@rblez/authly 0.1.0

package/src/commands/serve.js

@@ -0,0 +1,383 @@
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { createHash, randomBytes } from "node:crypto";
+import chalk from "chalk";
+import ora from "ora";
+import { getSupabaseClient, fetchUsers } from "../lib/supabase.js";
+import { createSessionToken, verifySessionToken, authMiddleware, requireRole } from "../lib/jwt.js";
+import { signUp, signIn, signOut, getSession, getProviders, handleOAuthCallback } from "../auth/index.js";
+import { buildAuthorizeUrl, exchangeTokens, listProviderStatus } from "../lib/oauth.js";
+import {
+  createRole,
+  assignRoleToUser,
+  revokeRoleFromUser,
+  getUserRoles,
+  listRoles,
+} from "../generators/roles.js";
+import { listMigrations, getMigration, migrations } from "../generators/migrations.js";
+import { detectFramework } from "../lib/framework.js";
+import { scaffoldAuth, previewGenerated } from "../generators/ui.js";
+import { generateEnv } from "../generators/env.js";
+import { mountMcp } from "../mcp/server.js";
+
+const PORT = process.env.AUTHLY_PORT || 1284;
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+export async function cmdServe() {
+  const spinner = ora("Starting authly dashboard…").start();
+
+  const app = new Hono();
+
+  // ── Static file serving ────────────────────────────
+  const dashboardPath = path.join(__dirname, "../../dist/dashboard");
+  const hasDashboard = fs.existsSync(dashboardPath);
+
+  if (hasDashboard) {
+    app.use("/*", async (c, next) => {
+      const filePath = path.join(dashboardPath, c.req.path.replace(/^\//, ""));
+      if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
+        c.header("Content-Type", getContentType(filePath));
+        return c.body(fs.readFileSync(filePath));
+      }
+      return next();
+    });
+  }
+
+  // ── Public API ─────────────────────────────────────
+  app.get("/api/health", (c) => c.json({ status: "ok", uptime: process.uptime() }));
+
+  /** GET /api/users — list all users from Supabase */
+  app.get("/api/users", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, errors }, 503);
+    const { users, error } = await fetchUsers(client);
+    if (error) return c.json({ success: false, error }, 500);
+    return c.json({ success: true, users, count: users.length });
+  });
+
+  /** GET /api/providers — list OAuth providers and their status */
+  app.get("/api/providers", (c) =>
+    c.json({ providers: listProviderStatus() }),
+  );
+
+  /** POST /api/auth/:provider/authorize — get OAuth URL */
+  app.post("/api/auth/:provider/authorize", async (c) => {
+    const { provider } = c.req.param();
+    const body = await c.req.json();
+    const result = buildAuthorizeUrl({
+      provider,
+      redirectUri: body.redirectUri,
+      state: body.state,
+      scope: body.scope,
+    });
+    if (result.error) return c.json({ error: result.error }, 400);
+    return c.json(result);
+  });
+
+  /** POST /api/auth/ :provider/callback — exchange code for session */
+  app.post("/api/auth/:provider/callback", async (c) => {
+    const { provider } = c.req.param();
+    const body = await c.req.json();
+    const { session, error } = await exchangeOAuthCode({
+      provider,
+      code: body.code,
+      redirectUri: body.redirectUri,
+    });
+    if (error) return c.json({ success: false, error }, 400);
+
+    // Create an internal Authly session token too
+    const token = await createSessionToken({
+      sub: session.user?.id ?? "unknown",
+      role: session.user?.user_metadata?.role ?? "user",
+    });
+    return c.json({ success: true, session, token });
+  });
+
+  /** POST /api/auth/session — create a session token from credentials */
+  app.post("/api/auth/session", async (c) => {
+    const body = await c.req.json();
+    if (!body.sub) return c.json({ error: "Missing 'sub' field" }, 400);
+    const token = await createSessionToken({
+      sub: body.sub,
+      role: body.role ?? "user",
+    });
+    return c.json({ success: true, token });
+  });
+
+  /** GET /api/auth/me — verify session token from Authorization header */
+  app.get("/api/auth/me", authMiddleware(), (c) =>
+    c.json({ success: true, session: c.get("session") }),
+  );
+
+  // ── Password Auth ──────────────────────────────────
+  /** POST /api/auth/register — sign up with email + password */
+  app.post("/api/auth/register", async (c) => {
+    const body = await c.req.json();
+    const { user, token, error } = await signUp({
+      email: body.email,
+      password: body.password,
+      name: body.name ?? "",
+    });
+    if (error) return c.json({ success: false, error }, 400);
+    return c.json({ success: true, user, token });
+  });
+
+  /** POST /api/auth/login — sign in with email + password */
+  app.post("/api/auth/login", async (c) => {
+    const body = await c.req.json();
+    const { user, token, error } = await signIn({
+      email: body.email,
+      password: body.password,
+    });
+    if (error) return c.json({ success: false, error }, 401);
+    return c.json({ success: true, user, token });
+  });
+
+  /** GET /api/auth/providers — list available and enabled providers */
+  app.get("/api/auth/providers", (c) => {
+    const providers = getProviders();
+    return c.json({ providers });
+  });
+
+  /** GET /api/config — non-sensitive project config */
+  app.get("/api/config", async (c) => {
+    const fw = detectFramework();
+    const { roles = [], error } = await listRoles();
+    return c.json({
+      framework: fw ?? null,
+      providers: listProviderStatus(),
+      roles,
+    });
+  });
+
+  // ── Role management (protected) ────────────────────
+  /** GET /api/roles — list all roles */
+  app.get("/api/roles", async (c) => {
+    const { roles, error } = await listRoles();
+    if (error) return c.json({ success: false, error }, 500);
+    return c.json({ success: true, roles });
+  });
+
+  /** POST /api/roles — create a new role */
+  app.post("/api/roles", async (c) => {
+    const { name, description } = await c.req.json();
+    if (!name) return c.json({ error: "'name' is required" }, 400);
+    const result = await createRole(name, description ?? "");
+    if (!result.success) return c.json(result, 400);
+    return c.json(result);
+  });
+
+  /** POST /api/roles/:roleId/users/:userId/assign — assign role to user */
+  app.post("/api/roles/:roleName/users/:userId/assign", async (c) => {
+    const { roleName, userId } = c.req.param();
+    const result = await assignRoleToUser(userId, roleName);
+    if (!result.success) return c.json(result, 400);
+    return c.json(result);
+  });
+
+  /** DELETE /api/roles/:roleId/users/:userId/revoke — revoke role from user */
+  app.delete("/api/roles/:roleName/users/:userId/revoke", async (c) => {
+    const { roleName, userId } = c.req.param();
+    const result = await revokeRoleFromUser(userId, roleName);
+    if (!result.success) return c.json(result, 400);
+    return c.json(result);
+  });
+
+  /** GET /api/users/:userId/roles — get roles for a user */
+  app.get("/api/users/:userId/roles", async (c) => {
+    const { userId } = c.req.param();
+    const { roles, error } = await getUserRoles(userId);
+    if (error) return c.json({ success: false, error }, 500);
+    return c.json({ success: true, userId, roles });
+  });
+
+  // ── API Keys ───────────────────────────────────────
+  /** POST /api/keys — generate a new API key */
+  app.post("/api/keys", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, errors }, 503);
+
+    const body = await c.req.json();
+    if (!body.name) return c.json({ error: "'name' is required" }, 400);
+
+    const rawKey = `authly_${randomBytes(24).toString("base64url")}`;
+    const keyHash = createHash("sha256").update(rawKey).digest("hex");
+
+    const { error } = await client.from("api_keys").insert({
+      key_hash: keyHash,
+      name: body.name,
+      scopes: body.scopes ?? ["read"],
+      user_id: body.userId ?? null,
+      expires_at: body.expiresAt ?? null,
+    });
+    if (error) return c.json({ success: false, error: error.message }, 400);
+
+    // Return raw key ONCE — it cannot be retrieved later
+    return c.json({ success: true, key: rawKey, hashesTo: keyHash });
+  });
+
+  // ── Migrations ─────────────────────────────────────
+  /** GET /api/migrations — list available migrations */
+  app.get("/api/migrations", (c) =>
+    c.json({ success: true, migrations: listMigrations() }),
+  );
+
+  /** GET /api/migrations/:name/sql — get SQL for a migration */
+  app.get("/api/migrations/:name/sql", (c) => {
+    const { name } = c.req.param();
+    const sql = getMigration(name);
+    if (!sql) return c.json({ error: `Migration '${name}' not found` }, 404);
+    return c.json({ success: true, name, sql });
+  });
+
+  /** POST /api/migrations/:name/run — execute a migration against Supabase */
+  app.post("/api/migrations/:name/run", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, errors }, 503);
+
+    const { name } = c.req.param();
+    const sql = getMigration(name);
+    if (!sql) return c.json({ error: `Migration '${name}' not found` }, 404);
+
+    const { error } = await client.rpc("exec_sql", { sql_query: sql });
+    if (error) return c.json({ success: false, error: error.message }, 400);
+    return c.json({ success: true, migration: name });
+  });
+
+  // ── Scaffold ───────────────────────────────────────
+  /** POST /api/scaffold/preview — preview generated code without writing */
+  app.post("/api/scaffold/preview", async (c) => {
+    const { type } = await c.req.json();
+    if (!["login", "signup", "middleware", "route-login", "route-signup"].includes(type)) {
+      return c.json({ error: `Unknown type '${type}'. Valid: login, signup, middleware, route-login, route-signup` }, 400);
+    }
+    return c.json({ success: true, type, code: previewGenerated(type) });
+  });
+
+  /** POST /api/scaffold/generate — write auth files to a project */
+  app.post("/api/scaffold/generate", async (c) => {
+    const { targetDir } = await c.req.json();
+    if (!targetDir) return c.json({ error: "'targetDir' is required" }, 400);
+    try {
+      const { files } = await scaffoldAuth(targetDir, { apiRoutes: true });
+      c.json({ success: true, files });
+    } catch (e) {
+      c.json({ success: false, error: e.message }, 500);
+    }
+  });
+
+  // ── Init ──────────────────────────────────────────
+  /** POST /api/init/connect — detect project and generate config */
+  app.post("/api/init/connect", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const fw = detectFramework();
+    if (!fw) return c.json({ success: false, error: "No Next.js project detected" }, 400);
+
+    // Store Supabase config if provided
+    if (body.supabaseUrl) process.env.SUPABASE_URL = body.supabaseUrl;
+    if (body.supabaseAnonKey) process.env.SUPABASE_ANON_KEY = body.supabaseAnonKey;
+    if (body.supabaseServiceKey) process.env.SUPABASE_SERVICE_ROLE_KEY = body.supabaseServiceKey;
+
+    // Generate .env.local if needed
+    if (!fs.existsSync(".env.local")) {
+      await generateEnv(".env.local");
+    }
+
+    // Write authly.config.json
+    const config = {
+      framework: fw,
+      supabase: {
+        url: body.supabaseUrl || "",
+        anonKey: body.supabaseAnonKey ? "set" : "",
+        serviceKey: body.supabaseServiceKey ? "set" : "",
+      },
+    };
+    fs.writeFileSync("authly.config.json", JSON.stringify(config, null, 2) + "\n");
+
+    return c.json({ success: true, framework: fw });
+  });
+
+  // ── MCP (beta) ─────────────────────────────────────
+  mountMcp(app);
+
+  // ── Audit ──────────────────────────────────────────
+  app.post("/api/audit", async (c) => {
+    const issues = [];
+
+    // Env vars
+    for (const key of ["SUPABASE_URL", "SUPABASE_ANON_KEY", "AUTHLY_SECRET"]) {
+      if (!process.env[key]) issues.push({ check: key, status: "fail", detail: "not set" });
+      else issues.push({ check: key, status: "ok" });
+    }
+
+    // Supabase connection
+    const { client } = getSupabaseClient();
+    if (client) {
+      const { error } = await client
+        .from("auth.users")
+        .select("count", { count: "exact", head: true });
+      if (error)
+        issues.push({ check: "supabase_connection", status: "fail", detail: error.message });
+      else
+        issues.push({ check: "supabase_connection", status: "ok" });
+    } else {
+      issues.push({ check: "supabase_connection", status: "fail", detail: "not configured" });
+    }
+
+    const allOk = issues.every((i) => i.status === "ok");
+    return c.json({ success: allOk, issues });
+  });
+
+  // ── Root ───────────────────────────────────────────
+  app.get("/", (c) => {
+    if (hasDashboard) {
+      const html = fs.readFileSync(path.join(dashboardPath, "index.html"), "utf-8");
+      return c.html(html);
+    }
+    return c.json({
+      name: "authly",
+      version: "0.1.0",
+      docs: "/api/health",
+    });
+  });
+
+  // ── Start server ───────────────────────────────────
+  if (hasDashboard) {
+    spinner.succeed(
+      `Authly dashboard running at ${chalk.cyan(`http://localhost:${PORT}`)}`,
+    );
+  } else {
+    spinner.succeed(
+      `Authly API running at ${chalk.cyan(`http://localhost:${PORT}`)}${chalk.dim(" (no dashboard UI)")}`,
+    );
+  }
+  console.log(chalk.dim("  Press Ctrl+C to stop\n"));
+
+  const server = serve({
+    fetch: app.fetch,
+    port: Number(PORT),
+  });
+
+  process.on("SIGINT", () => {
+    spinner.info("Shutting down authly dashboard");
+    server.close();
+    process.exit(0);
+  });
+}
+
+function getContentType(filePath) {
+  const ext = path.extname(filePath);
+  const types = {
+    ".html": "text/html",
+    ".css": "text/css",
+    ".js": "text/javascript",
+    ".json": "application/json",
+    ".png": "image/png",
+    ".svg": "image/svg+xml",
+    ".ico": "image/x-icon",
+  };
+  return types[ext] || "application/octet-stream";
+}

package/src/generators/env.js

@@ -0,0 +1,37 @@
+import fs from "node:fs";
+
+/**
+ * Generate a .env.local template with all authly-related variables.
+ */
+export async function generateEnv(envPath) {
+  const template = `# Authly Configuration - Generated by authly init
+# https://github.com/rblez/authly
+
+# Supabase (required)
+# Get these from your Supabase project settings
+SUPABASE_URL=""
+SUPABASE_ANON_KEY=""
+SUPABASE_SERVICE_ROLE_KEY=""
+
+# Authly (required)
+# Random secret for signing internal JWT tokens
+# Generate with: openssl rand -hex 32
+AUTHLY_SECRET=""
+
+# OAuth Providers (optional)
+# Google OAuth
+GOOGLE_CLIENT_ID=""
+GOOGLE_CLIENT_SECRET=""
+
+# GitHub OAuth
+GITHUB_CLIENT_ID=""
+GITHUB_CLIENT_SECRET=""
+
+# Magic Link (optional)
+# RESEND_API_KEY=""
+
+# Dashboard (optional overrides)
+# AUTHLY_PORT=1284
+`;
+  fs.writeFileSync(envPath, template, "utf-8");
+}

package/src/generators/migrations.js

@@ -0,0 +1,138 @@
+/**
+ * SQL migration templates for Authly's Supabase schema.
+ */
+
+export const migrations = [
+  {
+    name: "001_create_roles_table",
+    description: "Core RBAC — role definitions in database",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.roles (
+  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  name        text UNIQUE NOT NULL,
+  description text DEFAULT '',
+  created_at  timestamptz  DEFAULT now(),
+  updated_at  timestamptz  DEFAULT now()
+);
+
+INSERT INTO public.roles (name, description) VALUES
+  ('admin', 'Full access to all resources'),
+  ('user',  'Standard authenticated user'),
+  ('guest', 'Limited access, no write permissions')
+ON CONFLICT (name) DO NOTHING;
+`,
+  },
+  {
+    name: "002_create_authly_users_table",
+    description: "Authly user pool — manages users independent of Supabase auth",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_users (
+  id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  email         text UNIQUE NOT NULL,
+  password_hash text,  -- NULL for OAuth-only users
+  name          text DEFAULT '',
+  avatar_url    text DEFAULT '',
+  email_verified boolean DEFAULT false,
+  created_at    timestamptz DEFAULT now(),
+  updated_at    timestamptz DEFAULT now()
+);
+
+CREATE INDEX idx_authly_users_email ON public.authly_users(email);
+`,
+  },
+  {
+    name: "003_create_oauth_accounts_table",
+    description: "Links OAuth providers to authly_users",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_oauth_accounts (
+  id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id       uuid NOT NULL REFERENCES public.authly_users(id) ON DELETE CASCADE,
+  provider      text NOT NULL,  -- 'google', 'github', 'discord'
+  provider_id   text NOT NULL,  -- provider's user ID
+  access_token  text,
+  refresh_token text,
+  expires_at    timestamptz,
+  created_at    timestamptz DEFAULT now(),
+  updated_at    timestamptz DEFAULT now(),
+  UNIQUE(provider, provider_id)
+);
+
+CREATE INDEX idx_oauth_user_id ON public.authly_oauth_accounts(user_id);
+`,
+  },
+  {
+    name: "004_create_user_roles_table",
+    description: "RBAC — link authly_users to roles",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_user_roles (
+  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id     uuid NOT NULL REFERENCES public.authly_users(id) ON DELETE CASCADE,
+  role_id     uuid NOT NULL REFERENCES public.roles(id) ON DELETE CASCADE,
+  assigned_at timestamptz DEFAULT now(),
+  UNIQUE(user_id, role_id)
+);
+
+-- Trigger: auto-assign 'user' role on new user
+CREATE OR REPLACE FUNCTION public.authly_assign_default_role()
+RETURNS trigger AS $$
+BEGIN
+  INSERT INTO public.authly_user_roles (user_id, role_id)
+  SELECT NEW.id, r.id
+  FROM public.roles r
+  WHERE r.name = 'user'
+  ON CONFLICT DO NOTHING;
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+CREATE OR REPLACE TRIGGER on_authly_user_created
+  AFTER INSERT ON public.authly_users
+  FOR EACH ROW
+  EXECUTE FUNCTION public.authly_assign_default_role();
+`,
+  },
+  {
+    name: "005_create_api_keys_table",
+    description: "Programmatic access keys with scopes",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_api_keys (
+  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  key_hash    text UNIQUE NOT NULL,
+  name        text NOT NULL,
+  scopes      text[] DEFAULT '{read}',
+  user_id     uuid REFERENCES public.authly_users(id) ON DELETE SET NULL,
+  created_at  timestamptz DEFAULT now(),
+  expires_at  timestamptz,
+  revoked_at  timestamptz
+);
+
+CREATE INDEX idx_api_keys_hash ON public.authly_api_keys(key_hash);
+`,
+  },
+  {
+    name: "006_create_user_sessions_table",
+    description: "Session tracking for active users",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_sessions (
+  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id     uuid NOT NULL REFERENCES public.authly_users(id) ON DELETE CASCADE,
+  token_hash  text UNIQUE NOT NULL,
+  ip_address  text,
+  user_agent  text,
+  expires_at  timestamptz NOT NULL,
+  created_at  timestamptz DEFAULT now()
+);
+
+CREATE INDEX idx_sessions_user ON public.authly_sessions(user_id);
+CREATE INDEX idx_sessions_token ON public.authly_sessions(token_hash);
+`,
+  },
+];
+
+export function getMigration(name) {
+  return migrations.find((m) => m.name === name)?.sql ?? null;
+}
+
+export function listMigrations() {
+  return migrations.map(({ name, description }) => ({ name, description }));
+}

package/src/generators/roles.js

@@ -0,0 +1,67 @@
+/**
+ * Role management — authly_users + roles tables.
+ */
+
+import { createClient } from "@supabase/supabase-js";
+
+function _getClient() {
+  const url = process.env.SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_ANON_KEY;
+  if (!url || !key) return { client: null, errors: ["Supabase not configured"] };
+  return { client: createClient(url, key), errors: [] };
+}
+
+export async function createRole(name, description = "") {
+  const { client, errors } = _getClient();
+  if (!client) return { success: false, error: errors.join("; ") };
+
+  const { error } = await client.from("roles").insert({ name, description });
+  if (error) return { success: false, error: error.message };
+  return { success: true, error: null };
+}
+
+export async function assignRoleToUser(userId, roleName) {
+  const { client, errors } = _getClient();
+  if (!client) return { success: false, error: errors.join("; ") };
+
+  const { data: role } = await client.from("roles").select("id").eq("name", roleName).single();
+  if (!role) return { success: false, error: `Role '${roleName}' not found` };
+
+  const { error } = await client.from("authly_user_roles").upsert({ user_id: userId, role_id: role.id });
+  if (error) return { success: false, error: error.message };
+  return { success: true, error: null };
+}
+
+export async function revokeRoleFromUser(userId, roleName) {
+  const { client, errors } = _getClient();
+  if (!client) return { success: false, error: errors.join("; ") };
+
+  const { data: role } = await client.from("roles").select("id").eq("name", roleName).single();
+  if (!role) return { success: false, error: `Role '${roleName}' not found` };
+
+  const { error } = await client.from("authly_user_roles").delete().eq("user_id", userId).eq("role_id", role.id);
+  if (error) return { success: false, error: error.message };
+  return { success: true, error: null };
+}
+
+export async function getUserRoles(userId) {
+  const { client, errors } = _getClient();
+  if (!client) return { roles: [], error: errors.join("; ") };
+
+  const { data, error } = await client
+    .from("authly_user_roles")
+    .select("roles(name)")
+    .eq("user_id", userId);
+
+  if (error) return { roles: [], error: error.message };
+  return { roles: data.map((d) => d.roles?.name ?? "").filter(Boolean), error: null };
+}
+
+export async function listRoles() {
+  const { client, errors } = _getClient();
+  if (!client) return { roles: [], error: errors.join("; ") };
+
+  const { data, error } = await client.from("roles").select("name, description").order("name");
+  if (error) return { roles: [], error: error.message };
+  return { roles: data ?? [], error: null };
+}