@kyro-cms/admin 0.3.2 → 0.3.4

package/src/pages/api/auth/login.ts

@@ -1,211 +0,0 @@
-import type { APIRoute } from "astro";
-import { getAuthAdapter } from "../../../lib/db";
-import { createAuditContext } from "@kyro-cms/core";
-import {
-  checkRateLimit,
-  recordFailedLogin,
-  getAccountLockStatus,
-  resetRateLimit,
-} from "../../../lib/rate-limit";
-import jwt from "jsonwebtoken";
-import { randomBytes } from "crypto";
-
-const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-const REFRESH_SECRET =
-  process.env.REFRESH_SECRET ||
-  process.env.JWT_SECRET ||
-  "change-me-in-production";
-
-const ACCESS_TOKEN_EXPIRY = process.env.JWT_EXPIRES_IN || "24h";
-const REFRESH_TOKEN_EXPIRY = process.env.REFRESH_TOKEN_EXPIRY || "7d";
-
-function getClientIp(request: Request): string {
-  const forwarded = request.headers.get("x-forwarded-for");
-  if (forwarded) return forwarded.split(",")[0].trim();
-  return request.headers.get("x-real-ip") || "unknown";
-}
-
-function getExpirySeconds(expiry: string): number {
-  const match = expiry.match(/^(\d+)([smhd])$/);
-  if (!match) return 86400;
-  const value = parseInt(match[1]);
-  const unit = match[2];
-  switch (unit) {
-    case "s":
-      return value;
-    case "m":
-      return value * 60;
-    case "h":
-      return value * 3600;
-    case "d":
-      return value * 86400;
-    default:
-      return 86400;
-  }
-}
-
-function generateTokens(user: { id: string; email: string; role: string }) {
-  const accessToken = jwt.sign(
-    { sub: user.id, email: user.email, role: user.role, type: "access" },
-    JWT_SECRET,
-    { expiresIn: ACCESS_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
-  );
-
-  const refreshToken = jwt.sign(
-    {
-      sub: user.id,
-      email: user.email,
-      role: user.role,
-      type: "refresh",
-      jti: randomBytes(16).toString("hex"),
-    },
-    REFRESH_SECRET,
-    { expiresIn: REFRESH_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
-  );
-
-  return { accessToken, refreshToken };
-}
-
-function createAuthCookies(token: string, refreshToken: string) {
-  const accessMaxAge = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
-  const refreshMaxAge = getExpirySeconds(REFRESH_TOKEN_EXPIRY);
-
-  return [
-    `auth_token=${token}; Path=/; Max-Age=${accessMaxAge}; HttpOnly; Secure; SameSite=Strict`,
-    `refresh_token=${refreshToken}; Path=/; Max-Age=${refreshMaxAge}; HttpOnly; Secure; SameSite=Strict`,
-  ].join(", ");
-}
-
-export const POST: APIRoute = async ({ request }) => {
-  const clientIp = getClientIp(request);
-
-  try {
-    const body = (await request.json()) as {
-      email?: string;
-      password?: string;
-    };
-    const { email, password } = body;
-
-    if (!email || !password) {
-      return new Response(
-        JSON.stringify({ error: "Email and password required" }),
-        { status: 400, headers: { "Content-Type": "application/json" } },
-      );
-    }
-
-    // Check rate limit by IP
-    const ipRateLimit = await checkRateLimit(clientIp, "login_ip");
-    if (!ipRateLimit.allowed) {
-      return new Response(
-        JSON.stringify({
-          error: "Too many login attempts. Please try again later.",
-          retryAfter: Math.ceil(
-            ((ipRateLimit.lockedUntil?.getTime() ?? 0) - Date.now()) / 1000,
-          ),
-        }),
-        {
-          status: 429,
-          headers: { "Content-Type": "application/json", "Retry-After": "900" },
-        },
-      );
-    }
-
-    // Check rate limit by email
-    const emailRateLimit = await checkRateLimit(email, "login_email");
-    if (!emailRateLimit.allowed) {
-      return new Response(
-        JSON.stringify({
-          error: "Too many login attempts. Please try again later.",
-          retryAfter: Math.ceil(
-            ((emailRateLimit.lockedUntil?.getTime() ?? 0) - Date.now()) / 1000,
-          ),
-        }),
-        {
-          status: 429,
-          headers: { "Content-Type": "application/json", "Retry-After": "900" },
-        },
-      );
-    }
-
-    // Check if account is locked
-    const lockStatus = await getAccountLockStatus(email);
-    if (lockStatus.isLocked) {
-      return new Response(
-        JSON.stringify({
-          error:
-            "Account is temporarily locked due to too many failed attempts.",
-          retryAfter: Math.ceil(
-            ((lockStatus.lockedUntil?.getTime() ?? 0) - Date.now()) / 1000,
-          ),
-        }),
-        { status: 423, headers: { "Content-Type": "application/json" } },
-      );
-    }
-
-    const adapter = await getAuthAdapter();
-    const user = await adapter.verifyPassword(email, password);
-    const context = createAuditContext(request);
-
-    if (!user) {
-      // Record failed attempt
-      await recordFailedLogin(email);
-      await adapter.createAuditLog({
-        action: "login_failed",
-        userEmail: email,
-        resource: "auth",
-        success: false,
-        error: "Invalid credentials",
-        metadata: {
-          reason: "invalid_credentials",
-          attemptTime: new Date().toISOString(),
-          failedAttempts: lockStatus.failedAttempts + 1,
-        },
-        ...context,
-      });
-
-      return new Response(JSON.stringify({ error: "Invalid credentials" }), {
-        status: 401,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-
-    // Reset rate limits on successful login
-    await resetRateLimit(clientIp, "login_ip");
-    await resetRateLimit(email, "login_email");
-
-    await adapter.createAuditLog({
-      action: "login",
-      userId: user.id,
-      userEmail: user.email,
-      role: user.role,
-      resource: "auth",
-      success: true,
-      metadata: { method: "password" },
-      ...context,
-    });
-
-    const { accessToken, refreshToken } = generateTokens(user);
-    const expiresIn = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
-
-    return new Response(
-      JSON.stringify({
-        success: true,
-        user: { id: user.id, email: user.email, role: user.role },
-        expiresIn,
-      }),
-      {
-        status: 200,
-        headers: {
-          "Content-Type": "application/json",
-          "Set-Cookie": createAuthCookies(accessToken, refreshToken),
-        },
-      },
-    );
-  } catch (error) {
-    console.error("Login error:", error);
-    return new Response(JSON.stringify({ error: "Login failed" }), {
-      status: 500,
-      headers: { "Content-Type": "application/json" },
-    });
-  }
-};

package/src/pages/api/auth/logout.ts

@@ -1,66 +0,0 @@
-import type { APIRoute } from "astro";
-import { getAuthAdapter } from "../../../lib/db";
-import { createAuditContext } from "@kyro-cms/core";
-
-const CLEAR_COOKIES = [
-  "auth_token=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict",
-  "refresh_token=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict",
-].join(", ");
-
-export const POST: APIRoute = async ({ request }) => {
-  try {
-    const authHeader = request.headers.get("authorization");
-    let userId: string | null = null;
-
-    if (authHeader?.startsWith("Bearer ")) {
-      const { getAuthAdapter } = await import("../../../lib/db");
-      const adapter = await getAuthAdapter();
-
-      try {
-        const { default: jwt } = await import("jsonwebtoken");
-        const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-
-        const token = authHeader.slice(7);
-        const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
-        userId = decoded.sub;
-
-        if (userId) {
-          const user = await adapter.findUserById(userId);
-          const context = createAuditContext(request);
-
-          if (user) {
-            await adapter.createAuditLog({
-              action: "logout",
-              userId: user.id,
-              userEmail: user.email,
-              role: user.role,
-              resource: "auth",
-              success: true,
-              metadata: { method: "jwt" },
-              ...context,
-            });
-          }
-        }
-      } catch {
-        // Invalid or expired token - just clear cookies
-      }
-    }
-
-    return new Response(JSON.stringify({ success: true }), {
-      status: 200,
-      headers: {
-        "Content-Type": "application/json",
-        "Set-Cookie": CLEAR_COOKIES,
-      },
-    });
-  } catch (error) {
-    console.error("Logout error:", error);
-    return new Response(JSON.stringify({ success: true }), {
-      status: 200,
-      headers: {
-        "Content-Type": "application/json",
-        "Set-Cookie": CLEAR_COOKIES,
-      },
-    });
-  }
-};

package/src/pages/api/auth/me.ts

@@ -1,36 +0,0 @@
-import type { APIRoute } from "astro";
-import jwt from "jsonwebtoken";
-
-const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-
-export const GET: APIRoute = async ({ request }) => {
-  const authHeader = request.headers.get("authorization");
-  const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-
-  if (!token) {
-    return new Response(JSON.stringify({ error: "Not authenticated" }), {
-      status: 401,
-      headers: { "Content-Type": "application/json" },
-    });
-  }
-
-  try {
-    const payload = jwt.verify(token, JWT_SECRET) as jwt.JwtPayload;
-    return new Response(
-      JSON.stringify({
-        user: {
-          id: payload.sub,
-          email: (payload as any).email,
-          role: (payload as any).role,
-          tenantId: (payload as any).tenantId,
-        },
-      }),
-      { status: 200, headers: { "Content-Type": "application/json" } },
-    );
-  } catch {
-    return new Response(JSON.stringify({ error: "Invalid token" }), {
-      status: 401,
-      headers: { "Content-Type": "application/json" },
-    });
-  }
-};

package/src/pages/api/auth/refresh.ts

@@ -1,119 +0,0 @@
-import type { APIRoute } from "astro";
-import jwt from "jsonwebtoken";
-import { randomBytes } from "crypto";
-
-const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-const REFRESH_SECRET =
-  process.env.REFRESH_SECRET ||
-  process.env.JWT_SECRET ||
-  "change-me-in-production";
-
-const ACCESS_TOKEN_EXPIRY = process.env.JWT_EXPIRES_IN || "24h";
-const REFRESH_TOKEN_EXPIRY = process.env.REFRESH_TOKEN_EXPIRY || "7d";
-
-function getExpirySeconds(expiry: string): number {
-  const match = expiry.match(/^(\d+)([smhd])$/);
-  if (!match) return 86400;
-  const value = parseInt(match[1]);
-  const unit = match[2];
-  switch (unit) {
-    case "s":
-      return value;
-    case "m":
-      return value * 60;
-    case "h":
-      return value * 3600;
-    case "d":
-      return value * 86400;
-    default:
-      return 86400;
-  }
-}
-
-function generateTokens(user: { id: string; email: string; role: string }) {
-  const accessToken = jwt.sign(
-    { sub: user.id, email: user.email, role: user.role, type: "access" },
-    JWT_SECRET,
-    { expiresIn: ACCESS_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
-  );
-
-  const refreshToken = jwt.sign(
-    {
-      sub: user.id,
-      email: user.email,
-      role: user.role,
-      type: "refresh",
-      jti: randomBytes(16).toString("hex"),
-    },
-    REFRESH_SECRET,
-    { expiresIn: REFRESH_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
-  );
-
-  return { accessToken, refreshToken };
-}
-
-function createAuthCookies(token: string, refreshToken: string) {
-  const accessMaxAge = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
-  const refreshMaxAge = getExpirySeconds(REFRESH_TOKEN_EXPIRY);
-
-  return [
-    `auth_token=${token}; Path=/; Max-Age=${accessMaxAge}; HttpOnly; Secure; SameSite=Strict`,
-    `refresh_token=${refreshToken}; Path=/; Max-Age=${refreshMaxAge}; HttpOnly; Secure; SameSite=Strict`,
-  ].join(", ");
-}
-
-export const POST: APIRoute = async ({ request }) => {
-  try {
-    const refreshToken = request.headers.get("x-refresh-token");
-
-    if (!refreshToken) {
-      return new Response(JSON.stringify({ error: "Refresh token required" }), {
-        status: 401,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-
-    const decoded = jwt.verify(refreshToken, REFRESH_SECRET) as {
-      sub: string;
-      email: string;
-      role: string;
-      type: string;
-    };
-
-    if (decoded.type !== "refresh") {
-      return new Response(JSON.stringify({ error: "Invalid token type" }), {
-        status: 401,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-
-    const user = {
-      id: decoded.sub,
-      email: decoded.email,
-      role: decoded.role,
-    };
-
-    const { accessToken: newAccessToken, refreshToken: newRefreshToken } =
-      generateTokens(user);
-
-    return new Response(
-      JSON.stringify({
-        success: true,
-        expiresIn: getExpirySeconds(ACCESS_TOKEN_EXPIRY),
-      }),
-      {
-        status: 200,
-        headers: {
-          "Content-Type": "application/json",
-          "Set-Cookie": createAuthCookies(newAccessToken, newRefreshToken),
-        },
-      },
-    );
-  } catch (error) {
-    console.error("Refresh error:", error);
-    return new Response(
-      JSON.stringify({ error: "Invalid or expired refresh token" }),
-      { status: 401, headers: { "Content-Type": "application/json" } },
-    );
-  }
-};

package/src/pages/api/auth/register.ts

@@ -1,188 +0,0 @@
-import type { APIRoute } from "astro";
-import { getAuthAdapter } from "../../../lib/db";
-import { createAuditContext } from "@kyro-cms/core";
-import jwt from "jsonwebtoken";
-import { randomBytes } from "crypto";
-
-const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-const REFRESH_SECRET =
-  process.env.REFRESH_SECRET ||
-  process.env.JWT_SECRET ||
-  "change-me-in-production";
-
-const ACCESS_TOKEN_EXPIRY = process.env.JWT_EXPIRES_IN || "24h";
-const REFRESH_TOKEN_EXPIRY = process.env.REFRESH_TOKEN_EXPIRY || "7d";
-const ALLOW_REGISTRATION = process.env.KYRO_ALLOW_REGISTRATION !== "false";
-
-function getExpirySeconds(expiry: string): number {
-  const match = expiry.match(/^(\d+)([smhd])$/);
-  if (!match) return 86400;
-  const value = parseInt(match[1]);
-  const unit = match[2];
-  switch (unit) {
-    case "s":
-      return value;
-    case "m":
-      return value * 60;
-    case "h":
-      return value * 3600;
-    case "d":
-      return value * 86400;
-    default:
-      return 86400;
-  }
-}
-
-function generateTokens(user: { id: string; email: string; role: string }) {
-  const accessToken = jwt.sign(
-    { sub: user.id, email: user.email, role: user.role, type: "access" },
-    JWT_SECRET,
-    { expiresIn: ACCESS_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
-  );
-
-  const refreshToken = jwt.sign(
-    {
-      sub: user.id,
-      email: user.email,
-      role: user.role,
-      type: "refresh",
-      jti: randomBytes(16).toString("hex"),
-    },
-    REFRESH_SECRET,
-    { expiresIn: REFRESH_TOKEN_EXPIRY as jwt.SignOptions["expiresIn"] },
-  );
-
-  return { accessToken, refreshToken };
-}
-
-function createAuthCookies(token: string, refreshToken: string) {
-  const accessMaxAge = getExpirySeconds(ACCESS_TOKEN_EXPIRY);
-  const refreshMaxAge = getExpirySeconds(REFRESH_TOKEN_EXPIRY);
-
-  return [
-    `auth_token=${token}; Path=/; Max-Age=${accessMaxAge}; HttpOnly; Secure; SameSite=Strict`,
-    `refresh_token=${refreshToken}; Path=/; Max-Age=${refreshMaxAge}; HttpOnly; Secure; SameSite=Strict`,
-  ].join(", ");
-}
-
-export const POST: APIRoute = async ({ request }) => {
-  try {
-    const body = (await request.json()) as {
-      email?: string;
-      password?: string;
-      confirmPassword?: string;
-    };
-    const { email, password, confirmPassword } = body;
-
-    if (!email || !password) {
-      return new Response(
-        JSON.stringify({ error: "Email and password required" }),
-        { status: 400, headers: { "Content-Type": "application/json" } },
-      );
-    }
-
-    if (password !== confirmPassword) {
-      return new Response(JSON.stringify({ error: "Passwords do not match" }), {
-        status: 400,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-
-    // Password strength validation
-    const passwordErrors: string[] = [];
-
-    if (password.length < 8) {
-      passwordErrors.push("at least 8 characters");
-    }
-    if (!/[a-z]/.test(password)) {
-      passwordErrors.push("one lowercase letter");
-    }
-    if (!/[A-Z]/.test(password)) {
-      passwordErrors.push("one uppercase letter");
-    }
-    if (!/[0-9]/.test(password)) {
-      passwordErrors.push("one number");
-    }
-    if (!/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
-      passwordErrors.push('one special character (!@#$%^&*(),.?":{}|<>)');
-    }
-
-    if (passwordErrors.length > 0) {
-      return new Response(
-        JSON.stringify({
-          error:
-            "Password is too weak. Must contain: " + passwordErrors.join(", "),
-        }),
-        { status: 400, headers: { "Content-Type": "application/json" } },
-      );
-    }
-
-    const adapter = await getAuthAdapter();
-
-    const existingUser = await adapter.findUserByEmail(email);
-    if (existingUser) {
-      return new Response(
-        JSON.stringify({ error: "Email already registered" }),
-        { status: 409, headers: { "Content-Type": "application/json" } },
-      );
-    }
-
-    const isFirstUser = !(await adapter.hasAnyUsers?.());
-
-    if (!isFirstUser && !ALLOW_REGISTRATION) {
-      return new Response(
-        JSON.stringify({ error: "Registration is disabled" }),
-        { status: 403, headers: { "Content-Type": "application/json" } },
-      );
-    }
-
-    const user = await adapter.createUser({
-      email,
-      password,
-      role: isFirstUser ? "super_admin" : "customer",
-    });
-
-    const context = createAuditContext(request);
-    await adapter.createAuditLog({
-      action: "register",
-      userId: user.id,
-      userEmail: user.email,
-      role: user.role,
-      resource: "auth",
-      success: true,
-      metadata: {
-        method: "password",
-        isFirstUser,
-      },
-      ...context,
-    });
-
-    const { accessToken, refreshToken } = generateTokens(user);
-
-    return new Response(
-      JSON.stringify({
-        success: true,
-        isFirstUser,
-        user: {
-          id: user.id,
-          email: user.email,
-          role: user.role,
-        },
-        expiresIn: getExpirySeconds(ACCESS_TOKEN_EXPIRY),
-      }),
-      {
-        status: 201,
-        headers: {
-          "Content-Type": "application/json",
-          "Set-Cookie": createAuthCookies(accessToken, refreshToken),
-        },
-      },
-    );
-  } catch (error) {
-    console.error("Registration error:", error);
-    return new Response(JSON.stringify({ error: "Registration failed" }), {
-      status: 500,
-      headers: { "Content-Type": "application/json" },
-    });
-  }
-};