@kyro-cms/admin 0.1.6 → 0.1.8

package/src/pages/api/auth/register.ts

@@ -1,15 +1,68 @@
 import type { APIRoute } from "astro";
-import { SQLiteAuthAdapter } from "@kyro-cms/core";
+import { getAuthAdapter } from "../../../lib/db";
+import { createAuditContext } from "@kyro-cms/core";
 import jwt from "jsonwebtoken";
+import { randomBytes } from "crypto";
 
 const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "24h";
+const REFRESH_SECRET =
+  process.env.REFRESH_SECRET ||
+  process.env.JWT_SECRET ||
+  "change-me-in-production";
+
+const ACCESS_TOKEN_EXPIRY = process.env.JWT_EXPIRES_IN || "24h";
+const REFRESH_TOKEN_EXPIRY = process.env.REFRESH_TOKEN_EXPIRY || "7d";
 const ALLOW_REGISTRATION = process.env.KYRO_ALLOW_REGISTRATION !== "false";
 
-async function getAuthApi() {
-  return new SQLiteAuthAdapter({
-    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
-  });
+function getExpirySeconds(expiry: string): number {
+  const match = expiry.match(/^(\d+)([smhd])$/);
+  if (!match) return 86400;
+  const value = parseInt(match[1]);
+  const unit = match[2];
+  switch (unit) {
+    case "s":
+      return value;
+    case "m":
+      return value * 60;
+    case "h":
+      return value * 3600;
+    case "d":
+      return value * 86400;
+    default:
+      return 86400;
+  }
+}
+
+function generateTokens(user: { id: string; email: string; role: string }) {
+  const accessToken = jwt.sign(
+    { sub: user.id, email: user.email, role: user.role, type: "access" },
+    JWT_SECRET,
+    { expiresIn: ACCESS_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
+  );
+
+  const refreshToken = jwt.sign(
+    {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      type: "refresh",
+      jti: randomBytes(16).toString("hex"),
+    },
+    REFRESH_SECRET,
+    { expiresIn: REFRESH_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
+  );
+
+  return { accessToken, refreshToken };
+}
+
+function createAuthCookies(token: string, refreshToken: string) {
+  const accessMaxAge = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
+  const refreshMaxAge = getExpirySeconds(REFRESH_TOKEN_EXPIRY);
+
+  return [
+    `auth_token=${token}; Path=/; Max-Age=${accessMaxAge}; HttpOnly; Secure; SameSite=Strict`,
+    `refresh_token=${refreshToken}; Path=/; Max-Age=${refreshMaxAge}; HttpOnly; Secure; SameSite=Strict`,
+  ].join(", ");
 }
 
 export const POST: APIRoute = async ({ request }) => {
@@ -35,77 +88,94 @@ export const POST: APIRoute = async ({ request }) => {
       });
     }
 
+    // Password strength validation
+    const passwordErrors: string[] = [];
+
     if (password.length < 8) {
+      passwordErrors.push("at least 8 characters");
+    }
+    if (!/[a-z]/.test(password)) {
+      passwordErrors.push("one lowercase letter");
+    }
+    if (!/[A-Z]/.test(password)) {
+      passwordErrors.push("one uppercase letter");
+    }
+    if (!/[0-9]/.test(password)) {
+      passwordErrors.push("one number");
+    }
+    if (!/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
+      passwordErrors.push('one special character (!@#$%^&*(),.?":{}|<>)');
+    }
+
+    if (passwordErrors.length > 0) {
       return new Response(
-        JSON.stringify({ error: "Password must be at least 8 characters" }),
+        JSON.stringify({
+          error:
+            "Password is too weak. Must contain: " + passwordErrors.join(", "),
+        }),
         { status: 400, headers: { "Content-Type": "application/json" } },
       );
     }
 
-    const adapter = await getAuthApi();
-    await adapter.connect();
+    const adapter = await getAuthAdapter();
 
     const existingUser = await adapter.findUserByEmail(email);
     if (existingUser) {
-      await adapter.disconnect();
       return new Response(
         JSON.stringify({ error: "Email already registered" }),
         { status: 409, headers: { "Content-Type": "application/json" } },
       );
     }
 
-    const isFirstUser = !(await adapter.hasAnyUsers());
+    const isFirstUser = !(await adapter.hasAnyUsers?.());
 
     if (!isFirstUser && !ALLOW_REGISTRATION) {
-      await adapter.disconnect();
       return new Response(
         JSON.stringify({ error: "Registration is disabled" }),
         { status: 403, headers: { "Content-Type": "application/json" } },
       );
     }
 
-    const passwordHash = await adapter.hashPassword(password);
     const user = await adapter.createUser({
       email,
-      passwordHash,
-      role: isFirstUser ? "super_admin" : "editor",
-    });
-
-    if (isFirstUser) {
-      await adapter.updateUser(user.id, { emailVerified: true });
-    }
-
-    const session = await adapter.createSession(user.id, {
-      ipAddress: request.headers.get("x-forwarded-for") || "unknown",
-      userAgent: request.headers.get("user-agent") || "",
+      password,
+      role: isFirstUser ? "super_admin" : "customer",
     });
 
-    const token = jwt.sign(
-      {
-        sub: user.id,
-        email: user.email,
-        role: user.role,
-        tenantId: user.tenantId,
+    const context = createAuditContext(request);
+    await adapter.createAuditLog({
+      action: "register",
+      userId: user.id,
+      userEmail: user.email,
+      role: user.role,
+      resource: "auth",
+      success: true,
+      metadata: {
+        method: "password",
+        isFirstUser,
       },
-      JWT_SECRET,
-      { expiresIn: JWT_EXPIRES_IN as jwt.SignOptions["expiresIn"] },
-    );
-
-    await adapter.disconnect();
+      ...context,
+    });
 
-    const { passwordHash: _, ...safeUser } = user;
+    const { accessToken, refreshToken } = generateTokens(user);
 
     return new Response(
       JSON.stringify({
         success: true,
         isFirstUser,
-        user: safeUser,
-        token,
-        refreshToken: session.refreshToken,
+        user: {
+          id: user.id,
+          email: user.email,
+          role: user.role,
+        },
+        expiresIn: getExpirySeconds(ACCESS_TOKEN_EXPIRY),
       }),
       {
         status: 201,
-        headers: { "Content-Type": "application/json" },
+        headers: {
+          "Content-Type": "application/json",
+          "Set-Cookie": createAuthCookies(accessToken, refreshToken),
+        },
       },
     );
   } catch (error) {

package/src/pages/api/auth/users.ts

@@ -1,12 +1,5 @@
 import type { APIRoute } from "astro";
-import { SQLiteAuthAdapter } from "@kyro-cms/core";
-import bcrypt from "bcryptjs";
-
-async function getAuthApi() {
-  return new SQLiteAuthAdapter({
-    path: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
-  });
-}
+import { getAuthAdapter } from "../../../lib/db";
 
 export const GET: APIRoute = async ({ url }) => {
   const page = parseInt(url.searchParams.get("page") || "1");
@@ -14,90 +7,28 @@ export const GET: APIRoute = async ({ url }) => {
   const search = url.searchParams.get("search") || "";
 
   try {
-    const adapter = await getAuthApi();
-    await adapter.connect();
-
-    // Get all users - SQLite doesn't have scan, so we need to query differently
-    // For now, we'll use a simple approach with email search
-    const users: any[] = [];
-
-    // If searching, we need to find matching emails
-    if (search) {
-      const result = (adapter as any).db
-        .prepare("SELECT * FROM kyro_users WHERE email LIKE ? LIMIT ? OFFSET ?")
-        .all(`%${search}%`, limit, (page - 1) * limit);
-
-      for (const row of result) {
-        const { password_hash, ...safeUser } = row;
-        users.push({
-          id: row.id,
-          email: row.email,
-          role: row.role,
-          tenantId: row.tenant_id,
-          emailVerified: row.email_verified === 1,
-          locked: row.locked === 1,
-          lastLogin: row.last_login,
-          failedLoginAttempts: row.failed_login_attempts || 0,
-          createdAt: row.created_at,
-          updatedAt: row.updated_at,
-        });
-      }
-
-      const totalResult = (adapter as any).db
-        .prepare("SELECT COUNT(*) as count FROM kyro_users WHERE email LIKE ?")
-        .get(`%${search}%`) as { count: number };
-
-      await adapter.disconnect();
-
-      return new Response(
-        JSON.stringify({
-          docs: users,
-          totalDocs: totalResult.count,
-          page,
-          limit,
-          totalPages: Math.ceil(totalResult.count / limit),
-        }),
-        {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        },
-      );
-    }
-
-    // Get all users with pagination
-    const result = (adapter as any).db
-      .prepare("SELECT * FROM kyro_users LIMIT ? OFFSET ?")
-      .all(limit, (page - 1) * limit);
-
-    for (const row of result) {
-      const { password_hash, ...safeUser } = row;
-      users.push({
-        id: row.id,
-        email: row.email,
-        role: row.role,
-        tenantId: row.tenant_id,
-        emailVerified: row.email_verified === 1,
-        locked: row.locked === 1,
-        lastLogin: row.last_login,
-        failedLoginAttempts: row.failed_login_attempts || 0,
-        createdAt: row.created_at,
-        updatedAt: row.updated_at,
-      });
-    }
-
-    const totalResult = (adapter as any).db
-      .prepare("SELECT COUNT(*) as count FROM kyro_users")
-      .get() as { count: number };
-
-    await adapter.disconnect();
+    const adapter = await getAuthAdapter();
+    const allUsers = await adapter.findAllUsers();
+
+    const users = allUsers.map((u) => ({
+      id: u.id,
+      email: u.email,
+      name: u.name,
+      role: u.role,
+      tenantId: u.tenantId,
+      emailVerified: u.emailVerified,
+      locked: u.locked,
+      lastLogin: u.lastLogin,
+      createdAt: u.createdAt,
+    }));
 
     return new Response(
       JSON.stringify({
         docs: users,
-        totalDocs: totalResult.count,
+        totalDocs: users.length,
         page,
         limit,
-        totalPages: Math.ceil(totalResult.count / limit),
+        totalPages: Math.ceil(users.length / limit),
       }),
       {
         status: 200,
@@ -123,7 +54,7 @@ export const GET: APIRoute = async ({ url }) => {
 export const POST: APIRoute = async ({ request }) => {
   try {
     const body = await request.json();
-    const { email, password, role, tenantId } = body;
+    const { email, password, name, role } = body;
 
     if (!email || !password) {
       return new Response(
@@ -135,30 +66,24 @@ export const POST: APIRoute = async ({ request }) => {
       );
     }
 
-    const adapter = await getAuthApi();
-    await adapter.connect();
+    const adapter = await getAuthAdapter();
 
     const existing = await adapter.findUserByEmail(email);
     if (existing) {
-      await adapter.disconnect();
       return new Response(JSON.stringify({ error: "Email already exists" }), {
         status: 400,
         headers: { "Content-Type": "application/json" },
       });
     }
 
-    const passwordHash = await bcrypt.hash(password, 12);
     const user = await adapter.createUser({
       email,
-      passwordHash,
+      password,
+      name,
       role: role || "customer",
-      tenantId,
     });
 
-    await adapter.disconnect();
-
-    const { passwordHash: _, ...safeUser } = user;
-    return new Response(JSON.stringify({ data: safeUser }), {
+    return new Response(JSON.stringify({ data: user }), {
       status: 201,
       headers: { "Content-Type": "application/json" },
     });

package/src/pages/api/collections.ts

@@ -0,0 +1,59 @@
+import type { APIRoute } from "astro";
+import { collections } from "@/lib/config";
+
+export const GET: APIRoute = async () => {
+  try {
+    const collectionList = Object.entries(collections).map(
+      ([slug, config]) => ({
+        name: config.label || slug,
+        slug,
+        description:
+          config.admin?.description ||
+          `Manage ${config.label || slug} documents`,
+        fields: Object.keys(config.fields || {}).length,
+        endpoints: {
+          list: `/api/${slug}`,
+          create: `POST /api/${slug}`,
+          read: `GET /api/${slug}/:id`,
+          update: `PATCH /api/${slug}/:id`,
+          delete: `DELETE /api/${slug}/:id`,
+        },
+      }),
+    );
+
+    return new Response(
+      JSON.stringify({
+        name: "Kyro CMS API",
+        version: "1.0.0",
+        description: "Headless CMS REST API",
+        timestamp: new Date().toISOString(),
+        endpoints: {
+          collections: "/api/collections",
+          health: "/api/health",
+          upload: "/api/upload",
+          graphql: "/api/graphql",
+        },
+        collections: collectionList,
+        globals: [],
+      }),
+      {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Access-Control-Allow-Origin": "*",
+        },
+      },
+    );
+  } catch (error) {
+    return new Response(
+      JSON.stringify({
+        error: error instanceof Error ? error.message : "Unknown error",
+        timestamp: new Date().toISOString(),
+      }),
+      {
+        status: 500,
+        headers: { "Content-Type": "application/json" },
+      },
+    );
+  }
+};

package/src/pages/api/globals/[slug]/test.ts

@@ -0,0 +1,172 @@
+import type { APIRoute } from "astro";
+import { dataStore } from "@/lib/dataStore";
+import nodemailer, { createTransport } from "nodemailer";
+
+export const POST: APIRoute = async ({ params, request }) => {
+  const slug = params.slug as string;
+
+  let body;
+  try {
+    body = await request.json();
+  } catch (e) {
+    body = {};
+  }
+
+  try {
+    const globalConfig = await dataStore.findGlobal(slug);
+
+    const testEmail = body?.email || globalConfig?.testEmail;
+
+    if (!testEmail) {
+      return new Response(
+        JSON.stringify({ error: "Please enter a test email address" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(testEmail)) {
+      return new Response(
+        JSON.stringify({ error: "Invalid email address format" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    const emailSettings = globalConfig;
+    const provider = emailSettings?.provider;
+
+    if (!provider) {
+      return new Response(
+        JSON.stringify({
+          error:
+            "No email provider configured. Please configure your email settings first.",
+        }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    let transporter;
+
+    const transporterOptions = {
+      timeout: 10000, // 10 second timeout
+    };
+
+    if (provider === "smtp" && emailSettings?.smtp) {
+      transporter = createTransport({
+        ...transporterOptions,
+        host: emailSettings.smtp.host,
+        port: parseInt(emailSettings.smtp.port) || 587,
+        secure: emailSettings.smtp.secure || false,
+        auth: {
+          user: emailSettings.smtp.username,
+          pass: emailSettings.smtp.password,
+        },
+      });
+    } else if (provider === "ses" && emailSettings?.ses) {
+      transporter = createTransport({
+        ...transporterOptions,
+        host: `email-smtp.${emailSettings.ses.region}.amazonaws.com`,
+        port: 587,
+        secure: false,
+        auth: {
+          user: emailSettings.ses.accessKeyId,
+          pass: emailSettings.ses.secretAccessKey,
+        },
+      });
+    } else if (provider === "resend" && emailSettings?.resend?.apiKey) {
+      transporter = createTransport({
+        ...transporterOptions,
+        host: "smtp.resend.com",
+        port: 587,
+        secure: false,
+        auth: {
+          user: "resend",
+          pass: emailSettings.resend.apiKey,
+        },
+      });
+    } else if (provider === "sendgrid" && emailSettings?.sendgrid?.apiKey) {
+      transporter = createTransport({
+        ...transporterOptions,
+        host: "smtp.sendgrid.net",
+        port: 587,
+        secure: false,
+        auth: {
+          user: "apikey",
+          pass: emailSettings.sendgrid.apiKey,
+        },
+      });
+    } else {
+      return new Response(
+        JSON.stringify({
+          error: `Provider ${provider} not supported or not configured`,
+        }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }
+
+    const fromEmail =
+      emailSettings?.fromEmail || emailSettings?.from || "noreply@example.com";
+    const fromName = emailSettings?.fromName || "Kyro CMS";
+
+    const info = await transporter.sendMail({
+      from: `"${fromName}" <${fromEmail}>`,
+      to: testEmail,
+      subject: "Test Email - Kyro CMS",
+      html: `
+        <!DOCTYPE html>
+        <html>
+        <head>
+          <meta charset="utf-8">
+          <meta name="viewport" content="width=device-width, initial-scale=1">
+          <title>Test Email</title>
+        </head>
+        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333;">
+          <div style="max-width:600px; margin:0 auto; padding:20px;">
+            <h1 style="color:#0b1222;">Test Email Successful!</h1>
+            <p>This is a test email from <strong>Kyro CMS</strong>.</p>
+            <p>If you received this email, your email settings are configured correctly.</p>
+            <hr style="border:none; border-top:1px solid #e2e8f0; margin:20px 0;">
+            <p style="font-size:12px; color:#666;">
+              Sent to: ${testEmail}<br>
+              Provider: ${provider}
+            </p>
+          </div>
+        </body>
+        </html>
+      `,
+      text: `Test Email Successful!\n\nThis is a test email from Kyro CMS.\nIf you received this email, your email settings are configured correctly.\n\nSent to: ${testEmail}\nProvider: ${provider}`,
+    });
+
+    console.log(info);
+    return new Response(
+      JSON.stringify({
+        success: true,
+        message: `Test email sent to ${testEmail}`,
+        messageId: info.messageId,
+      }),
+      { status: 200, headers: { "Content-Type": "application/json" } },
+    );
+
+  } catch (error: any) {
+    console.log(error);
+    let errorMessage = "Failed to send test email";
+
+    if (error.code === "ECONNREFUSED") {
+      errorMessage = "Connection refused. Check your SMTP host and port.";
+    } else if (error.code === "ETIMEDOUT") {
+      errorMessage = "Connection timed out. Check your SMTP host and port.";
+    } else if (error.code === "ENOTFOUND") {
+      errorMessage = "Host not found. Check your SMTP hostname.";
+    } else if (error.code === "EAUTH") {
+      errorMessage = "Authentication failed. Check your username/password.";
+    } else if (error.message) {
+      errorMessage = error.message;
+    }
+
+    console.error("[test-email] Error:", errorMessage, error.stack);
+    return new Response(JSON.stringify({ error: errorMessage }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+};

package/src/pages/api/globals/[slug].ts

@@ -0,0 +1,42 @@
+import type { APIRoute } from "astro";
+import { dataStore } from "@/lib/dataStore";
+import { globals } from "@/lib/config";
+
+export const GET: APIRoute = async ({ params }) => {
+  const slug = params.slug as string;
+
+  if (!globals[slug]) {
+    return new Response(JSON.stringify({ error: "Global not found" }), {
+      status: 404,
+    });
+  }
+
+  const data = await dataStore.findGlobal(slug);
+  return new Response(JSON.stringify({ data }), {
+    status: 200,
+    headers: { "Content-Type": "application/json" },
+  });
+};
+
+export const PATCH: APIRoute = async ({ params, request }) => {
+  const slug = params.slug as string;
+
+  if (!globals[slug]) {
+    return new Response(JSON.stringify({ error: "Global not found" }), {
+      status: 404,
+    });
+  }
+
+  try {
+    const body = await request.json();
+    const data = await dataStore.updateGlobal(slug, body);
+    return new Response(JSON.stringify({ data }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" },
+    });
+  } catch (error) {
+    return new Response(JSON.stringify({ error: "Failed to update global" }), {
+      status: 500,
+    });
+  }
+};