `auth_token=${token}; Path=/; Max-Age=${accessMaxAge}; HttpOnly; Secure; SameSite=Strict`,
+    `refresh_token=${refreshToken}; Path=/; Max-Age=${refreshMaxAge}; HttpOnly; Secure; SameSite=Strict`,
+  ].join(", ");
 }
 
 export const POST: APIRoute = async ({ request }) => {
+  const clientIp = getClientIp(request);
+
   try {
     const body = (await request.json()) as {
       email?: string;
@@ -26,65 +93,112 @@ export const POST: APIRoute = async ({ request }) => {
       );
     }
 
-    const adapter = await getAuthApi();
-    await adapter.connect();
+    // Check rate limit by IP
+    const ipRateLimit = await checkRateLimit(clientIp, "login_ip");
+    if (!ipRateLimit.allowed) {
+      return new Response(
+        JSON.stringify({
+          error: "Too many login attempts. Please try again later.",
+          retryAfter: Math.ceil(
+            ((ipRateLimit.lockedUntil?.getTime() ?? 0) - Date.now()) / 1000,
+          ),
+        }),
+        {
+          status: 429,
+          headers: { "Content-Type": "application/json", "Retry-After": "900" },
+        },
+      );
+    }
 
-    const user = await adapter.findUserByEmail(email);
-    if (!user || !user.passwordHash) {
-      await adapter.disconnect();
-      return new Response(JSON.stringify({ error: "Invalid credentials" }), {
-        status: 401,
-        headers: { "Content-Type": "application/json" },
-      });
+    // Check rate limit by email
+    const emailRateLimit = await checkRateLimit(email, "login_email");
+    if (!emailRateLimit.allowed) {
+      return new Response(
+        JSON.stringify({
+          error: "Too many login attempts. Please try again later.",
+          retryAfter: Math.ceil(
+            ((emailRateLimit.lockedUntil?.getTime() ?? 0) - Date.now()) / 1000,
+          ),
+        }),
+        {
+          status: 429,
+          headers: { "Content-Type": "application/json", "Retry-After": "900" },
+        },
+      );
     }
 
-    if (user.locked) {
-      await adapter.disconnect();
-      return new Response(JSON.stringify({ error: "Account is locked" }), {
-        status: 403,
-        headers: { "Content-Type": "application/json" },
-      });
+    // Check if account is locked
+    const lockStatus = await getAccountLockStatus(email);
+    if (lockStatus.isLocked) {
+      return new Response(
+        JSON.stringify({
+          error:
+            "Account is temporarily locked due to too many failed attempts.",
+          retryAfter: Math.ceil(
+            ((lockStatus.lockedUntil?.getTime() ?? 0) - Date.now()) / 1000,
+          ),
+        }),
+        { status: 423, headers: { "Content-Type": "application/json" } },
+      );
     }
 
-    const valid = await adapter.verifyPassword(password, user.passwordHash);
-    if (!valid) {
-      await adapter.disconnect();
+    const adapter = await getAuthAdapter();
+    const user = await adapter.verifyPassword(email, password);
+    const context = createAuditContext(request);
+
+    if (!user) {
+      // Record failed attempt
+      await recordFailedLogin(email);
+      await adapter.createAuditLog({
+        action: "login_failed",
+        userEmail: email,
+        resource: "auth",
+        success: false,
+        error: "Invalid credentials",
+        metadata: {
+          reason: "invalid_credentials",
+          attemptTime: new Date().toISOString(),
+          failedAttempts: lockStatus.failedAttempts + 1,
+        },
+        ...context,
+      });
+
       return new Response(JSON.stringify({ error: "Invalid credentials" }), {
         status: 401,
         headers: { "Content-Type": "application/json" },
       });
     }
 
-    const session = await adapter.createSession(user.id, {
-      ipAddress: request.headers.get("x-forwarded-for") || "unknown",
-      userAgent: request.headers.get("user-agent") || "",
-    });
-
-    const token = jwt.sign(
-      {
-        sub: user.id,
-        email: user.email,
-        role: user.role,
-        tenantId: user.tenantId,
-      },
-      JWT_SECRET,
-      { expiresIn: JWT_EXPIRES_IN as jwt.SignOptions["expiresIn"] },
-    );
+    // Reset rate limits on successful login
+    await resetRateLimit(clientIp, "login_ip");
+    await resetRateLimit(email, "login_email");
 
-    await adapter.disconnect();
+    await adapter.createAuditLog({
+      action: "login",
+      userId: user.id,
+      userEmail: user.email,
+      role: user.role,
+      resource: "auth",
+      success: true,
+      metadata: { method: "password" },
+      ...context,
+    });
 
-    const { passwordHash, ...safeUser } = user;
+    const { accessToken, refreshToken } = generateTokens(user);
+    const expiresIn = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
 
     return new Response(
       JSON.stringify({
         success: true,
-        user: safeUser,
-        token,
-        refreshToken: session.refreshToken,
+        user: { id: user.id, email: user.email, role: user.role },
+        expiresIn,
       }),
       {
         status: 200,
-        headers: { "Content-Type": "application/json" },
+        headers: {
+          "Content-Type": "application/json",
+          "Set-Cookie": createAuthCookies(accessToken, refreshToken),
+        },
       },
     );
   } catch (error) {

package/src/pages/api/auth/logout.ts

@@ -1,47 +1,65 @@
 import type { APIRoute } from "astro";
-import { SQLiteAuthAdapter } from "@kyro-cms/core";
+import { getAuthAdapter } from "../../../lib/db";
+import { createAuditContext } from "@kyro-cms/core";
 
-const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-
-async function getAuthApi() {
-  return new SQLiteAuthAdapter({
-    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
-  });
-}
+const CLEAR_COOKIES = [
+  "auth_token=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict",
+  "refresh_token=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict",
+].join(", ");
 
 export const POST: APIRoute = async ({ request }) => {
   try {
-    // Check Authorization header or cookie for token
-    let token: string | null = null;
     const authHeader = request.headers.get("authorization");
+    let userId: string | null = null;
+
     if (authHeader?.startsWith("Bearer ")) {
-      token = authHeader.slice(7);
-    } else {
-      const cookies = request.headers.get("cookie") || "";
-      const match = cookies.match(/auth_token=([^;]+)/);
-      token = match ? match[1] : null;
-    }
+      const { getAuthAdapter } = await import("../../../lib/db");
+      const adapter = await getAuthAdapter();
+
+      try {
+        const { default: jwt } = await import("jsonwebtoken");
+        const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
+
+        const token = authHeader.slice(7);
+        const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
+        userId = decoded.sub;
+
+        if (userId) {
+          const user = await adapter.findUserById(userId);
+          const context = createAuditContext(request);
 
-    if (token) {
-      const adapter = await getAuthApi();
-      await adapter.connect();
-      await adapter.deleteSession(token);
-      await adapter.disconnect();
+          if (user) {
+            await adapter.createAuditLog({
+              action: "logout",
+              userId: user.id,
+              userEmail: user.email,
+              role: user.role,
+              resource: "auth",
+              success: true,
+              metadata: { method: "jwt" },
+              ...context,
+            });
+          }
+        }
+      } catch {
+        // Invalid or expired token - just clear cookies
+      }
     }
 
     return new Response(JSON.stringify({ success: true }), {
       status: 200,
       headers: {
         "Content-Type": "application/json",
-        "Set-Cookie": "auth_token=; path=/; max-age=0",
+        "Set-Cookie": CLEAR_COOKIES,
       },
     });
-  } catch {
+  } catch (error) {
+    console.error("Logout error:", error);
     return new Response(JSON.stringify({ success: true }), {
       status: 200,
       headers: {
         "Content-Type": "application/json",
-        "Set-Cookie": "auth_token=; path=/; max-age=0",
+        "Set-Cookie": CLEAR_COOKIES,
       },
     });
   }

package/src/pages/api/auth/refresh.ts

@@ -0,0 +1,119 @@
+import type { APIRoute } from "astro";
+import jwt from "jsonwebtoken";
+import { randomBytes } from "crypto";
+
+const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
+const REFRESH_SECRET =
+  process.env.REFRESH_SECRET ||
+  process.env.JWT_SECRET ||
+  "change-me-in-production";
+
+const ACCESS_TOKEN_EXPIRY = process.env.JWT_EXPIRES_IN || "24h";
+const REFRESH_TOKEN_EXPIRY = process.env.REFRESH_TOKEN_EXPIRY || "7d";
+
+function getExpirySeconds(expiry: string): number {
+  const match = expiry.match(/^(\d+)([smhd])$/);
+  if (!match) return 86400;
+  const value = parseInt(match[1]);
+  const unit = match[2];
+  switch (unit) {
+    case "s":
+      return value;
+    case "m":
+      return value * 60;
+    case "h":
+      return value * 3600;
+    case "d":
+      return value * 86400;
+    default:
+      return 86400;
+  }
+}
+
+function generateTokens(user: { id: string; email: string; role: string }) {
+  const accessToken = jwt.sign(
+    { sub: user.id, email: user.email, role: user.role, type: "access" },
+    JWT_SECRET,
+    { expiresIn: ACCESS_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
+  );
+
+  const refreshToken = jwt.sign(
+    {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      type: "refresh",
+      jti: randomBytes(16).toString("hex"),
+    },
+    REFRESH_SECRET,
+    { expiresIn: REFRESH_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
+  );
+
+  return { accessToken, refreshToken };
+}
+
+function createAuthCookies(token: string, refreshToken: string) {
+  const accessMaxAge = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
+  const refreshMaxAge = getExpirySeconds(REFRESH_TOKEN_EXPIRY);
+
+  return [
+    `auth_token=${token}; Path=/; Max-Age=${accessMaxAge}; HttpOnly; Secure; SameSite=Strict`,
+    `refresh_token=${refreshToken}; Path=/; Max-Age=${refreshMaxAge}; HttpOnly; Secure; SameSite=Strict`,
+  ].join(", ");
+}
+
+export const POST: APIRoute = async ({ request }) => {
+  try {
+    const refreshToken = request.headers.get("x-refresh-token");
+
+    if (!refreshToken) {
+      return new Response(JSON.stringify({ error: "Refresh token required" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    const decoded = jwt.verify(refreshToken, REFRESH_SECRET) as {
+      sub: string;
+      email: string;
+      role: string;
+      type: string;
+    };
+
+    if (decoded.type !== "refresh") {
+      return new Response(JSON.stringify({ error: "Invalid token type" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    const user = {
+      id: decoded.sub,
+      email: decoded.email,
+      role: decoded.role,
+    };
+
+    const { accessToken: newAccessToken, refreshToken: newRefreshToken } =
+      generateTokens(user);
+
+    return new Response(
+      JSON.stringify({
+        success: true,
+        expiresIn: getExpirySeconds(ACCESS_TOKEN_EXPIRY),
+      }),
+      {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Set-Cookie": createAuthCookies(newAccessToken, newRefreshToken),
+        },
+      },
+    );
+  } catch (error) {
+    console.error("Refresh error:", error);
+    return new Response(
+      JSON.stringify({ error: "Invalid or expired refresh token" }),
+      { status: 401, headers: { "Content-Type": "application/json" } },
+    );
+  }
+};