npm - @rblez/authly - Versions diffs - 0.4.0 → 0.5.0 - Mend

@rblez/authly 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/dashboard/app.js +915 -397
package/dist/dashboard/app.js.map +38 -0
package/dist/dashboard/index.html +12 -49
package/dist/dashboard/styles.css +63 -0
package/package.json +3 -1
package/src/commands/init.js +24 -29
package/src/commands/serve.js +499 -376
package/src/dashboard/api.js +22 -0
package/src/dashboard/components/states.js +16 -0
package/src/dashboard/components/toast.js +12 -0
package/src/dashboard/components/wizard.js +52 -0
package/src/dashboard/index.js +124 -0
package/src/dashboard/sections/apikeys.js +85 -0
package/src/dashboard/sections/audit.js +38 -0
package/src/dashboard/sections/mcp.js +30 -0
package/src/dashboard/sections/migrations.js +84 -0
package/src/dashboard/sections/providers.js +186 -0
package/src/dashboard/sections/roles.js +61 -0
package/src/dashboard/sections/supabase.js +151 -0
package/src/dashboard/sections/users.js +96 -0
package/src/dashboard/state.js +30 -0

package/src/commands/serve.js CHANGED Viewed

@@ -1,3 +1,10 @@
+/**
+ * Authly Hono server — runs both locally (dashboard) and on Railway (API only).
+ *
+ * Local:  serves dist/dashboard/ static files + all /api/* routes
+ * Railway: serves only /api/* routes + /mcp (no HTML, all JSON)
+ */
 import { Hono } from "hono";
 import { serve } from "@hono/node-server";
 import fs from "node:fs";
@@ -6,10 +13,21 @@ import { fileURLToPath } from "node:url";
 import { createHash, randomBytes } from "node:crypto";
 import chalk from "chalk";
 import ora from "ora";
+import { scanSupabase } from "../integrations/supabase.js";
 import { getSupabaseClient, fetchUsers } from "../lib/supabase.js";
-import { createSessionToken, verifySessionToken, authMiddleware, requireRole } from "../lib/jwt.js";
-import { signUp, signIn, signOut, getSession, getProviders, handleOAuthCallback, sendMagicLink, verifyMagicLink } from "../auth/index.js";
-import { buildAuthorizeUrl, exchangeTokens, listProviderStatus } from "../lib/oauth.js";
+import { createSessionToken, verifySessionToken, authMiddleware } from "../lib/jwt.js";
+import {
+  buildAuthorizeUrl,
+  exchangeTokens,
+  upsertUser,
+  listProviderStatus,
+} from "../lib/oauth.js";
+import {
+  buildSupabaseAuthorizeUrl,
+  exchangeSupabaseToken,
+  saveSupabaseTokens,
+} from "../lib/supabase-oauth.js";
+import { getProjects, getProjectApiKeys, ensureValidAccessToken } from "../lib/supabase-api.js";
 import {
   createRole,
   assignRoleToUser,
@@ -18,41 +36,51 @@ import {
   listRoles,
 } from "../generators/roles.js";
 import { listMigrations, getMigration, migrations } from "../generators/migrations.js";
-import { detectFramework } from "../lib/framework.js";
 import { scaffoldAuth, previewGenerated } from "../generators/ui.js";
-import { generateEnv } from "../generators/env.js";
 import { mountMcp } from "../mcp/server.js";
-import { scanSupabase } from "../integrations/supabase.js";
-import { generatePKCE, buildSupabaseAuthorizeUrl, exchangeSupabaseToken, saveSupabaseTokens } from "../lib/supabase-oauth.js";
-import { ensureValidAccessToken, autoConfigureFromToken, getProjects, getProjectApiKeys } from "../lib/supabase-api.js";
 const PORT = process.env.PORT || process.env.AUTHLY_PORT || 1284;
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
-/**
- * In-memory PKCE state store (server-side, dev-only).
- * Key: state token, Value: { verifier, codeChallenge }
- * Survives no restart — fine for local dev.
- */
+/** In-memory PKCE state for Supabase OAuth (server-side, dev-only). */
 const pkceState = new Map();
+/** Provider test handlers keyed by provider name. */
+async function _testProvider(name) {
+  const id = process.env[`${name.toUpperCase()}_CLIENT_ID`];
+  const secret = process.env[`${name.toUpperCase()}_CLIENT_SECRET`];
+  if (!id || !secret) return { valid: false, error: "Credentials not configured" };
+  // Validate by attempting an OAuth token exchange (provider-specific endpoints)
+  const endpoints = {
+    google: "https://oauth2.googleapis.com/token",
+    github: "https://github.com/login/oauth/access_token",
+    discord: "https://discord.com/api/oauth2/token",
+  };
+  const url = endpoints[name];
+  if (!url) return { valid: false, error: `Unknown provider: ${name}` };
+  try {
+    await fetch(url, { method: "POST" });
+    return { valid: true };
+  } catch (e) {
+    return { valid: false, error: e.message };
+  }
+}
 export async function cmdServe() {
   const spinner = ora("Starting authly dashboard…").start();
   const app = new Hono();
-  // ── CORS — allow localhost to call the hosted API ──
-  app.use("/api/*", (c) => {
+  // ── CORS — allow localhost to call hosted API ──
+  app.use("/api/*", async (c, next) => {
     c.header("Access-Control-Allow-Origin", "*");
     c.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
     c.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
-    if (c.req.method === "OPTIONS") {
-      return new Response(null, { status: 204 });
-    }
-    return c.next();
+    if (c.req.method === "OPTIONS") return new Response(null, { status: 204 });
+    return next();
   });
-  // ── Static file serving ────────────────────────────
+  // ── Static file serving (local only — Railway has no dashboard) ──
   const dashboardPath = path.join(__dirname, "../../dist/dashboard");
   const hasDashboard = fs.existsSync(dashboardPath);
@@ -67,140 +95,139 @@ export async function cmdServe() {
     });
   }
-  // ── Public API ─────────────────────────────────────
+  // ── Public ──────────────────────────────────────────
   app.get("/api/health", (c) => c.json({ status: "ok", uptime: process.uptime() }));
-  /** GET /api/integrations/supabase/scan — scan local project */
-  app.get("/api/integrations/supabase/scan", (c) => {
-    const projectRoot = path.resolve(process.cwd());
-    const scan = scanSupabase(projectRoot);
-    return c.json({ success: true, ...scan });
-  });
+  // ── Supabase ────────────────────────────────────────
-  /** GET /api/users — list all users from Supabase */
-  app.get("/api/users", async (c) => {
-    const { client, errors } = getSupabaseClient();
-    if (!client) return c.json({ success: false, errors }, 503);
-    const { users, error } = await fetchUsers(client);
-    if (error) return c.json({ success: false, error }, 500);
-    return c.json({ success: true, users, count: users.length });
-  });
-  /** GET /api/providers — list OAuth providers and their status */
-  app.get("/api/providers", (c) =>
-    c.json({ providers: listProviderStatus() }),
-  );
+  /** GET /api/supabase/status — connection status (no secrets) */
+  async function getSupabaseStatus() {
+    const { client } = getSupabaseClient();
+    const url = process.env.SUPABASE_URL || "";
-  /** GET /api/auth/:provider/authorize — redirect to provider */
-  app.get("/api/auth/:provider/authorize", async (c) => {
-    const { provider } = c.req.param();
-    const query = c.req.query();
-    const redirectUri = query.redirectUri || `${c.req.url.split("/api/")[0]}/api/auth/${provider}/callback`;
+    if (!url) {
+      return { connected: false, project: null, scannedFrom: null };
+    }
-    try {
-      const result = buildAuthorizeUrl({ provider, redirectUri, state: query.state, scope: query.scope });
-      return c.redirect(result.url);
-    } catch (e) {
-      // Provider not found — redirect to authorize page
-      return c.redirect("/authorize");
+    if (!client) {
+      return { connected: false, project: null, scannedFrom: process.env.SUPABASE_URL ? "env" : null };
     }
+    // Try a simple query to verify connection
+    const { error } = await client
+      .from("authly_users")
+      .select("count", { count: "exact", head: true });
+    if (error) return { connected: false, project: url, scannedFrom: "env" };
+    // Check if tokens exist in authly_supabase_tokens
+    const { data: tokens } = await client
+      .from("authly_supabase_tokens")
+      .select("project_name, project_ref")
+      .eq("user_id", "00000000-0000-0000-0000-000000000000")
+      .maybeSingle();
+    return {
+      connected: true,
+      project: tokens?.project_name || url,
+      scannedFrom: process.env.SUPABASE_OAUTH_CLIENT_ID ? "oauth" : "env",
+    };
+  }
+  app.get("/api/supabase/status", async (c) => {
+    const status = await getSupabaseStatus();
+    return c.json(status);
   });
-  /** GET /authorize — sign-in page listing available providers */
-  app.get("/authorize", (c) => {
-    if (hasDashboard) {
-      const html = fs.readFileSync(path.join(dashboardPath, "authorize.html"), "utf-8");
-      return c.html(html);
-    }
-    return c.json({ providers: listProviderStatus() });
+  /** POST /api/supabase/scan — scan CWD and attempt Supabase connection */
+  app.post("/api/supabase/scan", async (c) => {
+    const scan = scanSupabase(process.cwd());
+    return c.json({
+      found: scan.canConnect,
+      fields: scan.canConnect
+        ? ["SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY"]
+        : ["SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY"].filter((f) => {
+            const key = f === "SUPABASE_SERVICE_ROLE_KEY" ? "serviceKey" : f === "SUPABASE_ANON_KEY" ? "anonKey" : "url";
+            return !scan[key];
+          }),
+    });
   });
-  // ── Supabase Platform OAuth with PKCE ───────────────
+  /** GET /api/auth/supabase — always return OAuth authorize URL (never { status: "connected" }) */
+  app.get("/api/auth/supabase", (c) => {
+    try {
+      const { verifier, challenge } = generatePKCE();
+      const state = randomBytes(16).toString("hex");
+      pkceState.set(state, { verifier, challenge });
+      setTimeout(() => pkceState.delete(state), 10 * 60 * 1000);
+      const result = buildSupabaseAuthorizeUrl({ state, codeChallenge: challenge });
+      return c.json({ url: result.url });
+    } catch (e) {
+      return c.json({ error: e.message }, 400);
+    }
+  });
-  /** GET /api/auth/supabase/authorize — start Supabase OAuth flow */
+  /** GET /api/auth/supabase/authorize — start OAuth flow via redirect */
   app.get("/api/auth/supabase/authorize", async (c) => {
-    const query = c.req.query();
     const { verifier, challenge } = generatePKCE();
     const state = randomBytes(16).toString("hex");
-    // Store verifier for later exchange
     pkceState.set(state, { verifier, challenge });
-    // Auto-expire state after 10 min
     setTimeout(() => pkceState.delete(state), 10 * 60 * 1000);
-    const result = buildSupabaseAuthorizeUrl({
-      state,
-      codeChallenge: challenge,
-      organizationSlug: query.organization,
-    });
-    return c.redirect(result.url);
+    try {
+      const result = buildSupabaseAuthorizeUrl({ state, codeChallenge: challenge });
+      return c.redirect(result.url);
+    } catch (e) {
+      return c.json({ error: e.message }, 400);
+    }
   });
   /** GET /api/auth/supabase/callback — OAuth callback with PKCE */
   app.get("/api/auth/supabase/callback", async (c) => {
-    const query = c.req.query();
-    const code = query.code;
-    const state = query.state;
-    // Validate state and get stored verifier
+    const { code, state } = c.req.query();
     const stored = pkceState.get(state);
-    if (!stored) {
-      return c.html(`<h1>Invalid or expired state token</h1>
-        <p>Return to <a href="/">dashboard</a></p>`, 400);
-    }
+    if (!stored) return c.text("Invalid or expired state", 400);
     pkceState.delete(state);
-    if (!code) {
-      return c.html(`<h1>Authorization failed</h1>
-        <p>Return to <a href="/">dashboard</a></p>`, 400);
-    }
+    if (!code) return c.text("Authorization failed: no code", 400);
     try {
-      // Exchange code for tokens
-      const tokens = await exchangeSupabaseToken({
-        code,
-        verifier: stored.verifier,
-      });
-      // Save tokens to DB
-      await saveSupabaseTokens({
-        accessToken: tokens.access_token,
-        refreshToken: tokens.refresh_token,
-        expiresIn: tokens.expires_in,
-      });
-      // Auto-configure: get project, extract keys, fill .env.local
-      const config = await autoConfigureFromToken(tokens.access_token);
-      if (config) {
-        return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
-          <h1 style="color:#22c55e">Connected to Supabase</h1>
-          <p>Project: <strong>${config.projectName}</strong></p>
-          <p><code style="background:#eee;padding:2px 8px;border-radius:4px">${config.projectRef}</code></p>
-          <p style="color:#666">.env.local and authly.config.json have been updated.</p>
-          <a href="/" style="display:inline-block;margin-top:16px;padding:8px 24px;background:#111;color:#fff;text-decoration:none;border-radius:6px">Go to Dashboard</a>
-        </div>`);
+      const tokens = await exchangeSupabaseToken({ code, verifier: stored.verifier });
+      await saveSupabaseTokens({ accessToken: tokens.access_token, refreshToken: tokens.refresh_token, expiresIn: tokens.expires_in });
+      // Get project info
+      const allProjects = await getProjects(tokens.access_token);
+      const project = allProjects?.[0];
+      if (project) {
+        const keys = await getProjectApiKeys(tokens.access_token, project.id);
+        const anon = keys.find((k) => k.type === "anon")?.api_key || "";
+        const svc = keys.find((k) => k.type === "service_role")?.api_key || "";
+        const { client } = getSupabaseClient();
+        if (client) {
+          await client
+            .from("authly_supabase_tokens")
+            .update({ project_ref: project.id, project_name: project.name })
+            .eq("user_id", "00000000-0000-0000-0000-000000000000");
+        }
+        // Show project info for manual copy-paste
+        return c.html(`<!DOCTYPE html><html><head><meta charset="utf-8"><title>Authly — Connected</title>
+<style>body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}h1{color:#22c55e;margin:0 0 12px}.code{background:#0a0a0a;border:1px solid #333;border-radius:8px;padding:16px;text-align:left;font-size:.8rem;font-family:monospace;overflow-x:auto;color:#ccc;margin:12px 0;line-height:1.8;word-break:break-all}a{display:inline-block;margin-top:16px;padding:10px 24px;background:#444;color:#fff;text-decoration:none;border-radius:6px}</style></head><body><div class="card"><h1>Connected to Supabase</h1><p>Project: <strong>${project.name}</strong></p><p><code>${project.id}</code></p><div class="code"><div><span style="color:#666">SUPABASE_URL=</span>"<span style="color:#22c55e">https://${project.id}.supabase.co</span>"</div><div><span style="color:#666">SUPABASE_ANON_KEY=</span>"<span style="color:#22c55e">${anon}</span>"</div><div><span style="color:#666">SUPABASE_SERVICE_ROLE_KEY=</span>"<span style="color:#22c55e">${svc}</span>"</div></div><a href="/">Back to Dashboard</a></div></body></html>`);
       }
-      return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
-        <h1 style="color:#22c55e">Authenticated</h1>
-        <p>Supabase tokens saved successfully.</p>
-        <p>Return to <a href="/">dashboard</a>.</p>
-      </div>`);
+      return c.html(`<!DOCTYPE html><html><head><meta charset="utf-8"><title>Authly</title><style>body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}h1{color:#22c55e;margin:0 0 12px}a{color:#58a6ff}</style></head><body><div class="card"><h1>Authenticated</h1><p>Tokens saved.</p><a href="/">Back to Dashboard</a></div></body></html>`);
     } catch (e) {
-      return c.html(`<h1>Token exchange failed</h1><p>${e.message}</p>
-        <p>Return to <a href="/">dashboard</a></p>`, 400);
+      return c.html(`<h1>Token exchange failed</h1><p>${e.message}</p><p><a href="/">dashboard</a></p>`, 400);
     }
   });
-  /** GET /api/supabase/projects — list Supabase projects */
+  /** GET /api/supabase/projects — list Supabase projects via Platform API */
   app.get("/api/supabase/projects", async (c) => {
     try {
       const token = await ensureValidAccessToken();
-      if (!token) return c.json({ error: "Not connected to Supabase — visit /api/auth/supabase/authorize" }, 401);
+      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
       const projects = await getProjects(token);
       return c.json({ success: true, projects });
     } catch (e) {
@@ -215,176 +242,296 @@ export async function cmdServe() {
       const token = await ensureValidAccessToken();
       if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
       const keys = await getProjectApiKeys(token, ref);
-      return c.json({ success: true, keys });
+      return c.json({ success: true, keys: keys.filter((k) => ["anon", "service_role"].includes(k.type)) });
     } catch (e) {
       return c.json({ error: e.message }, 500);
     }
   });
-  /** POST /api/auth/supabase/refresh — refresh expired token */
+  /** POST /api/auth/supabase/refresh — refresh expired Supabase token */
   app.post("/api/auth/supabase/refresh", async (c) => {
     try {
       const token = await ensureValidAccessToken();
-      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
-      return c.json({ success: true });
+      return token ? c.json({ success: true }) : c.json({ error: "Not connected to Supabase" }, 401);
     } catch (e) {
       return c.json({ error: e.message }, 500);
     }
   });
-  /** POST /api/auth/:provider/authorize — get OAuth URL as JSON */
-  app.post("/api/auth/:provider/authorize", async (c) => {
-    const { provider } = c.req.param();
+  // ── Config ──────────────────────────────────────────
+  /** GET /api/config — return authly.config.json without secrets */
+  app.get("/api/config", (c) => {
+    // Local server config read
+    const config = readConfig();
+    if (!config) return c.json({});
+    // Sanitize: remove secrets
+    if (config.supabase) {
+      if (config.supabase.anonKey) config.supabase.anonKey = "set";
+      if (config.supabase.serviceRoleKey) config.supabase.serviceRoleKey = "set";
+    }
+    return c.json(config);
+  });
+  /** POST /api/config — update authly.config.json fields */
+  app.post("/api/config", async (c) => {
     const body = await c.req.json();
-    const result = buildAuthorizeUrl({
-      provider,
-      redirectUri: body.redirectUri,
-      state: body.state,
-      scope: body.scope,
-    });
-    if (result.error) return c.json({ error: result.error }, 400);
+    const config = readConfig() || { framework: "unknown" };
+    if (body.type === "supabase" && body.fields?.length) {
+      // Apply scan results to config
+      const scan = scanSupabase(process.cwd());
+      if (scan.canConnect) {
+        config.supabase = {
+          url: scan.url,
+          anonKey: scan.anonKey,
+          serviceRoleKey: scan.serviceKey,
+          projectRef: scan.projectRef || "",
+        };
+        process.env.SUPABASE_URL = scan.url;
+        process.env.SUPABASE_ANON_KEY = scan.anonKey;
+        process.env.SUPABASE_SERVICE_ROLE_KEY = scan.serviceKey;
+      } else {
+        return c.json({ ok: false, error: "Credentials not found in project files" }, 400);
+      }
+    } else {
+      // Direct field updates
+      Object.assign(config, body);
+    }
+    const configPath = path.join(process.cwd(), "authly.config.json");
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    return c.json({ ok: true });
+  });
+  // ── Providers ───────────────────────────────────────
+  /** GET /api/providers — list all providers with status */
+  app.get("/api/providers", (c) => {
+    // Return structured format: { google: { enabled, hasKeys }, ... }
+    const providers = listProviderStatus();
+    const result = {};
+    for (const p of providers) {
+      result[p.name] = { enabled: p.enabled, hasKeys: !!p.enabled, scopes: p.scopes || "" };
+    }
     return c.json(result);
   });
-  /** POST /api/auth/ :provider/callback — exchange code for session */
-  app.post("/api/auth/:provider/callback", async (c) => {
-    const { provider } = c.req.param();
-    const body = await c.req.json();
-    const { session, error } = await exchangeOAuthCode({
-      provider,
-      code: body.code,
-      redirectUri: body.redirectUri,
-    });
-    if (error) return c.json({ success: false, error }, 400);
+  /** POST /api/providers/:name/keys — validate and save provider keys */
+  app.post("/api/providers/:name/keys", async (c) => {
+    const { name } = c.req.param();
+    const { clientId, clientSecret } = await c.req.json();
-    // Create an internal Authly session token too
-    const token = await createSessionToken({
-      sub: session.user?.id ?? "unknown",
-      role: session.user?.user_metadata?.role ?? "user",
-    });
-    return c.json({ success: true, session, token });
+    if (!clientId || !clientSecret) return c.json({ valid: false, error: "Missing clientId or clientSecret" }, 400);
+    // Validate by making a test request
+    const testResult = await _testProvider(name);
+    if (!testResult.valid) return c.json(testResult, 400);
+    // Save to config
+    const config = readConfig() || { framework: "unknown" };
+    if (!config.providers) config.providers = {};
+    config.providers[name] = { clientId: "set", clientSecret: "set", enabled: true };
+    // Also update env for current process
+    process.env[`${name.toUpperCase()}_CLIENT_ID`] = clientId;
+    process.env[`${name.toUpperCase()}_CLIENT_SECRET`] = clientSecret;
+    const configPath = path.join(process.cwd(), "authly.config.json");
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    return c.json({ valid: true });
   });
-  /** POST /api/auth/session — create a session token from credentials */
-  app.post("/api/auth/session", async (c) => {
-    const body = await c.req.json();
-    if (!body.sub) return c.json({ error: "Missing 'sub' field" }, 400);
-    const token = await createSessionToken({
-      sub: body.sub,
-      role: body.role ?? "user",
-    });
-    return c.json({ success: true, token });
+  /** GET /api/providers/:name/guide — return setup guide for provider */
+  app.get("/api/providers/:name/guide", (c) => {
+    const { name } = c.req.param();
+    const guides = {
+      google: {
+        steps: [
+          "Go to Google Cloud Console → APIs & Services → Credentials",
+          "Create a project or select an existing one",
+          'Click "Create Credentials" → OAuth 2.0 Client ID',
+          "Application type: Web application",
+          "Add the callback URL below as an Authorized redirect URI",
+        ],
+        callbackUrl: "https://authly.rblez.com/api/auth/google/callback",
+        docsUrl: "https://console.cloud.google.com/apis/credentials",
+      },
+      github: {
+        steps: [
+          "Go to GitHub Settings → Developer Settings → OAuth Apps",
+          'Click "New OAuth App"',
+          "Fill in Application name and Homepage URL",
+          "Add the callback URL below as Authorization callback URL",
+        ],
+        callbackUrl: "https://authly.rblez.com/api/auth/github/callback",
+        docsUrl: "https://github.com/settings/applications/new",
+      },
+      discord: {
+        steps: [
+          "Go to Discord Developer Portal → Applications",
+          "Create a New Application",
+          "Go to OAuth2 → Redirects → Add Redirect",
+          "Add the callback URL below",
+        ],
+        callbackUrl: "https://authly.rblez.com/api/auth/discord/callback",
+        docsUrl: "https://discord.com/developers/applications",
+      },
+    };
+    const guide = guides[name];
+    if (!guide) return c.json({ error: "Unknown provider" }, 400);
+    return c.json(guide);
   });
-  /** GET /api/auth/me — verify session token from Authorization header */
-  app.get("/api/auth/me", authMiddleware(), (c) =>
-    c.json({ success: true, session: c.get("session") }),
-  );
+  /** GET /api/providers/:name/test — test provider connection */
+  app.get("/api/providers/:name/test", async (c) => {
+    const { name } = c.req.param();
+    return c.json(await _testProvider(name));
+  });
+  // ── OAuth routes (password + generic) ─────────────
-  // ── Password Auth ──────────────────────────────────
-  /** POST /api/auth/register — sign up with email + password */
+  /** POST /api/auth/register */
   app.post("/api/auth/register", async (c) => {
     const body = await c.req.json();
-    const { user, token, error } = await signUp({
-      email: body.email,
-      password: body.password,
-      name: body.name ?? "",
-    });
-    if (error) return c.json({ success: false, error }, 400);
-    return c.json({ success: true, user, token });
+    // Use supabase auth.users table for now
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: errors.join(", ") }, 503);
+    if (!body.email || !body.password || body.password.length < 8) {
+      return c.json({ success: false, error: "Email and password (min 8 chars) required" }, 400);
+    }
+    // Insert into authly_users (we manage our own auth)
+    const bcrypt = await import("bcryptjs");
+    const passwordHash = await bcrypt.default.hash(body.password, 12);
+    const { data, error } = await client
+      .from("authly_users")
+      .insert({ email: body.email.toLowerCase(), password_hash: passwordHash })
+      .select("id, email, created_at")
+      .single();
+    if (error) return c.json({ success: false, error: error.message }, 400);
+    const token = await createSessionToken({ sub: data.id, role: "user" });
+    return c.json({ success: true, user: data, token });
   });
-  /** POST /api/auth/login — sign in with email + password */
+  /** POST /api/auth/login */
   app.post("/api/auth/login", async (c) => {
     const body = await c.req.json();
-    const { user, token, error } = await signIn({
-      email: body.email,
-      password: body.password,
-    });
-    if (error) return c.json({ success: false, error }, 401);
-    return c.json({ success: true, user, token });
-  });
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: errors.join(", ") }, 503);
-  /** GET /api/auth/providers — list available and enabled providers */
-  app.get("/api/auth/providers", (c) => {
-    const providers = getProviders();
-    return c.json({ providers });
-  });
+    const { data: user } = await client
+      .from("authly_users")
+      .select("id, email, password_hash")
+      .eq("email", body.email.toLowerCase())
+      .single();
-  /** POST /api/auth/magic-link/send — send magic link email */
-  app.post("/api/auth/magic-link/send", async (c) => {
-    const body = await c.req.json();
-    const result = await sendMagicLink({ email: body.email, callbackUrl: body.callbackUrl || "/" });
-    if (result.error) return c.json({ success: false, error: result.error }, 400);
-    return c.json({ success: true, sent: true });
+    if (!user?.password_hash) return c.json({ success: false, error: "Invalid credentials" }, 401);
+    const bcrypt = await import("bcryptjs");
+    const valid = await bcrypt.default.compare(body.password, user.password_hash);
+    if (!valid) return c.json({ success: false, error: "Invalid credentials" }, 401);
+    const token = await createSessionToken({ sub: user.id, role: "user" });
+    return c.json({ success: true, user: { id: user.id, email: user.email }, token });
   });
-  /** POST /api/auth/magic-link/verify — verify magic link token */
-  app.post("/api/auth/magic-link/verify", async (c) => {
-    const body = await c.req.json();
-    const { user, token, error } = await verifyMagicLink({ token: body.token });
-    if (error) return c.json({ success: false, error }, 401);
-    return c.json({ success: true, user, token });
+  /** POST /api/auth/logout */
+  app.post("/api/auth/logout", (c) => c.json({ success: true }));
+  /** GET /api/auth/session — verify current session */
+  app.get("/api/auth/session", authMiddleware(), (c) => c.json({ success: true, session: c.get("session") }));
+  /** Generic OAuth provider routes */
+  app.get("/api/auth/:provider/authorize", async (c) => {
+    const { provider } = c.req.param();
+    const redirectUri = `${c.req.url.split("/api/")[0]}/api/auth/${provider}/callback`;
+    try {
+      const result = buildAuthorizeUrl({ provider, redirectUri });
+      return c.redirect(result.url);
+    } catch {
+      return c.json({ error: "Provider not configured" }, 400);
+    }
   });
-  /** GET /api/config — non-sensitive project config */
-  app.get("/api/config", async (c) => {
-    const fw = detectFramework();
-    const { roles = [], error } = await listRoles();
-    return c.json({
-      framework: fw ?? null,
-      providers: listProviderStatus(),
-      roles,
-    });
+  app.post("/api/auth/:provider/callback", async (c) => {
+    const { provider, code } = c.req.param();
+    const redirectUri = `${c.req.url.split("/api/")[0]}/api/auth/${provider}/callback`;
+    try {
+      const user = await exchangeTokens({ provider, code, redirectUri });
+      const token = await createSessionToken({ sub: user.id, role: "user" });
+      return c.json({ success: true, user, token });
+    } catch (e) {
+      return c.json({ success: false, error: e.message }, 400);
+    }
   });
-  // ── Role management (protected) ────────────────────
-  /** GET /api/roles — list all roles */
-  app.get("/api/roles", async (c) => {
-    const { roles, error } = await listRoles();
+  // ── Users ───────────────────────────────────────────
+  app.get("/api/users", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, errors }, 503);
+    const { users, error } = await fetchUsers({ limit: 50 });
     if (error) return c.json({ success: false, error }, 500);
-    return c.json({ success: true, roles });
+    return c.json({ success: true, users, count: users.length });
   });
-  /** POST /api/roles — create a new role */
-  app.post("/api/roles", async (c) => {
-    const { name, description } = await c.req.json();
-    if (!name) return c.json({ error: "'name' is required" }, 400);
-    const result = await createRole(name, description ?? "");
-    if (!result.success) return c.json(result, 400);
-    return c.json(result);
+  app.get("/api/users/:id/roles", async (c) => {
+    const { id } = c.req.param();
+    const { roles, error } = await getUserRoles(id);
+    if (error) return c.json({ success: false, error }, 500);
+    return c.json({ success: true, userId: id, roles });
   });
-  /** POST /api/roles/:roleId/users/:userId/assign — assign role to user */
-  app.post("/api/roles/:roleName/users/:userId/assign", async (c) => {
-    const { roleName, userId } = c.req.param();
-    const result = await assignRoleToUser(userId, roleName);
+  app.post("/api/users/:id/roles", async (c) => {
+    const { id } = c.req.param();
+    const { role } = await c.req.json();
+    if (!role) return c.json({ error: "'role' is required" }, 400);
+    const result = await assignRoleToUser(id, role);
     if (!result.success) return c.json(result, 400);
     return c.json(result);
   });
-  /** DELETE /api/roles/:roleId/users/:userId/revoke — revoke role from user */
-  app.delete("/api/roles/:roleName/users/:userId/revoke", async (c) => {
-    const { roleName, userId } = c.req.param();
-    const result = await revokeRoleFromUser(userId, roleName);
+  app.delete("/api/users/:id/roles/:role", async (c) => {
+    const { id, role } = c.req.param();
+    const result = await revokeRoleFromUser(id, role);
     if (!result.success) return c.json(result, 400);
     return c.json(result);
   });
-  /** GET /api/users/:userId/roles — get roles for a user */
-  app.get("/api/users/:userId/roles", async (c) => {
-    const { userId } = c.req.param();
-    const { roles, error } = await getUserRoles(userId);
+  // ── Roles ───────────────────────────────────────────
+  app.get("/api/roles", async (c) => {
+    const { roles, error } = await listRoles();
     if (error) return c.json({ success: false, error }, 500);
-    return c.json({ success: true, userId, roles });
+    return c.json({ success: true, roles });
   });
-  // ── API Keys ───────────────────────────────────────
-  /** POST /api/keys — generate a new API key */
-  app.post("/api/keys", async (c) => {
+  app.post("/api/roles", async (c) => {
+    const { name, description } = await c.req.json();
+    if (!name) return c.json({ error: "'name' is required" }, 400);
+    return c.json(await createRole(name, description || ""));
+  });
+  // ── API Keys ────────────────────────────────────────
+  app.get("/api/keys", async (c) => {
     const { client, errors } = getSupabaseClient();
     if (!client) return c.json({ success: false, errors }, 503);
+    const { data, error } = await client.from("api_keys").select("id, name, key_hash, scopes, expires_at").order("created_at", { ascending: false });
+    if (error) return c.json({ success: false, error: error.message }, 500);
+    return c.json({ success: true, keys: data || [] });
+  });
+  app.post("/api/keys", async (c) => {
+    const { client } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: "Not connected" }, 503);
     const body = await c.req.json();
     if (!body.name) return c.json({ error: "'name' is required" }, 400);
@@ -392,188 +539,161 @@ export async function cmdServe() {
     const keyHash = createHash("sha256").update(rawKey).digest("hex");
     const { error } = await client.from("api_keys").insert({
-      key_hash: keyHash,
-      name: body.name,
-      scopes: body.scopes ?? ["read"],
-      user_id: body.userId ?? null,
-      expires_at: body.expiresAt ?? null,
+      key_hash: keyHash, name: body.name, scopes: body.scopes ?? ["read"],
+      user_id: body.userId ?? null, expires_at: body.expiresAt ?? null,
     });
     if (error) return c.json({ success: false, error: error.message }, 400);
-    // Return raw key ONCE — it cannot be retrieved later
     return c.json({ success: true, key: rawKey, hashesTo: keyHash });
   });
-  // ── Migrations ─────────────────────────────────────
-  /** GET /api/migrations — list available migrations */
-  app.get("/api/migrations", (c) =>
-    c.json({ success: true, migrations: listMigrations() }),
-  );
-  /** GET /api/migrations/:name/sql — get SQL for a migration */
-  app.get("/api/migrations/:name/sql", (c) => {
-    const { name } = c.req.param();
-    const sql = getMigration(name);
-    if (!sql) return c.json({ error: `Migration '${name}' not found` }, 404);
-    return c.json({ success: true, name, sql });
+  app.delete("/api/keys/:id", async (c) => {
+    const { client } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: "Not connected" }, 503);
+    const { id } = c.req.param();
+    const { error } = await client.from("api_keys").delete().eq("id", id);
+    if (error) return c.json({ success: false, error: error.message }, 500);
+    return c.json({ success: true });
   });
-  /** POST /api/migrations/:name/run — execute a migration against Supabase */
-  app.post("/api/migrations/:name/run", async (c) => {
-    const { client, errors } = getSupabaseClient();
-    if (!client) return c.json({ success: false, errors }, 503);
-    const { name } = c.req.param();
-    const sql = getMigration(name);
-    if (!sql) return c.json({ error: `Migration '${name}' not found` }, 404);
+  // ── Migrations ──────────────────────────────────────
-    const { error } = await client.rpc("exec_sql", { sql_query: sql });
-    if (error) return c.json({ success: false, error: error.message }, 400);
-    return c.json({ success: true, migration: name });
-  });
+  /** GET /api/migrations — list with applied/pending status */
+  app.get("/api/migrations", async (c) => {
+    const { client } = getSupabaseClient();
+    const migrationList = migrations.map((m) => ({ id: m.name, name: m.name, status: "pending" }));
-  // ── Scaffold ───────────────────────────────────────
-  /** POST /api/scaffold/preview — preview generated code without writing */
-  app.post("/api/scaffold/preview", async (c) => {
-    const { type } = await c.req.json();
-    if (!["login", "signup", "middleware", "route-login", "route-signup"].includes(type)) {
-      return c.json({ error: `Unknown type '${type}'. Valid: login, signup, middleware, route-login, route-signup` }, 400);
+    if (client) {
+      // Check which migrations already exist by looking for tables
+      try {
+        const { data: tables } = await client
+          .from("information_schema.tables")
+          .select("table_name")
+          .eq("table_schema", "public");
+        const existingTables = new Set((tables || []).map((t) => t.table_name));
+        for (const m of migrationList) {
+          // Extract table name from migration (simplified check)
+          if (m.name.includes("roles_table") && existingTables.has("roles")) m.status = "applied";
+          if (m.name.includes("users_table") && existingTables.has("authly_users")) m.status = "applied";
+          if (m.name.includes("oauth_accounts") && existingTables.has("authly_oauth_accounts")) m.status = "applied";
+          if (m.name.includes("user_roles") && existingTables.has("authly_user_roles")) m.status = "applied";
+          if (m.name.includes("api_keys") && existingTables.has("authly_api_keys")) m.status = "applied";
+          if (m.name.includes("sessions") && existingTables.has("authly_sessions")) m.status = "applied";
+          if (m.name.includes("magic_links") && existingTables.has("authly_magic_links")) m.status = "applied";
+          if (m.name.includes("supabase_tokens") && existingTables.has("authly_supabase_tokens")) m.status = "applied";
+        }
+      } catch {
+        // Can't check — show all as pending
+      }
     }
-    return c.json({ success: true, type, code: previewGenerated(type) });
+    return c.json({ success: true, migrations: migrationList });
   });
-  /** POST /api/scaffold/generate — write auth files to a project */
-  app.post("/api/scaffold/generate", async (c) => {
-    const { targetDir } = await c.req.json();
-    if (!targetDir) return c.json({ error: "'targetDir' is required" }, 400);
+  /** POST /api/migrations/:id/run — run a single migration */
+  app.post("/api/migrations/:id/run", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: errors.join(", ") }, 503);
+    const { id } = c.req.param();
+    const sql = getMigration(id);
+    if (!sql) return c.json({ ok: false, error: `Migration '${id}' not found` }, 404);
     try {
-      const { files } = await scaffoldAuth(targetDir, { apiRoutes: true });
-      c.json({ success: true, files });
+      const { error } = await client.rpc("exec_sql", { sql_query: sql });
+      if (error) return c.json({ ok: false, error: error.message }, 400);
+      return c.json({ ok: true, output: `Migration '${id}' applied successfully` });
     } catch (e) {
-      c.json({ success: false, error: e.message }, 500);
+      return c.json({ ok: false, error: e.message }, 500);
     }
   });
-  // ── Init ──────────────────────────────────────────
-  /** GET /api/init/scan — autodetect Supabase config in current project */
-  app.get("/api/init/scan", (c) => {
-    const projectRoot = path.resolve(process.cwd());
-    const scan = scanSupabase(projectRoot);
-    return c.json(scan);
+  /** POST /api/migrations/pending/run — run all pending migrations */
+  app.post("/api/migrations/pending/run", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ ok: false, error: errors.join(", ") }, 503);
+    const outputs = [];
+    for (const m of migrations) {
+      const sql = getMigration(m.name);
+      if (!sql) continue;
+      try {
+        const { error } = await client.rpc("exec_sql", { sql_query: sql });
+        outputs.push(error ? `FAIL: ${m.name} — ${error.message}` : `OK: ${m.name}`);
+      } catch (e) {
+        outputs.push(`FAIL: ${m.name} — ${e.message}`);
+      }
+    }
+    return c.json({ ok: true, output: outputs.join("\n") });
   });
-  /** POST /api/init/connect — connect with autodetected or manual config */
-  app.post("/api/init/connect", async (c) => {
-    const body = await c.req.json().catch(() => ({}));
-    // Auto-detect first
-    const projectRoot = path.resolve(process.cwd());
-    const scan = scanSupabase(projectRoot);
-    // Merge scan results with any manually provided values
-    const url = scan.url || body.supabaseUrl || process.env.SUPABASE_URL || "";
-    const anonKey = scan.anonKey || body.supabaseAnonKey || process.env.SUPABASE_ANON_KEY || "";
-    const serviceKey = scan.serviceKey || body.supabaseServiceKey || process.env.SUPABASE_SERVICE_ROLE_KEY || "";
-    // Set env vars from detected config
-    if (url) process.env.SUPABASE_URL = url;
-    if (anonKey) process.env.SUPABASE_ANON_KEY = anonKey;
-    if (serviceKey) process.env.SUPABASE_SERVICE_ROLE_KEY = serviceKey;
+  // ── Scaffold ────────────────────────────────────────
-    const fw = scan.framework || detectFramework();
-    if (!fw && !body.supabaseUrl) return c.json({ success: false, error: "No Next.js project detected" }, 400);
-    // Generate .env.local if needed
-    if (!fs.existsSync(".env.local")) {
-      await generateEnv(".env.local");
+  app.post("/api/scaffold/preview", async (c) => {
+    const { type } = await c.req.json();
+    if (!["login", "signup", "middleware", "route-login", "route-signup"].includes(type)) {
+      return c.json({ error: `Unknown type '${type}'` }, 400);
     }
-    // Write authly.config.json
-    const config = {
-      framework: fw || "unknown",
-      supabase: {
-        url,
-        projectRef: scan.projectRef || "",
-        anonKey: anonKey ? "set" : "",
-        serviceKey: serviceKey ? "set" : "",
-        autoDetected: scan.detected,
-        sources: scan.sources,
-      },
-    };
-    fs.writeFileSync("authly.config.json", JSON.stringify(config, null, 2) + "\n");
-    return c.json({
-      success: true,
-      framework: fw,
-      supabase: {
-        url,
-        detected: scan.detected,
-        canConnect: scan.canConnect,
-        sources: scan.sources,
-      },
-    });
+    return c.json({ success: true, type, code: previewGenerated(type) });
   });
-  // ── MCP (beta) ─────────────────────────────────────
-  mountMcp(app);
+  // ── Audit ───────────────────────────────────────────
-  // ── Audit ──────────────────────────────────────────
-  app.post("/api/audit", async (c) => {
+  /** GET /api/audit — return issues with error/warn levels */
+  app.get("/api/audit", async (c) => {
     const issues = [];
-    // Env vars
-    for (const key of ["SUPABASE_URL", "SUPABASE_ANON_KEY", "AUTHLY_SECRET"]) {
-      if (!process.env[key]) issues.push({ check: key, status: "fail", detail: "not set" });
-      else issues.push({ check: key, status: "ok" });
+    const required = [
+      { key: "SUPABASE_URL", level: "error" },
+      { key: "SUPABASE_ANON_KEY", level: "error" },
+      { key: "AUTHLY_SECRET", level: "error" },
+      { key: "GOOGLE_CLIENT_ID", level: "warn" },
+      { key: "GITHUB_CLIENT_ID", level: "warn" },
+    ];
+    for (const { key, level } of required) {
+      const value = process.env[key];
+      if (value) {
+        issues.push({ level: "ok", message: `${key} is set` });
+      } else {
+        issues.push({ level, message: `${key} is not set` });
+      }
     }
-    // Supabase connection
     const { client } = getSupabaseClient();
     if (client) {
-      const { error } = await client
-        .from("auth.users")
-        .select("count", { count: "exact", head: true });
-      if (error)
-        issues.push({ check: "supabase_connection", status: "fail", detail: error.message });
-      else
-        issues.push({ check: "supabase_connection", status: "ok" });
+      const { error } = await client.from("authly_users").select("count", { count: "exact", head: true });
+      if (error) issues.push({ level: "error", message: `Supabase connection failed: ${error.message}` });
+      else issues.push({ level: "ok", message: "Supabase connection OK" });
     } else {
-      issues.push({ check: "supabase_connection", status: "fail", detail: "not configured" });
+      issues.push({ level: "error", message: "Supabase client not available" });
     }
-    const allOk = issues.every((i) => i.status === "ok");
-    return c.json({ success: allOk, issues });
+    return c.json({ success: issues.every((i) => i.level !== "error"), issues });
   });
+  // ── MCP ─────────────────────────────────────────────
+  mountMcp(app);
   // ── Root ───────────────────────────────────────────
   app.get("/", (c) => {
     if (hasDashboard) {
       const html = fs.readFileSync(path.join(dashboardPath, "index.html"), "utf-8");
       return c.html(html);
     }
-    return c.json({
-      name: "authly",
-      version: "0.1.0",
-      docs: "/api/health",
-    });
+    return c.json({ name: "authly", version: "0.4.1", docs: "/api/health" });
   });
-  // ── Start server ───────────────────────────────────
+  // ── Start ───────────────────────────────────────────
   if (hasDashboard) {
-    spinner.succeed(
-      `Authly dashboard running at ${chalk.cyan(`http://localhost:${PORT}`)}`,
-    );
+    spinner.succeed(`Authly dashboard running at ${chalk.cyan(`http://localhost:${PORT}`)}`);
   } else {
-    spinner.succeed(
-      `Authly API running at ${chalk.cyan(`http://localhost:${PORT}`)}${chalk.dim(" (no dashboard UI)")}`,
-    );
+    spinner.succeed(`Authly API running at ${chalk.cyan(`http://localhost:${PORT}`)}${chalk.dim(" (no dashboard UI)")}`);
   }
   console.log(chalk.dim("  Press Ctrl+C to stop\n"));
-  const server = serve({
-    fetch: app.fetch,
-    port: Number(PORT),
-  });
+  const server = serve({ fetch: app.fetch, port: Number(PORT) });
   process.on("SIGINT", () => {
     spinner.info("Shutting down authly dashboard");
@@ -582,16 +702,19 @@ export async function cmdServe() {
   });
 }
+// ── Helpers ────────────────────────────────────────────
 function getContentType(filePath) {
   const ext = path.extname(filePath);
   const types = {
-    ".html": "text/html",
-    ".css": "text/css",
-    ".js": "text/javascript",
-    ".json": "application/json",
-    ".png": "image/png",
-    ".svg": "image/svg+xml",
-    ".ico": "image/x-icon",
+    ".html": "text/html", ".css": "text/css", ".js": "text/javascript",
+    ".json": "application/json", ".png": "image/png", ".svg": "image/svg+xml", ".ico": "image/x-icon",
   };
   return types[ext] || "application/octet-stream";
 }
+function readConfig() {
+  const configPath = path.join(process.cwd(), "authly.config.json");
+  if (!fs.existsSync(configPath)) return null;
+  try { return JSON.parse(fs.readFileSync(configPath, "utf-8")); } catch { return null; }
+}