@kyro-cms/admin 0.3.2 → 0.3.5

package/src/lib/graphql/schema.ts

@@ -1,443 +0,0 @@
-import { buildSchema, graphql } from "graphql";
-import { dataStore } from "../dataStore";
-import { collections, globals } from "../config";
-import type { CollectionConfig, GlobalConfig } from "@kyro-cms/core";
-import jwt from "jsonwebtoken";
-
-const JWT_SECRET = process.env.JWT_SECRET || "change-me-in-production";
-
-function generateSchemaTypes() {
-  const queryLines: string[] = [
-    `_schema: SchemaInfo!`,
-    `ping: String!`,
-    `collections: [CollectionInfo!]!`,
-    `globals: [GlobalInfo!]!`,
-  ];
-
-  for (const [slug, collection] of Object.entries(collections)) {
-    if (slug === "roles") continue;
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    queryLines.push(`${safeSlug}(page: Int, limit: Int): CollectionResult!`);
-    queryLines.push(`${safeSlug}ById(id: ID!): JSON`);
-    queryLines.push(`${safeSlug}BySlug(slug: String!): JSON`);
-  }
-
-  for (const slug of Object.keys(globals)) {
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    queryLines.push(`${safeSlug}: GlobalResult!`);
-  }
-
-  const mutationLines: string[] = [];
-  mutationLines.push(`login(email: String!, password: String!): AuthPayload!`);
-  mutationLines.push(
-    `register(email: String!, password: String!): AuthPayload!`,
-  );
-
-  for (const slug of Object.keys(collections)) {
-    if (slug === "roles" || slug === "users") continue;
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    const name = capitalize(safeSlug);
-    mutationLines.push(`create${name}(input: JSON!): JSON!`);
-    mutationLines.push(`update${name}(id: ID!, input: JSON!): JSON!`);
-    mutationLines.push(`delete${name}(id: ID!): Boolean!`);
-  }
-
-  for (const slug of Object.keys(globals)) {
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    const name = capitalize(safeSlug);
-    mutationLines.push(`update${name}(input: JSON!): GlobalResult!`);
-  }
-
-  return `
-    scalar JSON
-
-    type Query {
-      ${queryLines.join("\n      ")}
-    }
-
-    type Mutation {
-      ${mutationLines.join("\n      ")}
-    }
-
-    type Meta {
-      page: Int!
-      limit: Int!
-      totalDocs: Int!
-      totalPages: Int!
-    }
-
-    type CollectionResult {
-      docs: [JSON!]!
-      totalDocs: Int!
-      totalPages: Int!
-      page: Int!
-    }
-
-    type GlobalResult {
-      data: JSON
-      success: Boolean!
-    }
-
-    type AuthPayload {
-      token: String
-      user: JSON
-      error: String
-    }
-
-    type SchemaInfo {
-      types: [TypeInfo!]!
-    }
-
-    type TypeInfo {
-      name: String!
-      fields: [FieldInfo!]!
-    }
-
-    type FieldInfo {
-      name: String!
-      type: String!
-      required: Boolean!
-    }
-
-    type CollectionInfo {
-      slug: String!
-      name: String
-      fields: [String!]!
-    }
-
-    type GlobalInfo {
-      slug: String!
-      name: String
-    }
-  `;
-}
-
-const schemaString = generateSchemaTypes();
-const typeDefs = buildSchema(schemaString);
-
-function capitalize(str: string): string {
-  return str.charAt(0).toUpperCase() + str.slice(1);
-}
-
-interface Context {
-  user?: {
-    id: string;
-    email: string;
-    role: string;
-  };
-  apiKeyId?: string;
-  permissions?: string[];
-}
-
-const rootValue = {
-  _schema: () => {
-    const types = Object.entries(collections).map(([slug, collection]) => ({
-      name: capitalize(slug),
-      fields: collection.fields.map((f: any) => ({
-        name: f.name,
-        type: getGraphQLType(f.type),
-        required: f.required || false,
-      })),
-    }));
-    return { types };
-  },
-
-  ping: () => "pong",
-
-  collections: () => {
-    return Object.entries(collections).map(([slug, collection]) => ({
-      slug,
-      name: (collection as CollectionConfig).label || slug,
-      fields: (collection as CollectionConfig).fields.map((f: any) => f.name),
-    }));
-  },
-
-  globals: () => {
-    return Object.entries(globals).map(([slug, global]) => ({
-      slug,
-      name: (global as GlobalConfig).label || slug,
-    }));
-  },
-
-  ...generateQueryResolvers(),
-
-  ...generateMutationResolvers(),
-};
-
-function getGraphQLType(fieldType: string): string {
-  const typeMap: Record<string, string> = {
-    text: "String",
-    richtext: "String",
-    email: "String",
-    password: "String",
-    url: "String",
-    number: "Float",
-    integer: "Int",
-    boolean: "Boolean",
-    select: "String",
-    multiselect: "[String!]!",
-    date: "String",
-    datetime: "String",
-    media: "String",
-    reference: "String",
-    array: "[String!]!",
-    json: "JSON",
-    code: "String",
-    markdown: "String",
-    slug: "String",
-  };
-  return typeMap[fieldType] || "String";
-}
-
-function generateQueryResolvers() {
-  const resolvers: Record<string, any> = {};
-
-  for (const slug of Object.keys(collections)) {
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    resolvers[safeSlug] = async ({
-      page,
-      limit,
-    }: {
-      page?: number;
-      limit?: number;
-    }) => {
-      return await dataStore.find(slug, {
-        page: page || 1,
-        limit: limit || 25,
-      });
-    };
-
-    resolvers[`${safeSlug}ById`] = async ({ id }: { id: string }) => {
-      return await dataStore.findById(slug, id);
-    };
-
-    resolvers[`${safeSlug}BySlug`] = async ({
-      slug: itemSlug,
-    }: {
-      slug: string;
-    }) => {
-      const docs = await dataStore.find(slug, { limit: 100 });
-      return docs.docs.find((d: any) => d.slug === itemSlug) || null;
-    };
-  }
-
-  for (const slug of Object.keys(globals)) {
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    resolvers[safeSlug] = async () => {
-      return { data: await dataStore.findGlobal(slug), success: true };
-    };
-  }
-
-  return resolvers;
-}
-
-function generateMutationResolvers() {
-  return {
-    login: async ({ email, password }: { email: string; password: string }) => {
-      try {
-        const { SQLiteAuthAdapter } = await import("../auth/sqlite-adapter");
-        const adapter = new SQLiteAuthAdapter();
-
-        const user = await adapter.findUserByEmail(email);
-        if (!user) {
-          return { error: "Invalid credentials" };
-        }
-
-        const valid = await adapter.verifyPassword(
-          password,
-          user.passwordHash || "",
-        );
-        if (!valid) {
-          return { error: "Invalid credentials" };
-        }
-
-        const { passwordHash, ...safeUser } = user;
-        const token = jwt.sign(
-          {
-            sub: safeUser.id,
-            email: safeUser.email,
-            role: safeUser.role,
-            tenantId: safeUser.tenantId,
-          },
-          JWT_SECRET,
-          { expiresIn: "7d" },
-        );
-
-        return { token, user: safeUser };
-      } catch {
-        return { error: "Authentication failed" };
-      }
-    },
-
-    register: async ({
-      email,
-      password,
-    }: {
-      email: string;
-      password: string;
-    }) => {
-      try {
-        const { SQLiteAuthAdapter } = await import("../auth/sqlite-adapter");
-        const adapter = new SQLiteAuthAdapter();
-
-        const existing = await adapter.findUserByEmail(email);
-        if (existing) {
-          return { error: "Email already exists" };
-        }
-
-        const passwordHash = await adapter.hashPassword(password);
-        const user = await adapter.createUser({
-          email,
-          passwordHash,
-          role: "customer",
-        });
-
-        const { passwordHash: _, ...safeUser } = user;
-        const token = jwt.sign(
-          {
-            sub: safeUser.id,
-            email: safeUser.email,
-            role: safeUser.role,
-            tenantId: safeUser.tenantId,
-          },
-          JWT_SECRET,
-          { expiresIn: "7d" },
-        );
-
-        return { token, user: safeUser };
-      } catch {
-        return { error: "Registration failed" };
-      }
-    },
-  };
-}
-
-function generateCollectionMutations() {
-  const resolvers: Record<string, any> = {};
-
-  for (const slug of Object.keys(collections)) {
-    if (slug === "roles" || slug === "users") continue;
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    const name = capitalize(safeSlug);
-
-    resolvers[`create${name}`] = async ({ input }: { input: any }) => {
-      return await dataStore.create(slug, input);
-    };
-
-    resolvers[`update${name}`] = async ({
-      id,
-      input,
-    }: {
-      id: string;
-      input: any;
-    }) => {
-      return await dataStore.update(slug, id, input);
-    };
-
-    resolvers[`delete${name}`] = async ({ id }: { id: string }) => {
-      return await dataStore.delete(slug, id);
-    };
-  }
-
-  for (const slug of Object.keys(globals)) {
-    const safeSlug = slug.replace(/[^a-zA-Z0-9_]/g, "_");
-    const name = capitalize(safeSlug);
-
-    resolvers[`update${name}`] = async ({ input }: { input: any }) => {
-      await dataStore.updateGlobal(slug, input);
-      return { data: await dataStore.findGlobal(slug), success: true };
-    };
-  }
-
-  return resolvers;
-}
-
-export async function executeGraphQL(
-  query: string,
-  variables?: Record<string, any>,
-  authToken?: string,
-  apiKey?: string,
-) {
-  let context: Context = {};
-
-  if (apiKey) {
-    try {
-      const result = await validateApiKeyFromDataStore(apiKey);
-      if (result.valid && result.user) {
-        context.user = {
-          id: result.userId as string,
-          email: result.user.email,
-          role: result.user.role,
-        };
-        context.apiKeyId = result.apiKeyId;
-        context.permissions = result.permissions;
-      }
-    } catch {
-      // Invalid API key, continue without auth
-    }
-  } else if (authToken) {
-    try {
-      const payload = jwt.verify(authToken, JWT_SECRET) as jwt.JwtPayload;
-      context.user = {
-        id: payload.sub as string,
-        email: (payload as any).email,
-        role: (payload as any).role,
-      };
-    } catch {
-      // Invalid token, continue without auth
-    }
-  }
-
-  const result = await graphql({
-    schema: typeDefs,
-    source: query,
-    rootValue,
-    contextValue: context,
-    variableValues: variables,
-  } as any);
-
-  return result;
-}
-
-async function validateApiKeyFromDataStore(apiKey: string) {
-  if (!apiKey.startsWith("kyro_")) {
-    return { valid: false };
-  }
-
-  const keyPrefix = apiKey.substring(0, 8);
-  const result = await dataStore.find("_api_keys", { limit: 100 });
-  const keys = (result.docs || []).filter(
-    (k: any) => k.keyPrefix === keyPrefix,
-  );
-
-  for (const record of keys) {
-    if (record.key === apiKey) {
-      if (record.expiresAt && new Date(record.expiresAt) < new Date()) {
-        return { valid: false, error: "API key expired" };
-      }
-
-      try {
-        await dataStore.update("_api_keys", record.id, {
-          lastUsedAt: new Date().toISOString(),
-        });
-      } catch {}
-
-      return {
-        valid: true,
-        userId: record.userId,
-        user: {
-          id: record.userId,
-          email: record.email,
-          role: record.role || "author",
-          tenantId: record.tenantId,
-        },
-        permissions: record.permissions || [],
-        apiKeyId: record.id,
-      };
-    }
-  }
-
-  return { valid: false };
-}
-
-export { schemaString };

package/src/lib/rate-limit.ts

@@ -1,267 +0,0 @@
-import Database from "better-sqlite3";
-import { randomBytes } from "crypto";
-
-const DB_PATH =
-  process.env.KYRO_AUTH_DB_PATH || process.env.KYRO_DB_PATH || "./data/auth.db";
-
-interface RateLimitConfig {
-  maxAttempts: number;
-  windowMs: number;
-  lockoutMs: number;
-}
-
-interface RateLimitResult {
-  allowed: boolean;
-  remaining: number;
-  resetAt: Date | null;
-  lockedUntil: Date | null;
-}
-
-const DEFAULT_CONFIG: RateLimitConfig = {
-  maxAttempts: 5,
-  windowMs: 15 * 60 * 1000, // 15 minutes
-  lockoutMs: 15 * 60 * 1000, // 15 minutes lockout
-};
-
-function getDb() {
-  return new Database(DB_PATH);
-}
-
-export async function checkRateLimit(
-  identifier: string,
-  action: string = "login",
-  config: RateLimitConfig = DEFAULT_CONFIG,
-): Promise<RateLimitResult> {
-  const db = getDb();
-  const now = new Date();
-
-  try {
-    // Clean up expired records first
-    db.prepare(
-      `
-      DELETE FROM rate_limits 
-      WHERE expires_at IS NOT NULL AND expires_at < ?
-    `,
-    ).run(now.toISOString());
-
-    // Get existing record
-    const existing = db
-      .prepare(
-        `
-      SELECT * FROM rate_limits 
-      WHERE identifier = ? AND action = ?
-    `,
-      )
-      .get(identifier, action) as any;
-
-    if (!existing) {
-      // First attempt - create record
-      const id = randomBytes(16).toString("hex");
-      db.prepare(
-        `
-        INSERT INTO rate_limits (id, identifier, action, attempts, first_attempt, last_attempt, created_at)
-        VALUES (?, ?, ?, 1, ?, ?, ?)
-      `,
-      ).run(
-        id,
-        identifier,
-        action,
-        now.toISOString(),
-        now.toISOString(),
-        now.toISOString(),
-      );
-
-      return {
-        allowed: true,
-        remaining: config.maxAttempts - 1,
-        resetAt: new Date(now.getTime() + config.windowMs),
-        lockedUntil: null,
-      };
-    }
-
-    // Check if currently locked
-    if (existing.expires_at && new Date(existing.expires_at) > now) {
-      return {
-        allowed: false,
-        remaining: 0,
-        resetAt: null,
-        lockedUntil: new Date(existing.expires_at),
-      };
-    }
-
-    // Check if within window
-    const firstAttempt = existing.first_attempt
-      ? new Date(existing.first_attempt)
-      : now;
-    const windowEnd = new Date(firstAttempt.getTime() + config.windowMs);
-
-    if (now > windowEnd) {
-      // Window expired - reset attempts
-      db.prepare(
-        `
-        UPDATE rate_limits 
-        SET attempts = 1, first_attempt = ?, last_attempt = ?, expires_at = NULL
-        WHERE identifier = ? AND action = ?
-      `,
-      ).run(now.toISOString(), now.toISOString(), identifier, action);
-
-      return {
-        allowed: true,
-        remaining: config.maxAttempts - 1,
-        resetAt: new Date(now.getTime() + config.windowMs),
-        lockedUntil: null,
-      };
-    }
-
-    // Within window - check attempts
-    const attempts = existing.attempts || 0;
-    const remaining = config.maxAttempts - attempts;
-
-    if (attempts >= config.maxAttempts) {
-      // Lock out the user
-      const lockUntil = new Date(now.getTime() + config.lockoutMs);
-      db.prepare(
-        `
-        UPDATE rate_limits 
-        SET last_attempt = ?, expires_at = ?
-        WHERE identifier = ? AND action = ?
-      `,
-      ).run(now.toISOString(), lockUntil.toISOString(), identifier, action);
-
-      return {
-        allowed: false,
-        remaining: 0,
-        resetAt: windowEnd,
-        lockedUntil: lockUntil,
-      };
-    }
-
-    // Increment attempts
-    db.prepare(
-      `
-      UPDATE rate_limits 
-      SET attempts = attempts + 1, last_attempt = ?
-      WHERE identifier = ? AND action = ?
-    `,
-    ).run(now.toISOString(), identifier, action);
-
-    return {
-      allowed: true,
-      remaining: remaining - 1,
-      resetAt: windowEnd,
-      lockedUntil: null,
-    };
-  } finally {
-    db.close();
-  }
-}
-
-export async function resetRateLimit(
-  identifier: string,
-  action: string = "login",
-): Promise<void> {
-  const db = getDb();
-
-  try {
-    db.prepare(
-      `
-      DELETE FROM rate_limits WHERE identifier = ? AND action = ?
-    `,
-    ).run(identifier, action);
-  } finally {
-    db.close();
-  }
-}
-
-export async function getAccountLockStatus(email: string): Promise<{
-  isLocked: boolean;
-  lockedUntil: Date | null;
-  failedAttempts: number;
-}> {
-  const db = getDb();
-
-  try {
-    const user = db
-      .prepare(
-        `
-      SELECT locked, locked_until, failed_login_attempts 
-      FROM users 
-      WHERE LOWER(email) = LOWER(?)
-    `,
-      )
-      .get(email) as any;
-
-    if (!user) {
-      return { isLocked: false, lockedUntil: null, failedAttempts: 0 };
-    }
-
-    const now = new Date();
-    const lockedUntil = user.locked_until ? new Date(user.locked_until) : null;
-    const isLocked = user.locked === 1 && (!lockedUntil || lockedUntil > now);
-
-    return {
-      isLocked,
-      lockedUntil: isLocked ? lockedUntil : null,
-      failedAttempts: user.failed_login_attempts || 0,
-    };
-  } finally {
-    db.close();
-  }
-}
-
-export async function recordFailedLogin(email: string): Promise<void> {
-  const db = getDb();
-
-  try {
-    const now = new Date();
-    const user = db
-      .prepare(
-        `
-      SELECT id FROM users WHERE LOWER(email) = LOWER(?)
-    `,
-      )
-      .get(email) as any;
-
-    if (!user) return;
-
-    // Increment failed attempts
-    db.prepare(
-      `
-      UPDATE users 
-      SET failed_login_attempts = COALESCE(failed_login_attempts, 0) + 1,
-          last_login = ?,
-          locked = CASE 
-            WHEN COALESCE(failed_login_attempts, 0) >= 4 THEN 1 
-            ELSE 0 
-          END,
-          locked_until = CASE 
-            WHEN COALESCE(failed_login_attempts, 0) >= 4 THEN ?
-            ELSE NULL 
-          END
-      WHERE id = ?
-    `,
-    ).run(
-      now.toISOString(),
-      new Date(now.getTime() + 15 * 60 * 1000).toISOString(),
-      user.id,
-    );
-  } finally {
-    db.close();
-  }
-}
-
-export async function unlockAccount(email: string): Promise<void> {
-  const db = getDb();
-
-  try {
-    db.prepare(
-      `
-      UPDATE users 
-      SET locked = 0, locked_until = NULL, failed_login_attempts = 0
-      WHERE LOWER(email) = LOWER(?)
-    `,
-    ).run(email);
-  } finally {
-    db.close();
-  }
-}