@libredb/studio 0.9.7

package/src/lib/logger.ts

@@ -0,0 +1,127 @@
+/**
+ * Structured Logger
+ * Isomorphic logger with level filtering and context support
+ */
+
+type LogLevel = 'debug' | 'info' | 'warn' | 'error';
+
+export interface LogContext {
+  route?: string;
+  provider?: string;
+  connectionId?: string;
+  duration?: number;
+  [key: string]: unknown;
+}
+
+const LEVEL_ORDER: Record<LogLevel, number> = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+};
+
+function getMinLevel(): LogLevel {
+  if (typeof process !== 'undefined' && process.env?.LOG_LEVEL) {
+    const env = process.env.LOG_LEVEL.toLowerCase();
+    if (env in LEVEL_ORDER) return env as LogLevel;
+  }
+  const isDev =
+    typeof process !== 'undefined' &&
+    process.env?.NODE_ENV !== 'production';
+  return isDev ? 'debug' : 'info';
+}
+
+function shouldLog(level: LogLevel): boolean {
+  return LEVEL_ORDER[level] >= LEVEL_ORDER[getMinLevel()];
+}
+
+function formatContext(ctx?: LogContext): string {
+  if (!ctx) return '';
+  const parts: string[] = [];
+  if (ctx.route) parts.push(`route=${ctx.route}`);
+  if (ctx.provider) parts.push(`provider=${ctx.provider}`);
+  if (ctx.connectionId) parts.push(`connId=${ctx.connectionId}`);
+  if (ctx.duration !== undefined) parts.push(`duration=${ctx.duration}ms`);
+  // Extra keys
+  for (const [k, v] of Object.entries(ctx)) {
+    if (['route', 'provider', 'connectionId', 'duration'].includes(k)) continue;
+    if (v !== undefined) parts.push(`${k}=${typeof v === 'object' ? JSON.stringify(v) : v}`);
+  }
+  return parts.length ? ` {${parts.join(', ')}}` : '';
+}
+
+function extractError(error: unknown): { name: string; message: string; stack?: string } | undefined {
+  if (!error) return undefined;
+  if (error instanceof Error) {
+    const isDev =
+      typeof process !== 'undefined' &&
+      process.env?.NODE_ENV !== 'production';
+    return {
+      name: error.name,
+      message: error.message,
+      stack: isDev ? error.stack : undefined,
+    };
+  }
+  return { name: 'Unknown', message: String(error) };
+}
+
+/** Sanitize log message to prevent log injection (newlines, control chars) */
+function sanitizeLogValue(value: string): string {
+  return value.replace(/[\r\n]/g, ' ').replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '');
+}
+
+function log(level: LogLevel, message: string, error?: unknown, context?: LogContext): void {
+  if (!shouldLog(level)) return;
+
+  const timestamp = new Date().toISOString();
+  const tag = level.toUpperCase().padEnd(5);
+  const ctx = formatContext(context);
+  const errInfo = level === 'error' ? extractError(error) : undefined;
+
+  const line = `[${tag}] [${timestamp}]${sanitizeLogValue(ctx)} ${sanitizeLogValue(message)}`;
+
+  if (errInfo) {
+    const errLine = ` | ${sanitizeLogValue(errInfo.name)}: ${sanitizeLogValue(errInfo.message)}`;
+    const full = line + errLine;
+    if (errInfo.stack) {
+      // Stack traces contain intentional newlines — sanitize control chars only
+      const safeStack = errInfo.stack.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '');
+      console.error(full, '\n', safeStack);
+    } else {
+      console.error(full);
+    }
+    return;
+  }
+
+  // All values in `line` are already sanitized via sanitizeLogValue
+  const safeLine = line;
+  switch (level) {
+    case 'debug':
+      console.debug(safeLine);
+      break;
+    case 'info':
+      console.info(safeLine);
+      break;
+    case 'warn':
+      console.warn(safeLine);
+      break;
+    case 'error':
+      console.error(safeLine);
+      break;
+  }
+}
+
+export const logger = {
+  debug(message: string, context?: LogContext): void {
+    log('debug', message, undefined, context);
+  },
+  info(message: string, context?: LogContext): void {
+    log('info', message, undefined, context);
+  },
+  warn(message: string, context?: LogContext): void {
+    log('warn', message, undefined, context);
+  },
+  error(message: string, error?: unknown, context?: LogContext): void {
+    log('error', message, error, context);
+  },
+};

package/src/lib/monitoring-thresholds.ts

@@ -0,0 +1,44 @@
+export type ThresholdLevel = 'healthy' | 'warning' | 'critical';
+
+export interface ThresholdConfig {
+  metric: string;
+  warning: number;
+  critical: number;
+  direction: 'above' | 'below';
+  label: string;
+}
+
+export const DEFAULT_THRESHOLDS: ThresholdConfig[] = [
+  { metric: 'cacheHitRatio', warning: 90, critical: 80, direction: 'below', label: 'Cache Hit Ratio' },
+  { metric: 'connectionPercent', warning: 70, critical: 90, direction: 'above', label: 'Connection Usage' },
+  { metric: 'deadlocks', warning: 1, critical: 5, direction: 'above', label: 'Deadlocks' },
+  { metric: 'bufferPoolUsage', warning: 85, critical: 95, direction: 'above', label: 'Buffer Pool Usage' },
+];
+
+export function evaluateThreshold(value: number, config: ThresholdConfig): ThresholdLevel {
+  if (config.direction === 'above') {
+    if (value >= config.critical) return 'critical';
+    if (value >= config.warning) return 'warning';
+    return 'healthy';
+  } else {
+    if (value <= config.critical) return 'critical';
+    if (value <= config.warning) return 'warning';
+    return 'healthy';
+  }
+}
+
+export function getThresholdColor(level: ThresholdLevel): string {
+  switch (level) {
+    case 'critical': return 'border-red-500/50';
+    case 'warning': return 'border-yellow-500/50';
+    case 'healthy': return 'border-green-500/30';
+  }
+}
+
+export function getThresholdBadgeVariant(level: ThresholdLevel): 'destructive' | 'outline' | 'secondary' {
+  switch (level) {
+    case 'critical': return 'destructive';
+    case 'warning': return 'outline';
+    case 'healthy': return 'secondary';
+  }
+}

package/src/lib/oidc.ts

@@ -0,0 +1,262 @@
+import * as client from 'openid-client';
+import { SignJWT, jwtVerify } from 'jose';
+import { logger } from '@/lib/logger';
+
+// ─── Types ──────────────────────────────────────────────────────────────────
+
+export interface OIDCConfig {
+  issuer: string;
+  clientId: string;
+  clientSecret: string;
+  scope: string;
+  roleClaim: string;
+  adminRoles: string[];
+}
+
+export interface OIDCState {
+  code_verifier: string;
+  state: string;
+  nonce: string;
+}
+
+// ─── Configuration ──────────────────────────────────────────────────────────
+
+export function getOIDCConfig(): OIDCConfig {
+  const issuer = process.env.OIDC_ISSUER;
+  const clientId = process.env.OIDC_CLIENT_ID;
+  const clientSecret = process.env.OIDC_CLIENT_SECRET;
+
+  if (!issuer || !clientId || !clientSecret) {
+    throw new Error(
+      'OIDC_ISSUER, OIDC_CLIENT_ID, and OIDC_CLIENT_SECRET are required when using OIDC authentication'
+    );
+  }
+
+  return {
+    issuer,
+    clientId,
+    clientSecret,
+    scope: process.env.OIDC_SCOPE || 'openid profile email',
+    roleClaim: process.env.OIDC_ROLE_CLAIM || '',
+    adminRoles: (process.env.OIDC_ADMIN_ROLES || 'admin')
+      .split(',')
+      .map((r) => r.trim())
+      .filter(Boolean),
+  };
+}
+
+// ─── Discovery (cached) ────────────────────────────────────────────────────
+
+let cachedConfig: client.Configuration | null = null;
+let cacheExpiry = 0;
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+export async function discoverProvider(
+  oidcConfig?: OIDCConfig
+): Promise<client.Configuration> {
+  const now = Date.now();
+  if (cachedConfig && now < cacheExpiry) {
+    return cachedConfig;
+  }
+
+  const config = oidcConfig || getOIDCConfig();
+  const discovered = await client.discovery(
+    new URL(config.issuer),
+    config.clientId,
+    config.clientSecret,
+    client.ClientSecretPost(config.clientSecret)
+  );
+
+  cachedConfig = discovered;
+  cacheExpiry = now + CACHE_TTL;
+  return discovered;
+}
+
+/** Reset discovery cache (for testing) */
+export function resetDiscoveryCache(): void {
+  cachedConfig = null;
+  cacheExpiry = 0;
+}
+
+// ─── Authorization URL ─────────────────────────────────────────────────────
+
+export async function generateAuthUrl(
+  config: client.Configuration,
+  redirectUri: string,
+  scope: string
+): Promise<{ url: URL; state: OIDCState }> {
+  const code_verifier = client.randomPKCECodeVerifier();
+  const code_challenge = await client.calculatePKCECodeChallenge(code_verifier);
+  const state = client.randomState();
+  const nonce = client.randomNonce();
+
+  const parameters: Record<string, string> = {
+    redirect_uri: redirectUri,
+    scope,
+    code_challenge,
+    code_challenge_method: 'S256',
+    state,
+    nonce,
+    prompt: 'login',
+  };
+
+  const url = client.buildAuthorizationUrl(config, parameters);
+
+  return {
+    url,
+    state: { code_verifier, state, nonce },
+  };
+}
+
+// ─── Token Exchange ────────────────────────────────────────────────────────
+
+export interface OIDCClaims {
+  sub: string;
+  email?: string;
+  preferred_username?: string;
+  [claim: string]: unknown;
+}
+
+export async function exchangeCode(
+  config: client.Configuration,
+  callbackUrl: URL,
+  codeVerifier: string,
+  expectedState: string,
+  expectedNonce: string
+): Promise<OIDCClaims | null> {
+  const tokens = await client.authorizationCodeGrant(config, callbackUrl, {
+    pkceCodeVerifier: codeVerifier,
+    expectedState,
+    expectedNonce,
+    idTokenExpected: true,
+  });
+
+  const claims = tokens.claims();
+  if (!claims) {
+    logger.warn('OIDC token exchange succeeded but claims are empty', { route: 'oidc' });
+    return null;
+  }
+
+  return claims as unknown as OIDCClaims;
+}
+
+// ─── Role Mapping ──────────────────────────────────────────────────────────
+
+/**
+ * Extract role from OIDC claims using configured claim path.
+ * Supports dot-notation for nested claims (e.g. "realm_access.roles").
+ * Returns 'admin' if any claim value matches OIDC_ADMIN_ROLES, otherwise 'user'.
+ */
+export function mapOIDCRole(
+  claims: Record<string, unknown>,
+  roleClaim: string,
+  adminRoles: string[]
+): 'admin' | 'user' {
+  if (!roleClaim) return 'user';
+
+  // Navigate dot-notation path
+  const parts = roleClaim.split('.');
+  let value: unknown = claims;
+  for (const part of parts) {
+    if (value == null || typeof value !== 'object') return 'user';
+    value = (value as Record<string, unknown>)[part];
+  }
+
+  if (value == null) return 'user';
+
+  // Normalize to array of strings
+  const values: string[] = Array.isArray(value)
+    ? value.map(String)
+    : [String(value)];
+
+  // Check if any value matches admin roles
+  const isAdmin = values.some((v) =>
+    adminRoles.some((ar) => v.toLowerCase() === ar.toLowerCase())
+  );
+
+  return isAdmin ? 'admin' : 'user';
+}
+
+// ─── State Cookie Encryption ───────────────────────────────────────────────
+
+function getStateSecret(): Uint8Array {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    throw new Error('JWT_SECRET is required for OIDC state encryption');
+  }
+  return new TextEncoder().encode(secret);
+}
+
+export async function encryptState(data: OIDCState): Promise<string> {
+  return await new SignJWT({ ...data })
+    .setProtectedHeader({ alg: 'HS256' })
+    .setIssuedAt()
+    .setExpirationTime('5m')
+    .sign(getStateSecret());
+}
+
+export async function decryptState(token: string): Promise<OIDCState> {
+  const { payload } = await jwtVerify(token, getStateSecret());
+  return {
+    code_verifier: payload.code_verifier as string,
+    state: payload.state as string,
+    nonce: payload.nonce as string,
+  };
+}
+
+// ─── Public Origin (reverse proxy / PaaS) ──────────────────────────────────
+
+/**
+ * Derive the public-facing origin from request headers.
+ * On platforms like Render, Railway, Fly.io the app binds to 0.0.0.0:PORT
+ * but the actual public URL comes from x-forwarded-host/x-forwarded-proto.
+ */
+export function getPublicOrigin(request: Request): string {
+  const forwardedHost = request.headers.get('x-forwarded-host');
+  const forwardedProto = request.headers.get('x-forwarded-proto') || 'https';
+  const host = forwardedHost || request.headers.get('host');
+  if (host) {
+    return `${forwardedProto}://${host}`;
+  }
+  return new URL(request.url).origin;
+}
+
+// ─── Logout URL ─────────────────────────────────────────────────────────────
+
+/**
+ * Build the OIDC provider's logout URL.
+ * Auth0: /v2/logout?client_id=...&returnTo=...
+ * Generic: /protocol/openid-connect/logout?post_logout_redirect_uri=...&client_id=...
+ */
+export function buildLogoutUrl(returnTo: string): string | null {
+  try {
+    const config = getOIDCConfig();
+    const issuerUrl = new URL(config.issuer);
+    const roleClaim = config.roleClaim;
+
+    // Auth0 uses /v2/logout
+    if (issuerUrl.hostname === 'auth0.com' || issuerUrl.hostname.endsWith('.auth0.com')) {
+      const logoutUrl = new URL('/v2/logout', config.issuer);
+      logoutUrl.searchParams.set('client_id', config.clientId);
+      logoutUrl.searchParams.set('returnTo', returnTo);
+      return logoutUrl.toString();
+    }
+
+    // Zitadel RP-Initiated Logout
+    if (roleClaim.includes('zitadel')) {
+      const logoutUrl = new URL('/oidc/v1/end_session', config.issuer);
+      logoutUrl.searchParams.set('client_id', config.clientId);
+      logoutUrl.searchParams.set('post_logout_redirect_uri', returnTo);
+      return logoutUrl.toString();
+    }
+
+    // Generic OIDC (Keycloak, Okta, Azure AD, etc.) — RP-Initiated Logout
+    const logoutUrl = new URL('/protocol/openid-connect/logout', config.issuer);
+    logoutUrl.searchParams.set('client_id', config.clientId);
+    logoutUrl.searchParams.set('post_logout_redirect_uri', returnTo);
+    return logoutUrl.toString();
+  } catch (error) {
+    logger.warn('Failed to build OIDC logout URL', { route: 'oidc', error: error instanceof Error ? error.message : String(error) });
+    return null;
+  }
+}

package/src/lib/query-generators.ts

@@ -0,0 +1,61 @@
+import type { ProviderCapabilities } from '@/lib/db/types';
+import type { ColumnSchema } from '@/lib/types';
+
+export function generateTableQuery(tableName: string, capabilities: ProviderCapabilities): string {
+  if (capabilities.queryLanguage === 'json') {
+    return JSON.stringify(
+      { collection: tableName, operation: 'find', filter: {}, options: { limit: 50 } },
+      null,
+      2
+    );
+  }
+  // Oracle
+  if (capabilities.defaultPort === 1521) {
+    return `SELECT * FROM ${tableName} FETCH FIRST 50 ROWS ONLY;`;
+  }
+  // MSSQL
+  if (capabilities.defaultPort === 1433) {
+    return `SELECT TOP 50 * FROM ${tableName};`;
+  }
+  return `SELECT * FROM ${tableName} LIMIT 50;`;
+}
+
+export function generateSelectQuery(
+  tableName: string,
+  columns: ColumnSchema[],
+  capabilities: ProviderCapabilities
+): string {
+  if (capabilities.queryLanguage === 'json') {
+    const projection: Record<string, number> = {};
+    columns.forEach((c) => {
+      projection[c.name] = 1;
+    });
+    return JSON.stringify(
+      {
+        collection: tableName,
+        operation: 'find',
+        filter: {},
+        options: {
+          projection: Object.keys(projection).length > 0 ? projection : undefined,
+          limit: 100,
+        },
+      },
+      null,
+      2
+    );
+  }
+  const cols = columns.map((c) => `  ${c.name}`).join(',\n') || '  *';
+  // Oracle
+  if (capabilities.defaultPort === 1521) {
+    return `SELECT\n${cols}\nFROM ${tableName}\nWHERE 1=1\nFETCH FIRST 100 ROWS ONLY;`;
+  }
+  // MSSQL
+  if (capabilities.defaultPort === 1433) {
+    return `SELECT TOP 100\n${cols}\nFROM ${tableName}\nWHERE 1=1;`;
+  }
+  return `SELECT\n${cols}\nFROM ${tableName}\nWHERE 1=1\nLIMIT 100;`;
+}
+
+export function shouldRefreshSchema(query: string, schemaRefreshPattern: string): boolean {
+  return new RegExp(schemaRefreshPattern, 'i').test(query);
+}