@nuraly/lumenjs 0.1.3 → 0.1.4

package/dist/auth/routes.js

@@ -0,0 +1,110 @@
+import { sendJson } from './routes/utils.js';
+import { handleNativeLogin, handleOidcLogin } from './routes/login.js';
+import { handleNativeSignup } from './routes/signup.js';
+import { handleOidcCallback } from './routes/oidc-callback.js';
+import { handleLogout, handleLogoutAll } from './routes/logout.js';
+import { handleVerifyEmail } from './routes/verify.js';
+import { handleForgotPassword, handleResetPassword, handleChangePassword } from './routes/password.js';
+import { handleTokenRefresh, handleTokenRevoke } from './routes/token.js';
+/**
+ * Validate Origin header on POST requests to prevent CSRF.
+ * Returns true if the request is safe to proceed.
+ */
+function checkOrigin(req, url) {
+    if (req.method !== 'POST')
+        return true;
+    const origin = req.headers.origin || req.headers.referer;
+    if (!origin)
+        return true; // Allow requests without Origin (non-browser clients)
+    try {
+        const originUrl = new URL(origin);
+        // Direct match
+        if (originUrl.origin === url.origin)
+            return true;
+        // Behind reverse proxy: check X-Forwarded-Host
+        const fwdHost = req.headers['x-forwarded-host']?.split(',')[0]?.trim();
+        if (fwdHost && originUrl.host === fwdHost)
+            return true;
+        // Match hostname only (ignore port differences from proxy)
+        if (originUrl.hostname === url.hostname)
+            return true;
+        return false;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Handle auth routes (login, callback, logout, signup, me).
+ * Supports both OIDC and native auth.
+ * Returns true if the request was handled.
+ */
+export async function handleAuthRoutes(config, req, res, db) {
+    const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+    const pathname = url.pathname;
+    const routes = config.routes;
+    // CSRF check: verify Origin header on POST requests
+    if (req.method === 'POST' && !checkOrigin(req, url)) {
+        sendJson(res, 403, { error: 'Origin mismatch — possible CSRF' });
+        return true;
+    }
+    // ── Login (GET) — redirect to OIDC or show available methods ──
+    // /__nk_auth/login/<provider> — specific provider
+    // /__nk_auth/login — default provider or first OIDC
+    if (pathname.startsWith(routes.login)) {
+        const providerName = pathname.slice(routes.login.length + 1) || undefined; // e.g. "keycloak"
+        // Native login via POST
+        if (req.method === 'POST') {
+            return handleNativeLogin(config, req, res, url, db);
+        }
+        // OIDC login
+        return handleOidcLogin(config, res, url, providerName);
+    }
+    // ── Signup (POST) — native registration ───────────────────────
+    if (pathname === routes.signup && req.method === 'POST') {
+        return handleNativeSignup(config, req, res, db);
+    }
+    // ── Callback — OIDC code exchange ─────────────────────────────
+    if (pathname === routes.callback) {
+        return handleOidcCallback(config, req, res, url, db);
+    }
+    // ── Logout ────────────────────────────────────────────────────
+    if (pathname === routes.logout) {
+        return handleLogout(config, req, res, url, db);
+    }
+    // ── Logout All — invalidate all sessions across devices ──────
+    if (pathname === '/__nk_auth/logout-all' && req.method === 'POST') {
+        return handleLogoutAll(config, req, res, db);
+    }
+    // ── Me — return current user ──────────────────────────────────
+    if (pathname === '/__nk_auth/me') {
+        const user = req.nkAuth?.user ?? null;
+        sendJson(res, 200, user);
+        return true;
+    }
+    // ── Verify email ───────────────────────────────────────────────
+    if (pathname === '/__nk_auth/verify-email' && req.method === 'GET') {
+        return handleVerifyEmail(config, url, res, db);
+    }
+    // ── Forgot password (request reset) ───────────────────────────
+    if (pathname === '/__nk_auth/forgot-password' && req.method === 'POST') {
+        return handleForgotPassword(config, req, res, db);
+    }
+    // ── Reset password (with token) ───────────────────────────────
+    if (pathname === '/__nk_auth/reset-password' && req.method === 'POST') {
+        return handleResetPassword(config, req, res, db);
+    }
+    // ── Change password (authenticated) ──────────────────────────
+    if (pathname === '/__nk_auth/change-password' && req.method === 'POST') {
+        return handleChangePassword(config, req, res, db);
+    }
+    // ── Refresh — exchange refresh token for new access token ─────
+    if (pathname === '/__nk_auth/refresh' && req.method === 'POST') {
+        return handleTokenRefresh(config, req, res, db);
+    }
+    // ── Revoke — invalidate refresh token (mobile logout) ─────────
+    if (pathname === '/__nk_auth/revoke' && req.method === 'POST') {
+        return handleTokenRevoke(req, res, db);
+    }
+    return false;
+}

package/dist/auth/session.d.ts

@@ -0,0 +1,8 @@
+import type { SessionData } from './types.js';
+export declare function deriveKey(secret: string): Buffer;
+export declare function encryptSession(data: SessionData, secret: string): Promise<string>;
+export declare function decryptSession(cookie: string, secret: string): Promise<SessionData | null>;
+export declare function createSessionCookie(name: string, value: string, maxAge: number, secure: boolean): string;
+export declare function clearSessionCookie(name: string): string;
+export declare function parseSessionCookie(cookieHeader: string, name: string): string | undefined;
+export declare function shouldRefreshSession(session: SessionData): boolean;

package/dist/auth/session.js

@@ -0,0 +1,54 @@
+import crypto from 'node:crypto';
+const keyCache = new Map();
+export function deriveKey(secret) {
+    const cached = keyCache.get(secret);
+    if (cached)
+        return cached;
+    const key = Buffer.from(crypto.hkdfSync('sha256', secret, '', 'lumenjs-session', 32));
+    keyCache.set(secret, key);
+    return key;
+}
+export async function encryptSession(data, secret) {
+    const key = deriveKey(secret);
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const plaintext = JSON.stringify(data);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `${iv.toString('base64url')}.${ciphertext.toString('base64url')}.${tag.toString('base64url')}`;
+}
+export async function decryptSession(cookie, secret) {
+    try {
+        const parts = cookie.split('.');
+        if (parts.length !== 3)
+            return null;
+        const iv = Buffer.from(parts[0], 'base64url');
+        const ciphertext = Buffer.from(parts[1], 'base64url');
+        const tag = Buffer.from(parts[2], 'base64url');
+        const key = deriveKey(secret);
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(tag);
+        const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        return JSON.parse(plaintext.toString('utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+export function createSessionCookie(name, value, maxAge, secure) {
+    let cookie = `${name}=${value}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${maxAge}`;
+    if (secure)
+        cookie += '; Secure';
+    return cookie;
+}
+export function clearSessionCookie(name) {
+    return `${name}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+export function parseSessionCookie(cookieHeader, name) {
+    const escapedName = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${escapedName}=([^;]*)`));
+    return match ? match[1] : undefined;
+}
+export function shouldRefreshSession(session) {
+    return session.expiresAt - Date.now() / 1000 < 300;
+}

package/dist/auth/token.d.ts

@@ -0,0 +1,33 @@
+import type { AuthUser } from './types.js';
+/**
+ * Issue a short-lived access token (HMAC-SHA256 signed, stateless).
+ * Format: base64url(payload).base64url(signature)
+ */
+export declare function issueAccessToken(user: AuthUser, secret: string, ttlSeconds: number): string;
+/**
+ * Verify and decode an access token. Returns the user or null if invalid/expired.
+ */
+export declare function verifyAccessToken(token: string, secret: string): AuthUser | null;
+/**
+ * Generate an opaque refresh token (random bytes, stored hashed in DB).
+ */
+export declare function generateRefreshToken(): string;
+/**
+ * Hash a refresh token for DB storage (SHA-256).
+ */
+export declare function hashRefreshToken(token: string): string;
+interface Db {
+    all<T = any>(sql: string, ...params: any[]): Promise<T[]>;
+    get<T = any>(sql: string, ...params: any[]): Promise<T | undefined>;
+    run(sql: string, ...params: any[]): Promise<{
+        changes: number;
+        lastInsertRowid: number | bigint;
+    }>;
+    exec(sql: string): Promise<void>;
+}
+export declare function ensureRefreshTokenTable(db: Db): Promise<void>;
+export declare function storeRefreshToken(db: Db, token: string, userId: string, ttlSeconds: number): Promise<void>;
+export declare function validateRefreshToken(db: Db, token: string): Promise<string | null>;
+export declare function deleteRefreshToken(db: Db, token: string): Promise<void>;
+export declare function deleteAllRefreshTokens(db: Db, userId: string): Promise<void>;
+export {};

package/dist/auth/token.js

@@ -0,0 +1,90 @@
+import crypto from 'node:crypto';
+/**
+ * Issue a short-lived access token (HMAC-SHA256 signed, stateless).
+ * Format: base64url(payload).base64url(signature)
+ */
+export function issueAccessToken(user, secret, ttlSeconds) {
+    const payload = {
+        sub: user.sub,
+        email: user.email,
+        name: user.name,
+        roles: user.roles || [],
+        provider: user.provider,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + ttlSeconds,
+    };
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signature = crypto.createHmac('sha256', secret).update(payloadB64).digest('base64url');
+    return `${payloadB64}.${signature}`;
+}
+/**
+ * Verify and decode an access token. Returns the user or null if invalid/expired.
+ */
+export function verifyAccessToken(token, secret) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 2)
+            return null;
+        const [payloadB64, signature] = parts;
+        const expectedSig = crypto.createHmac('sha256', secret).update(payloadB64).digest('base64url');
+        if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSig)))
+            return null;
+        const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
+        if (payload.exp < Math.floor(Date.now() / 1000))
+            return null;
+        return {
+            sub: payload.sub,
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles || [],
+            provider: payload.provider,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Generate an opaque refresh token (random bytes, stored hashed in DB).
+ */
+export function generateRefreshToken() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+/**
+ * Hash a refresh token for DB storage (SHA-256).
+ */
+export function hashRefreshToken(token) {
+    return crypto.createHash('sha256').update(token).digest('hex');
+}
+export async function ensureRefreshTokenTable(db) {
+    await db.exec(`CREATE TABLE IF NOT EXISTS _nk_auth_refresh_tokens (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    token_hash TEXT NOT NULL UNIQUE,
+    user_id TEXT NOT NULL,
+    expires_at TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  )`);
+}
+export async function storeRefreshToken(db, token, userId, ttlSeconds) {
+    const tokenHash = hashRefreshToken(token);
+    const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+    await db.run('INSERT INTO _nk_auth_refresh_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)', tokenHash, userId, expiresAt);
+}
+export async function validateRefreshToken(db, token) {
+    const tokenHash = hashRefreshToken(token);
+    const row = await db.get('SELECT user_id, expires_at FROM _nk_auth_refresh_tokens WHERE token_hash = ?', tokenHash);
+    if (!row)
+        return null;
+    if (new Date(row.expires_at) < new Date()) {
+        await db.run('DELETE FROM _nk_auth_refresh_tokens WHERE token_hash = ?', tokenHash);
+        return null;
+    }
+    return row.user_id;
+}
+export async function deleteRefreshToken(db, token) {
+    const tokenHash = hashRefreshToken(token);
+    await db.run('DELETE FROM _nk_auth_refresh_tokens WHERE token_hash = ?', tokenHash);
+}
+export async function deleteAllRefreshTokens(db, userId) {
+    await db.run('DELETE FROM _nk_auth_refresh_tokens WHERE user_id = ?', userId);
+}

package/dist/auth/types.d.ts

@@ -0,0 +1,156 @@
+export interface OIDCProvider {
+    type: 'oidc';
+    name: string;
+    issuer: string;
+    clientId: string;
+    clientSecret?: string;
+    scopes?: string[];
+}
+export interface NativeProvider {
+    type: 'native';
+    name: string;
+    /** Minimum password length. Default: 8 */
+    minPasswordLength?: number;
+    /** Allow user registration. Default: true */
+    allowRegistration?: boolean;
+    /** Require email verification before login. Default: false */
+    requireEmailVerification?: boolean;
+}
+/** Auth event types for hooks (email sending, logging, etc.) */
+export type AuthEvent = {
+    type: 'verification-email';
+    email: string;
+    token: string;
+    url: string;
+} | {
+    type: 'password-reset';
+    email: string;
+    token: string;
+    url: string;
+} | {
+    type: 'password-changed';
+    email: string;
+    userId: string;
+};
+export type AuthProvider = OIDCProvider | NativeProvider;
+export interface AuthConfig {
+    /** Single provider (legacy) or array of providers */
+    provider?: {
+        issuer: string;
+        clientId: string;
+        clientSecret?: string;
+        scopes?: string[];
+    };
+    /** Multi-provider config (preferred) */
+    providers?: AuthProvider[];
+    session: {
+        secret: string;
+        cookieName?: string;
+        maxAge?: number;
+        secure?: boolean;
+    };
+    routes?: {
+        login?: string;
+        loginPage?: string;
+        callback?: string;
+        logout?: string;
+        signup?: string;
+        postLogin?: string;
+        postLogout?: string;
+        me?: string;
+    };
+    guards?: {
+        defaultAuth?: boolean;
+    };
+    permissions?: {
+        enabled?: boolean;
+        defaultOwnerGrants?: string[];
+    };
+    token?: {
+        enabled?: boolean;
+        /** Access token TTL in seconds. Default: 900 (15 min) */
+        accessTokenTTL?: number;
+        /** Refresh token TTL in seconds. Default: 604800 (7 days) */
+        refreshTokenTTL?: number;
+    };
+    /** Hook called for auth events (send verification emails, password reset emails, etc.) */
+    onEvent?: (event: AuthEvent) => void | Promise<void>;
+}
+export interface ResolvedAuthConfig {
+    providers: AuthProvider[];
+    session: {
+        secret: string;
+        cookieName: string;
+        maxAge: number;
+        secure: boolean;
+    };
+    routes: {
+        login: string;
+        loginPage: string;
+        callback: string;
+        logout: string;
+        signup: string;
+        postLogin: string;
+        postLogout: string;
+    };
+    guards: {
+        defaultAuth: boolean;
+    };
+    permissions: {
+        enabled: boolean;
+        defaultOwnerGrants: string[];
+    };
+    token: {
+        enabled: boolean;
+        accessTokenTTL: number;
+        refreshTokenTTL: number;
+    };
+    onEvent?: (event: AuthEvent) => void | Promise<void>;
+}
+export interface TokenResponse {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+    tokenType: 'Bearer';
+    user: AuthUser;
+}
+export interface AuthUser {
+    sub: string;
+    email?: string;
+    name?: string;
+    preferred_username?: string;
+    roles: string[];
+    /** Which provider authenticated this user */
+    provider?: string;
+    [key: string]: unknown;
+}
+export interface SessionData {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    expiresAt: number;
+    user: AuthUser;
+    /** Which provider created this session */
+    provider?: string;
+    /** Epoch seconds when session was created — used for logout-all invalidation */
+    createdAt?: number;
+}
+export interface NkAuth {
+    user: AuthUser;
+    session: SessionData;
+}
+export interface OIDCMetadata {
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint: string;
+    end_session_endpoint?: string;
+    jwks_uri: string;
+    issuer: string;
+}
+export interface TokenSet {
+    access_token: string;
+    refresh_token?: string;
+    id_token?: string;
+    expires_in: number;
+    token_type: string;
+}

package/dist/auth/types.js

@@ -0,0 +1,2 @@
+// ── Provider Configs ──────────────────────────────────────────────
+export {};

package/dist/build/build-client.d.ts

@@ -0,0 +1,15 @@
+import { type UserConfig, type Plugin } from 'vite';
+export interface BuildClientOptions {
+    projectDir: string;
+    clientDir: string;
+    title: string;
+    integrations: string[];
+    prefetchStrategy: 'hover' | 'viewport' | 'none';
+    publicDir: string;
+    shared: {
+        resolve: UserConfig['resolve'];
+        esbuild: UserConfig['esbuild'];
+        plugins: Plugin[];
+    };
+}
+export declare function buildClient(opts: BuildClientOptions): Promise<void>;

package/dist/build/build-client.js

@@ -0,0 +1,45 @@
+import { build as viteBuild } from 'vite';
+import path from 'path';
+import fs from 'fs';
+import { generateIndexHtml } from '../dev-server/index-html.js';
+export async function buildClient(opts) {
+    const { projectDir, clientDir, title, integrations, prefetchStrategy, publicDir, shared } = opts;
+    console.log('[LumenJS] Building client bundle...');
+    // Read optional head.html for blocking scripts (e.g. theme initialization)
+    const headHtmlPath = path.join(projectDir, 'head.html');
+    const headContent = fs.existsSync(headHtmlPath) ? fs.readFileSync(headHtmlPath, 'utf-8') : undefined;
+    // Generate index.html as build entry
+    const indexHtml = generateIndexHtml({ title, editorMode: false, integrations, prefetch: prefetchStrategy, headContent });
+    const tempIndexPath = path.join(projectDir, '__nk_build_index.html');
+    fs.writeFileSync(tempIndexPath, indexHtml);
+    try {
+        await viteBuild({
+            root: projectDir,
+            publicDir: fs.existsSync(publicDir) ? publicDir : undefined,
+            resolve: shared.resolve,
+            plugins: shared.plugins,
+            esbuild: shared.esbuild,
+            build: {
+                outDir: clientDir,
+                emptyOutDir: true,
+                rollupOptions: {
+                    input: tempIndexPath,
+                    external: ['mermaid', 'monaco-editor', 'monacopilot', '@lumenjs/db', '@lumenjs/permissions', '@lumenjs/storage'],
+                },
+            },
+            logLevel: 'warn',
+        });
+    }
+    finally {
+        // Clean up temp file
+        if (fs.existsSync(tempIndexPath)) {
+            fs.unlinkSync(tempIndexPath);
+        }
+    }
+    // Rename the built HTML file from __nk_build_index.html to index.html
+    const builtHtmlPath = path.join(clientDir, '__nk_build_index.html');
+    const finalHtmlPath = path.join(clientDir, 'index.html');
+    if (fs.existsSync(builtHtmlPath)) {
+        fs.renameSync(builtHtmlPath, finalHtmlPath);
+    }
+}

package/dist/build/build-prerender.d.ts

@@ -0,0 +1,11 @@
+import type { BuildManifest } from '../shared/types.js';
+import type { PageEntry, LayoutEntry } from './scan.js';
+export interface PrerenderOptions {
+    serverDir: string;
+    clientDir: string;
+    pagesDir: string;
+    pageEntries: PageEntry[];
+    layoutEntries: LayoutEntry[];
+    manifest: BuildManifest;
+}
+export declare function prerenderPages(opts: PrerenderOptions): Promise<void>;