@qwickapps/server 1.5.2 → 1.6.0

package/dist-ui-lib/pages/APIKeysPage.d.ts

@@ -0,0 +1,13 @@
+/**
+ * APIKeysPage Component
+ *
+ * API key management page for authentication and authorization.
+ * Allows users to create, view, and manage API keys with scopes.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+export interface APIKeysPageProps {
+    title?: string;
+    subtitle?: string;
+}
+export declare function APIKeysPage({ title, subtitle, }: APIKeysPageProps): import("react/jsx-runtime").JSX.Element;

package/dist-ui-lib/pages/AcceptInvitationPage.d.ts

@@ -0,0 +1,28 @@
+/**
+ * AcceptInvitationPage Component
+ *
+ * Standalone page for users to accept invitations and activate their accounts.
+ * Can be used in control panel or frontend applications.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+import { type User } from '../api/controlPanelApi';
+export interface AcceptInvitationPageProps {
+    /** Invitation token (if not provided, will extract from URL) */
+    token?: string;
+    /** Title text */
+    title?: string;
+    /** Subtitle text */
+    subtitle?: string;
+    /** Success message */
+    successMessage?: string;
+    /** URL to redirect to after successful activation (optional) */
+    redirectUrl?: string;
+    /** Label for the redirect button */
+    redirectLabel?: string;
+    /** Callback when invitation is accepted successfully */
+    onSuccess?: (user: User) => void;
+    /** Callback when invitation acceptance fails */
+    onError?: (error: string) => void;
+}
+export declare function AcceptInvitationPage({ token: tokenProp, title, subtitle, successMessage, redirectUrl, redirectLabel, onSuccess, onError, }: AcceptInvitationPageProps): import("react/jsx-runtime").JSX.Element;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qwickapps/server",
-  "version": "1.5.2",
+  "version": "1.6.0",
   "description": "Plugin-based application server framework for building websites, APIs, admin dashboards, and full-stack products",
   "type": "module",
   "main": "dist/index.js",
@@ -54,7 +54,8 @@
     "cors": "^2.8.5",
     "express": "^4.18.2",
     "helmet": "^7.1.0",
-    "http-proxy-middleware": "^3.0.3"
+    "http-proxy-middleware": "^3.0.3",
+    "zod": "^3.22.4"
   },
   "devDependencies": {
     "@emotion/react": "^11.14.0",

package/src/core/control-panel.ts

@@ -392,7 +392,7 @@ export function createControlPanel(options: CreateControlPanelOptions): ControlP
       return b.path.length - a.path.length;
     });
 
-    // Register routes with Express
+    // Register routes with Express router (mounted at apiBasePath)
     logger.debug(`Registering ${routes.length} routes in priority order:`);
     for (const route of routes) {
       // TODO: Add auth middleware if route.auth?.required
@@ -403,26 +403,26 @@ export function createControlPanel(options: CreateControlPanelOptions): ControlP
 
       switch (route.method) {
         case 'get':
-          app.get(route.path, ...handlers);
+          router.get(route.path, ...handlers);
           break;
         case 'post':
-          app.post(route.path, ...handlers);
+          router.post(route.path, ...handlers);
           break;
         case 'put':
-          app.put(route.path, ...handlers);
+          router.put(route.path, ...handlers);
           break;
         case 'delete':
-          app.delete(route.path, ...handlers);
+          router.delete(route.path, ...handlers);
           break;
         case 'patch':
-          app.patch(route.path, ...handlers);
+          router.patch(route.path, ...handlers);
           break;
         case 'use':
-          app.use(route.path, ...handlers);
+          router.use(route.path, ...handlers);
           break;
       }
 
-      logger.debug(`  ${route.method.toUpperCase()} ${route.path}`);
+      logger.debug(`  ${route.method.toUpperCase()} ${apiBasePath}${route.path}`);
     }
 
     return new Promise((resolve) => {

package/src/plugins/api-keys/api-keys-plugin.ts

@@ -0,0 +1,397 @@
+/**
+ * API Keys Plugin
+ *
+ * API key authentication and management plugin for @qwickapps/server.
+ * Provides API key generation, storage, and verification with PostgreSQL RLS.
+ *
+ * This plugin depends on the Users Plugin for user identity.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+
+import type { Request, Response } from 'express';
+import type { Plugin, PluginConfig, PluginRegistry } from '../../core/plugin-registry.js';
+import type {
+  ApiKeysPluginConfig,
+  ApiKeyStore,
+  CreateApiKeyParams,
+  UpdateApiKeyParams,
+  ApiKey,
+} from './types.js';
+import type { AuthenticatedRequest } from '../auth/types.js';
+import {
+  CreateApiKeySchema,
+  UpdateApiKeySchema,
+} from './types.js';
+
+// Store instance for helper access
+let currentStore: ApiKeyStore | null = null;
+
+/**
+ * Create the API Keys plugin
+ */
+export function createApiKeysPlugin(config: ApiKeysPluginConfig): Plugin {
+  const debug = config.debug || false;
+  // Routes are mounted under /api by the control panel, so don't include /api in prefix
+  const apiPrefix = config.api?.prefix || '/api-keys';
+  const apiEnabled = config.api?.enabled !== false;
+
+  function log(message: string, data?: Record<string, unknown>) {
+    if (debug) {
+      console.log(`[ApiKeysPlugin] ${message}`, data || '');
+    }
+  }
+
+  return {
+    id: 'api-keys',
+    name: 'API Keys',
+    version: '1.0.0',
+
+    async onStart(_pluginConfig: PluginConfig, registry: PluginRegistry): Promise<void> {
+      log('Starting API keys plugin');
+
+      // Check for users plugin dependency
+      if (!registry.hasPlugin('users')) {
+        throw new Error('API Keys plugin requires Users plugin to be loaded first');
+      }
+
+      // Initialize the store (creates tables and RLS policies if needed)
+      await config.store.initialize();
+      log('API keys plugin migrations complete');
+
+      // Store reference for helper access
+      currentStore = config.store;
+
+      // Register health check
+      registry.registerHealthCheck({
+        name: 'api-keys-store',
+        type: 'custom',
+        check: async () => {
+          try {
+            // Simple health check - store is accessible
+            return { healthy: currentStore !== null };
+          } catch {
+            return { healthy: false };
+          }
+        },
+      });
+
+      // Add API routes if enabled
+      if (apiEnabled) {
+        // POST /api-keys - Create a new API key
+        registry.addRoute({
+          method: 'post',
+          path: apiPrefix,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              // Validate request body
+              const validation = CreateApiKeySchema.safeParse(req.body);
+              if (!validation.success) {
+                return res.status(400).json({
+                  error: 'Invalid request',
+                });
+              }
+
+              const params: CreateApiKeyParams = {
+                user_id: userId,
+                ...validation.data,
+              };
+
+              // Create the API key
+              const apiKey = await config.store.create(params);
+
+              // Return the key with plaintext (ONLY time plaintext is accessible)
+              res.status(201).json({
+                id: apiKey.id,
+                name: apiKey.name,
+                key: apiKey.plaintext_key, // Client must save this - won't be shown again
+                key_prefix: apiKey.key_prefix,
+                key_type: apiKey.key_type,
+                scopes: apiKey.scopes,
+                expires_at: apiKey.expires_at,
+                is_active: apiKey.is_active,
+                created_at: apiKey.created_at,
+              });
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Create API key error:', error);
+              res.status(500).json({ error: 'Failed to create API key' });
+            }
+          },
+        });
+
+        // GET /api-keys - List current user's API keys
+        registry.addRoute({
+          method: 'get',
+          path: apiPrefix,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              const keys = await config.store.list(userId);
+
+              // Remove sensitive fields from response
+              const sanitized = keys.map(key => ({
+                id: key.id,
+                name: key.name,
+                key_prefix: key.key_prefix,
+                key_type: key.key_type,
+                scopes: key.scopes,
+                last_used_at: key.last_used_at,
+                expires_at: key.expires_at,
+                is_active: key.is_active,
+                created_at: key.created_at,
+                updated_at: key.updated_at,
+              }));
+
+              res.json({ keys: sanitized });
+            } catch (error) {
+              console.error('[ApiKeysPlugin] List API keys error:', error);
+              res.status(500).json({ error: 'Failed to list API keys' });
+            }
+          },
+        });
+
+        // GET /api-keys/:id - Get a specific API key
+        registry.addRoute({
+          method: 'get',
+          path: `${apiPrefix}/:id`,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              const { id } = req.params;
+              const key = await config.store.get(userId, id);
+
+              if (!key) {
+                return res.status(404).json({ error: 'API key not found' });
+              }
+
+              // Remove sensitive fields from response
+              const sanitized = {
+                id: key.id,
+                name: key.name,
+                key_prefix: key.key_prefix,
+                key_type: key.key_type,
+                scopes: key.scopes,
+                last_used_at: key.last_used_at,
+                expires_at: key.expires_at,
+                is_active: key.is_active,
+                created_at: key.created_at,
+                updated_at: key.updated_at,
+              };
+
+              res.json(sanitized);
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Get API key error:', error);
+              res.status(500).json({ error: 'Failed to get API key' });
+            }
+          },
+        });
+
+        // PUT /api-keys/:id - Update an API key
+        registry.addRoute({
+          method: 'put',
+          path: `${apiPrefix}/:id`,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              // Validate request body
+              const validation = UpdateApiKeySchema.safeParse(req.body);
+              if (!validation.success) {
+                return res.status(400).json({
+                  error: 'Invalid request',
+                });
+              }
+
+              const { id } = req.params;
+              const params: UpdateApiKeyParams = validation.data;
+
+              const updated = await config.store.update(userId, id, params);
+
+              if (!updated) {
+                return res.status(404).json({ error: 'API key not found' });
+              }
+
+              // Remove sensitive fields from response
+              const sanitized = {
+                id: updated.id,
+                name: updated.name,
+                key_prefix: updated.key_prefix,
+                key_type: updated.key_type,
+                scopes: updated.scopes,
+                last_used_at: updated.last_used_at,
+                expires_at: updated.expires_at,
+                is_active: updated.is_active,
+                created_at: updated.created_at,
+                updated_at: updated.updated_at,
+              };
+
+              res.json(sanitized);
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Update API key error:', error);
+              res.status(500).json({ error: 'Failed to update API key' });
+            }
+          },
+        });
+
+        // DELETE /api-keys/:id - Delete an API key
+        registry.addRoute({
+          method: 'delete',
+          path: `${apiPrefix}/:id`,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              const { id } = req.params;
+              const deleted = await config.store.delete(userId, id);
+
+              if (!deleted) {
+                return res.status(404).json({ error: 'API key not found' });
+              }
+
+              res.status(204).send();
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Delete API key error:', error);
+              res.status(500).json({ error: 'Failed to delete API key' });
+            }
+          },
+        });
+      }
+
+      log('API keys plugin started');
+    },
+
+    async onStop(): Promise<void> {
+      log('Stopping API keys plugin');
+      if (currentStore) {
+        await currentStore.shutdown();
+      }
+      currentStore = null;
+      log('API keys plugin stopped');
+    },
+  };
+}
+
+// ========================================
+// Helper Functions
+// ========================================
+
+/**
+ * Get the current API keys store instance
+ */
+export function getApiKeysStore(): ApiKeyStore | null {
+  return currentStore;
+}
+
+/**
+ * Verify an API key and return the associated key record
+ * Returns null if key is invalid, expired, or inactive
+ */
+export async function verifyApiKey(plaintextKey: string): Promise<ApiKey | null> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  const key = await currentStore.verify(plaintextKey);
+
+  // Update last_used_at timestamp if key is valid
+  if (key) {
+    await currentStore.recordUsage(key.id).catch(err => {
+      console.error('[ApiKeysPlugin] Failed to record key usage:', err);
+    });
+  }
+
+  return key;
+}
+
+/**
+ * Create an API key for a user
+ */
+export async function createApiKey(params: CreateApiKeyParams): Promise<ApiKey> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.create(params);
+}
+
+/**
+ * List all API keys for a user
+ */
+export async function listApiKeys(userId: string): Promise<ApiKey[]> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.list(userId);
+}
+
+/**
+ * Get a specific API key
+ */
+export async function getApiKey(userId: string, keyId: string): Promise<ApiKey | null> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.get(userId, keyId);
+}
+
+/**
+ * Update an API key
+ */
+export async function updateApiKey(
+  userId: string,
+  keyId: string,
+  params: UpdateApiKeyParams
+): Promise<ApiKey | null> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.update(userId, keyId, params);
+}
+
+/**
+ * Delete an API key
+ */
+export async function deleteApiKey(userId: string, keyId: string): Promise<boolean> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.delete(userId, keyId);
+}

package/src/plugins/api-keys/index.ts

@@ -0,0 +1,49 @@
+/**
+ * API Keys Plugin Index
+ *
+ * API key authentication and management plugin with PostgreSQL RLS.
+ * Depends on the Users Plugin for user identity.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+
+// Main plugin
+export {
+  createApiKeysPlugin,
+  getApiKeysStore,
+  verifyApiKey,
+  createApiKey,
+  listApiKeys,
+  getApiKey,
+  updateApiKey,
+  deleteApiKey,
+} from './api-keys-plugin.js';
+
+// Types
+export type {
+  ApiKeysPluginConfig,
+  ApiKeyStore,
+  ApiKey,
+  ApiKeyWithPlaintext,
+  ApiKeyScope,
+  ApiKeyType,
+  CreateApiKeyParams,
+  UpdateApiKeyParams,
+  PostgresApiKeyStoreConfig,
+  ApiKeysApiConfig,
+} from './types.js';
+
+// Zod schemas
+export {
+  ApiKeyScopeSchema,
+  ApiKeyTypeSchema,
+  CreateApiKeySchema,
+  UpdateApiKeySchema,
+  ApiKeySchema,
+} from './types.js';
+
+// Stores
+export { postgresApiKeyStore } from './stores/index.js';
+
+// Middleware
+export { bearerTokenAuth } from './middleware/index.js';