@mdguggenbichler/slugbase-core 0.0.1

package/backend/dist/middleware/auth.js

@@ -0,0 +1,69 @@
+import passport from 'passport';
+import { validateToken } from '../services/api-tokens.js';
+// Type guard to check if request is AuthRequest
+export function isAuthRequest(req) {
+    return 'user' in req;
+}
+/**
+ * Middleware to authenticate requests using JWT or API token.
+ * Priority: JWT (cookie or Bearer) → API token (Bearer with sb_ prefix).
+ * If JWT fails and Bearer token starts with sb_, tries API token lookup.
+ */
+export function requireAuth() {
+    return (req, res, next) => {
+        passport.authenticate('jwt', { session: false }, async (err, user) => {
+            if (err) {
+                return res.status(401).json({ error: 'Unauthorized' });
+            }
+            if (user) {
+                req.user = user;
+                return next();
+            }
+            // JWT failed; try API token if Bearer header present
+            const authHeader = req.headers.authorization;
+            if (authHeader?.startsWith('Bearer ')) {
+                const token = authHeader.substring(7);
+                if (token.startsWith('sb_')) {
+                    const apiUser = await validateToken(token);
+                    if (apiUser) {
+                        req.user = apiUser;
+                        return next();
+                    }
+                }
+            }
+            return res.status(401).json({ error: 'Unauthorized' });
+        })(req, res, next);
+    };
+}
+/**
+ * Middleware to authenticate and require global admin.
+ * Supports JWT and API token same as requireAuth.
+ */
+export function requireAdmin() {
+    return (req, res, next) => {
+        passport.authenticate('jwt', { session: false }, async (err, user) => {
+            if (err) {
+                return res.status(401).json({ error: 'Unauthorized' });
+            }
+            if (!user) {
+                const authHeader = req.headers.authorization;
+                if (authHeader?.startsWith('Bearer ')) {
+                    const token = authHeader.substring(7);
+                    if (token.startsWith('sb_')) {
+                        user = await validateToken(token);
+                    }
+                }
+            }
+            if (!user) {
+                return res.status(401).json({ error: 'Unauthorized' });
+            }
+            const isGlobalAdmin = user.is_admin === true || user.is_admin === 1;
+            if (!isGlobalAdmin) {
+                return res.status(403).json({ error: 'Forbidden' });
+            }
+            req.user = user;
+            next();
+        })(req, res, next);
+    };
+}
+//# sourceMappingURL=auth.js.map

package/backend/dist/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AACA,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAY1D,gDAAgD;AAChD,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,OAAO,MAAM,IAAI,GAAG,CAAC;AACvB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACzD,QAAQ,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;YAC7E,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,IAAI,IAAI,EAAE,CAAC;gBACR,GAAmB,CAAC,IAAI,GAAG,IAAI,CAAC;gBACjC,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,qDAAqD;YACrD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBACtC,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5B,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;oBAC3C,IAAI,OAAO,EAAE,CAAC;wBACX,GAAmB,CAAC,IAAI,GAAG,OAAO,CAAC;wBACpC,OAAO,IAAI,EAAE,CAAC;oBAChB,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IACrB,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACzD,QAAQ,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;YAC7E,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;gBAC7C,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;oBACtC,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oBACtC,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;wBAC5B,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;oBACpC,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,MAAM,aAAa,GAAG,IAAI,CAAC,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,CAAC,CAAC;YACpE,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YACtD,CAAC;YACA,GAAmB,CAAC,IAAI,GAAG,IAAI,CAAC;YACjC,IAAI,EAAE,CAAC;QACT,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IACrB,CAAC,CAAC;AACJ,CAAC"}

package/backend/dist/middleware/error-handler.d.ts

@@ -0,0 +1,11 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Error handling middleware
+ * Prevents information disclosure in production
+ */
+export declare function errorHandler(err: any, req: Request, res: Response, next: NextFunction): Response<any, Record<string, any>>;
+/**
+ * 404 handler
+ */
+export declare function notFoundHandler(req: Request, res: Response): void;
+//# sourceMappingURL=error-handler.d.ts.map

package/backend/dist/middleware/error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../src/middleware/error-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,sCA8BrF;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,QAE1D"}

package/backend/dist/middleware/error-handler.js

@@ -0,0 +1,40 @@
+import * as Sentry from '@sentry/node';
+/**
+ * Error handling middleware
+ * Prevents information disclosure in production
+ */
+export function errorHandler(err, req, res, next) {
+    // Report to Sentry when configured (no-op when SENTRY_DSN is unset)
+    Sentry.captureException(err);
+    // Log error details server-side
+    console.error('Error:', {
+        message: err.message,
+        stack: process.env.NODE_ENV === 'development' ? err.stack : undefined,
+        path: req.path,
+        method: req.method,
+    });
+    // Don't expose error details in production (M5: never send err.message or stack)
+    if (process.env.NODE_ENV === 'production') {
+        const status = err.statusCode || 500;
+        const safeMessages = {
+            400: 'Bad request',
+            401: 'Unauthorized',
+            403: 'Forbidden',
+            404: 'Not found',
+        };
+        const safeMessage = status in safeMessages ? safeMessages[status] : 'Internal server error';
+        return res.status(status).json({ error: safeMessage });
+    }
+    // Development: show more details
+    return res.status(err.statusCode || 500).json({
+        error: err.message || 'An error occurred',
+        ...(process.env.NODE_ENV === 'development' && { stack: err.stack }),
+    });
+}
+/**
+ * 404 handler
+ */
+export function notFoundHandler(req, res) {
+    res.status(404).json({ error: 'Not found' });
+}
+//# sourceMappingURL=error-handler.js.map

package/backend/dist/middleware/error-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.js","sourceRoot":"","sources":["../../src/middleware/error-handler.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,MAAM,cAAc,CAAC;AAEvC;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAQ,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB;IACpF,oEAAoE;IACpE,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAE7B,gCAAgC;IAChC,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE;QACtB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACrE,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,MAAM,EAAE,GAAG,CAAC,MAAM;KACnB,CAAC,CAAC;IAEH,iFAAiF;IACjF,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC;QACrC,MAAM,YAAY,GAA2B;YAC3C,GAAG,EAAE,aAAa;YAClB,GAAG,EAAE,cAAc;YACnB,GAAG,EAAE,WAAW;YAChB,GAAG,EAAE,WAAW;SACjB,CAAC;QACF,MAAM,WAAW,GAAG,MAAM,IAAI,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC;QAC5F,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,iCAAiC;IACjC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QAC5C,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,mBAAmB;QACzC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;KACpE,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY,EAAE,GAAa;IACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;AAC/C,CAAC"}

package/backend/dist/middleware/security.d.ts

@@ -0,0 +1,26 @@
+export declare const authRateLimiter: ((req: any, res: any, next: any) => any) | import("express-rate-limit").RateLimitRequestHandler;
+/** Refresh token: more lenient - 401 is expected when unauthenticated (e.g. signup/login page) */
+export declare const refreshRateLimiter: ((req: any, res: any, next: any) => any) | import("express-rate-limit").RateLimitRequestHandler;
+export declare const generalRateLimiter: ((req: any, res: any, next: any) => any) | import("express-rate-limit").RateLimitRequestHandler;
+export declare const strictRateLimiter: ((req: any, res: any, next: any) => any) | import("express-rate-limit").RateLimitRequestHandler;
+/** Contact form: strict limit to prevent abuse and PII flooding (M1) */
+export declare const contactRateLimiter: ((req: any, res: any, next: any) => any) | import("express-rate-limit").RateLimitRequestHandler;
+/** Redirect endpoint: stricter than general to reduce abuse/crawler load (M4) */
+export declare const redirectRateLimiter: ((req: any, res: any, next: any) => any) | import("express-rate-limit").RateLimitRequestHandler;
+/** API token creation: limit to prevent abuse */
+export declare const tokenCreateRateLimiter: ((req: any, res: any, next: any) => any) | import("express-rate-limit").RateLimitRequestHandler;
+/**
+ * Security headers middleware
+ */
+export declare function setupSecurityHeaders(): (req: import("http").IncomingMessage, res: import("http").ServerResponse, next: (err?: unknown) => void) => void;
+/**
+ * CSRF protection middleware (custom implementation for JWT-based auth)
+ * Generates and validates CSRF tokens stored in httpOnly cookies
+ * Note: SameSite=strict cookies provide good CSRF protection, but tokens add defense in depth
+ */
+export declare function csrfProtection(req: any, res: any, next: any): any;
+/**
+ * Generate CSRF token and set cookie
+ */
+export declare function generateCSRFToken(req: any, res: any): string;
+//# sourceMappingURL=security.d.ts.map

package/backend/dist/middleware/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/middleware/security.ts"],"names":[],"mappings":"AAaA,eAAO,MAAM,eAAe,SAFE,GAAG,OAAO,GAAG,QAAQ,GAAG,gEAWhD,CAAC;AAEP,kGAAkG;AAClG,eAAO,MAAM,kBAAkB,SAdD,GAAG,OAAO,GAAG,QAAQ,GAAG,gEAuBhD,CAAC;AAEP,eAAO,MAAM,kBAAkB,SAzBD,GAAG,OAAO,GAAG,QAAQ,GAAG,gEAgChD,CAAC;AAEP,eAAO,MAAM,iBAAiB,SAlCA,GAAG,OAAO,GAAG,QAAQ,GAAG,gEA0ChD,CAAC;AAEP,wEAAwE;AACxE,eAAO,MAAM,kBAAkB,SA7CD,GAAG,OAAO,GAAG,QAAQ,GAAG,gEAqDhD,CAAC;AAEP,iFAAiF;AACjF,eAAO,MAAM,mBAAmB,SAxDF,GAAG,OAAO,GAAG,QAAQ,GAAG,gEAgEhD,CAAC;AAEP,iDAAiD;AACjD,eAAO,MAAM,sBAAsB,SAnEL,GAAG,OAAO,GAAG,QAAQ,GAAG,gEA2EhD,CAAC;AAEP;;GAEG;AACH,wBAAgB,oBAAoB,wFA8ElC,CAAD,4BApCA;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,OAmB3D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,MAAM,CAe5D"}

package/backend/dist/middleware/security.js

@@ -0,0 +1,162 @@
+import rateLimit from 'express-rate-limit';
+import helmet from 'helmet';
+import crypto from 'crypto';
+/**
+ * Rate limiting configuration
+ * Disabled in development for easier testing
+ */
+const isDevelopment = process.env.NODE_ENV === 'development';
+// No-op rate limiter for development (allows all requests)
+const noOpRateLimiter = (req, res, next) => next();
+export const authRateLimiter = isDevelopment
+    ? noOpRateLimiter
+    : rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 300, // Limit each IP to 300 failed auth attempts per windowMs
+        message: 'Too many authentication attempts, please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false,
+        skipSuccessfulRequests: true, // Don't count successful requests
+    });
+/** Refresh token: more lenient - 401 is expected when unauthenticated (e.g. signup/login page) */
+export const refreshRateLimiter = isDevelopment
+    ? noOpRateLimiter
+    : rateLimit({
+        windowMs: 15 * 60 * 1000,
+        max: 500, // Higher limit; failures are often from unauthenticated users checking /auth/me
+        message: 'Too many requests, please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false,
+        skipSuccessfulRequests: true,
+    });
+export const generalRateLimiter = isDevelopment
+    ? noOpRateLimiter
+    : rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 2000, // Limit each IP to 2000 requests per windowMs
+        standardHeaders: true,
+        legacyHeaders: false,
+    });
+export const strictRateLimiter = isDevelopment
+    ? noOpRateLimiter
+    : rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 500, // Limit each IP to 500 requests per windowMs
+        message: 'Too many requests, please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false,
+    });
+/** Contact form: strict limit to prevent abuse and PII flooding (M1) */
+export const contactRateLimiter = isDevelopment
+    ? noOpRateLimiter
+    : rateLimit({
+        windowMs: 60 * 60 * 1000, // 1 hour
+        max: 10,
+        message: 'Too many contact form submissions. Please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false,
+    });
+/** Redirect endpoint: stricter than general to reduce abuse/crawler load (M4) */
+export const redirectRateLimiter = isDevelopment
+    ? noOpRateLimiter
+    : rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 200,
+        message: 'Too many redirect requests. Please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false,
+    });
+/** API token creation: limit to prevent abuse */
+export const tokenCreateRateLimiter = isDevelopment
+    ? noOpRateLimiter
+    : rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 10,
+        message: 'Too many token creation attempts. Please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false,
+    });
+/**
+ * Security headers middleware
+ */
+export function setupSecurityHeaders() {
+    // Only enable HSTS if we're actually using HTTPS
+    const baseUrl = process.env.BASE_URL || 'http://localhost:5000';
+    const isHttps = baseUrl.startsWith('https://');
+    const cspDirectives = {
+        defaultSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'"], // Swagger UI needs inline styles
+        scriptSrc: ["'self'"],
+        imgSrc: ["'self'", "data:", "https:"], // Allow data URIs and HTTPS images (for favicons)
+        connectSrc: [
+            "'self'",
+            // Sentry error tracking (ingest endpoints vary by region)
+            "https://*.ingest.sentry.io",
+            "https://*.ingest.de.sentry.io",
+            "https://*.ingest.eu.sentry.io",
+        ],
+        fontSrc: ["'self'"],
+        objectSrc: ["'none'"],
+        mediaSrc: ["'self'"],
+        frameSrc: ["'self'"], // Allow iframes for Swagger UI
+    };
+    // Only upgrade insecure requests when using HTTPS (set to null to disable when using HTTP)
+    if (isHttps) {
+        cspDirectives.upgradeInsecureRequests = [];
+    }
+    else {
+        cspDirectives.upgradeInsecureRequests = null; // Explicitly disable when using HTTP
+    }
+    return helmet({
+        contentSecurityPolicy: {
+            directives: cspDirectives,
+        },
+        crossOriginEmbedderPolicy: false, // Disable for compatibility
+        crossOriginOpenerPolicy: false, // Disable for compatibility (can cause issues with HTTP)
+        hsts: isHttps ? {
+            maxAge: 31536000, // 1 year
+            includeSubDomains: true,
+            preload: true,
+        } : false, // Disable HSTS when not using HTTPS
+    });
+}
+/**
+ * CSRF protection middleware (custom implementation for JWT-based auth)
+ * Generates and validates CSRF tokens stored in httpOnly cookies
+ * Note: SameSite=strict cookies provide good CSRF protection, but tokens add defense in depth
+ */
+export function csrfProtection(req, res, next) {
+    // Get token from header or body
+    const token = req.headers['x-csrf-token'] || req.body?.csrfToken;
+    const cookieToken = req.cookies?._csrf;
+    // If no cookie token exists, generate one (for first request)
+    if (!cookieToken) {
+        generateCSRFToken(req, res);
+        // Allow first request to proceed (they'll get token in response)
+        return next();
+    }
+    // Validate token for state-changing operations
+    if (token && token === cookieToken) {
+        return next();
+    }
+    // If token doesn't match, return error
+    return res.status(403).json({ error: 'Invalid CSRF token' });
+}
+/**
+ * Generate CSRF token and set cookie
+ */
+export function generateCSRFToken(req, res) {
+    const token = crypto.randomBytes(32).toString('hex');
+    // Only use secure cookies when actually using HTTPS (check BASE_URL)
+    const baseUrl = process.env.BASE_URL || 'http://localhost:5000';
+    const isHttps = baseUrl.startsWith('https://');
+    const isProduction = process.env.NODE_ENV === 'production' && isHttps;
+    res.cookie('_csrf', token, {
+        httpOnly: true,
+        secure: isProduction, // Only secure when using HTTPS
+        sameSite: 'strict',
+        maxAge: 24 * 60 * 60 * 1000, // 24 hours
+    });
+    return token;
+}
+//# sourceMappingURL=security.js.map

package/backend/dist/middleware/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/middleware/security.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,oBAAoB,CAAC;AAC3C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;GAGG;AACH,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,CAAC;AAE7D,2DAA2D;AAC3D,MAAM,eAAe,GAAG,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;AAElE,MAAM,CAAC,MAAM,eAAe,GAAG,aAAa;IAC1C,CAAC,CAAC,eAAe;IACjB,CAAC,CAAC,SAAS,CAAC;QACR,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,GAAG,EAAE,yDAAyD;QACnE,OAAO,EAAE,2DAA2D;QACpE,eAAe,EAAE,IAAI;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,IAAI,EAAE,kCAAkC;KACjE,CAAC,CAAC;AAEP,kGAAkG;AAClG,MAAM,CAAC,MAAM,kBAAkB,GAAG,aAAa;IAC7C,CAAC,CAAC,eAAe;IACjB,CAAC,CAAC,SAAS,CAAC;QACR,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;QACxB,GAAG,EAAE,GAAG,EAAE,gFAAgF;QAC1F,OAAO,EAAE,4CAA4C;QACrD,eAAe,EAAE,IAAI;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,IAAI;KAC7B,CAAC,CAAC;AAEP,MAAM,CAAC,MAAM,kBAAkB,GAAG,aAAa;IAC7C,CAAC,CAAC,eAAe;IACjB,CAAC,CAAC,SAAS,CAAC;QACR,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,IAAI,EAAE,8CAA8C;QACzD,eAAe,EAAE,IAAI;QACrB,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;AAEP,MAAM,CAAC,MAAM,iBAAiB,GAAG,aAAa;IAC5C,CAAC,CAAC,eAAe;IACjB,CAAC,CAAC,SAAS,CAAC;QACR,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,GAAG,EAAE,6CAA6C;QACvD,OAAO,EAAE,4CAA4C;QACrD,eAAe,EAAE,IAAI;QACrB,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;AAEP,wEAAwE;AACxE,MAAM,CAAC,MAAM,kBAAkB,GAAG,aAAa;IAC7C,CAAC,CAAC,eAAe;IACjB,CAAC,CAAC,SAAS,CAAC;QACR,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;QACnC,GAAG,EAAE,EAAE;QACP,OAAO,EAAE,4DAA4D;QACrE,eAAe,EAAE,IAAI;QACrB,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;AAEP,iFAAiF;AACjF,MAAM,CAAC,MAAM,mBAAmB,GAAG,aAAa;IAC9C,CAAC,CAAC,eAAe;IACjB,CAAC,CAAC,SAAS,CAAC;QACR,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,GAAG;QACR,OAAO,EAAE,qDAAqD;QAC9D,eAAe,EAAE,IAAI;QACrB,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;AAEP,iDAAiD;AACjD,MAAM,CAAC,MAAM,sBAAsB,GAAG,aAAa;IACjD,CAAC,CAAC,eAAe;IACjB,CAAC,CAAC,SAAS,CAAC;QACR,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,EAAE;QACP,OAAO,EAAE,2DAA2D;QACpE,eAAe,EAAE,IAAI;QACrB,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;AAEP;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,iDAAiD;IACjD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,uBAAuB,CAAC;IAChE,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAQ;QACzB,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,QAAQ,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC,EAAE,iCAAiC;QAC1E,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,kDAAkD;QACzF,UAAU,EAAE;YACV,QAAQ;YACR,0DAA0D;YAC1D,4BAA4B;YAC5B,+BAA+B;YAC/B,+BAA+B;SAChC;QACD,OAAO,EAAE,CAAC,QAAQ,CAAC;QACnB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,QAAQ,EAAE,CAAC,QAAQ,CAAC,EAAE,+BAA+B;KACtD,CAAC;IAEF,2FAA2F;IAC3F,IAAI,OAAO,EAAE,CAAC;QACZ,aAAa,CAAC,uBAAuB,GAAG,EAAE,CAAC;IAC7C,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC,qCAAqC;IACrF,CAAC;IAED,OAAO,MAAM,CAAC;QACZ,qBAAqB,EAAE;YACrB,UAAU,EAAE,aAAa;SAC1B;QACD,yBAAyB,EAAE,KAAK,EAAE,4BAA4B;QAC9D,uBAAuB,EAAE,KAAK,EAAE,yDAAyD;QACzF,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;YACd,MAAM,EAAE,QAAQ,EAAE,SAAS;YAC3B,iBAAiB,EAAE,IAAI;YACvB,OAAO,EAAE,IAAI;SACd,CAAC,CAAC,CAAC,KAAK,EAAE,oCAAoC;KAChD,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS;IAC1D,gCAAgC;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC;IACjE,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC;IAEvC,8DAA8D;IAC9D,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC5B,iEAAiE;QACjE,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,+CAA+C;IAC/C,IAAI,KAAK,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,uCAAuC;IACvC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAQ,EAAE,GAAQ;IAClD,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrD,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,uBAAuB,CAAC;IAChE,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,OAAO,CAAC;IAEtE,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,EAAE;QACzB,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,YAAY,EAAE,+BAA+B;QACrD,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW;KACzC,CAAC,CAAC;IAEH,OAAO,KAAK,CAAC;AACf,CAAC"}

package/backend/dist/middleware/stats-auth.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Secret-based auth for stats endpoint.
+ * Uses X-Stats-Secret header; constant-time comparison; returns 404 on invalid (no info leak).
+ */
+import { Request, Response, NextFunction } from 'express';
+export declare function statsSecretAuth(req: Request, res: Response, next: NextFunction): void;
+//# sourceMappingURL=stats-auth.d.ts.map

package/backend/dist/middleware/stats-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stats-auth.d.ts","sourceRoot":"","sources":["../../src/middleware/stats-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAgBrF"}

package/backend/dist/middleware/stats-auth.js

@@ -0,0 +1,20 @@
+/**
+ * Secret-based auth for stats endpoint.
+ * Uses X-Stats-Secret header; constant-time comparison; returns 404 on invalid (no info leak).
+ */
+import crypto from 'crypto';
+export function statsSecretAuth(req, res, next) {
+    const secret = process.env.STATS_ENDPOINT_SECRET?.trim();
+    if (!secret) {
+        res.status(404).end();
+        return;
+    }
+    const headerSecret = req.headers['x-stats-secret'];
+    const provided = typeof headerSecret === 'string' ? headerSecret : '';
+    if (provided.length !== secret.length || !crypto.timingSafeEqual(Buffer.from(provided, 'utf8'), Buffer.from(secret, 'utf8'))) {
+        res.status(404).end();
+        return;
+    }
+    next();
+}
+//# sourceMappingURL=stats-auth.js.map

package/backend/dist/middleware/stats-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stats-auth.js","sourceRoot":"","sources":["../../src/middleware/stats-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,UAAU,eAAe,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAC7E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,CAAC;IACzD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;IAEtE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;QAC7H,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC"}

package/backend/dist/middleware/tenant.d.ts

@@ -0,0 +1,3 @@
+import type { Request, Response, NextFunction } from 'express';
+export declare function tenantMiddleware(req: Request, _res: Response, next: NextFunction): void;
+//# sourceMappingURL=tenant.d.ts.map

package/backend/dist/middleware/tenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.d.ts","sourceRoot":"","sources":["../../src/middleware/tenant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG/D,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAYvF"}

package/backend/dist/middleware/tenant.js

@@ -0,0 +1,13 @@
+import { DEFAULT_TENANT_ID } from '../utils/tenant.js';
+export function tenantMiddleware(req, _res, next) {
+    let tenantId = DEFAULT_TENANT_ID;
+    if (process.env.NODE_ENV === 'test') {
+        const testTenant = req.header('x-test-tenant')?.trim();
+        if (testTenant) {
+            tenantId = testTenant;
+        }
+    }
+    req.tenantId = tenantId;
+    next();
+}
+//# sourceMappingURL=tenant.js.map

package/backend/dist/middleware/tenant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.js","sourceRoot":"","sources":["../../src/middleware/tenant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,MAAM,UAAU,gBAAgB,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB;IAC/E,IAAI,QAAQ,GAAG,iBAAiB,CAAC;IAEjC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,IAAI,EAAE,CAAC;QACvD,IAAI,UAAU,EAAE,CAAC;YACf,QAAQ,GAAG,UAAU,CAAC;QACxB,CAAC;IACH,CAAC;IAEA,GAAuC,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC7D,IAAI,EAAE,CAAC;AACT,CAAC"}

package/backend/dist/register-routes.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Mounts all core API routes and /go slug routes on the Express app.
+ * Does NOT add static file serving or error handlers.
+ */
+import express from 'express';
+export interface CoreRouteDeps {
+}
+/**
+ * Register all core API and /go routes. Call after createApp().
+ */
+export declare function registerCoreRoutes(app: express.Express, _deps?: CoreRouteDeps): void;
+//# sourceMappingURL=register-routes.d.ts.map

package/backend/dist/register-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register-routes.d.ts","sourceRoot":"","sources":["../src/register-routes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,OAAO,MAAM,SAAS,CAAC;AAqB9B,MAAM,WAAW,aAAa;CAE7B;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,aAAa,GAAG,IAAI,CAiCpF"}

package/backend/dist/register-routes.js

@@ -0,0 +1,59 @@
+/**
+ * Mounts all core API routes and /go slug routes on the Express app.
+ * Does NOT add static file serving or error handlers.
+ */
+import authRoutes from './routes/auth.js';
+import bookmarkRoutes from './routes/bookmarks.js';
+import folderRoutes from './routes/folders.js';
+import tagRoutes from './routes/tags.js';
+import goRoutes, { optionalAuthForGo, handleGoSlug, handleGoRemember } from './routes/go.js';
+import userRoutes from './routes/users.js';
+import teamRoutes from './routes/teams.js';
+import oidcProviderRoutes from './routes/oidc-providers.js';
+import adminUserRoutes from './routes/admin/users.js';
+import adminTeamRoutes from './routes/admin/teams.js';
+import adminSettingsRoutes from './routes/admin/settings.js';
+import adminStatsRoutes from './routes/admin/stats.js';
+import passwordResetRoutes from './routes/password-reset.js';
+import emailVerificationRoutes from './routes/email-verification.js';
+import dashboardRoutes from './routes/dashboard.js';
+import healthRoutes from './routes/health.js';
+import tokenRoutes from './routes/tokens.js';
+import configRoutes from './routes/config.js';
+import { redirectRateLimiter } from './middleware/security.js';
+/**
+ * Register all core API and /go routes. Call after createApp().
+ */
+export function registerCoreRoutes(app, _deps) {
+    app.use('/api/auth', authRoutes);
+    app.use('/api/password-reset', passwordResetRoutes);
+    app.use('/api/email-verification', emailVerificationRoutes);
+    app.use('/api/bookmarks', bookmarkRoutes);
+    app.use('/api/folders', folderRoutes);
+    app.use('/api/tags', tagRoutes);
+    app.use('/api/users', userRoutes);
+    app.use('/api/teams', teamRoutes);
+    app.use('/api/tokens', tokenRoutes);
+    app.use('/api/config', configRoutes);
+    app.use('/api/oidc-providers', oidcProviderRoutes);
+    app.use('/api/admin/users', adminUserRoutes);
+    app.use('/api/admin/teams', adminTeamRoutes);
+    app.use('/api/admin/settings', adminSettingsRoutes);
+    app.use('/api/admin/stats', adminStatsRoutes);
+    app.use('/api/dashboard', dashboardRoutes);
+    app.use('/api', healthRoutes);
+    app.use('/api/go', goRoutes);
+    if (process.env.SENTRY_DEBUG === 'true') {
+        app.get('/api/debug-sentry', () => {
+            throw new Error('Sentry backend test error');
+        });
+    }
+    app.get('/go/:slug/remember/:bookmarkId', redirectRateLimiter, optionalAuthForGo, (req, res) => {
+        handleGoRemember(req, res).catch((err) => {
+            console.error('Go remember error:', err);
+            res.status(500).send('Internal Server Error');
+        });
+    });
+    app.get('/go/:slug', redirectRateLimiter, optionalAuthForGo, handleGoSlug);
+}
+//# sourceMappingURL=register-routes.js.map

package/backend/dist/register-routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register-routes.js","sourceRoot":"","sources":["../src/register-routes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,UAAU,MAAM,kBAAkB,CAAC;AAC1C,OAAO,cAAc,MAAM,uBAAuB,CAAC;AACnD,OAAO,YAAY,MAAM,qBAAqB,CAAC;AAC/C,OAAO,SAAS,MAAM,kBAAkB,CAAC;AACzC,OAAO,QAAQ,EAAE,EAAE,iBAAiB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAC7F,OAAO,UAAU,MAAM,mBAAmB,CAAC;AAC3C,OAAO,UAAU,MAAM,mBAAmB,CAAC;AAC3C,OAAO,kBAAkB,MAAM,4BAA4B,CAAC;AAC5D,OAAO,eAAe,MAAM,yBAAyB,CAAC;AACtD,OAAO,eAAe,MAAM,yBAAyB,CAAC;AACtD,OAAO,mBAAmB,MAAM,4BAA4B,CAAC;AAC7D,OAAO,gBAAgB,MAAM,yBAAyB,CAAC;AACvD,OAAO,mBAAmB,MAAM,4BAA4B,CAAC;AAC7D,OAAO,uBAAuB,MAAM,gCAAgC,CAAC;AACrE,OAAO,eAAe,MAAM,uBAAuB,CAAC;AACpD,OAAO,YAAY,MAAM,oBAAoB,CAAC;AAC9C,OAAO,WAAW,MAAM,oBAAoB,CAAC;AAC7C,OAAO,YAAY,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAM/D;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAoB,EAAE,KAAqB;IAC5E,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACjC,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,mBAAmB,CAAC,CAAC;IACpD,GAAG,CAAC,GAAG,CAAC,yBAAyB,EAAE,uBAAuB,CAAC,CAAC;IAC5D,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;IAC1C,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;IACtC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IAChC,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAClC,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAClC,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IACpC,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACrC,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CAAC;IACnD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,mBAAmB,CAAC,CAAC;IACpD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC;IAC9C,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC3C,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAE7B,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,MAAM,EAAE,CAAC;QACxC,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,GAAG,EAAE;YAChC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC;IAED,GAAG,CAAC,GAAG,CAAC,gCAAgC,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7F,gBAAgB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACvC,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;YACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,YAAY,CAAC,CAAC;AAC7E,CAAC"}

package/backend/dist/routes/admin/demo-reset.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Demo reset endpoint
+ * Only available when DEMO_MODE is enabled
+ * Allows manual triggering of database reset
+ */
+declare const router: import("express-serve-static-core").Router;
+export default router;
+//# sourceMappingURL=demo-reset.d.ts.map

package/backend/dist/routes/admin/demo-reset.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo-reset.d.ts","sourceRoot":"","sources":["../../../src/routes/admin/demo-reset.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,QAAA,MAAM,MAAM,4CAAW,CAAC;AA4DxB,eAAe,MAAM,CAAC"}

package/backend/dist/routes/admin/demo-reset.js

@@ -0,0 +1,66 @@
+/**
+ * Demo reset endpoint
+ * Only available when DEMO_MODE is enabled
+ * Allows manual triggering of database reset
+ */
+import { Router } from 'express';
+import { resetDatabase } from '../../db/seed.js';
+import { requireAuth } from '../../middleware/auth.js';
+const router = Router();
+/**
+ * @swagger
+ * /api/admin/demo-reset:
+ *   post:
+ *     summary: Reset demo database
+ *     description: Resets the database to initial demo state. Only available when DEMO_MODE=true. Requires admin authentication.
+ *     tags: [Admin]
+ *     security:
+ *       - cookieAuth: []
+ *       - bearerAuth: []
+ *     responses:
+ *       200:
+ *         description: Database reset completed successfully
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 message:
+ *                   type: string
+ *                   example: "Database reset completed successfully"
+ *       403:
+ *         description: Not authorized (not admin) or DEMO_MODE not enabled
+ *       500:
+ *         description: Internal server error
+ */
+router.post('/', requireAuth(), async (req, res) => {
+    try {
+        // Only allow in DEMO_MODE
+        if (process.env.DEMO_MODE !== 'true') {
+            return res.status(403).json({
+                error: 'Demo reset is only available when DEMO_MODE is enabled',
+            });
+        }
+        // Check if user is admin
+        const authReq = req;
+        if (!authReq.user || !authReq.user.is_admin) {
+            return res.status(403).json({ error: 'Admin access required' });
+        }
+        // Perform reset
+        console.log('🔄 Manual database reset triggered by admin');
+        await resetDatabase();
+        res.json({
+            message: 'Database reset completed successfully',
+        });
+    }
+    catch (error) {
+        console.error('Error resetting database:', error);
+        res.status(500).json({
+            error: process.env.NODE_ENV === 'production'
+                ? 'Internal server error'
+                : error.message,
+        });
+    }
+});
+export default router;
+//# sourceMappingURL=demo-reset.js.map

package/backend/dist/routes/admin/demo-reset.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo-reset.js","sourceRoot":"","sources":["../../../src/routes/admin/demo-reset.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAe,MAAM,0BAA0B,CAAC;AAEpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;AAExB;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IACjD,IAAI,CAAC;QACH,0BAA0B;QAC1B,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;YACrC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,wDAAwD;aAChE,CAAC,CAAC;QACL,CAAC;QAED,yBAAyB;QACzB,MAAM,OAAO,GAAG,GAAkB,CAAC;QACnC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,gBAAgB;QAChB,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAC3D,MAAM,aAAa,EAAE,CAAC;QAEtB,GAAG,CAAC,IAAI,CAAC;YACP,OAAO,EAAE,uCAAuC;SACjD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;QAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;gBAC1C,CAAC,CAAC,uBAAuB;gBACzB,CAAC,CAAC,KAAK,CAAC,OAAO;SAClB,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,eAAe,MAAM,CAAC"}

package/backend/dist/routes/admin/settings.d.ts

@@ -0,0 +1,3 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;
+//# sourceMappingURL=settings.d.ts.map

package/backend/dist/routes/admin/settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.d.ts","sourceRoot":"","sources":["../../../src/routes/admin/settings.ts"],"names":[],"mappings":"AAOA,QAAA,MAAM,MAAM,4CAAW,CAAC;AA2dxB,eAAe,MAAM,CAAC"}