@leadertechie/personal-site-kit 0.1.0-alpha.4 → 0.1.0-alpha.5

package/dist/api/handlers/auth-handler.d.ts

@@ -0,0 +1,2 @@
+export declare function handleAuth(request: Request, env: any, subpath: string): Promise<Response>;
+//# sourceMappingURL=auth-handler.d.ts.map

package/dist/api/handlers/auth-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../../src/api/handlers/auth-handler.ts"],"names":[],"mappings":"AAkBA,wBAAsB,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAkC/F"}

package/dist/api/handlers/auth.d.ts

@@ -0,0 +1,23 @@
+declare const AUTH_KV = "auth_store";
+declare const RATE_LIMIT_KV = "rate_limit";
+declare const MAX_ATTEMPTS = 5;
+declare const BASE_DELAY_MS = 1000;
+interface AuthStore {
+    username: string;
+    passwordHash: string;
+    salt: string;
+}
+declare function hashPassword(password: string, salt: string): Promise<string>;
+declare function generateSalt(): Promise<string>;
+declare function checkRateLimit(env: any, ip: string): Promise<{
+    allowed: boolean;
+    delayMs: number;
+}>;
+declare function recordFailedAttempt(env: any, ip: string): Promise<void>;
+declare function clearRateLimit(env: any, ip: string): Promise<void>;
+declare function getAuthStore(env: any): Promise<AuthStore | null>;
+declare function setupAuth(env: any, username: string, password: string): Promise<void>;
+declare function verifyCredentials(env: any, username: string, password: string): Promise<boolean>;
+declare function getClientIP(request: Request): string;
+export { hashPassword, generateSalt, checkRateLimit, recordFailedAttempt, clearRateLimit, getAuthStore, setupAuth, verifyCredentials, getClientIP, AUTH_KV, RATE_LIMIT_KV, MAX_ATTEMPTS, BASE_DELAY_MS };
+//# sourceMappingURL=auth.d.ts.map

package/dist/api/handlers/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/api/handlers/auth.ts"],"names":[],"mappings":"AAAA,QAAA,MAAM,OAAO,eAAe,CAAC;AAC7B,QAAA,MAAM,aAAa,eAAe,CAAC;AACnC,QAAA,MAAM,YAAY,IAAI,CAAC;AACvB,QAAA,MAAM,aAAa,OAAO,CAAC;AAG3B,UAAU,SAAS;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;CACd;AAQD,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAuB3E;AAED,iBAAe,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC,CAG7C;AAED,iBAAe,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA2BlG;AAED,iBAAe,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBtE;AAED,iBAAe,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAGjE;AAED,iBAAe,YAAY,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAG/D;AAED,iBAAe,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CASpF;AAED,iBAAe,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAa/F;AAED,iBAAS,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAI7C;AAED,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,mBAAmB,EACnB,cAAc,EACd,YAAY,EACZ,SAAS,EACT,iBAAiB,EACjB,WAAW,EACX,OAAO,EACP,aAAa,EACb,YAAY,EACZ,aAAa,EACd,CAAC"}

package/dist/api/handlers/content.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"content.d.ts","sourceRoot":"","sources":["../../../src/api/handlers/content.ts"],"names":[],"mappings":"AAEA,wBAAsB,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAqElG"}
+{"version":3,"file":"content.d.ts","sourceRoot":"","sources":["../../../src/api/handlers/content.ts"],"names":[],"mappings":"AAkBA,wBAAsB,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiElG"}

package/dist/api/index.d.ts

@@ -1,6 +1,8 @@
 import { WebsiteAPI } from './website-api';
 export { WebsiteAPI };
 export type { APIHandler } from './website-api';
+export * from './handlers/auth';
+export * from './handlers/auth-handler';
 declare const defaultAPI: WebsiteAPI;
 export default defaultAPI;
 //# sourceMappingURL=index.d.ts.map

package/dist/api/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,CAAC;AACtB,YAAY,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAGhD,QAAA,MAAM,UAAU,YAAmB,CAAC;AACpC,eAAe,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,CAAC;AACtB,YAAY,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AAGxC,QAAA,MAAM,UAAU,YAAmB,CAAC;AACpC,eAAe,UAAU,CAAC"}

package/dist/api/website-api.d.ts

@@ -3,8 +3,8 @@ export declare class WebsiteAPI {
     private customHandlers;
     registerHandler(route: string, handler: APIHandler): void;
     private addCORSHeaders;
+    private addAdminCORSHeaders;
     private handleCORS;
-    private requireAuth;
     fetch(request: Request, env: any): Promise<Response>;
 }
 //# sourceMappingURL=website-api.d.ts.map

package/dist/api/website-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"website-api.d.ts","sourceRoot":"","sources":["../../src/api/website-api.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAE3E,qBAAa,UAAU;IACrB,OAAO,CAAC,cAAc,CAAiC;IAEhD,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU;IAIzD,OAAO,CAAC,cAAc;IAOtB,OAAO,CAAC,UAAU;IAYlB,OAAO,CAAC,WAAW;IAYN,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;CA0ElE"}
+{"version":3,"file":"website-api.d.ts","sourceRoot":"","sources":["../../src/api/website-api.ts"],"names":[],"mappings":"AAWA,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAE3E,qBAAa,UAAU;IACrB,OAAO,CAAC,cAAc,CAAiC;IAEhD,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU;IAIzD,OAAO,CAAC,cAAc;IAOtB,OAAO,CAAC,mBAAmB;IAQ3B,OAAO,CAAC,UAAU;IAYL,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;CAkFlE"}

package/dist/api.js

@@ -1,6 +1,21 @@
-import { W as WebsiteAPI } from "./chunks/website-api-CVsi-OLc.js";
+import { W as WebsiteAPI } from "./chunks/website-api-DI3muo2s.js";
+import { A, B, M, R, c, a, g, b, d, h, e, r, s, v } from "./chunks/website-api-DI3muo2s.js";
 const defaultAPI = new WebsiteAPI();
 export {
+  A as AUTH_KV,
+  B as BASE_DELAY_MS,
+  M as MAX_ATTEMPTS,
+  R as RATE_LIMIT_KV,
   WebsiteAPI,
-  defaultAPI as default
+  c as checkRateLimit,
+  a as clearRateLimit,
+  defaultAPI as default,
+  g as generateSalt,
+  b as getAuthStore,
+  d as getClientIP,
+  h as handleAuth,
+  e as hashPassword,
+  r as recordFailedAttempt,
+  s as setupAuth,
+  v as verifyCredentials
 };

package/dist/chunks/{website-api-CVsi-OLc.js → website-api-DI3muo2s.js}

@@ -147,13 +147,171 @@ async function handleInfo() {
     ]
   });
 }
+const AUTH_KV = "auth_store";
+const RATE_LIMIT_KV = "rate_limit";
+const MAX_ATTEMPTS = 5;
+const BASE_DELAY_MS = 1e3;
+const MAX_DELAY_MS = 6e4;
+async function hashPassword(password, salt) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const saltBuffer = encoder.encode(salt);
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt: saltBuffer,
+      iterations: 1e5,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    256
+  );
+  return btoa(String.fromCharCode(...new Uint8Array(derivedBits)));
+}
+async function generateSalt() {
+  const saltBytes = crypto.getRandomValues(new Uint8Array(16));
+  return btoa(String.fromCharCode(...saltBytes));
+}
+async function checkRateLimit(env, ip) {
+  const kvKey = `rate:${ip}`;
+  const entry = await env.KV.get(kvKey, "json");
+  if (!entry) {
+    return { allowed: true, delayMs: 0 };
+  }
+  const now = Date.now();
+  const windowMs = 15 * 60 * 1e3;
+  if (now - entry.firstAttempt > windowMs) {
+    return { allowed: true, delayMs: 0 };
+  }
+  if (entry.attempts >= MAX_ATTEMPTS) {
+    const delayMs = Math.min(BASE_DELAY_MS * Math.pow(2, entry.attempts - MAX_ATTEMPTS), MAX_DELAY_MS);
+    const timeSinceLast = now - entry.lastAttempt;
+    if (timeSinceLast < delayMs) {
+      return { allowed: false, delayMs: delayMs - timeSinceLast };
+    }
+  }
+  return { allowed: true, delayMs: 0 };
+}
+async function recordFailedAttempt(env, ip) {
+  const kvKey = `rate:${ip}`;
+  const entry = await env.KV.get(kvKey, "json");
+  const now = Date.now();
+  const windowMs = 15 * 60 * 1e3;
+  if (!entry || now - entry.firstAttempt > windowMs) {
+    await env.KV.put(kvKey, JSON.stringify({
+      attempts: 1,
+      firstAttempt: now,
+      lastAttempt: now
+    }), { expirationTtl: Math.ceil(windowMs / 1e3) + 60 });
+  } else {
+    entry.attempts++;
+    entry.lastAttempt = now;
+    await env.KV.put(kvKey, JSON.stringify(entry), {
+      expirationTtl: Math.ceil(windowMs / 1e3) + 60
+    });
+  }
+}
+async function clearRateLimit(env, ip) {
+  const kvKey = `rate:${ip}`;
+  await env.KV.delete(kvKey);
+}
+async function getAuthStore(env) {
+  const store = await env.KV.get(AUTH_KV, "json");
+  return store;
+}
+async function setupAuth(env, username, password) {
+  const salt = await generateSalt();
+  const passwordHash = await hashPassword(password, salt);
+  await env.KV.put(AUTH_KV, JSON.stringify({
+    username,
+    passwordHash,
+    salt
+  }));
+}
+async function verifyCredentials(env, username, password) {
+  const store = await getAuthStore(env);
+  if (!store) {
+    return false;
+  }
+  if (username !== store.username) {
+    return false;
+  }
+  const hash = await hashPassword(password, store.salt);
+  return hash === store.passwordHash;
+}
+function getClientIP(request) {
+  return request.headers.get("CF-Connecting-IP") || request.headers.get("X-Forwarded-For")?.split(",")[0]?.trim() || "unknown";
+}
+function getSessionToken(request) {
+  const cookieHeader = request.headers.get("Cookie");
+  if (!cookieHeader) return null;
+  const match = cookieHeader.split(";").find((c) => c.trim().startsWith("session="));
+  return match?.split("=")[1] || null;
+}
 async function handleContent(request, env, subpath) {
   const bucket = env.CONTENT_BUCKET;
   if (!bucket) {
     return createErrorResponse("Content bucket not configured", 500);
   }
   const method = request.method;
-  if (method === "GET" && (!subpath || subpath === "/")) {
+  const clientIP = getClientIP(request);
+  const rateCheck = await checkRateLimit(env, clientIP);
+  if (!rateCheck.allowed) {
+    return new Response(JSON.stringify({
+      error: "Too many failed attempts. Please wait.",
+      retryAfter: Math.ceil(rateCheck.delayMs / 1e3)
+    }), {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        "Retry-After": String(Math.ceil(rateCheck.delayMs / 1e3))
+      }
+    });
+  }
+  const store = await getAuthStore(env);
+  if (!store) {
+    if (method === "GET") {
+      return handleGet(request, bucket, subpath);
+    }
+    return createErrorResponse("Admin not configured. Use POST /auth/setup to configure.", 401);
+  }
+  const sessionToken = getSessionToken(request);
+  let isAuthenticated = false;
+  if (sessionToken) {
+    const session = await env.KV.get(`session:${sessionToken}`, "json");
+    if (session && session.expiresAt > Date.now()) {
+      isAuthenticated = true;
+    }
+  }
+  const authHeader = request.headers.get("Authorization");
+  if (!isAuthenticated && authHeader?.startsWith("Basic ")) {
+    try {
+      const credentials = atob(authHeader.slice(6));
+      const [username, password] = credentials.split(":");
+      if (await verifyCredentials(env, username, password)) {
+        isAuthenticated = true;
+      }
+    } catch (e) {
+    }
+  }
+  if (!isAuthenticated) {
+    await recordFailedAttempt(env, clientIP);
+    return createErrorResponse("Unauthorized", 401);
+  }
+  await clearRateLimit(env, clientIP);
+  if (method === "GET") {
+    return handleGet(request, bucket, subpath);
+  }
+  return handleWrite(request, bucket, subpath, env, method);
+}
+async function handleGet(request, bucket, subpath) {
+  if (request.method === "GET" && (!subpath || subpath === "/")) {
     try {
       const list = await bucket.list();
       return createJSONResponse(list.objects.map((o) => ({
@@ -166,7 +324,7 @@ async function handleContent(request, env, subpath) {
       return createErrorResponse("Failed to list content: " + e.message, 500);
     }
   }
-  if (method === "GET" && subpath) {
+  if (request.method === "GET" && subpath) {
     try {
       const object = await bucket.get(subpath);
       if (!object) {
@@ -180,11 +338,9 @@ async function handleContent(request, env, subpath) {
       return createErrorResponse("Failed to get content: " + e.message, 500);
     }
   }
-  const authHeader = request.headers.get("Authorization");
-  const apiKey = env.ADMIN_API_KEY;
-  if (apiKey && authHeader !== `Bearer ${apiKey}`) {
-    return createErrorResponse("Unauthorized", 401);
-  }
+  return createErrorResponse("Method not allowed", 405);
+}
+async function handleWrite(request, bucket, subpath, env, method) {
   if (method === "PUT" && subpath) {
     try {
       await bucket.put(subpath, request.body);
@@ -203,6 +359,146 @@ async function handleContent(request, env, subpath) {
   }
   return createErrorResponse("Method not allowed", 405);
 }
+function createSessionCookie(token, secure) {
+  const expires = new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3).toUTCString();
+  const SameSite = secure ? "Strict" : "Lax";
+  return `session=${token}; HttpOnly; Secure; SameSite=${SameSite}; Path=/; Expires=${expires}`;
+}
+async function handleAuth(request, env, subpath) {
+  request.method;
+  const clientIP = getClientIP(request);
+  const path = subpath.replace(/^\//, "").split("/")[0];
+  const url = new URL(request.url);
+  const isSecure = url.protocol === "https:";
+  const rateCheck = await checkRateLimit(env, clientIP);
+  if (!rateCheck.allowed) {
+    return new Response(JSON.stringify({
+      error: "Too many failed attempts. Please wait.",
+      retryAfter: Math.ceil(rateCheck.delayMs / 1e3)
+    }), {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        "Retry-After": String(Math.ceil(rateCheck.delayMs / 1e3))
+      }
+    });
+  }
+  switch (path) {
+    case "setup":
+      return handleSetup(request, env, clientIP, isSecure);
+    case "status":
+      return handleStatus(env);
+    case "login":
+      return handleLogin(request, env, clientIP, isSecure);
+    case "logout":
+      return handleLogout(request, env);
+    default:
+      return createErrorResponse("Not found", 404);
+  }
+}
+async function handleSetup(request, env, clientIP, isSecure) {
+  if (request.method !== "POST") {
+    return createErrorResponse("Method not allowed", 405);
+  }
+  const existing = await getAuthStore(env);
+  if (existing) {
+    return createErrorResponse("Admin already configured. Use /auth/login to login.", 400);
+  }
+  try {
+    const body = await request.json();
+    const { username, password } = body;
+    if (!username || !password) {
+      return createErrorResponse("Username and password required", 400);
+    }
+    if (username.length < 3 || password.length < 8) {
+      return createErrorResponse("Username must be 3+ chars, password must be 8+ chars", 400);
+    }
+    await setupAuth(env, username, password);
+    await clearRateLimit(env, clientIP);
+    const token = crypto.randomUUID();
+    await env.KV.put(`session:${token}`, JSON.stringify({
+      createdAt: Date.now(),
+      expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1e3
+    }), { expirationTtl: 7 * 24 * 60 * 60 });
+    const headers = {
+      "Content-Type": "application/json",
+      "Set-Cookie": createSessionCookie(token, isSecure)
+    };
+    return new Response(JSON.stringify({
+      success: true,
+      message: "Admin configured successfully"
+    }), {
+      status: 201,
+      headers
+    });
+  } catch (e) {
+    return createErrorResponse("Invalid request body", 400);
+  }
+}
+async function handleStatus(env) {
+  const store = await getAuthStore(env);
+  return createJSONResponse({
+    configured: !!store,
+    username: store?.username || null
+  });
+}
+async function handleLogin(request, env, clientIP, isSecure) {
+  if (request.method !== "POST") {
+    return createErrorResponse("Method not allowed", 405);
+  }
+  const store = await getAuthStore(env);
+  if (!store) {
+    return createErrorResponse("Admin not configured. Use POST /auth/setup first.", 401);
+  }
+  try {
+    const body = await request.json();
+    const { username, password } = body;
+    if (!username || !password) {
+      return createErrorResponse("Username and password required", 400);
+    }
+    if (await verifyCredentials(env, username, password)) {
+      await clearRateLimit(env, clientIP);
+      const token = crypto.randomUUID();
+      await env.KV.put(`session:${token}`, JSON.stringify({
+        createdAt: Date.now(),
+        expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1e3
+      }), { expirationTtl: 7 * 24 * 60 * 60 });
+      const headers = {
+        "Content-Type": "application/json",
+        "Set-Cookie": createSessionCookie(token, isSecure)
+      };
+      return new Response(JSON.stringify({
+        success: true,
+        message: "Login successful"
+      }), {
+        status: 200,
+        headers
+      });
+    } else {
+      await recordFailedAttempt(env, clientIP);
+      return createErrorResponse("Invalid credentials", 401);
+    }
+  } catch (e) {
+    return createErrorResponse("Invalid request body", 400);
+  }
+}
+async function handleLogout(request, env) {
+  if (request.method !== "POST") {
+    return createErrorResponse("Method not allowed", 405);
+  }
+  const cookieHeader = request.headers.get("Cookie");
+  const sessionToken = cookieHeader?.split(";").find((c) => c.trim().startsWith("session="))?.split("=")[1];
+  if (sessionToken) {
+    await env.KV.delete(`session:${sessionToken}`);
+  }
+  return new Response(JSON.stringify({ success: true, message: "Logged out" }), {
+    status: 200,
+    headers: {
+      "Content-Type": "application/json",
+      "Set-Cookie": "session=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0"
+    }
+  });
+}
 const contentCache = /* @__PURE__ */ new Map();
 const CACHE_TTL = 5 * 60 * 1e3;
 async function getCachedOrFetch(key, fetchFn) {
@@ -504,6 +800,13 @@ class WebsiteAPI {
     response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
     return response;
   }
+  addAdminCORSHeaders(response) {
+    response.headers.set("Access-Control-Allow-Origin", "same-origin");
+    response.headers.set("Access-Control-Allow-Credentials", "true");
+    response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+    response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    return response;
+  }
   handleCORS() {
     return new Response(null, {
       status: 200,
@@ -515,17 +818,6 @@ class WebsiteAPI {
       }
     });
   }
-  requireAuth(request, env) {
-    const authHeader = request.headers.get("Authorization");
-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
-      return createErrorResponse("Unauthorized", 401);
-    }
-    const token = authHeader.slice(7);
-    if (token !== env?.ADMIN_API_KEY) {
-      return createErrorResponse("Unauthorized", 401);
-    }
-    return null;
-  }
   async fetch(request, env) {
     const url = new URL(request.url);
     if (request.method === "OPTIONS") {
@@ -540,7 +832,7 @@ class WebsiteAPI {
     try {
       if (route === "content" || route.startsWith("content/")) {
         const subpath = route.replace(/^content\/?/, "");
-        return this.addCORSHeaders(await handleContent(request, env, subpath));
+        return this.addAdminCORSHeaders(await handleContent(request, env, subpath));
       }
       switch (route) {
         case "info":
@@ -548,16 +840,22 @@ class WebsiteAPI {
         case "home":
           return this.addCORSHeaders(await handleHome(env));
         case "cache-clear":
-          const authError = this.requireAuth(request, env);
-          if (authError) return this.addCORSHeaders(authError);
+          const cookieHeader = request.headers.get("Cookie");
+          const sessionToken = cookieHeader?.split(";").find((c) => c.trim().startsWith("session="))?.split("=")[1];
+          const session = sessionToken ? await env.KV.get(`session:${sessionToken}`, "json") : null;
+          if (!session || session.expiresAt < Date.now()) {
+            return this.addAdminCORSHeaders(createErrorResponse("Unauthorized", 401));
+          }
           clearContentCache();
-          return this.addCORSHeaders(new Response(JSON.stringify({ success: true, message: "Cache cleared" }), { status: 200 }));
+          return this.addAdminCORSHeaders(new Response(JSON.stringify({ success: true, message: "Cache cleared" }), { status: 200 }));
         case "aboutme":
           return this.addCORSHeaders(await handleAboutMe(env));
         case "logo":
           return this.addCORSHeaders(await handleLogo(env));
         case "static":
           return this.addCORSHeaders(await handleStaticDetails(env));
+        case "auth":
+          return this.addAdminCORSHeaders(await handleAuth(request, env, "/auth"));
         case "blogs":
           return this.addCORSHeaders(await handleBlogs(env));
         case "blogs/latest":
@@ -592,5 +890,19 @@ class WebsiteAPI {
   }
 }
 export {
-  WebsiteAPI as W
+  AUTH_KV as A,
+  BASE_DELAY_MS as B,
+  MAX_ATTEMPTS as M,
+  RATE_LIMIT_KV as R,
+  WebsiteAPI as W,
+  clearRateLimit as a,
+  getAuthStore as b,
+  checkRateLimit as c,
+  getClientIP as d,
+  hashPassword as e,
+  generateSalt as g,
+  handleAuth as h,
+  recordFailedAttempt as r,
+  setupAuth as s,
+  verifyCredentials as v
 };

package/dist/index.js

@@ -1,24 +1,38 @@
-import { W } from "./chunks/website-api-CVsi-OLc.js";
+import { A, B, M, R, W, c, a, g, b, d, h, e, r, s, v } from "./chunks/website-api-DI3muo2s.js";
 import { WebsitePrerender } from "./prerender.js";
-import { A, B, F, M, a, S } from "./chunks/index-VimKeB5W.js";
-import { R, S as S2, T, W as W2, b, c, g, a as a2, i, r } from "./chunks/template-MawmknFQ.js";
+import { A as A2, B as B2, F, M as M2, a as a2, S } from "./chunks/index-VimKeB5W.js";
+import { R as R2, S as S2, T, W as W2, b as b2, c as c2, g as g2, a as a3, i, r as r2 } from "./chunks/template-MawmknFQ.js";
 export {
-  A as AdminPortal,
-  B as BlogViewer,
+  A as AUTH_KV,
+  A2 as AdminPortal,
+  B as BASE_DELAY_MS,
+  B2 as BlogViewer,
   F as FooterComponent,
-  M as MyAboutme,
-  a as MyBanner,
-  R as Router,
+  M as MAX_ATTEMPTS,
+  M2 as MyAboutme,
+  a2 as MyBanner,
+  R as RATE_LIMIT_KV,
+  R2 as Router,
   S2 as SiteStore,
   S as StoryViewer,
   T as ThemeToggle,
   W as WebsiteAPI,
   WebsitePrerender,
   W2 as WebsiteUI,
-  b as bootstrap,
-  c as createHtmlTemplate,
-  g as generatePageContent,
-  a2 as getConfig,
+  b2 as bootstrap,
+  c as checkRateLimit,
+  a as clearRateLimit,
+  c2 as createHtmlTemplate,
+  g2 as generatePageContent,
+  g as generateSalt,
+  b as getAuthStore,
+  d as getClientIP,
+  a3 as getConfig,
+  h as handleAuth,
+  e as hashPassword,
   i as initializeConfig,
-  r as renderMarkdown
+  r as recordFailedAttempt,
+  r2 as renderMarkdown,
+  s as setupAuth,
+  v as verifyCredentials
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@leadertechie/personal-site-kit",
-  "version": "0.1.0-alpha.4",
+  "version": "0.1.0-alpha.5",
   "type": "module",
   "description": "A high-performance personal website engine for Cloudflare Workers and R2",
   "repository": {

package/src/api/handlers/auth-handler.ts

@@ -0,0 +1,181 @@
+import { createJSONResponse, createErrorResponse } from '../utils';
+import { 
+  setupAuth, 
+  getAuthStore,
+  checkRateLimit,
+  recordFailedAttempt,
+  clearRateLimit,
+  verifyCredentials,
+  getClientIP,
+  MAX_ATTEMPTS
+} from './auth';
+
+function createSessionCookie(token: string, secure: boolean): string {
+  const expires = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toUTCString();
+  const SameSite = secure ? 'Strict' : 'Lax';
+  return `session=${token}; HttpOnly; Secure; SameSite=${SameSite}; Path=/; Expires=${expires}`;
+}
+
+export async function handleAuth(request: Request, env: any, subpath: string): Promise<Response> {
+  const method = request.method;
+  const clientIP = getClientIP(request);
+  const path = subpath.replace(/^\//, '').split('/')[0];
+  const url = new URL(request.url);
+  const isSecure = url.protocol === 'https:';
+
+  // Check rate limit for login attempts
+  const rateCheck = await checkRateLimit(env, clientIP);
+  if (!rateCheck.allowed) {
+    return new Response(JSON.stringify({ 
+      error: 'Too many failed attempts. Please wait.',
+      retryAfter: Math.ceil(rateCheck.delayMs / 1000)
+    }), {
+      status: 429,
+      headers: { 
+        'Content-Type': 'application/json',
+        'Retry-After': String(Math.ceil(rateCheck.delayMs / 1000))
+      }
+    });
+  }
+
+  switch (path) {
+    case 'setup':
+      return handleSetup(request, env, clientIP, isSecure);
+    case 'status':
+      return handleStatus(env);
+    case 'login':
+      return handleLogin(request, env, clientIP, isSecure);
+    case 'logout':
+      return handleLogout(request, env);
+    default:
+      return createErrorResponse('Not found', 404);
+  }
+}
+
+async function handleSetup(request: Request, env: any, clientIP: string, isSecure: boolean): Promise<Response> {
+  if (request.method !== 'POST') {
+    return createErrorResponse('Method not allowed', 405);
+  }
+
+  const existing = await getAuthStore(env);
+  if (existing) {
+    return createErrorResponse('Admin already configured. Use /auth/login to login.', 400);
+  }
+
+  try {
+    const body = await request.json();
+    const { username, password } = body;
+
+    if (!username || !password) {
+      return createErrorResponse('Username and password required', 400);
+    }
+
+    if (username.length < 3 || password.length < 8) {
+      return createErrorResponse('Username must be 3+ chars, password must be 8+ chars', 400);
+    }
+
+    await setupAuth(env, username, password);
+    await clearRateLimit(env, clientIP);
+
+    const token = crypto.randomUUID();
+    await env.KV.put(`session:${token}`, JSON.stringify({
+      createdAt: Date.now(),
+      expiresAt: Date.now() + (7 * 24 * 60 * 60 * 1000)
+    }), { expirationTtl: 7 * 24 * 60 * 60 });
+
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json',
+      'Set-Cookie': createSessionCookie(token, isSecure)
+    };
+
+    return new Response(JSON.stringify({ 
+      success: true,
+      message: 'Admin configured successfully'
+    }), {
+      status: 201,
+      headers
+    });
+  } catch (e) {
+    return createErrorResponse('Invalid request body', 400);
+  }
+}
+
+async function handleStatus(env: any): Promise<Response> {
+  const store = await getAuthStore(env);
+  
+  return createJSONResponse({
+    configured: !!store,
+    username: store?.username || null
+  });
+}
+
+async function handleLogin(request: Request, env: any, clientIP: string, isSecure: boolean): Promise<Response> {
+  if (request.method !== 'POST') {
+    return createErrorResponse('Method not allowed', 405);
+  }
+
+  const store = await getAuthStore(env);
+  if (!store) {
+    return createErrorResponse('Admin not configured. Use POST /auth/setup first.', 401);
+  }
+
+  try {
+    const body = await request.json();
+    const { username, password } = body;
+
+    if (!username || !password) {
+      return createErrorResponse('Username and password required', 400);
+    }
+
+    if (await verifyCredentials(env, username, password)) {
+      await clearRateLimit(env, clientIP);
+
+      const token = crypto.randomUUID();
+      await env.KV.put(`session:${token}`, JSON.stringify({
+        createdAt: Date.now(),
+        expiresAt: Date.now() + (7 * 24 * 60 * 60 * 1000)
+      }), { expirationTtl: 7 * 24 * 60 * 60 });
+
+      const headers: Record<string, string> = {
+        'Content-Type': 'application/json',
+        'Set-Cookie': createSessionCookie(token, isSecure)
+      };
+
+      return new Response(JSON.stringify({ 
+        success: true,
+        message: 'Login successful'
+      }), {
+        status: 200,
+        headers
+      });
+    } else {
+      await recordFailedAttempt(env, clientIP);
+      return createErrorResponse('Invalid credentials', 401);
+    }
+  } catch (e) {
+    return createErrorResponse('Invalid request body', 400);
+  }
+}
+
+async function handleLogout(request: Request, env: any): Promise<Response> {
+  if (request.method !== 'POST') {
+    return createErrorResponse('Method not allowed', 405);
+  }
+
+  const cookieHeader = request.headers.get('Cookie');
+  const sessionToken = cookieHeader?.split(';')
+    .find(c => c.trim().startsWith('session='))
+    ?.split('=')[1];
+
+  if (sessionToken) {
+    await env.KV.delete(`session:${sessionToken}`);
+  }
+
+  return new Response(JSON.stringify({ success: true, message: 'Logged out' }), {
+    status: 200,
+    headers: {
+      'Content-Type': 'application/json',
+      'Set-Cookie': 'session=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0'
+    }
+  });
+}

package/src/api/handlers/auth.ts

@@ -0,0 +1,157 @@
+const AUTH_KV = 'auth_store';
+const RATE_LIMIT_KV = 'rate_limit';
+const MAX_ATTEMPTS = 5;
+const BASE_DELAY_MS = 1000; // 1 second
+const MAX_DELAY_MS = 60000; // 1 minute
+
+interface AuthStore {
+  username: string;
+  passwordHash: string;
+  salt: string;
+}
+
+interface RateLimitEntry {
+  attempts: number;
+  firstAttempt: number;
+  lastAttempt: number;
+}
+
+async function hashPassword(password: string, salt: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(password),
+    'PBKDF2',
+    false,
+    ['deriveBits']
+  );
+  
+  const saltBuffer = encoder.encode(salt);
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      salt: saltBuffer,
+      iterations: 100000,
+      hash: 'SHA-256'
+    },
+    keyMaterial,
+    256
+  );
+  
+  return btoa(String.fromCharCode(...new Uint8Array(derivedBits)));
+}
+
+async function generateSalt(): Promise<string> {
+  const saltBytes = crypto.getRandomValues(new Uint8Array(16));
+  return btoa(String.fromCharCode(...saltBytes));
+}
+
+async function checkRateLimit(env: any, ip: string): Promise<{ allowed: boolean; delayMs: number }> {
+  const kvKey = `rate:${ip}`;
+  const entry = await env.KV.get(kvKey, 'json') as RateLimitEntry | null;
+  
+  if (!entry) {
+    return { allowed: true, delayMs: 0 };
+  }
+  
+  const now = Date.now();
+  const windowMs = 15 * 60 * 1000; // 15 minute window
+  
+  // Reset if window expired
+  if (now - entry.firstAttempt > windowMs) {
+    return { allowed: true, delayMs: 0 };
+  }
+  
+  // Check if exceeded max attempts
+  if (entry.attempts >= MAX_ATTEMPTS) {
+    const delayMs = Math.min(BASE_DELAY_MS * Math.pow(2, entry.attempts - MAX_ATTEMPTS), MAX_DELAY_MS);
+    const timeSinceLast = now - entry.lastAttempt;
+    
+    if (timeSinceLast < delayMs) {
+      return { allowed: false, delayMs: delayMs - timeSinceLast };
+    }
+  }
+  
+  return { allowed: true, delayMs: 0 };
+}
+
+async function recordFailedAttempt(env: any, ip: string): Promise<void> {
+  const kvKey = `rate:${ip}`;
+  const entry = await env.KV.get(kvKey, 'json') as RateLimitEntry | null;
+  
+  const now = Date.now();
+  const windowMs = 15 * 60 * 1000;
+  
+  if (!entry || now - entry.firstAttempt > windowMs) {
+    // Start new window
+    await env.KV.put(kvKey, JSON.stringify({
+      attempts: 1,
+      firstAttempt: now,
+      lastAttempt: now
+    }), { expirationTtl: Math.ceil(windowMs / 1000) + 60 });
+  } else {
+    entry.attempts++;
+    entry.lastAttempt = now;
+    await env.KV.put(kvKey, JSON.stringify(entry), { 
+      expirationTtl: Math.ceil(windowMs / 1000) + 60 
+    });
+  }
+}
+
+async function clearRateLimit(env: any, ip: string): Promise<void> {
+  const kvKey = `rate:${ip}`;
+  await env.KV.delete(kvKey);
+}
+
+async function getAuthStore(env: any): Promise<AuthStore | null> {
+  const store = await env.KV.get(AUTH_KV, 'json') as AuthStore | null;
+  return store;
+}
+
+async function setupAuth(env: any, username: string, password: string): Promise<void> {
+  const salt = await generateSalt();
+  const passwordHash = await hashPassword(password, salt);
+  
+  await env.KV.put(AUTH_KV, JSON.stringify({
+    username,
+    passwordHash,
+    salt
+  }));
+}
+
+async function verifyCredentials(env: any, username: string, password: string): Promise<boolean> {
+  const store = await getAuthStore(env);
+  
+  if (!store) {
+    return false;
+  }
+  
+  if (username !== store.username) {
+    return false;
+  }
+  
+  const hash = await hashPassword(password, store.salt);
+  return hash === store.passwordHash;
+}
+
+function getClientIP(request: Request): string {
+  return request.headers.get('CF-Connecting-IP') || 
+         request.headers.get('X-Forwarded-For')?.split(',')[0]?.trim() ||
+         'unknown';
+}
+
+export { 
+  hashPassword, 
+  generateSalt, 
+  checkRateLimit, 
+  recordFailedAttempt, 
+  clearRateLimit,
+  getAuthStore,
+  setupAuth,
+  verifyCredentials,
+  getClientIP,
+  AUTH_KV,
+  RATE_LIMIT_KV,
+  MAX_ATTEMPTS,
+  BASE_DELAY_MS
+};

package/src/api/handlers/content.ts

@@ -1,4 +1,20 @@
 import { createJSONResponse, createErrorResponse } from '../utils';
+import { 
+  checkRateLimit, 
+  recordFailedAttempt, 
+  clearRateLimit,
+  verifyCredentials,
+  getClientIP,
+  getAuthStore
+} from './auth';
+
+function getSessionToken(request: Request): string | null {
+  const cookieHeader = request.headers.get('Cookie');
+  if (!cookieHeader) return null;
+  const match = cookieHeader.split(';')
+    .find(c => c.trim().startsWith('session='));
+  return match?.split('=')[1] || null;
+}
 
 export async function handleContent(request: Request, env: any, subpath: string): Promise<Response> {
   const bucket = env.CONTENT_BUCKET;
@@ -7,9 +23,68 @@ export async function handleContent(request: Request, env: any, subpath: string)
   }
 
   const method = request.method;
+  const clientIP = getClientIP(request);
+
+  const rateCheck = await checkRateLimit(env, clientIP);
+  if (!rateCheck.allowed) {
+    return new Response(JSON.stringify({ 
+      error: 'Too many failed attempts. Please wait.',
+      retryAfter: Math.ceil(rateCheck.delayMs / 1000)
+    }), {
+      status: 429,
+      headers: { 
+        'Content-Type': 'application/json',
+        'Retry-After': String(Math.ceil(rateCheck.delayMs / 1000))
+      }
+    });
+  }
+
+  const store = await getAuthStore(env);
+  
+  if (!store) {
+    if (method === 'GET') {
+      return handleGet(request, bucket, subpath);
+    }
+    return createErrorResponse('Admin not configured. Use POST /auth/setup to configure.', 401);
+  }
 
-  // List content: GET /content (subpath is empty or just slash)
-  if (method === 'GET' && (!subpath || subpath === '/')) {
+  const sessionToken = getSessionToken(request);
+  let isAuthenticated = false;
+  
+  if (sessionToken) {
+    const session = await env.KV.get(`session:${sessionToken}`, 'json');
+    if (session && session.expiresAt > Date.now()) {
+      isAuthenticated = true;
+    }
+  }
+
+  const authHeader = request.headers.get('Authorization');
+  if (!isAuthenticated && authHeader?.startsWith('Basic ')) {
+    try {
+      const credentials = atob(authHeader.slice(6));
+      const [username, password] = credentials.split(':');
+      if (await verifyCredentials(env, username, password)) {
+        isAuthenticated = true;
+      }
+    } catch (e) {}
+  }
+
+  if (!isAuthenticated) {
+    await recordFailedAttempt(env, clientIP);
+    return createErrorResponse('Unauthorized', 401);
+  }
+
+  await clearRateLimit(env, clientIP);
+
+  if (method === 'GET') {
+    return handleGet(request, bucket, subpath);
+  }
+
+  return handleWrite(request, bucket, subpath, env, method);
+}
+
+async function handleGet(request: Request, bucket: any, subpath: string): Promise<Response> {
+  if (request.method === 'GET' && (!subpath || subpath === '/')) {
     try {
       const list = await bucket.list();
       return createJSONResponse(list.objects.map((o: any) => ({
@@ -23,8 +98,7 @@ export async function handleContent(request: Request, env: any, subpath: string)
     }
   }
 
-  // Get content: GET /content/:key
-  if (method === 'GET' && subpath) {
+  if (request.method === 'GET' && subpath) {
     try {
       const object = await bucket.get(subpath);
       if (!object) {
@@ -39,16 +113,10 @@ export async function handleContent(request: Request, env: any, subpath: string)
     }
   }
 
-  // Auth check for write operations
-  const authHeader = request.headers.get('Authorization');
-  const apiKey = env.ADMIN_API_KEY; 
-  // Allow if apiKey is not set (dev mode) OR matches
-  // WARN: In prod, ADMIN_API_KEY should be set!
-  if (apiKey && authHeader !== `Bearer ${apiKey}`) {
-    return createErrorResponse('Unauthorized', 401);
-  }
+  return createErrorResponse('Method not allowed', 405);
+}
 
-  // Upload content: PUT /content/:key
+async function handleWrite(request: Request, bucket: any, subpath: string, env: any, method: string): Promise<Response> {
   if (method === 'PUT' && subpath) {
     try {
       await bucket.put(subpath, request.body);
@@ -58,7 +126,6 @@ export async function handleContent(request: Request, env: any, subpath: string)
     }
   }
 
-  // Delete content: DELETE /content/:key
   if (method === 'DELETE' && subpath) {
     try {
       await bucket.delete(subpath);

package/src/api/index.ts

@@ -1,6 +1,8 @@
 import { WebsiteAPI } from './website-api';
 export { WebsiteAPI };
 export type { APIHandler } from './website-api';
+export * from './handlers/auth';
+export * from './handlers/auth-handler';
 
 // Default worker export using WebsiteAPI
 const defaultAPI = new WebsiteAPI();

package/src/api/website-api.ts

@@ -3,9 +3,11 @@ import { handleAboutMe, clearContentCache } from './handlers/about-me';
 import { handleHome } from './handlers/home';
 import { handleInfo } from './handlers/info';
 import { handleContent } from './handlers/content';
+import { handleAuth } from './handlers/auth-handler';
 import { handleBlogs, handleStories, handleSearch } from './handlers/content-api';
 import { handleLogo } from './handlers/logo';
 import { handleStaticDetails } from './handlers/static-details';
+import { getAuthStore } from './handlers/auth';
 
 export type APIHandler = (request: Request, env: any) => Promise<Response>;
 
@@ -23,6 +25,14 @@ export class WebsiteAPI {
     return response;
   }
 
+  private addAdminCORSHeaders(response: Response): Response {
+    response.headers.set('Access-Control-Allow-Origin', 'same-origin');
+    response.headers.set('Access-Control-Allow-Credentials', 'true');
+    response.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
+    response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+    return response;
+  }
+
   private handleCORS(): Response {
     return new Response(null, {
       status: 200,
@@ -35,18 +45,6 @@ export class WebsiteAPI {
     });
   }
 
-  private requireAuth(request: Request, env?: any): Response | null {
-    const authHeader = request.headers.get('Authorization');
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      return createErrorResponse('Unauthorized', 401);
-    }
-    const token = authHeader.slice(7);
-    if (token !== env?.ADMIN_API_KEY) {
-      return createErrorResponse('Unauthorized', 401);
-    }
-    return null;
-  }
-
   public async fetch(request: Request, env: any): Promise<Response> {
     const url = new URL(request.url);
 
@@ -70,7 +68,7 @@ export class WebsiteAPI {
       // Check for content route first (content/*)
       if (route === 'content' || route.startsWith('content/')) {
         const subpath = route.replace(/^content\/?/, '');
-        return this.addCORSHeaders(await handleContent(request, env, subpath));
+        return this.addAdminCORSHeaders(await handleContent(request, env, subpath));
       }
 
       switch (route) {
@@ -79,16 +77,24 @@ export class WebsiteAPI {
         case 'home':
           return this.addCORSHeaders(await handleHome(env));
         case 'cache-clear':
-          const authError = this.requireAuth(request, env);
-          if (authError) return this.addCORSHeaders(authError);
+          const cookieHeader = request.headers.get('Cookie');
+          const sessionToken = cookieHeader?.split(';')
+            .find(c => c.trim().startsWith('session='))
+            ?.split('=')[1];
+          const session = sessionToken ? await env.KV.get(`session:${sessionToken}`, 'json') : null;
+          if (!session || session.expiresAt < Date.now()) {
+            return this.addAdminCORSHeaders(createErrorResponse('Unauthorized', 401));
+          }
           clearContentCache();
-          return this.addCORSHeaders(new Response(JSON.stringify({ success: true, message: 'Cache cleared' }), { status: 200 }));
+          return this.addAdminCORSHeaders(new Response(JSON.stringify({ success: true, message: 'Cache cleared' }), { status: 200 }));
         case 'aboutme':
           return this.addCORSHeaders(await handleAboutMe(env));
         case 'logo':
           return this.addCORSHeaders(await handleLogo(env));
         case 'static':
           return this.addCORSHeaders(await handleStaticDetails(env));
+        case 'auth':
+          return this.addAdminCORSHeaders(await handleAuth(request, env, '/auth'));
         case 'blogs':
           return this.addCORSHeaders(await handleBlogs(env));
         case 'blogs/latest':