@kyro-cms/admin 0.3.2 → 0.3.5

package/src/lib/db/drizzle-sqlite-auth-adapter.ts

@@ -1,548 +0,0 @@
-import type {
-  AuthAdapter,
-  AuthUser,
-  Session,
-  UserRole,
-  AuditLog,
-  AuditLogFilter,
-} from "@kyro-cms/core";
-import Database from "better-sqlite3";
-import path from "path";
-import fs from "fs";
-import bcrypt from "bcryptjs";
-import { randomBytes } from "crypto";
-
-function getAuthDbPath(): string {
-  return (
-    process.env.AUTH_DB_PATH || path.join(process.cwd(), "data", "auth.db")
-  );
-}
-
-function ensureDbDir(dbPath: string): void {
-  const dir = path.dirname(dbPath);
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
-  }
-}
-
-function getAuthDb() {
-  const dbPath = getAuthDbPath();
-  ensureDbDir(dbPath);
-  const db = new Database(dbPath);
-  db.pragma("journal_mode = WAL");
-  db.pragma("synchronous = NORMAL");
-  db.pragma("cache_size = -64000");
-  db.pragma("foreign_keys = ON");
-  return db;
-}
-
-const db = getAuthDb();
-
-db.exec(`
-  CREATE TABLE IF NOT EXISTS users (
-    id TEXT PRIMARY KEY,
-    email TEXT UNIQUE NOT NULL,
-    password_hash TEXT NOT NULL,
-    name TEXT,
-    role TEXT NOT NULL DEFAULT 'customer',
-    tenant_id TEXT,
-    email_verified INTEGER DEFAULT 0,
-    locked INTEGER DEFAULT 0,
-    last_login TEXT,
-    failed_login_attempts INTEGER DEFAULT 0,
-    locked_until TEXT,
-    created_at TEXT NOT NULL,
-    updated_at TEXT NOT NULL
-  );
-  
-  CREATE TABLE IF NOT EXISTS sessions (
-    id TEXT PRIMARY KEY,
-    token TEXT UNIQUE NOT NULL,
-    refresh_token TEXT,
-    user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-    expires_at TEXT NOT NULL,
-    created_at TEXT NOT NULL
-  );
-  
-  CREATE TABLE IF NOT EXISTS roles (
-    id TEXT PRIMARY KEY,
-    name TEXT UNIQUE NOT NULL,
-    level INTEGER NOT NULL DEFAULT 0,
-    inherits TEXT,
-    permissions TEXT,
-    is_system INTEGER DEFAULT 0,
-    description TEXT,
-    created_at TEXT NOT NULL
-  );
-  
-  CREATE TABLE IF NOT EXISTS audit_logs (
-    id TEXT PRIMARY KEY,
-    action TEXT NOT NULL,
-    user_id TEXT REFERENCES users(id) ON DELETE SET NULL,
-    user_email TEXT,
-    role TEXT,
-    resource TEXT NOT NULL,
-    ip_address TEXT,
-    user_agent TEXT,
-    success INTEGER NOT NULL,
-    error TEXT,
-    metadata TEXT,
-    created_at TEXT NOT NULL
-  );
-  
-  CREATE TABLE IF NOT EXISTS rate_limits (
-    id TEXT PRIMARY KEY,
-    identifier TEXT NOT NULL,
-    action TEXT NOT NULL,
-    attempts INTEGER NOT NULL DEFAULT 1,
-    first_attempt TEXT,
-    last_attempt TEXT,
-    expires_at TEXT,
-    created_at TEXT NOT NULL
-  );
-
-  CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
-  CREATE INDEX IF NOT EXISTS idx_sessions_token ON sessions(token);
-  CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
-  CREATE INDEX IF NOT EXISTS idx_audit_user_id ON audit_logs(user_id);
-  CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_logs(action);
-  CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_logs(created_at);
-  CREATE INDEX IF NOT EXISTS idx_rate_identifier ON rate_limits(identifier);
-  CREATE INDEX IF NOT EXISTS idx_rate_expires ON rate_limits(expires_at);
-`);
-
-export interface DrizzleSQLiteAuthAdapterOptions {
-  tokenExpiration?: number;
-  refreshTokenExpiration?: number;
-  saltRounds?: number;
-}
-
-const DEFAULT_TOKEN_EXPIRATION = 86400;
-const DEFAULT_REFRESH_EXPIRATION = 604800;
-
-export class DrizzleSQLiteAuthAdapter implements AuthAdapter {
-  private tokenExpiration: number;
-  private refreshExpiration: number;
-  private saltRounds: number;
-
-  constructor(options: DrizzleSQLiteAuthAdapterOptions = {}) {
-    this.tokenExpiration = options.tokenExpiration || DEFAULT_TOKEN_EXPIRATION;
-    this.refreshExpiration =
-      options.refreshTokenExpiration || DEFAULT_REFRESH_EXPIRATION;
-    this.saltRounds = options.saltRounds || 10;
-  }
-
-  private getTimestamp(): string {
-    return new Date().toISOString();
-  }
-
-  private generateId(): string {
-    return randomBytes(16).toString("hex");
-  }
-
-  async findUserById(id: string): Promise<AuthUser | null> {
-    const user = db.prepare("SELECT * FROM users WHERE id = ?").get(id) as any;
-    if (!user) return null;
-    return {
-      id: user.id,
-      email: user.email,
-      name: user.name || undefined,
-      role: user.role as UserRole,
-      tenantId: user.tenant_id || undefined,
-      createdAt: user.created_at,
-      updatedAt: user.updated_at,
-    };
-  }
-
-  async findUserByEmail(email: string): Promise<AuthUser | null> {
-    if (!email) return null;
-    const user = db
-      .prepare("SELECT * FROM users WHERE LOWER(email) = LOWER(?)")
-      .get(email) as any;
-    if (!user) return null;
-    return {
-      id: user.id,
-      email: user.email,
-      name: user.name || undefined,
-      role: user.role as UserRole,
-      tenantId: user.tenant_id || undefined,
-      createdAt: user.created_at,
-      updatedAt: user.updated_at,
-    };
-  }
-
-  async findAllUsers(): Promise<AuthUser[]> {
-    const users = db
-      .prepare("SELECT * FROM users ORDER BY created_at DESC")
-      .all() as any[];
-    return users.map((user) => ({
-      id: user.id,
-      email: user.email,
-      name: user.name || undefined,
-      role: user.role as UserRole,
-      tenantId: user.tenant_id || undefined,
-      emailVerified: !!user.email_verified,
-      locked: !!user.locked,
-      lastLogin: user.last_login || undefined,
-      createdAt: user.created_at,
-      updatedAt: user.updated_at,
-    }));
-  }
-
-  async createUser(userData: {
-    email: string;
-    password: string;
-    role?: UserRole;
-    tenantId?: string;
-  }): Promise<AuthUser> {
-    const now = this.getTimestamp();
-    const id = this.generateId();
-    const passwordHash = await bcrypt.hash(userData.password, this.saltRounds);
-
-    db.prepare(
-      "INSERT INTO users (id, email, password_hash, name, role, tenant_id, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
-    ).run(
-      id,
-      userData.email.toLowerCase(),
-      passwordHash,
-      null,
-      userData.role || "customer",
-      userData.tenantId || null,
-      now,
-      now,
-    );
-
-    return {
-      id,
-      email: userData.email,
-      role: userData.role || "customer",
-      tenantId: userData.tenantId,
-      createdAt: now,
-      updatedAt: now,
-    };
-  }
-
-  async updateUser(
-    id: string,
-    data: Partial<AuthUser> & { password?: string },
-  ): Promise<AuthUser | null> {
-    const existing = await this.findUserById(id);
-    if (!existing) return null;
-
-    const now = this.getTimestamp();
-    const updates: string[] = ["updated_at = ?"];
-    const values: any[] = [now];
-
-    if (data.email) {
-      updates.push("email = ?");
-      values.push(data.email.toLowerCase());
-    }
-    if (data.name !== undefined) {
-      updates.push("name = ?");
-      values.push(data.name);
-    }
-    if (data.role) {
-      updates.push("role = ?");
-      values.push(data.role);
-    }
-    if (data.tenantId !== undefined) {
-      updates.push("tenant_id = ?");
-      values.push(data.tenantId);
-    }
-    if (data.password) {
-      updates.push("password_hash = ?");
-      values.push(await bcrypt.hash(data.password, this.saltRounds));
-    }
-
-    values.push(id);
-    db.prepare(`UPDATE users SET ${updates.join(", ")} WHERE id = ?`).run(
-      ...values,
-    );
-
-    return this.findUserById(id);
-  }
-
-  async deleteUser(id: string): Promise<boolean> {
-    db.prepare("DELETE FROM users WHERE id = ?").run(id);
-    return true;
-  }
-
-  async verifyPassword(
-    email: string,
-    password: string,
-  ): Promise<AuthUser | null> {
-    const user = await this.findUserByEmail(email);
-    if (!user) return null;
-
-    const stored = db
-      .prepare("SELECT password_hash FROM users WHERE id = ?")
-      .get(user.id) as { password_hash: string } | undefined;
-    if (!stored?.password_hash) return null;
-
-    const valid = await bcrypt.compare(password, stored.password_hash);
-    if (!valid) return null;
-
-    return user;
-  }
-
-  async hashPassword(password: string): Promise<string> {
-    return bcrypt.hash(password, this.saltRounds);
-  }
-
-  async createSession(userId: string): Promise<Session> {
-    const now = new Date();
-    const expiresAt = new Date(now.getTime() + this.tokenExpiration * 1000);
-
-    const id = this.generateId();
-    const token = randomBytes(32).toString("hex");
-    const refreshToken = randomBytes(32).toString("hex");
-
-    db.prepare(
-      "INSERT INTO sessions (id, token, refresh_token, user_id, expires_at, created_at) VALUES (?, ?, ?, ?, ?, ?)",
-    ).run(
-      id,
-      token,
-      refreshToken,
-      userId,
-      expiresAt.toISOString(),
-      now.toISOString(),
-    );
-
-    return {
-      token,
-      refreshToken,
-      expiresAt: expiresAt.toISOString(),
-      userId,
-      createdAt: now.toISOString(),
-    };
-  }
-
-  async findSessionByToken(token: string): Promise<Session | null> {
-    const now = new Date().toISOString();
-    const session = db
-      .prepare("SELECT * FROM sessions WHERE token = ? AND expires_at > ?")
-      .get(token, now) as any;
-    if (!session) return null;
-    return {
-      token: session.token,
-      refreshToken: session.refresh_token || undefined,
-      userId: session.user_id,
-      expiresAt: session.expires_at,
-      createdAt: session.created_at,
-    };
-  }
-
-  async deleteSession(sessionId: string): Promise<boolean> {
-    db.prepare("DELETE FROM sessions WHERE token = ?").run(sessionId);
-    return true;
-  }
-
-  async deleteUserSessions(userId: string): Promise<number> {
-    db.prepare("DELETE FROM sessions WHERE user_id = ?").run(userId);
-    return 1;
-  }
-
-  async hasAnyUsers(): Promise<boolean> {
-    const result = db.prepare("SELECT COUNT(*) as cnt FROM users").get() as {
-      cnt: number;
-    };
-    return (result?.cnt || 0) > 0;
-  }
-
-  async findUserRoles(): Promise<UserRole[]> {
-    const roles = db.prepare("SELECT * FROM roles").all() as any[];
-
-    if (roles.length === 0) {
-      const defaultRoles = [
-        {
-          id: "super_admin",
-          name: "super_admin",
-          level: 100,
-          inherits: ["admin"],
-          permissions: [],
-          isSystem: 1,
-          description: "Full system access",
-        },
-        {
-          id: "admin",
-          name: "admin",
-          level: 90,
-          inherits: ["editor"],
-          permissions: [],
-          isSystem: 1,
-          description: "Full tenant access",
-        },
-        {
-          id: "editor",
-          name: "editor",
-          level: 70,
-          inherits: ["author"],
-          permissions: [],
-          isSystem: 1,
-          description: "Edit and publish content",
-        },
-        {
-          id: "author",
-          name: "author",
-          level: 50,
-          inherits: ["customer"],
-          permissions: [],
-          isSystem: 1,
-          description: "Create and edit own content",
-        },
-        {
-          id: "customer",
-          name: "customer",
-          level: 30,
-          inherits: [],
-          permissions: [],
-          isSystem: 1,
-          description: "Access own data",
-        },
-        {
-          id: "guest",
-          name: "guest",
-          level: 10,
-          inherits: [],
-          permissions: [],
-          isSystem: 1,
-          description: "Public read-only access",
-        },
-      ];
-
-      const now = this.getTimestamp();
-      for (const role of defaultRoles) {
-        db.prepare(
-          "INSERT INTO roles (id, name, level, inherits, permissions, is_system, description, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
-        ).run(
-          role.id,
-          role.name,
-          role.level,
-          JSON.stringify(role.inherits),
-          JSON.stringify(role.permissions),
-          role.isSystem,
-          role.description,
-          now,
-        );
-      }
-
-      return defaultRoles as UserRole[];
-    }
-
-    return roles.map((r) => ({
-      id: r.id,
-      name: r.name,
-      level: r.level,
-      inherits: r.inherits ? JSON.parse(r.inherits) : [],
-      permissions: r.permissions ? JSON.parse(r.permissions) : [],
-      description: r.description || undefined,
-      createdAt: r.created_at,
-    }));
-  }
-
-  async findAuditLogs(
-    filter: AuditLogFilter,
-  ): Promise<{ logs: AuditLog[]; total: number }> {
-    const { limit = 50, offset = 0, action, userId, success } = filter;
-
-    let query = "SELECT * FROM audit_logs";
-    let countQuery = "SELECT COUNT(*) as total FROM audit_logs";
-    const conditions: string[] = [];
-    const params: any[] = [];
-
-    if (action) {
-      if (Array.isArray(action)) {
-        conditions.push(`action IN (${action.map(() => "?").join(",")})`);
-        params.push(...action);
-      } else {
-        conditions.push("action = ?");
-        params.push(action);
-      }
-    }
-
-    if (userId) {
-      conditions.push("user_id = ?");
-      params.push(userId);
-    }
-
-    if (success !== undefined) {
-      conditions.push("success = ?");
-      params.push(success ? 1 : 0);
-    }
-
-    if (conditions.length > 0) {
-      const where = ` WHERE ${conditions.join(" AND ")}`;
-      query += where;
-      countQuery += where;
-    }
-
-    query += " ORDER BY created_at DESC LIMIT ? OFFSET ?";
-
-    const logs = db.prepare(query).all(...params, limit, offset) as any[];
-    const totalResult = db.prepare(countQuery).get(...params) as {
-      total: number;
-    };
-
-    return {
-      logs: logs.map((l) => ({
-        id: l.id,
-        action: l.action as any,
-        userId: l.user_id,
-        userEmail: l.user_email,
-        role: l.role,
-        resource: l.resource,
-        ipAddress: l.ip_address,
-        userAgent: l.user_agent,
-        success: !!l.success,
-        error: l.error,
-        metadata: l.metadata ? JSON.parse(l.metadata) : undefined,
-        timestamp: new Date(l.created_at),
-      })),
-      total: totalResult.total,
-    };
-  }
-
-  async createAuditLog(
-    data: Omit<AuditLog, "id" | "timestamp">,
-  ): Promise<AuditLog> {
-    const id = this.generateId();
-    const now = this.getTimestamp();
-
-    db.prepare(
-      `
-      INSERT INTO audit_logs (
-        id, action, user_id, user_email, role, resource, 
-        ip_address, user_agent, success, error, metadata, created_at
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-    `,
-    ).run(
-      id,
-      data.action,
-      data.userId || null,
-      data.userEmail || null,
-      data.role || null,
-      data.resource,
-      data.ipAddress || null,
-      data.userAgent || null,
-      data.success ? 1 : 0,
-      data.error || null,
-      data.metadata ? JSON.stringify(data.metadata) : null,
-      now,
-    );
-
-    return {
-      ...data,
-      id,
-      timestamp: new Date(now),
-    };
-  }
-}
-
-let sqliteAuthAdapter: DrizzleSQLiteAuthAdapter | null = null;
-
-export function getSQLiteAuthAdapter(): DrizzleSQLiteAuthAdapter {
-  if (!sqliteAuthAdapter) {
-    sqliteAuthAdapter = new DrizzleSQLiteAuthAdapter();
-  }
-  return sqliteAuthAdapter;
-}