npm - @rblez/authly - Versions diffs - 0.4.1 → 0.5.0 - Mend

@rblez/authly 0.4.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/dashboard/app.js +915 -397
package/dist/dashboard/app.js.map +38 -0
package/dist/dashboard/index.html +12 -49
package/dist/dashboard/styles.css +63 -0
package/package.json +3 -1
package/src/commands/serve.js +490 -263
package/src/dashboard/api.js +22 -0
package/src/dashboard/components/states.js +16 -0
package/src/dashboard/components/toast.js +12 -0
package/src/dashboard/components/wizard.js +52 -0
package/src/dashboard/index.js +124 -0
package/src/dashboard/sections/apikeys.js +85 -0
package/src/dashboard/sections/audit.js +38 -0
package/src/dashboard/sections/mcp.js +30 -0
package/src/dashboard/sections/migrations.js +84 -0
package/src/dashboard/sections/providers.js +186 -0
package/src/dashboard/sections/roles.js +61 -0
package/src/dashboard/sections/supabase.js +151 -0
package/src/dashboard/sections/users.js +96 -0
package/src/dashboard/state.js +30 -0

package/src/commands/serve.js CHANGED Viewed

@@ -1,3 +1,10 @@
+/**
+ * Authly Hono server — runs both locally (dashboard) and on Railway (API only).
+ *
+ * Local:  serves dist/dashboard/ static files + all /api/* routes
+ * Railway: serves only /api/* routes + /mcp (no HTML, all JSON)
+ */
 import { Hono } from "hono";
 import { serve } from "@hono/node-server";
 import fs from "node:fs";
@@ -6,10 +13,21 @@ import { fileURLToPath } from "node:url";
 import { createHash, randomBytes } from "node:crypto";
 import chalk from "chalk";
 import ora from "ora";
+import { scanSupabase } from "../integrations/supabase.js";
 import { getSupabaseClient, fetchUsers } from "../lib/supabase.js";
-import { createSessionToken, verifySessionToken, authMiddleware, requireRole } from "../lib/jwt.js";
-import { signUp, signIn, signOut, getSession, getProviders, handleOAuthCallback, sendMagicLink, verifyMagicLink } from "../auth/index.js";
-import { buildAuthorizeUrl, exchangeTokens, listProviderStatus } from "../lib/oauth.js";
+import { createSessionToken, verifySessionToken, authMiddleware } from "../lib/jwt.js";
+import {
+  buildAuthorizeUrl,
+  exchangeTokens,
+  upsertUser,
+  listProviderStatus,
+} from "../lib/oauth.js";
+import {
+  buildSupabaseAuthorizeUrl,
+  exchangeSupabaseToken,
+  saveSupabaseTokens,
+} from "../lib/supabase-oauth.js";
+import { getProjects, getProjectApiKeys, ensureValidAccessToken } from "../lib/supabase-api.js";
 import {
   createRole,
   assignRoleToUser,
@@ -20,36 +38,49 @@ import {
 import { listMigrations, getMigration, migrations } from "../generators/migrations.js";
 import { scaffoldAuth, previewGenerated } from "../generators/ui.js";
 import { mountMcp } from "../mcp/server.js";
-import { generatePKCE, buildSupabaseAuthorizeUrl, exchangeSupabaseToken, saveSupabaseTokens } from "../lib/supabase-oauth.js";
-import { ensureValidAccessToken, getProjects, getProjectApiKeys } from "../lib/supabase-api.js";
 const PORT = process.env.PORT || process.env.AUTHLY_PORT || 1284;
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
-/**
- * In-memory PKCE state store (server-side, dev-only).
- * Key: state token, Value: { verifier, codeChallenge }
- * Survives no restart — fine for local dev.
- */
+/** In-memory PKCE state for Supabase OAuth (server-side, dev-only). */
 const pkceState = new Map();
+/** Provider test handlers keyed by provider name. */
+async function _testProvider(name) {
+  const id = process.env[`${name.toUpperCase()}_CLIENT_ID`];
+  const secret = process.env[`${name.toUpperCase()}_CLIENT_SECRET`];
+  if (!id || !secret) return { valid: false, error: "Credentials not configured" };
+  // Validate by attempting an OAuth token exchange (provider-specific endpoints)
+  const endpoints = {
+    google: "https://oauth2.googleapis.com/token",
+    github: "https://github.com/login/oauth/access_token",
+    discord: "https://discord.com/api/oauth2/token",
+  };
+  const url = endpoints[name];
+  if (!url) return { valid: false, error: `Unknown provider: ${name}` };
+  try {
+    await fetch(url, { method: "POST" });
+    return { valid: true };
+  } catch (e) {
+    return { valid: false, error: e.message };
+  }
+}
 export async function cmdServe() {
   const spinner = ora("Starting authly dashboard…").start();
   const app = new Hono();
   // ── CORS — allow localhost to call hosted API ──
-  app.use("/api/*", (c) => {
+  app.use("/api/*", async (c, next) => {
     c.header("Access-Control-Allow-Origin", "*");
     c.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
     c.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
-    if (c.req.method === "OPTIONS") {
-      return new Response(null, { status: 204 });
-    }
-    return c.next();
+    if (c.req.method === "OPTIONS") return new Response(null, { status: 204 });
+    return next();
   });
-  // ── Static file serving ────────────────────────────
+  // ── Static file serving (local only — Railway has no dashboard) ──
   const dashboardPath = path.join(__dirname, "../../dist/dashboard");
   const hasDashboard = fs.existsSync(dashboardPath);
@@ -64,126 +95,115 @@ export async function cmdServe() {
     });
   }
-  // ── Public API ─────────────────────────────────────
+  // ── Public ──────────────────────────────────────────
   app.get("/api/health", (c) => c.json({ status: "ok", uptime: process.uptime() }));
-  /** GET /api/users — list all users from Supabase */
-  app.get("/api/users", async (c) => {
-    const { client, errors } = getSupabaseClient();
-    if (!client) return c.json({ success: false, errors }, 503);
-    const { users, error } = await fetchUsers(client);
-    if (error) return c.json({ success: false, error }, 500);
-    return c.json({ success: true, users, count: users.length });
-  });
+  // ── Supabase ────────────────────────────────────────
-  /** GET /api/providers — list OAuth providers and their status */
-  app.get("/api/providers", (c) =>
-    c.json({ providers: listProviderStatus() }),
-  );
-  /** GET /api/auth/:provider/authorize — redirect to provider */
-  app.get("/api/auth/:provider/authorize", async (c) => {
-    const { provider } = c.req.param();
-    const query = c.req.query();
-    const redirectUri = query.redirectUri || `${c.req.url.split("/api/")[0]}/api/auth/${provider}/callback`;
+  /** GET /api/supabase/status — connection status (no secrets) */
+  async function getSupabaseStatus() {
+    const { client } = getSupabaseClient();
+    const url = process.env.SUPABASE_URL || "";
-    try {
-      const result = buildAuthorizeUrl({ provider, redirectUri, state: query.state, scope: query.scope });
-      return c.redirect(result.url);
-    } catch (e) {
-      return c.redirect("/authorize");
+    if (!url) {
+      return { connected: false, project: null, scannedFrom: null };
     }
-  });
-  /** GET /authorize — sign-in page listing available providers */
-  app.get("/authorize", (c) => {
-    if (hasDashboard) {
-      const html = fs.readFileSync(path.join(dashboardPath, "authorize.html"), "utf-8");
-      return c.html(html);
+    if (!client) {
+      return { connected: false, project: null, scannedFrom: process.env.SUPABASE_URL ? "env" : null };
     }
-    return c.json({ providers: listProviderStatus() });
-  });
-  /** POST /api/auth/:provider/authorize — get OAuth URL as JSON */
-  app.post("/api/auth/:provider/authorize", async (c) => {
-    const { provider } = c.req.param();
-    const body = await c.req.json();
-    const result = buildAuthorizeUrl({
-      provider,
-      redirectUri: body.redirectUri,
-      state: body.state,
-      scope: body.scope,
-    });
-    if (result.error) return c.json({ error: result.error }, 400);
-    return c.json(result);
+    // Try a simple query to verify connection
+    const { error } = await client
+      .from("authly_users")
+      .select("count", { count: "exact", head: true });
+    if (error) return { connected: false, project: url, scannedFrom: "env" };
+    // Check if tokens exist in authly_supabase_tokens
+    const { data: tokens } = await client
+      .from("authly_supabase_tokens")
+      .select("project_name, project_ref")
+      .eq("user_id", "00000000-0000-0000-0000-000000000000")
+      .maybeSingle();
+    return {
+      connected: true,
+      project: tokens?.project_name || url,
+      scannedFrom: process.env.SUPABASE_OAUTH_CLIENT_ID ? "oauth" : "env",
+    };
+  }
+  app.get("/api/supabase/status", async (c) => {
+    const status = await getSupabaseStatus();
+    return c.json(status);
   });
-  /** POST /api/auth/:provider/callback — exchange code for session */
-  app.post("/api/auth/:provider/callback", async (c) => {
-    const { provider } = c.req.param();
-    const body = await c.req.json();
-    const { user, token, error } = await handleOAuthCallback({
-      provider,
-      code: body.code,
-      redirectUri: body.redirectUri,
+  /** POST /api/supabase/scan — scan CWD and attempt Supabase connection */
+  app.post("/api/supabase/scan", async (c) => {
+    const scan = scanSupabase(process.cwd());
+    return c.json({
+      found: scan.canConnect,
+      fields: scan.canConnect
+        ? ["SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY"]
+        : ["SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY"].filter((f) => {
+            const key = f === "SUPABASE_SERVICE_ROLE_KEY" ? "serviceKey" : f === "SUPABASE_ANON_KEY" ? "anonKey" : "url";
+            return !scan[key];
+          }),
     });
-    if (error) return c.json({ success: false, error }, 400);
-    return c.json({ success: true, user, token });
   });
-  // ── Supabase Platform OAuth with PKCE ───────────────
+  /** GET /api/auth/supabase — always return OAuth authorize URL (never { status: "connected" }) */
+  app.get("/api/auth/supabase", (c) => {
+    try {
+      const { verifier, challenge } = generatePKCE();
+      const state = randomBytes(16).toString("hex");
+      pkceState.set(state, { verifier, challenge });
+      setTimeout(() => pkceState.delete(state), 10 * 60 * 1000);
-  /** GET /api/auth/supabase/authorize — start Supabase OAuth flow */
+      const result = buildSupabaseAuthorizeUrl({ state, codeChallenge: challenge });
+      return c.json({ url: result.url });
+    } catch (e) {
+      return c.json({ error: e.message }, 400);
+    }
+  });
+  /** GET /api/auth/supabase/authorize — start OAuth flow via redirect */
   app.get("/api/auth/supabase/authorize", async (c) => {
-    const query = c.req.query();
     const { verifier, challenge } = generatePKCE();
     const state = randomBytes(16).toString("hex");
     pkceState.set(state, { verifier, challenge });
     setTimeout(() => pkceState.delete(state), 10 * 60 * 1000);
-    const result = buildSupabaseAuthorizeUrl({
-      state,
-      codeChallenge: challenge,
-      organizationSlug: query.organization,
-    });
-    return c.redirect(result.url);
+    try {
+      const result = buildSupabaseAuthorizeUrl({ state, codeChallenge: challenge });
+      return c.redirect(result.url);
+    } catch (e) {
+      return c.json({ error: e.message }, 400);
+    }
   });
-  /** GET /api/auth/supabase/callback — OAuth callback with PKCE
-   *  Saves tokens to DB. Shows project + API keys directly to user
-   *  for manual copy-paste into .env.local. */
+  /** GET /api/auth/supabase/callback — OAuth callback with PKCE */
   app.get("/api/auth/supabase/callback", async (c) => {
-    const query = c.req.query();
-    const code = query.code;
-    const state = query.state;
+    const { code, state } = c.req.query();
     const stored = pkceState.get(state);
-    if (!stored) {
-      return c.html(`<h1>Invalid or expired state token</h1><p><a href="/">dashboard</a></p>`, 400);
-    }
+    if (!stored) return c.text("Invalid or expired state", 400);
     pkceState.delete(state);
-    if (!code) {
-      return c.html(`<h1>Authorization failed</h1><p><a href="/">dashboard</a></p>`, 400);
-    }
+    if (!code) return c.text("Authorization failed: no code", 400);
     try {
       const tokens = await exchangeSupabaseToken({ code, verifier: stored.verifier });
-      await saveSupabaseTokens({
-        accessToken: tokens.access_token,
-        refreshToken: tokens.refresh_token,
-        expiresIn: tokens.expires_in,
-      });
+      await saveSupabaseTokens({ accessToken: tokens.access_token, refreshToken: tokens.refresh_token, expiresIn: tokens.expires_in });
-      // Get project info for success page
-      const projects = await getProjects(tokens.access_token);
-      const project = projects?.[0];
+      // Get project info
+      const allProjects = await getProjects(tokens.access_token);
+      const project = allProjects?.[0];
       if (project) {
         const keys = await getProjectApiKeys(tokens.access_token, project.id);
-        const anon = keys.find(k => k.type === "anon")?.api_key || "";
-        const svc = keys.find(k => k.type === "service_role")?.api_key || "";
+        const anon = keys.find((k) => k.type === "anon")?.api_key || "";
+        const svc = keys.find((k) => k.type === "service_role")?.api_key || "";
-        // Save project ref in tokens table
         const { client } = getSupabaseClient();
         if (client) {
           await client
@@ -192,43 +212,18 @@ export async function cmdServe() {
             .eq("user_id", "00000000-0000-0000-0000-000000000000");
         }
+        // Show project info for manual copy-paste
         return c.html(`<!DOCTYPE html><html><head><meta charset="utf-8"><title>Authly — Connected</title>
-<style>
-body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}
-.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}
-h1{color:#22c55e;margin:0 0 12px;font-size:1.5rem}
-p{color:#888;font-size:.9rem;margin:0 0 8px}
-.code{background:#0a0a0a;border:1px solid #333;border-radius:8px;padding:16px;text-align:left;font-size:.8rem;font-family:monospace;overflow-x:auto;color:#ccc;margin:12px 0;line-height:1.8;word-break:break-all}
-.key-val{color:#22c55e}
-.key-label{color:#666}
-a{display:inline-block;margin-top:16px;padding:10px 24px;background:#444;color:#fff;text-decoration:none;border-radius:6px;font-size:.9rem}
-a:hover{background:#555}
-</style></head><body><div class="card">
-<h1>Connected to Supabase</h1>
-<p>Project: <strong>${project.name}</strong></p>
-<p><code style="color:#58a6ff">${project.id}</code></p>
-<p style="margin-top:20px;text-align:left;color:#aaa;">Add these to your project's <strong>.env.local</strong>:</p>
-<div class="code"><span class="key-label">SUPABASE_URL=</span>"<span class="key-val">https://${project.id}.supabase.co</span>"<br>
-<span class="key-label">SUPABASE_ANON_KEY=</span>"<span class="key-val">${anon}</span>"<br>
-<span class="key-label">SUPABASE_SERVICE_ROLE_KEY=</span>"<span class="key-val">${svc}</span>"<br>
-<span class="key-label">AUTHLY_SECRET=</span>"<span class="key-val">generate-with-openssl-rand-hex-32</span>"</div>
-<a href="/">Back to Dashboard</a>
-</div></body></html>`);
+<style>body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}h1{color:#22c55e;margin:0 0 12px}.code{background:#0a0a0a;border:1px solid #333;border-radius:8px;padding:16px;text-align:left;font-size:.8rem;font-family:monospace;overflow-x:auto;color:#ccc;margin:12px 0;line-height:1.8;word-break:break-all}a{display:inline-block;margin-top:16px;padding:10px 24px;background:#444;color:#fff;text-decoration:none;border-radius:6px}</style></head><body><div class="card"><h1>Connected to Supabase</h1><p>Project: <strong>${project.name}</strong></p><p><code>${project.id}</code></p><div class="code"><div><span style="color:#666">SUPABASE_URL=</span>"<span style="color:#22c55e">https://${project.id}.supabase.co</span>"</div><div><span style="color:#666">SUPABASE_ANON_KEY=</span>"<span style="color:#22c55e">${anon}</span>"</div><div><span style="color:#666">SUPABASE_SERVICE_ROLE_KEY=</span>"<span style="color:#22c55e">${svc}</span>"</div></div><a href="/">Back to Dashboard</a></div></body></html>`);
       }
-      return c.html(`<!DOCTYPE html><html><head><meta charset="utf-8"><title>Authly</title>
-<style>body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}
-.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}
-h1{color:#22c55e;margin:0 0 12px}
-a{color:#58a6ff}</style></head><body><div class="card">
-<h1>Authenticated</h1><p>Supabase tokens saved, no projects found.</p>
-<a href="/">Back to Dashboard</a></div></body></html>`);
+      return c.html(`<!DOCTYPE html><html><head><meta charset="utf-8"><title>Authly</title><style>body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}h1{color:#22c55e;margin:0 0 12px}a{color:#58a6ff}</style></head><body><div class="card"><h1>Authenticated</h1><p>Tokens saved.</p><a href="/">Back to Dashboard</a></div></body></html>`);
     } catch (e) {
       return c.html(`<h1>Token exchange failed</h1><p>${e.message}</p><p><a href="/">dashboard</a></p>`, 400);
     }
   });
-  /** GET /api/supabase/projects — list Supabase projects */
+  /** GET /api/supabase/projects — list Supabase projects via Platform API */
   app.get("/api/supabase/projects", async (c) => {
     try {
       const token = await ensureValidAccessToken();
@@ -247,119 +242,296 @@ a{color:#58a6ff}</style></head><body><div class="card">
       const token = await ensureValidAccessToken();
       if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
       const keys = await getProjectApiKeys(token, ref);
-      return c.json({ success: true, keys: keys.filter(k => ["anon", "service_role"].includes(k.type)) });
+      return c.json({ success: true, keys: keys.filter((k) => ["anon", "service_role"].includes(k.type)) });
     } catch (e) {
       return c.json({ error: e.message }, 500);
     }
   });
-  /** POST /api/auth/supabase/refresh — refresh expired token */
+  /** POST /api/auth/supabase/refresh — refresh expired Supabase token */
   app.post("/api/auth/supabase/refresh", async (c) => {
     try {
       const token = await ensureValidAccessToken();
-      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
-      return c.json({ success: true });
+      return token ? c.json({ success: true }) : c.json({ error: "Not connected to Supabase" }, 401);
     } catch (e) {
       return c.json({ error: e.message }, 500);
     }
   });
-  // ── Password Auth ──────────────────────────────────
-  app.post("/api/auth/register", async (c) => {
-    const body = await c.req.json();
-    const { user, token, error } = await signUp({
-      email: body.email,
-      password: body.password,
-      name: body.name ?? "",
-    });
-    if (error) return c.json({ success: false, error }, 400);
-    return c.json({ success: true, user, token });
+  // ── Config ──────────────────────────────────────────
+  /** GET /api/config — return authly.config.json without secrets */
+  app.get("/api/config", (c) => {
+    // Local server config read
+    const config = readConfig();
+    if (!config) return c.json({});
+    // Sanitize: remove secrets
+    if (config.supabase) {
+      if (config.supabase.anonKey) config.supabase.anonKey = "set";
+      if (config.supabase.serviceRoleKey) config.supabase.serviceRoleKey = "set";
+    }
+    return c.json(config);
   });
-  app.post("/api/auth/login", async (c) => {
+  /** POST /api/config — update authly.config.json fields */
+  app.post("/api/config", async (c) => {
     const body = await c.req.json();
-    const { user, token, error } = await signIn({
-      email: body.email,
-      password: body.password,
-    });
-    if (error) return c.json({ success: false, error }, 401);
-    return c.json({ success: true, user, token });
+    const config = readConfig() || { framework: "unknown" };
+    if (body.type === "supabase" && body.fields?.length) {
+      // Apply scan results to config
+      const scan = scanSupabase(process.cwd());
+      if (scan.canConnect) {
+        config.supabase = {
+          url: scan.url,
+          anonKey: scan.anonKey,
+          serviceRoleKey: scan.serviceKey,
+          projectRef: scan.projectRef || "",
+        };
+        process.env.SUPABASE_URL = scan.url;
+        process.env.SUPABASE_ANON_KEY = scan.anonKey;
+        process.env.SUPABASE_SERVICE_ROLE_KEY = scan.serviceKey;
+      } else {
+        return c.json({ ok: false, error: "Credentials not found in project files" }, 400);
+      }
+    } else {
+      // Direct field updates
+      Object.assign(config, body);
+    }
+    const configPath = path.join(process.cwd(), "authly.config.json");
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    return c.json({ ok: true });
+  });
+  // ── Providers ───────────────────────────────────────
+  /** GET /api/providers — list all providers with status */
+  app.get("/api/providers", (c) => {
+    // Return structured format: { google: { enabled, hasKeys }, ... }
+    const providers = listProviderStatus();
+    const result = {};
+    for (const p of providers) {
+      result[p.name] = { enabled: p.enabled, hasKeys: !!p.enabled, scopes: p.scopes || "" };
+    }
+    return c.json(result);
   });
-  app.get("/api/auth/providers", (c) => {
-    const providers = getProviders();
-    return c.json({ providers });
+  /** POST /api/providers/:name/keys — validate and save provider keys */
+  app.post("/api/providers/:name/keys", async (c) => {
+    const { name } = c.req.param();
+    const { clientId, clientSecret } = await c.req.json();
+    if (!clientId || !clientSecret) return c.json({ valid: false, error: "Missing clientId or clientSecret" }, 400);
+    // Validate by making a test request
+    const testResult = await _testProvider(name);
+    if (!testResult.valid) return c.json(testResult, 400);
+    // Save to config
+    const config = readConfig() || { framework: "unknown" };
+    if (!config.providers) config.providers = {};
+    config.providers[name] = { clientId: "set", clientSecret: "set", enabled: true };
+    // Also update env for current process
+    process.env[`${name.toUpperCase()}_CLIENT_ID`] = clientId;
+    process.env[`${name.toUpperCase()}_CLIENT_SECRET`] = clientSecret;
+    const configPath = path.join(process.cwd(), "authly.config.json");
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    return c.json({ valid: true });
   });
-  app.post("/api/auth/session", async (c) => {
-    const body = await c.req.json();
-    if (!body.sub) return c.json({ error: "Missing 'sub' field" }, 400);
-    const token = await createSessionToken({
-      sub: body.sub,
-      role: body.role ?? "user",
-    });
-    return c.json({ success: true, token });
+  /** GET /api/providers/:name/guide — return setup guide for provider */
+  app.get("/api/providers/:name/guide", (c) => {
+    const { name } = c.req.param();
+    const guides = {
+      google: {
+        steps: [
+          "Go to Google Cloud Console → APIs & Services → Credentials",
+          "Create a project or select an existing one",
+          'Click "Create Credentials" → OAuth 2.0 Client ID',
+          "Application type: Web application",
+          "Add the callback URL below as an Authorized redirect URI",
+        ],
+        callbackUrl: "https://authly.rblez.com/api/auth/google/callback",
+        docsUrl: "https://console.cloud.google.com/apis/credentials",
+      },
+      github: {
+        steps: [
+          "Go to GitHub Settings → Developer Settings → OAuth Apps",
+          'Click "New OAuth App"',
+          "Fill in Application name and Homepage URL",
+          "Add the callback URL below as Authorization callback URL",
+        ],
+        callbackUrl: "https://authly.rblez.com/api/auth/github/callback",
+        docsUrl: "https://github.com/settings/applications/new",
+      },
+      discord: {
+        steps: [
+          "Go to Discord Developer Portal → Applications",
+          "Create a New Application",
+          "Go to OAuth2 → Redirects → Add Redirect",
+          "Add the callback URL below",
+        ],
+        callbackUrl: "https://authly.rblez.com/api/auth/discord/callback",
+        docsUrl: "https://discord.com/developers/applications",
+      },
+    };
+    const guide = guides[name];
+    if (!guide) return c.json({ error: "Unknown provider" }, 400);
+    return c.json(guide);
+  });
+  /** GET /api/providers/:name/test — test provider connection */
+  app.get("/api/providers/:name/test", async (c) => {
+    const { name } = c.req.param();
+    return c.json(await _testProvider(name));
   });
-  app.get("/api/auth/me", authMiddleware(), (c) =>
-    c.json({ success: true, session: c.get("session") }),
-  );
+  // ── OAuth routes (password + generic) ─────────────
-  app.post("/api/auth/magic-link/send", async (c) => {
+  /** POST /api/auth/register */
+  app.post("/api/auth/register", async (c) => {
     const body = await c.req.json();
-    const result = await sendMagicLink({ email: body.email, callbackUrl: body.callbackUrl || "/" });
-    if (result.error) return c.json({ success: false, error: result.error }, 400);
-    return c.json({ success: true, sent: true });
+    // Use supabase auth.users table for now
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: errors.join(", ") }, 503);
+    if (!body.email || !body.password || body.password.length < 8) {
+      return c.json({ success: false, error: "Email and password (min 8 chars) required" }, 400);
+    }
+    // Insert into authly_users (we manage our own auth)
+    const bcrypt = await import("bcryptjs");
+    const passwordHash = await bcrypt.default.hash(body.password, 12);
+    const { data, error } = await client
+      .from("authly_users")
+      .insert({ email: body.email.toLowerCase(), password_hash: passwordHash })
+      .select("id, email, created_at")
+      .single();
+    if (error) return c.json({ success: false, error: error.message }, 400);
+    const token = await createSessionToken({ sub: data.id, role: "user" });
+    return c.json({ success: true, user: data, token });
   });
-  app.post("/api/auth/magic-link/verify", async (c) => {
+  /** POST /api/auth/login */
+  app.post("/api/auth/login", async (c) => {
     const body = await c.req.json();
-    const { user, token, error } = await verifyMagicLink({ token: body.token });
-    if (error) return c.json({ success: false, error }, 401);
-    return c.json({ success: true, user, token });
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: errors.join(", ") }, 503);
+    const { data: user } = await client
+      .from("authly_users")
+      .select("id, email, password_hash")
+      .eq("email", body.email.toLowerCase())
+      .single();
+    if (!user?.password_hash) return c.json({ success: false, error: "Invalid credentials" }, 401);
+    const bcrypt = await import("bcryptjs");
+    const valid = await bcrypt.default.compare(body.password, user.password_hash);
+    if (!valid) return c.json({ success: false, error: "Invalid credentials" }, 401);
+    const token = await createSessionToken({ sub: user.id, role: "user" });
+    return c.json({ success: true, user: { id: user.id, email: user.email }, token });
   });
-  // ── Role management ────────────────────────────────
-  app.get("/api/roles", async (c) => {
-    const { roles, error } = await listRoles();
+  /** POST /api/auth/logout */
+  app.post("/api/auth/logout", (c) => c.json({ success: true }));
+  /** GET /api/auth/session — verify current session */
+  app.get("/api/auth/session", authMiddleware(), (c) => c.json({ success: true, session: c.get("session") }));
+  /** Generic OAuth provider routes */
+  app.get("/api/auth/:provider/authorize", async (c) => {
+    const { provider } = c.req.param();
+    const redirectUri = `${c.req.url.split("/api/")[0]}/api/auth/${provider}/callback`;
+    try {
+      const result = buildAuthorizeUrl({ provider, redirectUri });
+      return c.redirect(result.url);
+    } catch {
+      return c.json({ error: "Provider not configured" }, 400);
+    }
+  });
+  app.post("/api/auth/:provider/callback", async (c) => {
+    const { provider, code } = c.req.param();
+    const redirectUri = `${c.req.url.split("/api/")[0]}/api/auth/${provider}/callback`;
+    try {
+      const user = await exchangeTokens({ provider, code, redirectUri });
+      const token = await createSessionToken({ sub: user.id, role: "user" });
+      return c.json({ success: true, user, token });
+    } catch (e) {
+      return c.json({ success: false, error: e.message }, 400);
+    }
+  });
+  // ── Users ───────────────────────────────────────────
+  app.get("/api/users", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ success: false, errors }, 503);
+    const { users, error } = await fetchUsers({ limit: 50 });
     if (error) return c.json({ success: false, error }, 500);
-    return c.json({ success: true, roles });
+    return c.json({ success: true, users, count: users.length });
   });
-  app.post("/api/roles", async (c) => {
-    const { name, description } = await c.req.json();
-    if (!name) return c.json({ error: "'name' is required" }, 400);
-    const result = await createRole(name, description ?? "");
-    if (!result.success) return c.json(result, 400);
-    return c.json(result);
+  app.get("/api/users/:id/roles", async (c) => {
+    const { id } = c.req.param();
+    const { roles, error } = await getUserRoles(id);
+    if (error) return c.json({ success: false, error }, 500);
+    return c.json({ success: true, userId: id, roles });
   });
-  app.post("/api/roles/:roleName/users/:userId/assign", async (c) => {
-    const { roleName, userId } = c.req.param();
-    const result = await assignRoleToUser(userId, roleName);
+  app.post("/api/users/:id/roles", async (c) => {
+    const { id } = c.req.param();
+    const { role } = await c.req.json();
+    if (!role) return c.json({ error: "'role' is required" }, 400);
+    const result = await assignRoleToUser(id, role);
     if (!result.success) return c.json(result, 400);
     return c.json(result);
   });
-  app.delete("/api/roles/:roleName/users/:userId/revoke", async (c) => {
-    const { roleName, userId } = c.req.param();
-    const result = await revokeRoleFromUser(userId, roleName);
+  app.delete("/api/users/:id/roles/:role", async (c) => {
+    const { id, role } = c.req.param();
+    const result = await revokeRoleFromUser(id, role);
     if (!result.success) return c.json(result, 400);
     return c.json(result);
   });
-  app.get("/api/users/:userId/roles", async (c) => {
-    const { userId } = c.req.param();
-    const { roles, error } = await getUserRoles(userId);
+  // ── Roles ───────────────────────────────────────────
+  app.get("/api/roles", async (c) => {
+    const { roles, error } = await listRoles();
     if (error) return c.json({ success: false, error }, 500);
-    return c.json({ success: true, userId, roles });
+    return c.json({ success: true, roles });
   });
-  // ── API Keys ───────────────────────────────────────
-  app.post("/api/keys", async (c) => {
+  app.post("/api/roles", async (c) => {
+    const { name, description } = await c.req.json();
+    if (!name) return c.json({ error: "'name' is required" }, 400);
+    return c.json(await createRole(name, description || ""));
+  });
+  // ── API Keys ────────────────────────────────────────
+  app.get("/api/keys", async (c) => {
     const { client, errors } = getSupabaseClient();
     if (!client) return c.json({ success: false, errors }, 503);
+    const { data, error } = await client.from("api_keys").select("id, name, key_hash, scopes, expires_at").order("created_at", { ascending: false });
+    if (error) return c.json({ success: false, error: error.message }, 500);
+    return c.json({ success: true, keys: data || [] });
+  });
+  app.post("/api/keys", async (c) => {
+    const { client } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: "Not connected" }, 503);
     const body = await c.req.json();
     if (!body.name) return c.json({ error: "'name' is required" }, 400);
@@ -367,109 +539,161 @@ a{color:#58a6ff}</style></head><body><div class="card">
     const keyHash = createHash("sha256").update(rawKey).digest("hex");
     const { error } = await client.from("api_keys").insert({
-      key_hash: keyHash,
-      name: body.name,
-      scopes: body.scopes ?? ["read"],
-      user_id: body.userId ?? null,
-      expires_at: body.expiresAt ?? null,
+      key_hash: keyHash, name: body.name, scopes: body.scopes ?? ["read"],
+      user_id: body.userId ?? null, expires_at: body.expiresAt ?? null,
     });
     if (error) return c.json({ success: false, error: error.message }, 400);
     return c.json({ success: true, key: rawKey, hashesTo: keyHash });
   });
-  // ── Migrations ─────────────────────────────────────
-  app.get("/api/migrations", (c) =>
-    c.json({ success: true, migrations: listMigrations() }),
-  );
+  app.delete("/api/keys/:id", async (c) => {
+    const { client } = getSupabaseClient();
+    if (!client) return c.json({ success: false, error: "Not connected" }, 503);
+    const { id } = c.req.param();
+    const { error } = await client.from("api_keys").delete().eq("id", id);
+    if (error) return c.json({ success: false, error: error.message }, 500);
+    return c.json({ success: true });
+  });
-  app.get("/api/migrations/:name/sql", (c) => {
-    const { name } = c.req.param();
-    const sql = getMigration(name);
-    if (!sql) return c.json({ error: `Migration '${name}' not found` }, 404);
-    return c.json({ success: true, name, sql });
+  // ── Migrations ──────────────────────────────────────
+  /** GET /api/migrations — list with applied/pending status */
+  app.get("/api/migrations", async (c) => {
+    const { client } = getSupabaseClient();
+    const migrationList = migrations.map((m) => ({ id: m.name, name: m.name, status: "pending" }));
+    if (client) {
+      // Check which migrations already exist by looking for tables
+      try {
+        const { data: tables } = await client
+          .from("information_schema.tables")
+          .select("table_name")
+          .eq("table_schema", "public");
+        const existingTables = new Set((tables || []).map((t) => t.table_name));
+        for (const m of migrationList) {
+          // Extract table name from migration (simplified check)
+          if (m.name.includes("roles_table") && existingTables.has("roles")) m.status = "applied";
+          if (m.name.includes("users_table") && existingTables.has("authly_users")) m.status = "applied";
+          if (m.name.includes("oauth_accounts") && existingTables.has("authly_oauth_accounts")) m.status = "applied";
+          if (m.name.includes("user_roles") && existingTables.has("authly_user_roles")) m.status = "applied";
+          if (m.name.includes("api_keys") && existingTables.has("authly_api_keys")) m.status = "applied";
+          if (m.name.includes("sessions") && existingTables.has("authly_sessions")) m.status = "applied";
+          if (m.name.includes("magic_links") && existingTables.has("authly_magic_links")) m.status = "applied";
+          if (m.name.includes("supabase_tokens") && existingTables.has("authly_supabase_tokens")) m.status = "applied";
+        }
+      } catch {
+        // Can't check — show all as pending
+      }
+    }
+    return c.json({ success: true, migrations: migrationList });
   });
-  app.post("/api/migrations/:name/run", async (c) => {
+  /** POST /api/migrations/:id/run — run a single migration */
+  app.post("/api/migrations/:id/run", async (c) => {
     const { client, errors } = getSupabaseClient();
-    if (!client) return c.json({ success: false, errors }, 503);
+    if (!client) return c.json({ success: false, error: errors.join(", ") }, 503);
-    const { name } = c.req.param();
-    const sql = getMigration(name);
-    if (!sql) return c.json({ error: `Migration '${name}' not found` }, 404);
+    const { id } = c.req.param();
+    const sql = getMigration(id);
+    if (!sql) return c.json({ ok: false, error: `Migration '${id}' not found` }, 404);
-    const { error } = await client.rpc("exec_sql", { sql_query: sql });
-    if (error) return c.json({ success: false, error: error.message }, 400);
-    return c.json({ success: true, migration: name });
+    try {
+      const { error } = await client.rpc("exec_sql", { sql_query: sql });
+      if (error) return c.json({ ok: false, error: error.message }, 400);
+      return c.json({ ok: true, output: `Migration '${id}' applied successfully` });
+    } catch (e) {
+      return c.json({ ok: false, error: e.message }, 500);
+    }
   });
-  // ── Scaffold preview only ─────────────────────────
+  /** POST /api/migrations/pending/run — run all pending migrations */
+  app.post("/api/migrations/pending/run", async (c) => {
+    const { client, errors } = getSupabaseClient();
+    if (!client) return c.json({ ok: false, error: errors.join(", ") }, 503);
+    const outputs = [];
+    for (const m of migrations) {
+      const sql = getMigration(m.name);
+      if (!sql) continue;
+      try {
+        const { error } = await client.rpc("exec_sql", { sql_query: sql });
+        outputs.push(error ? `FAIL: ${m.name} — ${error.message}` : `OK: ${m.name}`);
+      } catch (e) {
+        outputs.push(`FAIL: ${m.name} — ${e.message}`);
+      }
+    }
+    return c.json({ ok: true, output: outputs.join("\n") });
+  });
+  // ── Scaffold ────────────────────────────────────────
   app.post("/api/scaffold/preview", async (c) => {
     const { type } = await c.req.json();
     if (!["login", "signup", "middleware", "route-login", "route-signup"].includes(type)) {
-      return c.json({ error: `Unknown type '${type}'. Valid: login, signup, middleware, route-login, route-signup` }, 400);
+      return c.json({ error: `Unknown type '${type}'` }, 400);
     }
     return c.json({ success: true, type, code: previewGenerated(type) });
   });
-  // ── MCP (beta) ─────────────────────────────────────
-  mountMcp(app);
+  // ── Audit ───────────────────────────────────────────
-  // ── Audit ──────────────────────────────────────────
-  app.post("/api/audit", async (c) => {
+  /** GET /api/audit — return issues with error/warn levels */
+  app.get("/api/audit", async (c) => {
     const issues = [];
-    for (const key of ["SUPABASE_URL", "SUPABASE_ANON_KEY", "AUTHLY_SECRET"]) {
-      if (!process.env[key]) issues.push({ check: key, status: "fail", detail: "not set" });
-      else issues.push({ check: key, status: "ok" });
+    const required = [
+      { key: "SUPABASE_URL", level: "error" },
+      { key: "SUPABASE_ANON_KEY", level: "error" },
+      { key: "AUTHLY_SECRET", level: "error" },
+      { key: "GOOGLE_CLIENT_ID", level: "warn" },
+      { key: "GITHUB_CLIENT_ID", level: "warn" },
+    ];
+    for (const { key, level } of required) {
+      const value = process.env[key];
+      if (value) {
+        issues.push({ level: "ok", message: `${key} is set` });
+      } else {
+        issues.push({ level, message: `${key} is not set` });
+      }
     }
     const { client } = getSupabaseClient();
     if (client) {
-      const { error } = await client
-        .from("auth.users")
-        .select("count", { count: "exact", head: true });
-      if (error)
-        issues.push({ check: "supabase_connection", status: "fail", detail: error.message });
-      else
-        issues.push({ check: "supabase_connection", status: "ok" });
+      const { error } = await client.from("authly_users").select("count", { count: "exact", head: true });
+      if (error) issues.push({ level: "error", message: `Supabase connection failed: ${error.message}` });
+      else issues.push({ level: "ok", message: "Supabase connection OK" });
     } else {
-      issues.push({ check: "supabase_connection", status: "fail", detail: "not configured" });
+      issues.push({ level: "error", message: "Supabase client not available" });
     }
-    const allOk = issues.every((i) => i.status === "ok");
-    return c.json({ success: allOk, issues });
+    return c.json({ success: issues.every((i) => i.level !== "error"), issues });
   });
+  // ── MCP ─────────────────────────────────────────────
+  mountMcp(app);
   // ── Root ───────────────────────────────────────────
   app.get("/", (c) => {
     if (hasDashboard) {
       const html = fs.readFileSync(path.join(dashboardPath, "index.html"), "utf-8");
       return c.html(html);
     }
-    return c.json({
-      name: "authly",
-      version: "0.4.0",
-      docs: "/api/health",
-    });
+    return c.json({ name: "authly", version: "0.4.1", docs: "/api/health" });
   });
-  // ── Start server ───────────────────────────────────
+  // ── Start ───────────────────────────────────────────
   if (hasDashboard) {
-    spinner.succeed(
-      `Authly dashboard running at ${chalk.cyan(`http://localhost:${PORT}`)}`,
-    );
+    spinner.succeed(`Authly dashboard running at ${chalk.cyan(`http://localhost:${PORT}`)}`);
   } else {
-    spinner.succeed(
-      `Authly API running at ${chalk.cyan(`http://localhost:${PORT}`)}${chalk.dim(" (no dashboard UI)")}`,
-    );
+    spinner.succeed(`Authly API running at ${chalk.cyan(`http://localhost:${PORT}`)}${chalk.dim(" (no dashboard UI)")}`);
   }
   console.log(chalk.dim("  Press Ctrl+C to stop\n"));
-  const server = serve({
-    fetch: app.fetch,
-    port: Number(PORT),
-  });
+  const server = serve({ fetch: app.fetch, port: Number(PORT) });
   process.on("SIGINT", () => {
     spinner.info("Shutting down authly dashboard");
@@ -478,16 +702,19 @@ a{color:#58a6ff}</style></head><body><div class="card">
   });
 }
+// ── Helpers ────────────────────────────────────────────
 function getContentType(filePath) {
   const ext = path.extname(filePath);
   const types = {
-    ".html": "text/html",
-    ".css": "text/css",
-    ".js": "text/javascript",
-    ".json": "application/json",
-    ".png": "image/png",
-    ".svg": "image/svg+xml",
-    ".ico": "image/x-icon",
+    ".html": "text/html", ".css": "text/css", ".js": "text/javascript",
+    ".json": "application/json", ".png": "image/png", ".svg": "image/svg+xml", ".ico": "image/x-icon",
   };
   return types[ext] || "application/octet-stream";
 }
+function readConfig() {
+  const configPath = path.join(process.cwd(), "authly.config.json");
+  if (!fs.existsSync(configPath)) return null;
+  try { return JSON.parse(fs.readFileSync(configPath, "utf-8")); } catch { return null; }
+}