@lovelybunch/api 1.0.55 → 1.0.57

package/dist/lib/auth/auth-manager.d.ts

@@ -0,0 +1,122 @@
+import { AuthConfig, LocalAuthUser, AuthSession, ApiKey, UserRole } from '@lovelybunch/types';
+export declare class AuthManager {
+    private authConfigPath;
+    private authConfig;
+    constructor(dataPath: string);
+    /**
+     * Check if auth is enabled
+     */
+    isAuthEnabled(): Promise<boolean>;
+    /**
+     * Load auth config from file
+     */
+    loadAuthConfig(): Promise<AuthConfig>;
+    /**
+     * Save auth config to file
+     */
+    saveAuthConfig(config: AuthConfig): Promise<void>;
+    /**
+     * Initialize auth config with defaults
+     */
+    initializeAuthConfig(adminEmail: string, adminName: string): Promise<AuthConfig>;
+    /**
+     * Find user by email
+     */
+    findUserByEmail(email: string): Promise<LocalAuthUser | null>;
+    /**
+     * Find user by ID
+     */
+    findUserById(userId: string): Promise<LocalAuthUser | null>;
+    /**
+     * Check if email is whitelisted
+     */
+    isEmailWhitelisted(email: string): Promise<boolean>;
+    /**
+     * Register a new user (must be whitelisted)
+     */
+    registerUser(email: string, password: string, name: string): Promise<LocalAuthUser>;
+    /**
+     * Verify user credentials
+     */
+    verifyCredentials(email: string, password: string): Promise<LocalAuthUser | null>;
+    /**
+     * Change user password
+     */
+    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<void>;
+    /**
+     * Admin reset password (no current password required)
+     */
+    adminResetPassword(userId: string, newPassword: string): Promise<void>;
+    /**
+     * Update user's last login time
+     */
+    updateUserLastLogin(userId: string): Promise<void>;
+    /**
+     * Add a new whitelisted user
+     */
+    addWhitelistedUser(email: string, name: string, role?: UserRole): Promise<LocalAuthUser>;
+    /**
+     * Remove a user
+     */
+    removeUser(userId: string): Promise<void>;
+    /**
+     * Update user role
+     */
+    updateUserRole(userId: string, role: UserRole): Promise<void>;
+    /**
+     * Generate JWT token
+     */
+    generateToken(user: LocalAuthUser, provider?: string): Promise<string>;
+    /**
+     * Verify JWT token
+     */
+    verifyToken(token: string): Promise<AuthSession | null>;
+    /**
+     * Create API key
+     */
+    createApiKey(name: string, createdBy: string, scopes: string[], expiresIn?: string): Promise<{
+        apiKey: ApiKey;
+        rawKey: string;
+    }>;
+    /**
+     * Verify API key
+     */
+    verifyApiKey(rawKey: string): Promise<ApiKey | null>;
+    /**
+     * Update API key last used time
+     */
+    updateApiKeyLastUsed(apiKeyId: string): Promise<void>;
+    /**
+     * Delete API key
+     */
+    deleteApiKey(apiKeyId: string): Promise<void>;
+    /**
+     * List all API keys (without raw keys)
+     */
+    listApiKeys(): Promise<ApiKey[]>;
+    /**
+     * Generate a secure random ID
+     */
+    private generateId;
+    /**
+     * Generate a secure random secret
+     */
+    private generateSecret;
+    /**
+     * Generate a secure API key
+     */
+    private generateApiKey;
+    /**
+     * Parse expiry string to seconds
+     */
+    private parseExpiry;
+    /**
+     * Calculate expiry date from string
+     */
+    private calculateExpiry;
+    /**
+     * Clear cached config (useful for testing)
+     */
+    clearCache(): void;
+}
+export declare function getAuthManager(dataPath?: string): AuthManager;

package/dist/lib/auth/auth-manager.js

@@ -0,0 +1,411 @@
+import fs from 'fs/promises';
+import path from 'path';
+import bcrypt from 'bcrypt';
+import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
+const SALT_ROUNDS = 10;
+const DEFAULT_SESSION_EXPIRY = '7d';
+const DEFAULT_COOKIE_NAME = 'nut-session';
+export class AuthManager {
+    authConfigPath;
+    authConfig = null;
+    constructor(dataPath) {
+        this.authConfigPath = path.join(dataPath, '.nut', 'auth.json');
+    }
+    /**
+     * Check if auth is enabled
+     */
+    async isAuthEnabled() {
+        try {
+            const config = await this.loadAuthConfig();
+            return config.enabled;
+        }
+        catch (error) {
+            // If config doesn't exist or can't be loaded, auth is disabled
+            return false;
+        }
+    }
+    /**
+     * Load auth config from file
+     */
+    async loadAuthConfig() {
+        if (this.authConfig) {
+            return this.authConfig;
+        }
+        try {
+            const content = await fs.readFile(this.authConfigPath, 'utf-8');
+            this.authConfig = JSON.parse(content);
+            return this.authConfig;
+        }
+        catch (error) {
+            throw new Error('Auth config not found or invalid');
+        }
+    }
+    /**
+     * Save auth config to file
+     */
+    async saveAuthConfig(config) {
+        await fs.writeFile(this.authConfigPath, JSON.stringify(config, null, 2), 'utf-8');
+        this.authConfig = config;
+    }
+    /**
+     * Initialize auth config with defaults
+     */
+    async initializeAuthConfig(adminEmail, adminName) {
+        const config = {
+            version: '1.0',
+            enabled: false, // Start disabled, admin must enable
+            allowRegistration: true,
+            providers: {
+                local: {
+                    enabled: true,
+                    users: [
+                        {
+                            id: this.generateId(),
+                            email: adminEmail,
+                            name: adminName,
+                            role: 'admin',
+                            registered: false,
+                            createdAt: new Date(),
+                            updatedAt: new Date(),
+                        },
+                    ],
+                },
+                oauth: {},
+            },
+            session: {
+                secret: this.generateSecret(),
+                expiresIn: DEFAULT_SESSION_EXPIRY,
+                cookieName: DEFAULT_COOKIE_NAME,
+                secure: process.env.NODE_ENV === 'production',
+            },
+            apiKeys: [],
+        };
+        await this.saveAuthConfig(config);
+        return config;
+    }
+    /**
+     * Find user by email
+     */
+    async findUserByEmail(email) {
+        const config = await this.loadAuthConfig();
+        const user = config.providers.local.users.find((u) => u.email.toLowerCase() === email.toLowerCase());
+        return user || null;
+    }
+    /**
+     * Find user by ID
+     */
+    async findUserById(userId) {
+        const config = await this.loadAuthConfig();
+        const user = config.providers.local.users.find((u) => u.id === userId);
+        return user || null;
+    }
+    /**
+     * Check if email is whitelisted
+     */
+    async isEmailWhitelisted(email) {
+        const config = await this.loadAuthConfig();
+        return config.providers.local.users.some((u) => u.email.toLowerCase() === email.toLowerCase());
+    }
+    /**
+     * Register a new user (must be whitelisted)
+     */
+    async registerUser(email, password, name) {
+        const config = await this.loadAuthConfig();
+        if (!config.allowRegistration) {
+            throw new Error('Registration is disabled');
+        }
+        // Find the whitelisted user entry
+        const userIndex = config.providers.local.users.findIndex((u) => u.email.toLowerCase() === email.toLowerCase());
+        if (userIndex === -1) {
+            throw new Error('Email not whitelisted');
+        }
+        const user = config.providers.local.users[userIndex];
+        if (user.registered) {
+            throw new Error('User already registered');
+        }
+        // Hash password
+        const passwordHash = await bcrypt.hash(password, SALT_ROUNDS);
+        // Update user
+        user.name = name;
+        user.passwordHash = passwordHash;
+        user.registered = true;
+        user.updatedAt = new Date();
+        await this.saveAuthConfig(config);
+        return user;
+    }
+    /**
+     * Verify user credentials
+     */
+    async verifyCredentials(email, password) {
+        const user = await this.findUserByEmail(email);
+        if (!user || !user.registered || !user.passwordHash) {
+            return null;
+        }
+        const isValid = await bcrypt.compare(password, user.passwordHash);
+        if (!isValid) {
+            return null;
+        }
+        // Update last login
+        await this.updateUserLastLogin(user.id);
+        return user;
+    }
+    /**
+     * Change user password
+     */
+    async changePassword(userId, currentPassword, newPassword) {
+        const config = await this.loadAuthConfig();
+        const userIndex = config.providers.local.users.findIndex((u) => u.id === userId);
+        if (userIndex === -1) {
+            throw new Error('User not found');
+        }
+        const user = config.providers.local.users[userIndex];
+        if (!user.passwordHash) {
+            throw new Error('User has no password set');
+        }
+        // Verify current password
+        const isValid = await bcrypt.compare(currentPassword, user.passwordHash);
+        if (!isValid) {
+            throw new Error('Current password is incorrect');
+        }
+        // Hash and set new password
+        user.passwordHash = await bcrypt.hash(newPassword, SALT_ROUNDS);
+        user.updatedAt = new Date();
+        await this.saveAuthConfig(config);
+    }
+    /**
+     * Admin reset password (no current password required)
+     */
+    async adminResetPassword(userId, newPassword) {
+        const config = await this.loadAuthConfig();
+        const userIndex = config.providers.local.users.findIndex((u) => u.id === userId);
+        if (userIndex === -1) {
+            throw new Error('User not found');
+        }
+        const user = config.providers.local.users[userIndex];
+        user.passwordHash = await bcrypt.hash(newPassword, SALT_ROUNDS);
+        user.updatedAt = new Date();
+        await this.saveAuthConfig(config);
+    }
+    /**
+     * Update user's last login time
+     */
+    async updateUserLastLogin(userId) {
+        const config = await this.loadAuthConfig();
+        const user = config.providers.local.users.find((u) => u.id === userId);
+        if (user) {
+            user.lastLoginAt = new Date();
+            await this.saveAuthConfig(config);
+        }
+    }
+    /**
+     * Add a new whitelisted user
+     */
+    async addWhitelistedUser(email, name, role = 'viewer') {
+        const config = await this.loadAuthConfig();
+        // Check if user already exists
+        const existingUser = config.providers.local.users.find((u) => u.email.toLowerCase() === email.toLowerCase());
+        if (existingUser) {
+            throw new Error('User already exists');
+        }
+        const newUser = {
+            id: this.generateId(),
+            email,
+            name,
+            role,
+            registered: false,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+        };
+        config.providers.local.users.push(newUser);
+        await this.saveAuthConfig(config);
+        return newUser;
+    }
+    /**
+     * Remove a user
+     */
+    async removeUser(userId) {
+        const config = await this.loadAuthConfig();
+        const userIndex = config.providers.local.users.findIndex((u) => u.id === userId);
+        if (userIndex === -1) {
+            throw new Error('User not found');
+        }
+        config.providers.local.users.splice(userIndex, 1);
+        await this.saveAuthConfig(config);
+    }
+    /**
+     * Update user role
+     */
+    async updateUserRole(userId, role) {
+        const config = await this.loadAuthConfig();
+        const user = config.providers.local.users.find((u) => u.id === userId);
+        if (!user) {
+            throw new Error('User not found');
+        }
+        user.role = role;
+        user.updatedAt = new Date();
+        await this.saveAuthConfig(config);
+    }
+    /**
+     * Generate JWT token
+     */
+    async generateToken(user, provider = 'local') {
+        const config = await this.loadAuthConfig();
+        const payload = {
+            userId: user.id,
+            email: user.email,
+            name: user.name,
+            role: user.role,
+            provider: provider,
+            iat: Math.floor(Date.now() / 1000),
+            exp: Math.floor(Date.now() / 1000) + this.parseExpiry(config.session.expiresIn),
+        };
+        return jwt.sign(payload, config.session.secret);
+    }
+    /**
+     * Verify JWT token
+     */
+    async verifyToken(token) {
+        try {
+            const config = await this.loadAuthConfig();
+            const decoded = jwt.verify(token, config.session.secret);
+            return decoded;
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    /**
+     * Create API key
+     */
+    async createApiKey(name, createdBy, scopes, expiresIn) {
+        const config = await this.loadAuthConfig();
+        const rawKey = this.generateApiKey();
+        const hashedKey = await bcrypt.hash(rawKey, SALT_ROUNDS);
+        const apiKey = {
+            id: this.generateId(),
+            name,
+            key: hashedKey,
+            keyPreview: rawKey.slice(-4),
+            createdBy,
+            createdAt: new Date(),
+            expiresAt: expiresIn ? this.calculateExpiry(expiresIn) : undefined,
+            scopes,
+        };
+        config.apiKeys.push(apiKey);
+        await this.saveAuthConfig(config);
+        return { apiKey, rawKey };
+    }
+    /**
+     * Verify API key
+     */
+    async verifyApiKey(rawKey) {
+        const config = await this.loadAuthConfig();
+        for (const apiKey of config.apiKeys) {
+            const isValid = await bcrypt.compare(rawKey, apiKey.key);
+            if (isValid) {
+                // Check expiration
+                if (apiKey.expiresAt && new Date(apiKey.expiresAt) < new Date()) {
+                    return null;
+                }
+                // Update last used
+                await this.updateApiKeyLastUsed(apiKey.id);
+                return apiKey;
+            }
+        }
+        return null;
+    }
+    /**
+     * Update API key last used time
+     */
+    async updateApiKeyLastUsed(apiKeyId) {
+        const config = await this.loadAuthConfig();
+        const apiKey = config.apiKeys.find((k) => k.id === apiKeyId);
+        if (apiKey) {
+            apiKey.lastUsedAt = new Date();
+            await this.saveAuthConfig(config);
+        }
+    }
+    /**
+     * Delete API key
+     */
+    async deleteApiKey(apiKeyId) {
+        const config = await this.loadAuthConfig();
+        const keyIndex = config.apiKeys.findIndex((k) => k.id === apiKeyId);
+        if (keyIndex === -1) {
+            throw new Error('API key not found');
+        }
+        config.apiKeys.splice(keyIndex, 1);
+        await this.saveAuthConfig(config);
+    }
+    /**
+     * List all API keys (without raw keys)
+     */
+    async listApiKeys() {
+        const config = await this.loadAuthConfig();
+        return config.apiKeys;
+    }
+    /**
+     * Generate a secure random ID
+     */
+    generateId() {
+        return crypto.randomBytes(16).toString('hex');
+    }
+    /**
+     * Generate a secure random secret
+     */
+    generateSecret() {
+        return crypto.randomBytes(32).toString('hex');
+    }
+    /**
+     * Generate a secure API key
+     */
+    generateApiKey() {
+        return `nut_${crypto.randomBytes(32).toString('hex')}`;
+    }
+    /**
+     * Parse expiry string to seconds
+     */
+    parseExpiry(expiry) {
+        const match = expiry.match(/^(\d+)([smhd])$/);
+        if (!match) {
+            return 7 * 24 * 60 * 60; // Default to 7 days
+        }
+        const value = parseInt(match[1]);
+        const unit = match[2];
+        switch (unit) {
+            case 's':
+                return value;
+            case 'm':
+                return value * 60;
+            case 'h':
+                return value * 60 * 60;
+            case 'd':
+                return value * 24 * 60 * 60;
+            default:
+                return 7 * 24 * 60 * 60;
+        }
+    }
+    /**
+     * Calculate expiry date from string
+     */
+    calculateExpiry(expiresIn) {
+        const seconds = this.parseExpiry(expiresIn);
+        return new Date(Date.now() + seconds * 1000);
+    }
+    /**
+     * Clear cached config (useful for testing)
+     */
+    clearCache() {
+        this.authConfig = null;
+    }
+}
+// Singleton instance
+let authManagerInstance = null;
+export function getAuthManager(dataPath) {
+    if (!authManagerInstance) {
+        const path = dataPath || process.env.GAIT_DATA_PATH || process.cwd();
+        authManagerInstance = new AuthManager(path);
+    }
+    return authManagerInstance;
+}

package/dist/middleware/auth.d.ts

@@ -0,0 +1,31 @@
+import { Context, Next } from 'hono';
+import { AuthSession } from '@lovelybunch/types';
+/**
+ * Authentication middleware
+ * Checks for valid JWT token in cookie or Authorization header
+ */
+export declare function authMiddleware(c: Context, next: Next): Promise<void | (Response & import("hono").TypedResponse<{
+    error: string;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    error: string;
+    message: string;
+}, 403, "json">)>;
+/**
+ * Helper to get current session from context
+ */
+export declare function getSession(c: Context): AuthSession | null;
+/**
+ * Helper to check if user is admin
+ */
+export declare function isAdmin(c: Context): boolean;
+/**
+ * Helper to require authentication (throws if not authenticated)
+ * Returns null if auth is disabled
+ */
+export declare function requireAuth(c: Context): AuthSession | null;
+/**
+ * Helper to require admin access (throws if not admin)
+ * Returns null if auth is disabled
+ */
+export declare function requireAdmin(c: Context): AuthSession | null;

package/dist/middleware/auth.js

@@ -0,0 +1,142 @@
+import { getCookie } from 'hono/cookie';
+import { getAuthManager } from '../lib/auth/auth-manager.js';
+// Public routes that don't require authentication
+const PUBLIC_ROUTES = [
+    '/api/health',
+    '/api/v1/auth/status',
+    '/api/v1/auth/login',
+    '/api/v1/auth/register',
+    '/api/v1/auth/oauth',
+    '/api/v1/auth/callback',
+];
+// Routes that require specific roles
+const ADMIN_ROUTES = [
+    '/api/v1/auth-settings',
+    '/api/v1/config',
+];
+/**
+ * Check if a route is public (doesn't require auth)
+ */
+function isPublicRoute(path) {
+    return PUBLIC_ROUTES.some((route) => path.startsWith(route));
+}
+/**
+ * Check if a route requires admin access
+ */
+function isAdminRoute(path) {
+    return ADMIN_ROUTES.some((route) => path.startsWith(route));
+}
+/**
+ * Authentication middleware
+ * Checks for valid JWT token in cookie or Authorization header
+ */
+export async function authMiddleware(c, next) {
+    const authManager = getAuthManager();
+    // Check if auth is enabled
+    const authEnabled = await authManager.isAuthEnabled();
+    // Store auth status in context so helpers can check it
+    c.set('authEnabled', authEnabled);
+    if (!authEnabled) {
+        // Auth is disabled, allow all requests
+        return next();
+    }
+    const path = c.req.path;
+    // Allow public routes without authentication
+    if (isPublicRoute(path)) {
+        return next();
+    }
+    // Try to get token from cookie first
+    let token;
+    try {
+        const config = await authManager.loadAuthConfig();
+        token = getCookie(c, config.session.cookieName);
+    }
+    catch (error) {
+        // Config not available, try default cookie name
+        token = getCookie(c, 'nut-session');
+    }
+    // If no cookie, try Authorization header
+    if (!token) {
+        const authHeader = c.req.header('Authorization');
+        if (authHeader && authHeader.startsWith('Bearer ')) {
+            token = authHeader.substring(7);
+        }
+    }
+    // If no token, check for API key
+    if (!token) {
+        const apiKey = c.req.header('X-API-Key');
+        if (apiKey) {
+            const validApiKey = await authManager.verifyApiKey(apiKey);
+            if (validApiKey) {
+                // Store API key info in context
+                c.set('apiKey', validApiKey);
+                c.set('authType', 'apikey');
+                return next();
+            }
+        }
+    }
+    if (!token) {
+        return c.json({ error: 'Unauthorized', message: 'No authentication token provided' }, 401);
+    }
+    // Verify token
+    const session = await authManager.verifyToken(token);
+    if (!session) {
+        return c.json({ error: 'Unauthorized', message: 'Invalid or expired token' }, 401);
+    }
+    // Check if route requires admin access
+    if (isAdminRoute(path) && session.role !== 'admin') {
+        return c.json({ error: 'Forbidden', message: 'Admin access required' }, 403);
+    }
+    // Store session in context
+    c.set('session', session);
+    c.set('authType', 'session');
+    return next();
+}
+/**
+ * Helper to get current session from context
+ */
+export function getSession(c) {
+    return c.get('session') || null;
+}
+/**
+ * Helper to check if user is admin
+ */
+export function isAdmin(c) {
+    const session = getSession(c);
+    return session?.role === 'admin';
+}
+/**
+ * Helper to require authentication (throws if not authenticated)
+ * Returns null if auth is disabled
+ */
+export function requireAuth(c) {
+    const authEnabled = c.get('authEnabled');
+    // If auth is disabled, return null (no authentication required)
+    if (authEnabled === false) {
+        return null;
+    }
+    const session = getSession(c);
+    if (!session) {
+        throw new Error('Authentication required');
+    }
+    return session;
+}
+/**
+ * Helper to require admin access (throws if not admin)
+ * Returns null if auth is disabled
+ */
+export function requireAdmin(c) {
+    const authEnabled = c.get('authEnabled');
+    // If auth is disabled, return null (no admin check required)
+    if (authEnabled === false) {
+        return null;
+    }
+    const session = requireAuth(c);
+    if (!session) {
+        throw new Error('Authentication required');
+    }
+    if (session.role !== 'admin') {
+        throw new Error('Admin access required');
+    }
+    return session;
+}

package/dist/routes/api/v1/api-keys/index.d.ts

@@ -0,0 +1 @@
+export { default } from './route.js';

package/dist/routes/api/v1/api-keys/index.js

@@ -0,0 +1 @@
+export { default } from './route.js';