@libredb/studio 0.9.7

package/src/app/api/auth/login/route.ts

@@ -0,0 +1,62 @@
+import { login } from '@/lib/auth';
+import { NextRequest, NextResponse } from 'next/server';
+import { createErrorResponse } from '@/lib/api/errors';
+import { logger } from '@/lib/logger';
+
+interface AuthUser {
+  email: string;
+  password: string;
+  role: 'admin' | 'user';
+}
+
+function getAuthUsers(): AuthUser[] {
+  const adminEmail = process.env.ADMIN_EMAIL;
+  const adminPassword = process.env.ADMIN_PASSWORD;
+  const userEmail = process.env.USER_EMAIL;
+  const userPassword = process.env.USER_PASSWORD;
+
+  if (process.env.NODE_ENV === 'production') {
+    if (!adminEmail || !adminPassword || !userEmail || !userPassword) {
+      throw new Error(
+        'ADMIN_EMAIL, ADMIN_PASSWORD, USER_EMAIL, and USER_PASSWORD environment variables are required in production'
+      );
+    }
+  }
+
+  return [
+    {
+      email: adminEmail || 'admin@libredb.org',
+      password: adminPassword || 'LibreDB.2026',
+      role: 'admin',
+    },
+    {
+      email: userEmail || 'user@libredb.org',
+      password: userPassword || 'LibreDB.2026',
+      role: 'user',
+    },
+  ];
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const { email, password } = await request.json();
+    const users = getAuthUsers();
+
+    const matched = users.find(
+      (u) => u.email === email && u.password === password
+    );
+
+    if (matched) {
+      await login(matched.role, matched.email);
+      return NextResponse.json({ success: true, role: matched.role });
+    }
+
+    logger.warn('Failed login attempt', { route: 'POST /api/auth/login', email });
+    return NextResponse.json(
+      { success: false, message: 'Invalid email or password' },
+      { status: 401 }
+    );
+  } catch (error) {
+    return createErrorResponse(error, { route: 'POST /api/auth/login' });
+  }
+}

package/src/app/api/auth/logout/route.ts

@@ -0,0 +1,25 @@
+import { logout } from '@/lib/auth';
+import { buildLogoutUrl, getPublicOrigin } from '@/lib/oidc';
+import { NextRequest, NextResponse } from 'next/server';
+import { createErrorResponse } from '@/lib/api/errors';
+
+export async function POST(request: NextRequest) {
+  try {
+    await logout();
+
+    const authProvider = process.env.NEXT_PUBLIC_AUTH_PROVIDER || 'local';
+    if (authProvider === 'oidc') {
+      const origin = getPublicOrigin(request);
+      const returnTo = `${origin}/login`;
+      const oidcLogoutUrl = buildLogoutUrl(returnTo);
+
+      if (oidcLogoutUrl) {
+        return NextResponse.json({ success: true, redirectUrl: oidcLogoutUrl });
+      }
+    }
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    return createErrorResponse(error, { route: 'POST /api/auth/logout' });
+  }
+}

package/src/app/api/auth/me/route.ts

@@ -0,0 +1,10 @@
+import { getSession } from '@/lib/auth';
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  const session = await getSession();
+  if (!session) {
+    return NextResponse.json({ authenticated: false }, { status: 401 });
+  }
+  return NextResponse.json({ authenticated: true, user: session });
+}

package/src/app/api/auth/oidc/callback/route.ts

@@ -0,0 +1,82 @@
+import { NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { login } from '@/lib/auth';
+import {
+  getOIDCConfig,
+  discoverProvider,
+  exchangeCode,
+  decryptState,
+  mapOIDCRole,
+  getPublicOrigin,
+} from '@/lib/oidc';
+import { logger } from '@/lib/logger';
+
+export async function GET(request: Request) {
+  const origin = getPublicOrigin(request);
+
+  try {
+    const cookieStore = await cookies();
+    const stateCookie = cookieStore.get('oidc-state')?.value;
+
+    if (!stateCookie) {
+      return NextResponse.redirect(`${origin}/login?error=oidc_state_missing`);
+    }
+
+    // Decrypt and validate state
+    let oidcState;
+    try {
+      oidcState = await decryptState(stateCookie);
+    } catch (decryptError) {
+      logger.warn('OIDC state decryption failed', { route: 'GET /api/auth/oidc/callback', error: decryptError instanceof Error ? decryptError.message : 'Unknown' });
+      cookieStore.delete('oidc-state');
+      return NextResponse.redirect(`${origin}/login?error=oidc_state_invalid`);
+    }
+
+    // Exchange code for tokens
+    const oidcConfig = getOIDCConfig();
+    const config = await discoverProvider(oidcConfig);
+
+    // Reconstruct callback URL with public origin for token exchange
+    const internalUrl = new URL(request.url);
+    const callbackUrl = new URL(
+      `${internalUrl.pathname}${internalUrl.search}`,
+      origin
+    );
+
+    const claims = await exchangeCode(
+      config,
+      callbackUrl,
+      oidcState.code_verifier,
+      oidcState.state,
+      oidcState.nonce
+    );
+
+    if (!claims) {
+      logger.warn('OIDC callback: no claims returned from token exchange', { route: 'oidc/callback' });
+      return NextResponse.redirect(`${origin}/login?error=oidc_no_claims`);
+    }
+
+    // Map role from claims
+    const role = mapOIDCRole(
+      claims as Record<string, unknown>,
+      oidcConfig.roleClaim,
+      oidcConfig.adminRoles
+    );
+
+    // Create local JWT session (same as password login)
+    const username = claims.email || claims.preferred_username || claims.sub || role;
+    await login(role, username);
+
+    // Clean up state cookie
+    cookieStore.delete('oidc-state');
+
+    // Redirect based on role
+    return NextResponse.redirect(
+      `${origin}${role === 'admin' ? '/admin' : '/'}`
+    );
+  } catch (error) {
+    logger.error('OIDC callback error', error, { route: 'GET /api/auth/oidc/callback' });
+    const errorCode = error instanceof Error && error.message.includes('config') ? 'oidc_config' : 'oidc_failed';
+    return NextResponse.redirect(`${origin}/login?error=${errorCode}`);
+  }
+}

package/src/app/api/auth/oidc/login/route.ts

@@ -0,0 +1,43 @@
+import { NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import {
+  getOIDCConfig,
+  discoverProvider,
+  generateAuthUrl,
+  encryptState,
+  getPublicOrigin,
+} from '@/lib/oidc';
+import { logger } from '@/lib/logger';
+
+export async function GET(request: Request) {
+  try {
+    const oidcConfig = getOIDCConfig();
+    const config = await discoverProvider(oidcConfig);
+
+    const origin = getPublicOrigin(request);
+    const redirectUri = `${origin}/api/auth/oidc/callback`;
+
+    const { url, state } = await generateAuthUrl(
+      config,
+      redirectUri,
+      oidcConfig.scope
+    );
+
+    // Store PKCE state in signed cookie
+    const stateCookie = await encryptState(state);
+    const cookieStore = await cookies();
+    cookieStore.set('oidc-state', stateCookie, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 300, // 5 minutes
+      path: '/',
+    });
+
+    return NextResponse.redirect(url.toString());
+  } catch (error) {
+    logger.error('OIDC login error', error, { route: 'GET /api/auth/oidc/login' });
+    const origin = getPublicOrigin(request);
+    return NextResponse.redirect(`${origin}/login?error=oidc_config`);
+  }
+}

package/src/app/api/connections/managed/route.ts

@@ -0,0 +1,35 @@
+import { NextResponse } from 'next/server';
+import { getSession } from '@/lib/auth';
+import { getManagedConnections } from '@/lib/seed';
+import { logger } from '@/lib/logger';
+
+export const dynamic = 'force-dynamic';
+
+export async function GET() {
+  try {
+    const session = await getSession();
+    if (!session) {
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+    }
+
+    const connections = await getManagedConnections([session.role]);
+
+    const sanitized = connections.map((conn) => {
+      if (conn.managed) {
+        const { password, connectionString, ...rest } = conn;
+        return rest;
+      }
+      return conn;
+    });
+
+    const rawTTL = Number(process.env.SEED_CACHE_TTL_MS);
+    const cacheTTL = Number.isFinite(rawTTL) ? rawTTL : 60_000;
+
+    return NextResponse.json({ connections: sanitized, cacheHint: cacheTTL });
+  } catch (error) {
+    logger.error('Failed to load managed connections', error, {
+      route: 'GET /api/connections/managed',
+    });
+    return NextResponse.json({ error: 'Failed to load managed connections' }, { status: 500 });
+  }
+}

package/src/app/api/db/cancel/route.ts

@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getOrCreateProvider } from '@/lib/db';
+import { createErrorResponse } from '@/lib/api/errors';
+import { resolveConnection } from '@/lib/seed/resolve-connection';
+import { getSession } from '@/lib/auth';
+
+export async function POST(req: NextRequest) {
+  try {
+    const body = await req.json();
+    const { queryId } = body;
+
+    const session = await getSession();
+    if (!session) {
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+    }
+
+    const connection = await resolveConnection(body, session);
+
+    if (!queryId) {
+      return NextResponse.json(
+        { error: 'Connection and queryId are required' },
+        { status: 400 }
+      );
+    }
+
+    const provider = await getOrCreateProvider(connection);
+
+    // Check if provider supports cancellation
+    if (!('cancelQuery' in provider) || typeof (provider as Record<string, unknown>).cancelQuery !== 'function') {
+      return NextResponse.json(
+        { error: 'Query cancellation is not supported for this database type', cancelled: false },
+        { status: 400 }
+      );
+    }
+
+    const cancelled = await (provider as { cancelQuery(queryId: string): Promise<boolean> }).cancelQuery(queryId);
+
+    return NextResponse.json({ cancelled });
+  } catch (error) {
+    return createErrorResponse(error, { route: 'api/db/cancel' });
+  }
+}

package/src/app/api/db/disconnect/route.ts

@@ -0,0 +1,28 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { removeProvider } from '@/lib/db/factory';
+import { logger } from '@/lib/logger';
+
+export async function POST(req: NextRequest) {
+  try {
+    const { connectionId } = await req.json();
+
+    if (!connectionId || typeof connectionId !== 'string') {
+      return NextResponse.json(
+        { success: false, error: 'connectionId is required' },
+        { status: 400 }
+      );
+    }
+
+    await removeProvider(connectionId);
+
+    logger.info('[DB] Provider disconnected and removed from cache', { connectionId });
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    logger.error('[DB] Error disconnecting provider', { error: String(error) });
+    return NextResponse.json(
+      { success: false, error: 'Failed to disconnect' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/db/health/route.ts

@@ -0,0 +1,49 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getOrCreateProvider } from '@/lib/db';
+import { createErrorResponse } from '@/lib/api/errors';
+import { resolveConnection } from '@/lib/seed/resolve-connection';
+import { getSession } from '@/lib/auth';
+
+/**
+ * GET /api/db/health
+ * Simple health check for load balancers and container orchestration (Render, K8s, etc.)
+ * Returns 200 OK if the service is running
+ */
+export async function GET() {
+  return NextResponse.json({
+    status: 'healthy',
+    timestamp: new Date().toISOString(),
+    service: 'libredb-studio',
+  });
+}
+
+/**
+ * POST /api/db/health
+ * Detailed health check for a specific database connection
+ */
+export async function POST(req: NextRequest) {
+  try {
+    const body = await req.json();
+
+    const session = await getSession();
+    if (!session) {
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+    }
+
+    const connection = await resolveConnection(body, session);
+
+    if (!connection.type) {
+      return NextResponse.json(
+        { error: 'Valid connection configuration is required' },
+        { status: 400 }
+      );
+    }
+
+    const provider = await getOrCreateProvider(connection);
+    const health = await provider.getHealth();
+
+    return NextResponse.json(health);
+  } catch (error) {
+    return createErrorResponse(error, { route: 'api/db/health' });
+  }
+}

package/src/app/api/db/maintenance/route.ts

@@ -0,0 +1,72 @@
+import { getSession } from '@/lib/auth';
+import { NextResponse } from 'next/server';
+import {
+  getOrCreateProvider,
+  type MaintenanceType,
+} from '@/lib/db';
+import { getServerAuditBuffer } from '@/lib/audit';
+import { createErrorResponse } from '@/lib/api/errors';
+import { resolveConnection } from '@/lib/seed/resolve-connection';
+
+export async function POST(request: Request) {
+  // Check admin authorization
+  const session = await getSession();
+
+  if (!session || session.role !== 'admin') {
+    return NextResponse.json(
+      { error: 'Unauthorized. Admin access required.' },
+      { status: 403 }
+    );
+  }
+
+  try {
+    const body = await request.json();
+    const { type, target } = body;
+
+    const connection = await resolveConnection(body, session);
+
+    if (!type) {
+      return NextResponse.json(
+        { error: 'Maintenance type is required' },
+        { status: 400 }
+      );
+    }
+
+    const provider = await getOrCreateProvider(connection);
+    const capabilities = provider.getCapabilities();
+
+    if (!capabilities.supportsMaintenance) {
+      return NextResponse.json(
+        { error: `Maintenance operations not supported for this database` },
+        { status: 400 }
+      );
+    }
+
+    if (!capabilities.maintenanceOperations.includes(type as MaintenanceType)) {
+      return NextResponse.json(
+        { error: `Operation '${type}' not supported for this database. Supported: ${capabilities.maintenanceOperations.join(', ')}` },
+        { status: 400 }
+      );
+    }
+
+    const startTime = Date.now();
+    const result = await provider.runMaintenance(type, target);
+    const duration = Date.now() - startTime;
+
+    // Emit audit event
+    const audit = getServerAuditBuffer();
+    audit.push({
+      type: type === 'kill' ? 'kill_session' : 'maintenance',
+      action: type.toUpperCase(),
+      target: target || 'all',
+      connectionName: connection.name || connection.database || 'unknown',
+      user: session.username || 'admin',
+      result: 'success',
+      duration,
+    });
+
+    return NextResponse.json(result);
+  } catch (error) {
+    return createErrorResponse(error, { route: 'api/db/maintenance' });
+  }
+}

package/src/app/api/db/monitoring/route.ts

@@ -0,0 +1,62 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getOrCreateProvider } from '@/lib/db';
+import type { MonitoringOptions } from '@/lib/db/types';
+import { createErrorResponse } from '@/lib/api/errors';
+import { resolveConnection } from '@/lib/seed/resolve-connection';
+import { getSession } from '@/lib/auth';
+
+/**
+ * POST /api/db/monitoring
+ * Get comprehensive monitoring data for a database connection
+ */
+export async function POST(req: NextRequest) {
+  try {
+    // Handle empty or aborted requests
+    let body;
+    try {
+      const text = await req.text();
+      if (!text) {
+        return NextResponse.json(
+          { error: 'Request body is empty' },
+          { status: 400 }
+        );
+      }
+      body = JSON.parse(text);
+    } catch {
+      return NextResponse.json(
+        { error: 'Invalid JSON in request body' },
+        { status: 400 }
+      );
+    }
+
+    const session = await getSession();
+    if (!session) {
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+    }
+
+    const connection = await resolveConnection(body, session);
+    const { options } = body as { options?: MonitoringOptions };
+
+    if (!connection.type) {
+      return NextResponse.json(
+        { error: 'Valid connection configuration is required' },
+        { status: 400 }
+      );
+    }
+
+    const provider = await getOrCreateProvider(connection);
+    const monitoringData = await provider.getMonitoringData(options);
+
+    return NextResponse.json(monitoringData);
+  } catch (error) {
+    // Ignore aborted requests (client cancelled)
+    if (error instanceof Error &&
+        (error.message === 'aborted' ||
+         error.name === 'AbortError' ||
+         (error as NodeJS.ErrnoException).code === 'ECONNRESET')) {
+      return new Response(null, { status: 499 }); // Client Closed Request
+    }
+
+    return createErrorResponse(error, { route: 'api/db/monitoring' });
+  }
+}

package/src/app/api/db/multi-query/route.ts

@@ -0,0 +1,116 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getOrCreateProvider } from '@/lib/db';
+import { splitStatements } from '@/lib/sql/statement-splitter';
+import { createErrorResponse } from '@/lib/api/errors';
+import { resolveConnection } from '@/lib/seed/resolve-connection';
+import { getSession } from '@/lib/auth';
+
+export interface StatementResult {
+  index: number;
+  sql: string;
+  startLine: number;
+  status: 'success' | 'error';
+  rows?: Record<string, unknown>[];
+  fields?: string[];
+  rowCount?: number;
+  executionTime: number;
+  error?: string;
+}
+
+export async function POST(req: NextRequest) {
+  try {
+    const body = await req.json();
+    const { sql, options = {} } = body;
+
+    const session = await getSession();
+    if (!session) {
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+    }
+
+    const connection = await resolveConnection(body, session);
+
+    if (!sql) {
+      return NextResponse.json(
+        { error: 'Connection and query are required' },
+        { status: 400 }
+      );
+    }
+
+    const statements = splitStatements(sql);
+
+    if (statements.length === 0) {
+      return NextResponse.json(
+        { error: 'No valid SQL statements found' },
+        { status: 400 }
+      );
+    }
+
+    const provider = await getOrCreateProvider(connection);
+    const results: StatementResult[] = [];
+    let totalExecutionTime = 0;
+
+    for (let i = 0; i < statements.length; i++) {
+      const stmt = statements[i];
+      const startTime = performance.now();
+
+      try {
+        // For the last statement that is a SELECT, apply limit
+        const isLastSelect = i === statements.length - 1 && /^\s*SELECT\b/i.test(stmt.sql);
+        const prepared = isLastSelect
+          ? provider.prepareQuery(stmt.sql, options)
+          : { query: stmt.sql, wasLimited: false, limit: 0, offset: 0 };
+
+        const result = await provider.query(prepared.query);
+        const executionTime = Math.round(performance.now() - startTime);
+        totalExecutionTime += executionTime;
+
+        results.push({
+          index: i,
+          sql: stmt.sql,
+          startLine: stmt.startLine,
+          status: 'success',
+          rows: result.rows,
+          fields: result.fields,
+          rowCount: result.rowCount,
+          executionTime,
+        });
+      } catch (error) {
+        const executionTime = Math.round(performance.now() - startTime);
+        totalExecutionTime += executionTime;
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+
+        results.push({
+          index: i,
+          sql: stmt.sql,
+          startLine: stmt.startLine,
+          status: 'error',
+          executionTime,
+          error: errorMessage,
+        });
+
+        // Stop execution on error
+        break;
+      }
+    }
+
+    // Return the last successful result with rows as the main result (for ResultsGrid)
+    const lastResultWithRows = [...results].reverse().find(r => r.status === 'success' && r.rows && r.rows.length > 0);
+    const hasError = results.some(r => r.status === 'error');
+
+    return NextResponse.json({
+      // Main result (for backward compatibility with ResultsGrid)
+      rows: lastResultWithRows?.rows || [],
+      fields: lastResultWithRows?.fields || [],
+      rowCount: lastResultWithRows?.rowCount || 0,
+      executionTime: totalExecutionTime,
+      // Multi-statement metadata
+      multiStatement: true,
+      statementCount: statements.length,
+      executedCount: results.length,
+      hasError,
+      statements: results,
+    });
+  } catch (error) {
+    return createErrorResponse(error, { route: 'api/db/multi-query' });
+  }
+}

package/src/app/api/db/pool-stats/route.ts

@@ -0,0 +1,37 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getOrCreateProvider } from '@/lib/db/factory';
+import { createErrorResponse } from '@/lib/api/errors';
+import { resolveConnection } from '@/lib/seed/resolve-connection';
+import { getSession } from '@/lib/auth';
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json();
+
+    const session = await getSession();
+    if (!session) {
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+    }
+
+    const connection = await resolveConnection(body, session);
+
+    const provider = await getOrCreateProvider(connection);
+
+    // Check if provider has getPoolStats
+    if ('getPoolStats' in provider && typeof (provider as Record<string, unknown>).getPoolStats === 'function') {
+      const stats = (provider as { getPoolStats: () => { total: number; idle: number; active: number; waiting: number } }).getPoolStats();
+      return NextResponse.json(stats);
+    }
+
+    // Fallback for providers without pool stats
+    return NextResponse.json({
+      total: 0,
+      idle: 0,
+      active: 0,
+      waiting: 0,
+      message: 'Pool statistics not available for this provider',
+    });
+  } catch (error) {
+    return createErrorResponse(error, { route: 'api/db/pool-stats' });
+  }
+}