@rblez/authly 0.1.0

package/src/lib/jwt.js

@@ -0,0 +1,107 @@
+import { SignJWT, jwtVerify } from "jose";
+
+/**
+ * Internal JWT utilities for Authly's own session management.
+ * Uses jose (native ESM, no native deps — works on Termux).
+ *
+ * Tokens are signed with AUTHLY_SECRET (HS256) and carry
+ * a minimal payload: { sub, role, iat, exp }.
+ */
+
+const ALG = "HS256";
+const DEFAULT_TTL = 1000 * 60 * 60 * 24; // 24h
+
+/**
+ * Get a CryptoKey from the AUTHLY_SECRET env var.
+ *
+ * @returns {Promise<CryptoKey>}
+ */
+async function getSigningKey() {
+  const secret = process.env.AUTHLY_SECRET;
+  if (!secret) {
+    throw new Error("AUTHLY_SECRET is not configured");
+  }
+  return new TextEncoder().encode(secret);
+}
+
+/**
+ * Create a signed JWT for internal authly sessions.
+ *
+ * @param {{ sub: string; role: string }} payload
+ * @param {{ ttl?: number }} [options]
+ * @returns {Promise<string>}
+ */
+export async function createSessionToken(payload, options = {}) {
+  const secret = await getSigningKey();
+  const ttl = options.ttl ?? DEFAULT_TTL;
+
+  return new SignJWT({ role: payload.role })
+    .setProtectedHeader({ alg: ALG })
+    .setSubject(payload.sub)
+    .setIssuedAt()
+    .setExpirationTime(Date.now() + ttl)
+    .sign(secret);
+}
+
+/**
+ * Verify and decode an internal session token.
+ *
+ * @param {string} token
+ * @returns {Promise<{ sub: string; role: string } | null>}
+ */
+export async function verifySessionToken(token) {
+  const secret = await getSigningKey();
+
+  try {
+    const { payload } = await jwtVerify(token, secret);
+    return {
+      sub: payload.sub,
+      role: payload.role ?? "user",
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Create a bearer middleware for hono that validates the
+ * Authorization header against our internal session tokens.
+ *
+ * @returns {import("hono").MiddlewareHandler}
+ */
+export function authMiddleware() {
+  return async (c, next) => {
+    const header = c.req.header("Authorization");
+    if (!header?.startsWith("Bearer ")) {
+      return c.json({ error: "Missing or invalid Authorization header" }, 401);
+    }
+
+    const session = await verifySessionToken(header.slice(7));
+    if (!session) {
+      return c.json({ error: "Invalid or expired token" }, 401);
+    }
+
+    c.set("session", session);
+    return next();
+  };
+}
+
+/**
+ * Create a role-check wrapper for hono handlers.
+ * Requires a valid session with the specified role.
+ *
+ * @param {string} requiredRole
+ * @returns {import("hono").MiddlewareHandler}
+ */
+export function requireRole(requiredRole) {
+  return async (c, next) => {
+    const session = c.get("session");
+    if (!session) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    if (session.role !== requiredRole && session.role !== "admin") {
+      return c.json({ error: "Forbidden: insufficient permissions" }, 403);
+    }
+    return next();
+  };
+}

package/src/lib/oauth.js

@@ -0,0 +1,301 @@
+/**
+ * Authly OAuth Provider SDK
+ *
+ * Handles the full OAuth2 authorization code flow directly —
+ * no Supabase auth dependency. Like next-auth but as a standalone
+ * SDK that works with Supabase for user storage.
+ *
+ * Flow:
+ *   1. buildAuthorizeUrl() → redirect user to provider
+ *   2. User authorizes → provider redirects to callback
+ *   3. exchangeTokens() → get access_token from provider
+ *   4. fetchUserInfo() → get email/name from provider
+ *   5. upsertUser() → create/update user in Supabase
+ *   6. createSessionToken() → Authly JWT session
+ */
+
+import { createClient } from "@supabase/supabase-js";
+
+const PROVIDERS = {
+  google: {
+    authorize: "https://accounts.google.com/o/oauth2/v2/auth",
+    token: "https://oauth2.googleapis.com/token",
+    userinfo: "https://www.googleapis.com/oauth2/v2/userinfo",
+    scopeDefault: "openid email profile",
+  },
+  github: {
+    authorize: "https://github.com/login/oauth/authorize",
+    token: "https://github.com/login/oauth/access_token",
+    userinfo: "https://api.github.com/user",
+    scopeDefault: "read:user user:email",
+  },
+  discord: {
+    authorize: "https://discord.com/api/oauth2/authorize",
+    token: "https://discord.com/api/oauth2/token",
+    userinfo: "https://discord.com/api/users/@me",
+    scopeDefault: "identify email",
+  },
+};
+
+/**
+ * Build the OAuth authorization URL.
+ *
+ * @param {{ provider: string; redirectUri: string; state?: string; scope?: string }} opts
+ * @returns {{ url: string; state: string }}
+ */
+export function buildAuthorizeUrl(opts) {
+  const config = PROVIDERS[opts.provider.toLowerCase()];
+  if (!config) throw new Error(`Unknown provider: ${opts.provider}`);
+
+  const state = opts.state || crypto.randomUUID();
+
+  const clientId = process.env[`${opts.provider.toUpperCase()}_CLIENT_ID`];
+  if (!clientId) throw new Error(`${opts.provider} CLIENT_ID not configured`);
+
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: opts.redirectUri,
+    response_type: "code",
+    scope: opts.scope || config.scopeDefault,
+    state,
+  });
+
+  if (opts.provider.toLowerCase() === "google") {
+    params.set("access_type", "offline");
+    params.set("prompt", "consent");
+  }
+
+  return { url: `${config.authorize}?${params.toString()}`, state };
+}
+
+/**
+ * Exchange authorization code for an access token.
+ *
+ * @param {{ provider: string; code: string; redirectUri: string }} opts
+ * @returns {Promise<{ accessToken: string; scope: string; extra: Record<string, unknown> }>}
+ */
+export async function exchangeTokens(opts) {
+  const config = PROVIDERS[opts.provider.toLowerCase()];
+  if (!config) throw new Error(`Unknown provider: ${opts.provider}`);
+
+  const clientId = process.env[`${opts.provider.toUpperCase()}_CLIENT_ID`];
+  const clientSecret = process.env[`${opts.provider.toUpperCase()}_CLIENT_SECRET`];
+  if (!clientId || !clientSecret) {
+    throw new Error(`${opts.provider} CLIENT_ID and CLIENT_SECRET must be configured`);
+  }
+
+  const body = new URLSearchParams({
+    code: opts.code,
+    client_id: clientId,
+    client_secret: clientSecret,
+    grant_type: "authorization_code",
+    redirect_uri: opts.redirectUri,
+  });
+
+  const headers = {
+    "Content-Type": "application/x-www-form-urlencoded",
+    Accept: "application/json",
+  };
+
+  // GitHub requires Accept header; Google doesn't want it in some cases
+  if (opts.provider.toLowerCase() === "github") {
+    headers.Accept = "application/json";
+  }
+
+  const res = await fetch(config.token, { method: "POST", headers, body });
+
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Token exchange failed (${res.status}): ${text.slice(0, 300)}`);
+  }
+
+  const data = await res.json();
+
+  if (data.error) {
+    throw new Error(`OAuth error: ${data.error} — ${data.error_description || ""}`);
+  }
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in,
+    scope: data.scope || "",
+    extra: data,
+  };
+}
+
+/**
+ * Fetch user info (email, name, avatar) from the provider.
+ *
+ * @param {{ provider: string; accessToken: string }} opts
+ * @returns {Promise<{ email: string; name?: string; avatar?: string; id?: string }>}
+ */
+export async function fetchUserInfo(opts) {
+  const config = PROVIDERS[opts.provider.toLowerCase()];
+  if (!config) throw new Error(`Unknown provider: ${opts.provider}`);
+
+  const headers = {
+    Authorization: `Bearer ${opts.accessToken}`,
+  };
+
+  if (opts.provider.toLowerCase() === "github") {
+    headers.Accept = "application/vnd.github+json";
+    headers["X-GitHub-Api-Version"] = "2022-11-28";
+  }
+
+  const res = await fetch(config.userinfo, { headers });
+  if (!res.ok) throw new Error(`Userinfo failed (${res.status})`);
+
+  const data = await res.json();
+
+  // Normalize across providers
+  return {
+    providerId: String(data.sub ?? data.id ?? ""),
+    email: String(
+      data.email ??
+      (data.emails?.[0]?.email) ??
+      ""
+    ),
+    name: String(data.name ?? data.display_name ?? data.login ?? data.username ?? ""),
+    avatar: String(data.picture ?? data.avatar_url ?? data.avatar ?? ""),
+    raw: data,
+  };
+}
+
+/**
+ * Upsert the user into Supabase's auth.users table via the
+ * Management API, then return the Supabase user record.
+ *
+ * If the user doesn't exist, creates them with the provider
+ * linked. If they exist with the same email, links the provider.
+ *
+ * @param {{ provider: string; providerId: string; email: string; name?: string; avatar?: string }} opts
+ * @returns {Promise<{ userId: string; email: string; isNew: boolean }>}
+ */
+export async function upsertUser(opts) {
+  const { client, errors } = _getClient();
+  if (!client) throw new Error(`Supabase not configured: ${errors.join(", ")}`);
+
+  // Check if user already exists by email
+  const { data: existing } = await client
+    .from("user_profiles")
+    .select("user_id")
+    .eq("email", opts.email)
+    .single();
+
+  if (existing) {
+    // Update profile
+    await client
+      .from("user_profiles")
+      .update({
+        avatar_url: opts.avatar || "",
+        updated_at: new Date().toISOString(),
+        provider: opts.provider,
+        provider_id: opts.providerId,
+      })
+      .eq("user_id", existing.user_id);
+
+    return { userId: existing.user_id, email: opts.email, isNew: false };
+  }
+
+  // Create user — since we can't directly insert into auth.users,
+  // we use the Supabase admin createUser method
+  // For now, we insert into user_profiles and let the app handle
+  // the auth.users linkage via a database function
+  const { data: newUser, error } = await client
+    .from("user_profiles")
+    .insert({
+      email: opts.email,
+      full_name: opts.name || "",
+      avatar_url: opts.avatar || "",
+      provider: opts.provider,
+      provider_id: opts.providerId,
+    })
+    .select("user_id")
+    .single();
+
+  if (error) throw new Error(`Failed to create user: ${error.message}`);
+
+  return { userId: newUser.user_id, email: opts.email, isNew: true };
+}
+
+/**
+ * Full OAuth login flow — all steps in one call.
+ * Used by the Next.js auth callback route.
+ *
+ * @param {{ provider: string; code: string; redirectUri: string }} opts
+ * @returns {Promise<{ userId: string; email: string; token: string; isNew: boolean }>}
+ */
+export async function authWithProvider(opts) {
+  const tokens = await exchangeTokens(opts);
+  const info = await fetchUserInfo({ provider: opts.provider, accessToken: tokens.accessToken });
+
+  if (!info.email && !info.providerId) {
+    throw new Error("Provider returned no email and no ID");
+  }
+
+  const user = await upsertUser({
+    provider: opts.provider,
+    providerId: info.providerId,
+    email: info.email,
+    name: info.name,
+    avatar: info.avatar,
+  });
+
+  return {
+    userId: user.userId,
+    email: user.email,
+    isNew: user.isNew,
+    provider: opts.provider,
+    tokens,
+    info: {
+      name: info.name,
+      avatar: info.avatar,
+    },
+  };
+}
+
+/**
+ * List all configured providers and their status.
+ *
+ * @returns {{ name: string; enabled: boolean; scopes: string }[]}
+ */
+export function listProviderStatus() {
+  return Object.keys(PROVIDERS).map((name) => {
+    const upper = name.toUpperCase();
+    const clientId = process.env[`${upper}_CLIENT_ID`] || "";
+    const clientSecret = process.env[`${upper}_CLIENT_SECRET`] || "";
+    return {
+      name,
+      enabled: !!(clientId && clientSecret),
+      scopes: PROVIDERS[name].scopeDefault,
+    };
+  });
+}
+
+/**
+ * Add a custom provider at runtime.
+ *
+ * @param {{ name: string; authorize: string; token: string; userinfo: string; scope: string }} config
+ */
+export function addProvider(config) {
+  PROVIDERS[config.name.toLowerCase()] = {
+    authorize: config.authorize,
+    token: config.token,
+    userinfo: config.userinfo,
+    scopeDefault: config.scope,
+  };
+}
+
+// ── Internal helpers ──────────────────────────────────
+
+function _getClient() {
+  const url = process.env.SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_ANON_KEY;
+
+  if (!url || !key) {
+    return { client: null, errors: ["Supabase credentials not configured"] };
+  }
+
+  return { client: createClient(url, key), errors: [] };
+}

package/src/lib/supabase.js

@@ -0,0 +1,58 @@
+import { createClient } from "@supabase/supabase-js";
+import fs from "node:fs";
+import path from "node:path";
+
+export function getSupabaseClient() {
+  const errors = [];
+  let url = process.env.SUPABASE_URL;
+  let anonKey = process.env.SUPABASE_ANON_KEY;
+  let serviceKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
+
+  if (!url || !anonKey) {
+    const config = _loadConfig();
+    if (config) {
+      url ||= config.supabase?.url || "";
+      anonKey ||= config.supabase?.anonKey || "";
+      serviceKey ||= config.supabase?.serviceRoleKey || "";
+    }
+  }
+
+  if (!url) errors.push("SUPABASE_URL is not configured");
+  if (!anonKey) errors.push("SUPABASE_ANON_KEY is not configured");
+  if (errors.length > 0) return { client: null, errors };
+
+  const client = createClient(url, anonKey, {
+    global: {
+      headers: serviceKey
+        ? { apikey: serviceKey, Authorization: `Bearer ${serviceKey}` }
+        : {},
+    },
+  });
+
+  return { client, errors: [] };
+}
+
+/**
+ * List users from the authly_users table.
+ * This is the primary user source — not Supabase auth.users.
+ */
+export async function fetchUsers({ limit = 50 } = {}) {
+  const { client, errors } = getSupabaseClient();
+  if (!client) return { users: [], error: errors.join(", ") };
+
+  const { data, error } = await client
+    .from("authly_users")
+    .select("id, email, name, avatar_url, email_verified, created_at")
+    .order("created_at", { ascending: false })
+    .limit(limit);
+
+  if (error) return { users: [], error: error.message };
+  return { users: data ?? [], error: null };
+}
+
+function _loadConfig() {
+  const p = path.join(process.cwd(), "authly.config.json");
+  if (!fs.existsSync(p)) return null;
+  try { return JSON.parse(fs.readFileSync(p, "utf-8")); }
+  catch { return null; }
+}