@leadertechie/personal-site-kit 0.1.0-alpha.4 → 0.1.0-alpha.6

package/src/api/handlers/auth-handler.ts

@@ -0,0 +1,181 @@
+import { createJSONResponse, createErrorResponse } from '../utils';
+import { 
+  setupAuth, 
+  getAuthStore,
+  checkRateLimit,
+  recordFailedAttempt,
+  clearRateLimit,
+  verifyCredentials,
+  getClientIP,
+  MAX_ATTEMPTS
+} from './auth';
+
+function createSessionCookie(token: string, secure: boolean): string {
+  const expires = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toUTCString();
+  const SameSite = secure ? 'Strict' : 'Lax';
+  return `session=${token}; HttpOnly; Secure; SameSite=${SameSite}; Path=/; Expires=${expires}`;
+}
+
+export async function handleAuth(request: Request, env: any, subpath: string): Promise<Response> {
+  const method = request.method;
+  const clientIP = getClientIP(request);
+  const path = subpath.replace(/^\//, '').split('/')[0];
+  const url = new URL(request.url);
+  const isSecure = url.protocol === 'https:';
+
+  // Check rate limit for login attempts
+  const rateCheck = await checkRateLimit(env, clientIP);
+  if (!rateCheck.allowed) {
+    return new Response(JSON.stringify({ 
+      error: 'Too many failed attempts. Please wait.',
+      retryAfter: Math.ceil(rateCheck.delayMs / 1000)
+    }), {
+      status: 429,
+      headers: { 
+        'Content-Type': 'application/json',
+        'Retry-After': String(Math.ceil(rateCheck.delayMs / 1000))
+      }
+    });
+  }
+
+  switch (path) {
+    case 'setup':
+      return handleSetup(request, env, clientIP, isSecure);
+    case 'status':
+      return handleStatus(env);
+    case 'login':
+      return handleLogin(request, env, clientIP, isSecure);
+    case 'logout':
+      return handleLogout(request, env);
+    default:
+      return createErrorResponse('Not found', 404);
+  }
+}
+
+async function handleSetup(request: Request, env: any, clientIP: string, isSecure: boolean): Promise<Response> {
+  if (request.method !== 'POST') {
+    return createErrorResponse('Method not allowed', 405);
+  }
+
+  const existing = await getAuthStore(env);
+  if (existing) {
+    return createErrorResponse('Admin already configured. Use /auth/login to login.', 400);
+  }
+
+  try {
+    const body = await request.json();
+    const { username, password } = body;
+
+    if (!username || !password) {
+      return createErrorResponse('Username and password required', 400);
+    }
+
+    if (username.length < 3 || password.length < 8) {
+      return createErrorResponse('Username must be 3+ chars, password must be 8+ chars', 400);
+    }
+
+    await setupAuth(env, username, password);
+    await clearRateLimit(env, clientIP);
+
+    const token = crypto.randomUUID();
+    await env.KV.put(`session:${token}`, JSON.stringify({
+      createdAt: Date.now(),
+      expiresAt: Date.now() + (7 * 24 * 60 * 60 * 1000)
+    }), { expirationTtl: 7 * 24 * 60 * 60 });
+
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json',
+      'Set-Cookie': createSessionCookie(token, isSecure)
+    };
+
+    return new Response(JSON.stringify({ 
+      success: true,
+      message: 'Admin configured successfully'
+    }), {
+      status: 201,
+      headers
+    });
+  } catch (e) {
+    return createErrorResponse('Invalid request body', 400);
+  }
+}
+
+async function handleStatus(env: any): Promise<Response> {
+  const store = await getAuthStore(env);
+  
+  return createJSONResponse({
+    configured: !!store,
+    username: store?.username || null
+  });
+}
+
+async function handleLogin(request: Request, env: any, clientIP: string, isSecure: boolean): Promise<Response> {
+  if (request.method !== 'POST') {
+    return createErrorResponse('Method not allowed', 405);
+  }
+
+  const store = await getAuthStore(env);
+  if (!store) {
+    return createErrorResponse('Admin not configured. Use POST /auth/setup first.', 401);
+  }
+
+  try {
+    const body = await request.json();
+    const { username, password } = body;
+
+    if (!username || !password) {
+      return createErrorResponse('Username and password required', 400);
+    }
+
+    if (await verifyCredentials(env, username, password)) {
+      await clearRateLimit(env, clientIP);
+
+      const token = crypto.randomUUID();
+      await env.KV.put(`session:${token}`, JSON.stringify({
+        createdAt: Date.now(),
+        expiresAt: Date.now() + (7 * 24 * 60 * 60 * 1000)
+      }), { expirationTtl: 7 * 24 * 60 * 60 });
+
+      const headers: Record<string, string> = {
+        'Content-Type': 'application/json',
+        'Set-Cookie': createSessionCookie(token, isSecure)
+      };
+
+      return new Response(JSON.stringify({ 
+        success: true,
+        message: 'Login successful'
+      }), {
+        status: 200,
+        headers
+      });
+    } else {
+      await recordFailedAttempt(env, clientIP);
+      return createErrorResponse('Invalid credentials', 401);
+    }
+  } catch (e) {
+    return createErrorResponse('Invalid request body', 400);
+  }
+}
+
+async function handleLogout(request: Request, env: any): Promise<Response> {
+  if (request.method !== 'POST') {
+    return createErrorResponse('Method not allowed', 405);
+  }
+
+  const cookieHeader = request.headers.get('Cookie');
+  const sessionToken = cookieHeader?.split(';')
+    .find(c => c.trim().startsWith('session='))
+    ?.split('=')[1];
+
+  if (sessionToken) {
+    await env.KV.delete(`session:${sessionToken}`);
+  }
+
+  return new Response(JSON.stringify({ success: true, message: 'Logged out' }), {
+    status: 200,
+    headers: {
+      'Content-Type': 'application/json',
+      'Set-Cookie': 'session=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0'
+    }
+  });
+}

package/src/api/handlers/auth.ts

@@ -0,0 +1,157 @@
+const AUTH_KV = 'auth_store';
+const RATE_LIMIT_KV = 'rate_limit';
+const MAX_ATTEMPTS = 5;
+const BASE_DELAY_MS = 1000; // 1 second
+const MAX_DELAY_MS = 60000; // 1 minute
+
+interface AuthStore {
+  username: string;
+  passwordHash: string;
+  salt: string;
+}
+
+interface RateLimitEntry {
+  attempts: number;
+  firstAttempt: number;
+  lastAttempt: number;
+}
+
+async function hashPassword(password: string, salt: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(password),
+    'PBKDF2',
+    false,
+    ['deriveBits']
+  );
+  
+  const saltBuffer = encoder.encode(salt);
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      salt: saltBuffer,
+      iterations: 100000,
+      hash: 'SHA-256'
+    },
+    keyMaterial,
+    256
+  );
+  
+  return btoa(String.fromCharCode(...new Uint8Array(derivedBits)));
+}
+
+async function generateSalt(): Promise<string> {
+  const saltBytes = crypto.getRandomValues(new Uint8Array(16));
+  return btoa(String.fromCharCode(...saltBytes));
+}
+
+async function checkRateLimit(env: any, ip: string): Promise<{ allowed: boolean; delayMs: number }> {
+  const kvKey = `rate:${ip}`;
+  const entry = await env.KV.get(kvKey, 'json') as RateLimitEntry | null;
+  
+  if (!entry) {
+    return { allowed: true, delayMs: 0 };
+  }
+  
+  const now = Date.now();
+  const windowMs = 15 * 60 * 1000; // 15 minute window
+  
+  // Reset if window expired
+  if (now - entry.firstAttempt > windowMs) {
+    return { allowed: true, delayMs: 0 };
+  }
+  
+  // Check if exceeded max attempts
+  if (entry.attempts >= MAX_ATTEMPTS) {
+    const delayMs = Math.min(BASE_DELAY_MS * Math.pow(2, entry.attempts - MAX_ATTEMPTS), MAX_DELAY_MS);
+    const timeSinceLast = now - entry.lastAttempt;
+    
+    if (timeSinceLast < delayMs) {
+      return { allowed: false, delayMs: delayMs - timeSinceLast };
+    }
+  }
+  
+  return { allowed: true, delayMs: 0 };
+}
+
+async function recordFailedAttempt(env: any, ip: string): Promise<void> {
+  const kvKey = `rate:${ip}`;
+  const entry = await env.KV.get(kvKey, 'json') as RateLimitEntry | null;
+  
+  const now = Date.now();
+  const windowMs = 15 * 60 * 1000;
+  
+  if (!entry || now - entry.firstAttempt > windowMs) {
+    // Start new window
+    await env.KV.put(kvKey, JSON.stringify({
+      attempts: 1,
+      firstAttempt: now,
+      lastAttempt: now
+    }), { expirationTtl: Math.ceil(windowMs / 1000) + 60 });
+  } else {
+    entry.attempts++;
+    entry.lastAttempt = now;
+    await env.KV.put(kvKey, JSON.stringify(entry), { 
+      expirationTtl: Math.ceil(windowMs / 1000) + 60 
+    });
+  }
+}
+
+async function clearRateLimit(env: any, ip: string): Promise<void> {
+  const kvKey = `rate:${ip}`;
+  await env.KV.delete(kvKey);
+}
+
+async function getAuthStore(env: any): Promise<AuthStore | null> {
+  const store = await env.KV.get(AUTH_KV, 'json') as AuthStore | null;
+  return store;
+}
+
+async function setupAuth(env: any, username: string, password: string): Promise<void> {
+  const salt = await generateSalt();
+  const passwordHash = await hashPassword(password, salt);
+  
+  await env.KV.put(AUTH_KV, JSON.stringify({
+    username,
+    passwordHash,
+    salt
+  }));
+}
+
+async function verifyCredentials(env: any, username: string, password: string): Promise<boolean> {
+  const store = await getAuthStore(env);
+  
+  if (!store) {
+    return false;
+  }
+  
+  if (username !== store.username) {
+    return false;
+  }
+  
+  const hash = await hashPassword(password, store.salt);
+  return hash === store.passwordHash;
+}
+
+function getClientIP(request: Request): string {
+  return request.headers.get('CF-Connecting-IP') || 
+         request.headers.get('X-Forwarded-For')?.split(',')[0]?.trim() ||
+         'unknown';
+}
+
+export { 
+  hashPassword, 
+  generateSalt, 
+  checkRateLimit, 
+  recordFailedAttempt, 
+  clearRateLimit,
+  getAuthStore,
+  setupAuth,
+  verifyCredentials,
+  getClientIP,
+  AUTH_KV,
+  RATE_LIMIT_KV,
+  MAX_ATTEMPTS,
+  BASE_DELAY_MS
+};

package/src/api/handlers/content.ts

@@ -1,4 +1,20 @@
 import { createJSONResponse, createErrorResponse } from '../utils';
+import { 
+  checkRateLimit, 
+  recordFailedAttempt, 
+  clearRateLimit,
+  verifyCredentials,
+  getClientIP,
+  getAuthStore
+} from './auth';
+
+function getSessionToken(request: Request): string | null {
+  const cookieHeader = request.headers.get('Cookie');
+  if (!cookieHeader) return null;
+  const match = cookieHeader.split(';')
+    .find(c => c.trim().startsWith('session='));
+  return match?.split('=')[1] || null;
+}
 
 export async function handleContent(request: Request, env: any, subpath: string): Promise<Response> {
   const bucket = env.CONTENT_BUCKET;
@@ -7,9 +23,68 @@ export async function handleContent(request: Request, env: any, subpath: string)
   }
 
   const method = request.method;
+  const clientIP = getClientIP(request);
+
+  const rateCheck = await checkRateLimit(env, clientIP);
+  if (!rateCheck.allowed) {
+    return new Response(JSON.stringify({ 
+      error: 'Too many failed attempts. Please wait.',
+      retryAfter: Math.ceil(rateCheck.delayMs / 1000)
+    }), {
+      status: 429,
+      headers: { 
+        'Content-Type': 'application/json',
+        'Retry-After': String(Math.ceil(rateCheck.delayMs / 1000))
+      }
+    });
+  }
+
+  const store = await getAuthStore(env);
+  
+  if (!store) {
+    if (method === 'GET') {
+      return handleGet(request, bucket, subpath);
+    }
+    return createErrorResponse('Admin not configured. Use POST /auth/setup to configure.', 401);
+  }
 
-  // List content: GET /content (subpath is empty or just slash)
-  if (method === 'GET' && (!subpath || subpath === '/')) {
+  const sessionToken = getSessionToken(request);
+  let isAuthenticated = false;
+  
+  if (sessionToken) {
+    const session = await env.KV.get(`session:${sessionToken}`, 'json');
+    if (session && session.expiresAt > Date.now()) {
+      isAuthenticated = true;
+    }
+  }
+
+  const authHeader = request.headers.get('Authorization');
+  if (!isAuthenticated && authHeader?.startsWith('Basic ')) {
+    try {
+      const credentials = atob(authHeader.slice(6));
+      const [username, password] = credentials.split(':');
+      if (await verifyCredentials(env, username, password)) {
+        isAuthenticated = true;
+      }
+    } catch (e) {}
+  }
+
+  if (!isAuthenticated) {
+    await recordFailedAttempt(env, clientIP);
+    return createErrorResponse('Unauthorized', 401);
+  }
+
+  await clearRateLimit(env, clientIP);
+
+  if (method === 'GET') {
+    return handleGet(request, bucket, subpath);
+  }
+
+  return handleWrite(request, bucket, subpath, env, method);
+}
+
+async function handleGet(request: Request, bucket: any, subpath: string): Promise<Response> {
+  if (request.method === 'GET' && (!subpath || subpath === '/')) {
     try {
       const list = await bucket.list();
       return createJSONResponse(list.objects.map((o: any) => ({
@@ -23,8 +98,7 @@ export async function handleContent(request: Request, env: any, subpath: string)
     }
   }
 
-  // Get content: GET /content/:key
-  if (method === 'GET' && subpath) {
+  if (request.method === 'GET' && subpath) {
     try {
       const object = await bucket.get(subpath);
       if (!object) {
@@ -39,16 +113,10 @@ export async function handleContent(request: Request, env: any, subpath: string)
     }
   }
 
-  // Auth check for write operations
-  const authHeader = request.headers.get('Authorization');
-  const apiKey = env.ADMIN_API_KEY; 
-  // Allow if apiKey is not set (dev mode) OR matches
-  // WARN: In prod, ADMIN_API_KEY should be set!
-  if (apiKey && authHeader !== `Bearer ${apiKey}`) {
-    return createErrorResponse('Unauthorized', 401);
-  }
+  return createErrorResponse('Method not allowed', 405);
+}
 
-  // Upload content: PUT /content/:key
+async function handleWrite(request: Request, bucket: any, subpath: string, env: any, method: string): Promise<Response> {
   if (method === 'PUT' && subpath) {
     try {
       await bucket.put(subpath, request.body);
@@ -58,7 +126,6 @@ export async function handleContent(request: Request, env: any, subpath: string)
     }
   }
 
-  // Delete content: DELETE /content/:key
   if (method === 'DELETE' && subpath) {
     try {
       await bucket.delete(subpath);

package/src/api/index.ts

@@ -1,6 +1,8 @@
 import { WebsiteAPI } from './website-api';
 export { WebsiteAPI };
 export type { APIHandler } from './website-api';
+export * from './handlers/auth';
+export * from './handlers/auth-handler';
 
 // Default worker export using WebsiteAPI
 const defaultAPI = new WebsiteAPI();

package/src/api/website-api.ts

@@ -3,9 +3,11 @@ import { handleAboutMe, clearContentCache } from './handlers/about-me';
 import { handleHome } from './handlers/home';
 import { handleInfo } from './handlers/info';
 import { handleContent } from './handlers/content';
+import { handleAuth } from './handlers/auth-handler';
 import { handleBlogs, handleStories, handleSearch } from './handlers/content-api';
 import { handleLogo } from './handlers/logo';
 import { handleStaticDetails } from './handlers/static-details';
+import { getAuthStore } from './handlers/auth';
 
 export type APIHandler = (request: Request, env: any) => Promise<Response>;
 
@@ -23,6 +25,14 @@ export class WebsiteAPI {
     return response;
   }
 
+  private addAdminCORSHeaders(response: Response): Response {
+    response.headers.set('Access-Control-Allow-Origin', 'same-origin');
+    response.headers.set('Access-Control-Allow-Credentials', 'true');
+    response.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
+    response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+    return response;
+  }
+
   private handleCORS(): Response {
     return new Response(null, {
       status: 200,
@@ -35,18 +45,6 @@ export class WebsiteAPI {
     });
   }
 
-  private requireAuth(request: Request, env?: any): Response | null {
-    const authHeader = request.headers.get('Authorization');
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      return createErrorResponse('Unauthorized', 401);
-    }
-    const token = authHeader.slice(7);
-    if (token !== env?.ADMIN_API_KEY) {
-      return createErrorResponse('Unauthorized', 401);
-    }
-    return null;
-  }
-
   public async fetch(request: Request, env: any): Promise<Response> {
     const url = new URL(request.url);
 
@@ -70,7 +68,7 @@ export class WebsiteAPI {
       // Check for content route first (content/*)
       if (route === 'content' || route.startsWith('content/')) {
         const subpath = route.replace(/^content\/?/, '');
-        return this.addCORSHeaders(await handleContent(request, env, subpath));
+        return this.addAdminCORSHeaders(await handleContent(request, env, subpath));
       }
 
       switch (route) {
@@ -79,16 +77,24 @@ export class WebsiteAPI {
         case 'home':
           return this.addCORSHeaders(await handleHome(env));
         case 'cache-clear':
-          const authError = this.requireAuth(request, env);
-          if (authError) return this.addCORSHeaders(authError);
+          const cookieHeader = request.headers.get('Cookie');
+          const sessionToken = cookieHeader?.split(';')
+            .find(c => c.trim().startsWith('session='))
+            ?.split('=')[1];
+          const session = sessionToken ? await env.KV.get(`session:${sessionToken}`, 'json') : null;
+          if (!session || session.expiresAt < Date.now()) {
+            return this.addAdminCORSHeaders(createErrorResponse('Unauthorized', 401));
+          }
           clearContentCache();
-          return this.addCORSHeaders(new Response(JSON.stringify({ success: true, message: 'Cache cleared' }), { status: 200 }));
+          return this.addAdminCORSHeaders(new Response(JSON.stringify({ success: true, message: 'Cache cleared' }), { status: 200 }));
         case 'aboutme':
           return this.addCORSHeaders(await handleAboutMe(env));
         case 'logo':
           return this.addCORSHeaders(await handleLogo(env));
         case 'static':
           return this.addCORSHeaders(await handleStaticDetails(env));
+        case 'auth':
+          return this.addAdminCORSHeaders(await handleAuth(request, env, '/auth'));
         case 'blogs':
           return this.addCORSHeaders(await handleBlogs(env));
         case 'blogs/latest':