npm - @rebasepro/server-core - Versions diffs - 0.0.1-canary.09e5ec5 - Mend

@rebasepro/server-core 0.0.1-canary.09e5ec5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (300) hide show

package/LICENSE +6 -0
package/README.md +40 -0
package/build-errors.txt +52 -0
package/coverage/clover.xml +3739 -0
package/coverage/coverage-final.json +31 -0
package/coverage/lcov-report/base.css +224 -0
package/coverage/lcov-report/block-navigation.js +87 -0
package/coverage/lcov-report/favicon.png +0 -0
package/coverage/lcov-report/index.html +266 -0
package/coverage/lcov-report/prettify.css +1 -0
package/coverage/lcov-report/prettify.js +2 -0
package/coverage/lcov-report/sort-arrow-sprite.png +0 -0
package/coverage/lcov-report/sorter.js +210 -0
package/coverage/lcov-report/src/api/ast-schema-editor.ts.html +952 -0
package/coverage/lcov-report/src/api/errors.ts.html +472 -0
package/coverage/lcov-report/src/api/graphql/graphql-schema-generator.ts.html +1069 -0
package/coverage/lcov-report/src/api/graphql/index.html +116 -0
package/coverage/lcov-report/src/api/index.html +176 -0
package/coverage/lcov-report/src/api/openapi-generator.ts.html +565 -0
package/coverage/lcov-report/src/api/rest/api-generator.ts.html +994 -0
package/coverage/lcov-report/src/api/rest/index.html +131 -0
package/coverage/lcov-report/src/api/rest/query-parser.ts.html +550 -0
package/coverage/lcov-report/src/api/schema-editor-routes.ts.html +202 -0
package/coverage/lcov-report/src/api/server.ts.html +823 -0
package/coverage/lcov-report/src/auth/admin-routes.ts.html +973 -0
package/coverage/lcov-report/src/auth/index.html +176 -0
package/coverage/lcov-report/src/auth/jwt.ts.html +574 -0
package/coverage/lcov-report/src/auth/middleware.ts.html +745 -0
package/coverage/lcov-report/src/auth/password.ts.html +310 -0
package/coverage/lcov-report/src/auth/services.ts.html +2074 -0
package/coverage/lcov-report/src/collections/index.html +116 -0
package/coverage/lcov-report/src/collections/loader.ts.html +232 -0
package/coverage/lcov-report/src/db/auth-schema.ts.html +523 -0
package/coverage/lcov-report/src/db/data-transformer.ts.html +1753 -0
package/coverage/lcov-report/src/db/entityService.ts.html +700 -0
package/coverage/lcov-report/src/db/index.html +146 -0
package/coverage/lcov-report/src/db/services/EntityFetchService.ts.html +4048 -0
package/coverage/lcov-report/src/db/services/EntityPersistService.ts.html +883 -0
package/coverage/lcov-report/src/db/services/RelationService.ts.html +3121 -0
package/coverage/lcov-report/src/db/services/entity-helpers.ts.html +442 -0
package/coverage/lcov-report/src/db/services/index.html +176 -0
package/coverage/lcov-report/src/db/services/index.ts.html +124 -0
package/coverage/lcov-report/src/generate-drizzle-schema-logic.ts.html +1960 -0
package/coverage/lcov-report/src/index.html +116 -0
package/coverage/lcov-report/src/services/driver-registry.ts.html +631 -0
package/coverage/lcov-report/src/services/index.html +131 -0
package/coverage/lcov-report/src/services/postgresDataDriver.ts.html +3025 -0
package/coverage/lcov-report/src/storage/LocalStorageController.ts.html +1189 -0
package/coverage/lcov-report/src/storage/S3StorageController.ts.html +970 -0
package/coverage/lcov-report/src/storage/index.html +161 -0
package/coverage/lcov-report/src/storage/storage-registry.ts.html +646 -0
package/coverage/lcov-report/src/storage/types.ts.html +451 -0
package/coverage/lcov-report/src/utils/drizzle-conditions.ts.html +3082 -0
package/coverage/lcov-report/src/utils/index.html +116 -0
package/coverage/lcov.info +7179 -0
package/dist/common/src/collections/CollectionRegistry.d.ts +56 -0
package/dist/common/src/collections/index.d.ts +1 -0
package/dist/common/src/data/buildRebaseData.d.ts +14 -0
package/dist/common/src/index.d.ts +3 -0
package/dist/common/src/util/builders.d.ts +57 -0
package/dist/common/src/util/callbacks.d.ts +6 -0
package/dist/common/src/util/collections.d.ts +11 -0
package/dist/common/src/util/common.d.ts +2 -0
package/dist/common/src/util/conditions.d.ts +26 -0
package/dist/common/src/util/entities.d.ts +58 -0
package/dist/common/src/util/enums.d.ts +3 -0
package/dist/common/src/util/index.d.ts +16 -0
package/dist/common/src/util/navigation_from_path.d.ts +34 -0
package/dist/common/src/util/navigation_utils.d.ts +20 -0
package/dist/common/src/util/parent_references_from_path.d.ts +6 -0
package/dist/common/src/util/paths.d.ts +14 -0
package/dist/common/src/util/permissions.d.ts +5 -0
package/dist/common/src/util/references.d.ts +2 -0
package/dist/common/src/util/relations.d.ts +22 -0
package/dist/common/src/util/resolutions.d.ts +72 -0
package/dist/common/src/util/storage.d.ts +24 -0
package/dist/index-DXVBFp5V.js +37 -0
package/dist/index-DXVBFp5V.js.map +1 -0
package/dist/index.es.js +49934 -0
package/dist/index.es.js.map +1 -0
package/dist/index.umd.js +49968 -0
package/dist/index.umd.js.map +1 -0
package/dist/server-core/src/api/ast-schema-editor.d.ts +21 -0
package/dist/server-core/src/api/collections_for_test/callbacks_test_collection.d.ts +2 -0
package/dist/server-core/src/api/errors.d.ts +35 -0
package/dist/server-core/src/api/graphql/graphql-schema-generator.d.ts +35 -0
package/dist/server-core/src/api/graphql/index.d.ts +1 -0
package/dist/server-core/src/api/index.d.ts +9 -0
package/dist/server-core/src/api/openapi-generator.d.ts +16 -0
package/dist/server-core/src/api/rest/api-generator.d.ts +64 -0
package/dist/server-core/src/api/rest/index.d.ts +1 -0
package/dist/server-core/src/api/rest/query-parser.d.ts +9 -0
package/dist/server-core/src/api/schema-editor-routes.d.ts +3 -0
package/dist/server-core/src/api/server.d.ts +40 -0
package/dist/server-core/src/api/types.d.ts +90 -0
package/dist/server-core/src/auth/admin-routes.d.ts +16 -0
package/dist/server-core/src/auth/apple-oauth.d.ts +30 -0
package/dist/server-core/src/auth/bitbucket-oauth.d.ts +11 -0
package/dist/server-core/src/auth/discord-oauth.d.ts +14 -0
package/dist/server-core/src/auth/facebook-oauth.d.ts +14 -0
package/dist/server-core/src/auth/github-oauth.d.ts +15 -0
package/dist/server-core/src/auth/gitlab-oauth.d.ts +13 -0
package/dist/server-core/src/auth/google-oauth.d.ts +14 -0
package/dist/server-core/src/auth/index.d.ts +23 -0
package/dist/server-core/src/auth/interfaces.d.ts +309 -0
package/dist/server-core/src/auth/jwt.d.ts +43 -0
package/dist/server-core/src/auth/linkedin-oauth.d.ts +18 -0
package/dist/server-core/src/auth/microsoft-oauth.d.ts +16 -0
package/dist/server-core/src/auth/middleware.d.ts +81 -0
package/dist/server-core/src/auth/password.d.ts +22 -0
package/dist/server-core/src/auth/rate-limiter.d.ts +31 -0
package/dist/server-core/src/auth/routes.d.ts +27 -0
package/dist/server-core/src/auth/slack-oauth.d.ts +12 -0
package/dist/server-core/src/auth/spotify-oauth.d.ts +12 -0
package/dist/server-core/src/auth/twitter-oauth.d.ts +18 -0
package/dist/server-core/src/bootstrappers/index.d.ts +0 -0
package/dist/server-core/src/collections/BackendCollectionRegistry.d.ts +13 -0
package/dist/server-core/src/collections/loader.d.ts +5 -0
package/dist/server-core/src/cron/cron-loader.d.ts +17 -0
package/dist/server-core/src/cron/cron-routes.d.ts +14 -0
package/dist/server-core/src/cron/cron-scheduler.d.ts +61 -0
package/dist/server-core/src/cron/cron-store.d.ts +32 -0
package/dist/server-core/src/cron/index.d.ts +6 -0
package/dist/server-core/src/db/interfaces.d.ts +18 -0
package/dist/server-core/src/email/index.d.ts +6 -0
package/dist/server-core/src/email/smtp-email-service.d.ts +25 -0
package/dist/server-core/src/email/templates.d.ts +42 -0
package/dist/server-core/src/email/types.d.ts +107 -0
package/dist/server-core/src/functions/function-loader.d.ts +17 -0
package/dist/server-core/src/functions/function-routes.d.ts +10 -0
package/dist/server-core/src/functions/index.d.ts +3 -0
package/dist/server-core/src/history/history-routes.d.ts +23 -0
package/dist/server-core/src/history/index.d.ts +1 -0
package/dist/server-core/src/index.d.ts +29 -0
package/dist/server-core/src/init.d.ts +159 -0
package/dist/server-core/src/serve-spa.d.ts +30 -0
package/dist/server-core/src/services/driver-registry.d.ts +78 -0
package/dist/server-core/src/singleton.d.ts +35 -0
package/dist/server-core/src/storage/LocalStorageController.d.ts +46 -0
package/dist/server-core/src/storage/S3StorageController.d.ts +36 -0
package/dist/server-core/src/storage/index.d.ts +25 -0
package/dist/server-core/src/storage/routes.d.ts +38 -0
package/dist/server-core/src/storage/storage-registry.d.ts +78 -0
package/dist/server-core/src/storage/types.d.ts +103 -0
package/dist/server-core/src/types/index.d.ts +11 -0
package/dist/server-core/src/utils/dev-port.d.ts +35 -0
package/dist/server-core/src/utils/logger.d.ts +31 -0
package/dist/server-core/src/utils/logging.d.ts +9 -0
package/dist/server-core/src/utils/request-logger.d.ts +19 -0
package/dist/server-core/src/utils/sql.d.ts +27 -0
package/dist/types/src/controllers/analytics_controller.d.ts +7 -0
package/dist/types/src/controllers/auth.d.ts +119 -0
package/dist/types/src/controllers/client.d.ts +170 -0
package/dist/types/src/controllers/collection_registry.d.ts +45 -0
package/dist/types/src/controllers/customization_controller.d.ts +60 -0
package/dist/types/src/controllers/data.d.ts +168 -0
package/dist/types/src/controllers/data_driver.d.ts +160 -0
package/dist/types/src/controllers/database_admin.d.ts +11 -0
package/dist/types/src/controllers/dialogs_controller.d.ts +36 -0
package/dist/types/src/controllers/effective_role.d.ts +4 -0
package/dist/types/src/controllers/email.d.ts +34 -0
package/dist/types/src/controllers/index.d.ts +18 -0
package/dist/types/src/controllers/local_config_persistence.d.ts +20 -0
package/dist/types/src/controllers/navigation.d.ts +213 -0
package/dist/types/src/controllers/registry.d.ts +54 -0
package/dist/types/src/controllers/side_dialogs_controller.d.ts +67 -0
package/dist/types/src/controllers/side_entity_controller.d.ts +90 -0
package/dist/types/src/controllers/snackbar.d.ts +24 -0
package/dist/types/src/controllers/storage.d.ts +171 -0
package/dist/types/src/index.d.ts +4 -0
package/dist/types/src/rebase_context.d.ts +105 -0
package/dist/types/src/types/backend.d.ts +536 -0
package/dist/types/src/types/builders.d.ts +15 -0
package/dist/types/src/types/chips.d.ts +5 -0
package/dist/types/src/types/collections.d.ts +856 -0
package/dist/types/src/types/cron.d.ts +102 -0
package/dist/types/src/types/data_source.d.ts +64 -0
package/dist/types/src/types/entities.d.ts +145 -0
package/dist/types/src/types/entity_actions.d.ts +98 -0
package/dist/types/src/types/entity_callbacks.d.ts +173 -0
package/dist/types/src/types/entity_link_builder.d.ts +7 -0
package/dist/types/src/types/entity_overrides.d.ts +10 -0
package/dist/types/src/types/entity_views.d.ts +61 -0
package/dist/types/src/types/export_import.d.ts +21 -0
package/dist/types/src/types/index.d.ts +23 -0
package/dist/types/src/types/locales.d.ts +4 -0
package/dist/types/src/types/modify_collections.d.ts +5 -0
package/dist/types/src/types/plugins.d.ts +279 -0
package/dist/types/src/types/properties.d.ts +1176 -0
package/dist/types/src/types/property_config.d.ts +70 -0
package/dist/types/src/types/relations.d.ts +336 -0
package/dist/types/src/types/slots.d.ts +252 -0
package/dist/types/src/types/translations.d.ts +870 -0
package/dist/types/src/types/user_management_delegate.d.ts +121 -0
package/dist/types/src/types/websockets.d.ts +78 -0
package/dist/types/src/users/index.d.ts +2 -0
package/dist/types/src/users/roles.d.ts +22 -0
package/dist/types/src/users/user.d.ts +46 -0
package/history_diff.log +385 -0
package/jest.config.cjs +16 -0
package/package.json +86 -0
package/scratch.ts +9 -0
package/src/api/ast-schema-editor.ts +289 -0
package/src/api/collections_for_test/callbacks_test_collection.ts +60 -0
package/src/api/errors.ts +179 -0
package/src/api/graphql/graphql-schema-generator.ts +336 -0
package/src/api/graphql/index.ts +2 -0
package/src/api/index.ts +11 -0
package/src/api/openapi-generator.ts +715 -0
package/src/api/rest/api-generator.ts +472 -0
package/src/api/rest/index.ts +2 -0
package/src/api/rest/query-parser.ts +155 -0
package/src/api/schema-editor-routes.ts +41 -0
package/src/api/server.ts +248 -0
package/src/api/types.ts +90 -0
package/src/auth/admin-routes.ts +529 -0
package/src/auth/apple-oauth.ts +130 -0
package/src/auth/bitbucket-oauth.ts +82 -0
package/src/auth/discord-oauth.ts +83 -0
package/src/auth/facebook-oauth.ts +72 -0
package/src/auth/github-oauth.ts +110 -0
package/src/auth/gitlab-oauth.ts +70 -0
package/src/auth/google-oauth.ts +48 -0
package/src/auth/index.ts +34 -0
package/src/auth/interfaces.ts +363 -0
package/src/auth/jwt.ts +181 -0
package/src/auth/linkedin-oauth.ts +81 -0
package/src/auth/microsoft-oauth.ts +88 -0
package/src/auth/middleware.ts +384 -0
package/src/auth/password.ts +77 -0
package/src/auth/rate-limiter.ts +129 -0
package/src/auth/routes.ts +788 -0
package/src/auth/slack-oauth.ts +71 -0
package/src/auth/spotify-oauth.ts +67 -0
package/src/auth/twitter-oauth.ts +120 -0
package/src/bootstrappers/index.ts +1 -0
package/src/collections/BackendCollectionRegistry.ts +20 -0
package/src/collections/loader.ts +49 -0
package/src/cron/cron-loader.ts +89 -0
package/src/cron/cron-routes.test.ts +265 -0
package/src/cron/cron-routes.ts +85 -0
package/src/cron/cron-scheduler.test.ts +421 -0
package/src/cron/cron-scheduler.ts +413 -0
package/src/cron/cron-store.ts +163 -0
package/src/cron/index.ts +6 -0
package/src/db/interfaces.ts +60 -0
package/src/email/index.ts +18 -0
package/src/email/smtp-email-service.ts +91 -0
package/src/email/templates.ts +388 -0
package/src/email/types.ts +105 -0
package/src/functions/function-loader.ts +119 -0
package/src/functions/function-routes.ts +31 -0
package/src/functions/index.ts +3 -0
package/src/history/history-routes.ts +129 -0
package/src/history/index.ts +2 -0
package/src/index.ts +66 -0
package/src/init.ts +727 -0
package/src/serve-spa.ts +81 -0
package/src/services/driver-registry.ts +182 -0
package/src/singleton.test.ts +28 -0
package/src/singleton.ts +70 -0
package/src/storage/LocalStorageController.ts +365 -0
package/src/storage/S3StorageController.ts +298 -0
package/src/storage/index.ts +43 -0
package/src/storage/routes.ts +264 -0
package/src/storage/storage-registry.ts +187 -0
package/src/storage/types.ts +134 -0
package/src/types/index.ts +27 -0
package/src/utils/dev-port.ts +176 -0
package/src/utils/logger.ts +143 -0
package/src/utils/logging.ts +38 -0
package/src/utils/request-logger.ts +66 -0
package/src/utils/sql.ts +38 -0
package/test/admin-routes.test.ts +640 -0
package/test/api-generator.test.ts +501 -0
package/test/ast-schema-editor.test.ts +63 -0
package/test/auth-middleware-hono.test.ts +556 -0
package/test/auth-routes.test.ts +1047 -0
package/test/driver-registry.test.ts +282 -0
package/test/error-propagation.test.ts +226 -0
package/test/errors-hono.test.ts +133 -0
package/test/errors.test.ts +155 -0
package/test/jwt-security.test.ts +182 -0
package/test/jwt.test.ts +324 -0
package/test/middleware.test.ts +300 -0
package/test/password.test.ts +165 -0
package/test/query-parser.test.ts +263 -0
package/test/rate-limiter.test.ts +102 -0
package/test/safe-compare.test.ts +66 -0
package/test/singleton.test.ts +59 -0
package/test/storage-local.test.ts +271 -0
package/test/storage-registry.test.ts +282 -0
package/test/storage-routes.test.ts +222 -0
package/test/storage-s3.test.ts +304 -0
package/test-ast.ts +28 -0
package/test.ts +6 -0
package/test_output.txt +1133 -0
package/tsconfig.json +49 -0
package/tsconfig.prod.json +20 -0
package/vite.config.ts +80 -0

package/src/auth/middleware.ts ADDED Viewed

@@ -0,0 +1,384 @@
+import { MiddlewareHandler, Context } from "hono";
+import { DataDriver } from "@rebasepro/types";
+import { verifyAccessToken, AccessTokenPayload } from "./jwt";
+import { HonoEnv } from "../api/types";
+import { timingSafeEqual } from "crypto";
+/**
+ * Result from a custom auth validator.
+ * - `false`/`null`/`undefined` = not authenticated
+ * - `true` = authenticated as default user
+ * - object with `userId` or `uid` = authenticated with user info
+ */
+export type AuthResult = boolean | null | undefined | { userId?: string; uid?: string; roles?: string[]; [key: string]: unknown };
+/**
+ * Options for creating an auth middleware via createAuthMiddleware()
+ */
+export interface AuthMiddlewareOptions {
+    /** DataDriver to scope via withAuth() for RLS */
+    driver: DataDriver;
+    /**
+     * If true, return 401 when no valid token is present.
+     *
+     * **Defaults to `true` (secure by default).** Set to `false` only for
+     * intentionally public endpoints where access control is fully delegated
+     * to Postgres Row-Level Security policies.
+     */
+    requireAuth?: boolean;
+    /** Optional custom validator (for non-JWT auth, e.g. Firebase Auth) */
+    validator?: (c: Context<HonoEnv>) => Promise<AuthResult>;
+    /**
+     * A static secret key for server-to-server / script authentication.
+     *
+     * When a request sends `Authorization: Bearer <key>` and the key matches
+     * this value, the request is granted admin-level access (uid: `service`,
+     * roles: `["admin"]`) **without** JWT verification. The driver is scoped
+     * via `withAuth()` with the service identity.
+     *
+     * This is the Rebase equivalent of a Firebase Service Account key.
+     * Set via `REBASE_SERVICE_KEY` in `.env` and pass through the backend config.
+     *
+     * **Security:** The comparison uses constant-time equality to prevent
+     * timing attacks. The key must be at least 32 characters.
+     */
+    serviceKey?: string;
+}
+/**
+ * Hono middleware that requires a valid JWT token
+ * Returns 401 if token is missing or invalid
+ */
+export const requireAuth: MiddlewareHandler<HonoEnv> = async (
+    c,
+    next
+) => {
+    const authHeader = c.req.header("authorization");
+    const queryToken = c.req.query("token");
+    const hasBearer = authHeader && authHeader.startsWith("Bearer ");
+    if (!hasBearer && !queryToken) {
+        return c.json({
+            error: {
+                message: "Authorization header or token query parameter missing or invalid",
+                code: "UNAUTHORIZED"
+            }
+        }, 401);
+    }
+    const token = hasBearer ? authHeader!.substring(7) : queryToken!;
+    const payload = verifyAccessToken(token);
+    if (!payload) {
+        return c.json({
+            error: {
+                message: "Invalid or expired token",
+                code: "UNAUTHORIZED"
+            }
+        }, 401);
+    }
+    c.set("user", payload);
+    return next();
+};
+/**
+ * Factory that creates a requireAuth middleware with optional service key support.
+ *
+ * When `serviceKey` is provided, the middleware will check if the Bearer token
+ * matches the service key using constant-time comparison. If it matches, the
+ * request is authenticated as a service user with admin privileges.
+ *
+ * This allows admin routes (which use standalone requireAuth + requireAdmin)
+ * to be accessed via service keys for scripts and server-to-server calls.
+ */
+export function createRequireAuth(options?: { serviceKey?: string }): MiddlewareHandler<HonoEnv> {
+    if (!options?.serviceKey) return requireAuth;
+    const key = options.serviceKey;
+    return async (c, next) => {
+        const authHeader = c.req.header("authorization");
+        const queryToken = c.req.query("token");
+        const hasBearer = authHeader && authHeader.startsWith("Bearer ");
+        if (!hasBearer && !queryToken) {
+            return c.json({
+                error: {
+                    message: "Authorization header or token query parameter missing or invalid",
+                    code: "UNAUTHORIZED"
+                }
+            }, 401);
+        }
+        const token = hasBearer ? authHeader!.substring(7) : queryToken!;
+        // Check service key first (constant-time comparison)
+        if (safeCompare(token, key)) {
+            c.set("user", { userId: "service",
+roles: ["admin"] } as AccessTokenPayload);
+            return next();
+        }
+        // Fall back to JWT verification
+        const payload = verifyAccessToken(token);
+        if (!payload) {
+            return c.json({
+                error: {
+                    message: "Invalid or expired token",
+                    code: "UNAUTHORIZED"
+                }
+            }, 401);
+        }
+        c.set("user", payload);
+        return next();
+    };
+}
+/**
+ * Middleware that requires the user to have an admin or schema-admin role.
+ * Must be used AFTER requireAuth or on a route where user is guaranteed.
+ */
+export const requireAdmin: MiddlewareHandler<HonoEnv> = async (
+    c,
+    next
+) => {
+    const user = c.get("user");
+    if (!user) {
+        return c.json({
+            error: {
+                message: "User not authenticated. requireAuth middleware is missing?",
+                code: "UNAUTHORIZED"
+            }
+        }, 401);
+    }
+    const roles = (typeof user === "object" && user !== null && "roles" in user) ? (user.roles || []) : [];
+    const isAdmin = roles.some((role: string) => {
+        return role === "admin" || role === "schema-admin";
+    });
+    if (!isAdmin) {
+        return c.json({
+            error: {
+                message: "Admin privileges required for this operation",
+                code: "FORBIDDEN"
+            }
+        }, 403);
+    }
+    return next();
+};
+/**
+ * Middleware that optionally extracts user from JWT
+ * Does not return 401 if token is missing - allows anonymous access
+ */
+export const optionalAuth: MiddlewareHandler<HonoEnv> = async (
+    c,
+    next
+) => {
+    const authHeader = c.req.header("authorization");
+    const queryToken = c.req.query("token");
+    const hasBearer = authHeader && authHeader.startsWith("Bearer ");
+    if (hasBearer || queryToken) {
+        const token = hasBearer ? authHeader!.substring(7) : queryToken!;
+        const payload = verifyAccessToken(token);
+        if (payload) {
+            c.set("user", payload);
+        }
+    }
+    return next();
+};
+/**
+ * Extract user from token - for WebSocket authentication
+ */
+export function extractUserFromToken(token: string): AccessTokenPayload | null {
+    return verifyAccessToken(token);
+}
+/**
+ * Helper to scope a DataDriver via withAuth() for RLS.
+ * SECURITY: If withAuth() is available but fails, the error is re-thrown
+ * so the request is denied rather than proceeding with unscoped access.
+ */
+async function scopeDataDriver(
+    driver: DataDriver,
+    user: { uid: string; roles?: string[] }
+): Promise<DataDriver> {
+    if ("withAuth" in driver && typeof (driver as Record<string, unknown>).withAuth === "function") {
+        // Fail closed — do NOT catch and swallow errors here.
+        // If RLS scoping fails the request must be rejected.
+        return await (driver as unknown as { withAuth: (user: Record<string, unknown>) => Promise<DataDriver> }).withAuth(user);
+    }
+    return driver;
+}
+/**
+ * Create a configurable auth middleware that handles:
+ * 1. Token extraction (via custom validator or JWT Bearer token)
+ * 2. RLS-scoped DataDriver via withAuth()
+ * 3. Enforcement (401 when requireAuth is true and no user)
+ *
+ * **Secure by default:** `requireAuth` defaults to `true`. Anonymous
+ * access is only allowed when the developer explicitly opts out by
+ * setting `requireAuth: false`, indicating that Postgres RLS policies
+ * fully control access.
+ *
+ * **Fail-closed:** The raw unscoped driver is never placed in the
+ * request context. Every code path either scopes via `withAuth()` or
+ * rejects the request. This prevents silent RLS bypass.
+ *
+ * This is the single source of truth for HTTP auth in Rebase.
+ * Use this instead of manually parsing tokens in route handlers.
+ */
+/**
+ * Constant-time string comparison to prevent timing attacks on service keys.
+ *
+ * We intentionally avoid early-returning on length mismatch because that
+ * would leak the key's length through timing differences. Instead, both
+ * inputs are padded to the same length so `timingSafeEqual` always runs
+ * over equal-length buffers.
+ */
+function safeCompare(a: string, b: string): boolean {
+    const maxLen = Math.max(a.length, b.length);
+    // Pad both to maxLen so timingSafeEqual always compares equal-length buffers.
+    // If the original lengths differ the result will be false due to the padding
+    // difference, but the comparison still takes constant time.
+    const bufA = Buffer.alloc(maxLen);
+    const bufB = Buffer.alloc(maxLen);
+    bufA.write(a);
+    bufB.write(b);
+    try {
+        const isEqual = timingSafeEqual(bufA, bufB);
+        // Even though padding makes mismatched-length strings compare as
+        // different bytes, we still need to verify lengths match to avoid
+        // a padded shorter string accidentally equaling a longer one that
+        // has trailing null bytes.
+        return isEqual && a.length === b.length;
+    } catch {
+        return false;
+    }
+}
+export function createAuthMiddleware(options: AuthMiddlewareOptions): MiddlewareHandler<HonoEnv> {
+    const { driver, requireAuth: enforceAuth = true, validator, serviceKey } = options;
+    return async (c, next) => {
+        if (validator) {
+            // Custom validator path (e.g., Firebase Auth, API keys)
+            try {
+                const authResult = await validator(c);
+                if (authResult && typeof authResult === "object") {
+                    const id = ("userId" in authResult ? authResult.userId : undefined)
+                        || ("uid" in authResult ? authResult.uid : undefined);
+                    if (id) {
+                        const roles = authResult.roles || [];
+                        c.set("user", { userId: id,
+roles });
+                        const user = { uid: id,
+roles,
+...authResult };
+                        c.set("driver", await scopeDataDriver(driver, user));
+                    } else {
+                        // Validator returned an object but without an ID — scope as anon
+                        c.set("driver", await scopeDataDriver(driver, { uid: "anon",
+roles: ["anon"] }));
+                    }
+                } else if (authResult === true) {
+                    c.set("user", { userId: "default",
+roles: [] });
+                    c.set("driver", await scopeDataDriver(driver, { uid: "default",
+roles: [] }));
+                } else {
+                    // Not authenticated — scope as anon so RLS can evaluate.
+                    // Fail closed: if anon scoping fails, reject instead of
+                    // falling back to the raw driver.
+                    c.set("driver", await scopeDataDriver(driver, { uid: "anon",
+roles: ["anon"] }));
+                }
+            } catch (error) {
+                return c.json({ error: { message: "Unauthorized",
+code: "UNAUTHORIZED" } }, 401);
+            }
+        } else {
+            // Default JWT path (with optional service key support)
+            const authHeader = c.req.header("authorization");
+            const queryToken = c.req.query("token");
+            const hasBearer = authHeader && authHeader.startsWith("Bearer ");
+            if (hasBearer || queryToken) {
+                const token = hasBearer ? authHeader!.substring(7) : queryToken!;
+                // ── Service Key check ──────────────────────────────────
+                // Check BEFORE JWT verification. Service keys are static
+                // secrets (like Firebase SA keys) that grant admin access
+                // for scripts, cron jobs, and server-to-server calls.
+                if (serviceKey && safeCompare(token, serviceKey)) {
+                    const serviceUser: AccessTokenPayload = {
+                        userId: "service",
+                        roles: ["admin"]
+                    };
+                    c.set("user", serviceUser);
+                    try {
+                        c.set("driver", await scopeDataDriver(driver, {
+                            uid: "service",
+                            roles: ["admin"]
+                        }));
+                    } catch (error) {
+                        console.error("[AUTH] RLS scoping failed for service key:", error);
+                        return c.json({ error: { message: "Internal authentication error",
+code: "INTERNAL_ERROR" } }, 500);
+                    }
+                } else {
+                    // ── JWT verification ───────────────────────────────────
+                    const payload = extractUserFromToken(token);
+                    if (payload) {
+                        c.set("user", payload);
+                        try {
+                            const user = { uid: payload.userId,
+roles: payload.roles };
+                            c.set("driver", await scopeDataDriver(driver, user));
+                        } catch (error) {
+                            // withAuth() failed for a valid token — reject (fail closed)
+                            console.error("[AUTH] RLS scoping failed for authenticated user:", error);
+                            return c.json({ error: { message: "Internal authentication error",
+code: "INTERNAL_ERROR" } }, 500);
+                        }
+                    } else {
+                        // Token present but invalid — always reject.
+                        // Providing a malformed token should never grant access,
+                        // regardless of requireAuth setting.
+                        return c.json({ error: { message: "Invalid or expired token",
+code: "UNAUTHORIZED" } }, 401);
+                    }
+                }
+            } else {
+                // No token provided — scope as anon for RLS evaluation.
+                // Fail closed: if anon scoping fails, return 500 rather
+                // than silently proceeding with an unscoped driver.
+                try {
+                    c.set("driver", await scopeDataDriver(driver, { uid: "anon",
+roles: ["anon"] }));
+                } catch (error) {
+                    console.error("[AUTH] Failed to create anon-scoped driver:", error);
+                    return c.json({ error: { message: "Server configuration error",
+code: "INTERNAL_ERROR" } }, 500);
+                }
+            }
+        }
+        if (enforceAuth && !c.get("user")) {
+            return c.json({ error: { message: "Unauthorized: Authentication required",
+code: "UNAUTHORIZED" } }, 401);
+        }
+        return next();
+    };
+}

package/src/auth/password.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { scrypt, randomBytes, timingSafeEqual } from "crypto";
+import { promisify } from "util";
+const scryptAsync = promisify(scrypt);
+// Scrypt parameters (recommended values for 2024+)
+const SALT_LENGTH = 32;
+const KEY_LENGTH = 64;
+const SCRYPT_PARAMS = { N: 16384,
+r: 8,
+p: 1 };
+export interface PasswordValidationResult {
+    valid: boolean;
+    errors: string[];
+}
+/**
+ * Password requirements:
+ * - Minimum 8 characters
+ * - At least 1 uppercase letter
+ * - At least 1 lowercase letter
+ * - At least 1 number
+ */
+export function validatePasswordStrength(password: string): PasswordValidationResult {
+    const errors: string[] = [];
+    if (password.length < 8) {
+        errors.push("Password must be at least 8 characters long");
+    }
+    if (!/[A-Z]/.test(password)) {
+        errors.push("Password must contain at least one uppercase letter");
+    }
+    if (!/[a-z]/.test(password)) {
+        errors.push("Password must contain at least one lowercase letter");
+    }
+    if (!/[0-9]/.test(password)) {
+        errors.push("Password must contain at least one number");
+    }
+    return {
+        valid: errors.length === 0,
+        errors
+    };
+}
+/**
+ * Hash a password using Node's built-in scrypt
+ * Returns format: salt:hash (both hex encoded)
+ */
+export async function hashPassword(password: string): Promise<string> {
+    const salt = randomBytes(SALT_LENGTH);
+    const derivedKey = await scryptAsync(password, salt, KEY_LENGTH) as Buffer;
+    return `${salt.toString("hex")}:${derivedKey.toString("hex")}`;
+}
+/**
+ * Verify a password against a scrypt hash
+ * Expects format: salt:hash (both hex encoded)
+ */
+export async function verifyPassword(password: string, storedHash: string): Promise<boolean> {
+    const [saltHex, hashHex] = storedHash.split(":");
+    if (!saltHex || !hashHex) {
+        return false;
+    }
+    const salt = Buffer.from(saltHex, "hex");
+    const storedKey = Buffer.from(hashHex, "hex");
+    const derivedKey = await scryptAsync(password, salt, KEY_LENGTH) as Buffer;
+    // Use timing-safe comparison to prevent timing attacks
+    return timingSafeEqual(derivedKey, storedKey);
+}

package/src/auth/rate-limiter.ts ADDED Viewed

@@ -0,0 +1,129 @@
+import { MiddlewareHandler } from "hono";
+import { HonoEnv } from "../api/types";
+/**
+ * In-memory sliding-window rate limiter for Hono.
+ *
+ * Suitable for single-instance and moderate-scale deployments.
+ * For multi-instance setups, consider a shared store
+ * (e.g. PostgreSQL-backed counters or an external rate-limit service).
+ */
+interface RateLimitEntry {
+    timestamps: number[];
+}
+interface RateLimiterOptions {
+    /** Time window in milliseconds (default: 15 minutes) */
+    windowMs?: number;
+    /** Maximum requests per window (default: 100) */
+    limit?: number;
+    /** Key generator function. Defaults to IP-based keying. */
+    keyGenerator?: (c: Parameters<MiddlewareHandler<HonoEnv>>[0]) => string;
+    /** Custom message for rate limit responses */
+    message?: string;
+}
+/**
+ * Create a rate-limiting middleware.
+ *
+ * Uses a sliding window algorithm: only timestamps within the last
+ * `windowMs` milliseconds are counted. Old entries are garbage-collected
+ * every `windowMs` to prevent unbounded memory growth.
+ */
+export function createRateLimiter(options: RateLimiterOptions = {}): MiddlewareHandler<HonoEnv> {
+    const {
+        windowMs = 15 * 60 * 1000,
+        limit = 100,
+        keyGenerator = defaultKeyGenerator,
+        message = "Too many requests, please try again later."
+    } = options;
+    const store = new Map<string, RateLimitEntry>();
+    // Periodic cleanup to prevent memory leak from expired entries
+    const cleanupInterval = setInterval(() => {
+        const now = Date.now();
+        for (const [key, entry] of store.entries()) {
+            entry.timestamps = entry.timestamps.filter(t => now - t < windowMs);
+            if (entry.timestamps.length === 0) {
+                store.delete(key);
+            }
+        }
+    }, windowMs);
+    // Allow the Node.js process to exit even if the interval is still running
+    if (cleanupInterval.unref) {
+        cleanupInterval.unref();
+    }
+    return async (c, next) => {
+        const key = keyGenerator(c);
+        const now = Date.now();
+        let entry = store.get(key);
+        if (!entry) {
+            entry = { timestamps: [] };
+            store.set(key, entry);
+        }
+        // Remove timestamps outside the current window
+        entry.timestamps = entry.timestamps.filter(t => now - t < windowMs);
+        if (entry.timestamps.length >= limit) {
+            const retryAfterMs = entry.timestamps[0] + windowMs - now;
+            const retryAfterSec = Math.ceil(retryAfterMs / 1000);
+            c.header("Retry-After", String(retryAfterSec));
+            c.header("X-RateLimit-Limit", String(limit));
+            c.header("X-RateLimit-Remaining", "0");
+            c.header("X-RateLimit-Reset", String(Math.ceil((now + retryAfterMs) / 1000)));
+            return c.json({
+                error: {
+                    message,
+                    code: "RATE_LIMITED"
+                }
+            }, 429);
+        }
+        entry.timestamps.push(now);
+        // Set rate limit headers
+        c.header("X-RateLimit-Limit", String(limit));
+        c.header("X-RateLimit-Remaining", String(limit - entry.timestamps.length));
+        return next();
+    };
+}
+/**
+ * Default key generator: extract client IP from standard headers.
+ */
+function defaultKeyGenerator(c: Parameters<MiddlewareHandler<HonoEnv>>[0]): string {
+    return (
+        c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ||
+        c.req.header("x-real-ip") ||
+        "unknown"
+    );
+}
+/**
+ * Pre-configured rate limiter for general auth endpoints (login, register).
+ * 200 requests per 15 minutes per IP.
+ */
+export const defaultAuthLimiter = createRateLimiter({
+    windowMs: 15 * 60 * 1000,
+    limit: 200,
+    message: "Too many authentication attempts, please try again later."
+});
+/**
+ * Pre-configured strict rate limiter for sensitive endpoints (password reset, verification).
+ * 50 requests per 15 minutes per IP.
+ */
+export const strictAuthLimiter = createRateLimiter({
+    windowMs: 15 * 60 * 1000,
+    limit: 50,
+    message: "Too many requests to this sensitive endpoint, please try again later."
+});