npm - @rebasepro/server-core - Versions diffs - 0.0.1-canary.4d4fb3e - Mend

@rebasepro/server-core 0.0.1-canary.4d4fb3e

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/LICENSE +6 -0
package/README.md +40 -0
package/build-errors.txt +52 -0
package/coverage/clover.xml +3739 -0
package/coverage/coverage-final.json +31 -0
package/coverage/lcov-report/base.css +224 -0
package/coverage/lcov-report/block-navigation.js +87 -0
package/coverage/lcov-report/favicon.png +0 -0
package/coverage/lcov-report/index.html +266 -0
package/coverage/lcov-report/prettify.css +1 -0
package/coverage/lcov-report/prettify.js +2 -0
package/coverage/lcov-report/sort-arrow-sprite.png +0 -0
package/coverage/lcov-report/sorter.js +210 -0
package/coverage/lcov-report/src/api/ast-schema-editor.ts.html +952 -0
package/coverage/lcov-report/src/api/errors.ts.html +472 -0
package/coverage/lcov-report/src/api/graphql/graphql-schema-generator.ts.html +1069 -0
package/coverage/lcov-report/src/api/graphql/index.html +116 -0
package/coverage/lcov-report/src/api/index.html +176 -0
package/coverage/lcov-report/src/api/openapi-generator.ts.html +565 -0
package/coverage/lcov-report/src/api/rest/api-generator.ts.html +994 -0
package/coverage/lcov-report/src/api/rest/index.html +131 -0
package/coverage/lcov-report/src/api/rest/query-parser.ts.html +550 -0
package/coverage/lcov-report/src/api/schema-editor-routes.ts.html +202 -0
package/coverage/lcov-report/src/api/server.ts.html +823 -0
package/coverage/lcov-report/src/auth/admin-routes.ts.html +973 -0
package/coverage/lcov-report/src/auth/index.html +176 -0
package/coverage/lcov-report/src/auth/jwt.ts.html +574 -0
package/coverage/lcov-report/src/auth/middleware.ts.html +745 -0
package/coverage/lcov-report/src/auth/password.ts.html +310 -0
package/coverage/lcov-report/src/auth/services.ts.html +2074 -0
package/coverage/lcov-report/src/collections/index.html +116 -0
package/coverage/lcov-report/src/collections/loader.ts.html +232 -0
package/coverage/lcov-report/src/db/auth-schema.ts.html +523 -0
package/coverage/lcov-report/src/db/data-transformer.ts.html +1753 -0
package/coverage/lcov-report/src/db/entityService.ts.html +700 -0
package/coverage/lcov-report/src/db/index.html +146 -0
package/coverage/lcov-report/src/db/services/EntityFetchService.ts.html +4048 -0
package/coverage/lcov-report/src/db/services/EntityPersistService.ts.html +883 -0
package/coverage/lcov-report/src/db/services/RelationService.ts.html +3121 -0
package/coverage/lcov-report/src/db/services/entity-helpers.ts.html +442 -0
package/coverage/lcov-report/src/db/services/index.html +176 -0
package/coverage/lcov-report/src/db/services/index.ts.html +124 -0
package/coverage/lcov-report/src/generate-drizzle-schema-logic.ts.html +1960 -0
package/coverage/lcov-report/src/index.html +116 -0
package/coverage/lcov-report/src/services/driver-registry.ts.html +631 -0
package/coverage/lcov-report/src/services/index.html +131 -0
package/coverage/lcov-report/src/services/postgresDataDriver.ts.html +3025 -0
package/coverage/lcov-report/src/storage/LocalStorageController.ts.html +1189 -0
package/coverage/lcov-report/src/storage/S3StorageController.ts.html +970 -0
package/coverage/lcov-report/src/storage/index.html +161 -0
package/coverage/lcov-report/src/storage/storage-registry.ts.html +646 -0
package/coverage/lcov-report/src/storage/types.ts.html +451 -0
package/coverage/lcov-report/src/utils/drizzle-conditions.ts.html +3082 -0
package/coverage/lcov-report/src/utils/index.html +116 -0
package/coverage/lcov.info +7179 -0
package/dist/common/src/collections/CollectionRegistry.d.ts +48 -0
package/dist/common/src/collections/index.d.ts +1 -0
package/dist/common/src/data/buildRebaseData.d.ts +14 -0
package/dist/common/src/index.d.ts +3 -0
package/dist/common/src/util/builders.d.ts +57 -0
package/dist/common/src/util/callbacks.d.ts +6 -0
package/dist/common/src/util/collections.d.ts +11 -0
package/dist/common/src/util/common.d.ts +2 -0
package/dist/common/src/util/conditions.d.ts +26 -0
package/dist/common/src/util/entities.d.ts +36 -0
package/dist/common/src/util/enums.d.ts +3 -0
package/dist/common/src/util/index.d.ts +16 -0
package/dist/common/src/util/navigation_from_path.d.ts +34 -0
package/dist/common/src/util/navigation_utils.d.ts +20 -0
package/dist/common/src/util/parent_references_from_path.d.ts +6 -0
package/dist/common/src/util/paths.d.ts +14 -0
package/dist/common/src/util/permissions.d.ts +5 -0
package/dist/common/src/util/references.d.ts +2 -0
package/dist/common/src/util/relations.d.ts +12 -0
package/dist/common/src/util/resolutions.d.ts +72 -0
package/dist/common/src/util/storage.d.ts +24 -0
package/dist/index-BeMqpmfQ.js +239 -0
package/dist/index-BeMqpmfQ.js.map +1 -0
package/dist/index-bl4J3lNb.js +55823 -0
package/dist/index-bl4J3lNb.js.map +1 -0
package/dist/index.es.js +58 -0
package/dist/index.es.js.map +1 -0
package/dist/index.umd.js +56062 -0
package/dist/index.umd.js.map +1 -0
package/dist/server-core/src/api/ast-schema-editor.d.ts +21 -0
package/dist/server-core/src/api/collections_for_test/callbacks_test_collection.d.ts +2 -0
package/dist/server-core/src/api/errors.d.ts +35 -0
package/dist/server-core/src/api/graphql/graphql-schema-generator.d.ts +35 -0
package/dist/server-core/src/api/graphql/index.d.ts +1 -0
package/dist/server-core/src/api/index.d.ts +9 -0
package/dist/server-core/src/api/openapi-generator.d.ts +2 -0
package/dist/server-core/src/api/rest/api-generator.d.ts +64 -0
package/dist/server-core/src/api/rest/index.d.ts +1 -0
package/dist/server-core/src/api/rest/query-parser.d.ts +9 -0
package/dist/server-core/src/api/schema-editor-routes.d.ts +3 -0
package/dist/server-core/src/api/server.d.ts +40 -0
package/dist/server-core/src/api/types.d.ts +90 -0
package/dist/server-core/src/auth/admin-routes.d.ts +7 -0
package/dist/server-core/src/auth/google-oauth.d.ts +20 -0
package/dist/server-core/src/auth/index.d.ts +12 -0
package/dist/server-core/src/auth/interfaces.d.ts +270 -0
package/dist/server-core/src/auth/jwt.d.ts +42 -0
package/dist/server-core/src/auth/middleware.d.ts +56 -0
package/dist/server-core/src/auth/password.d.ts +22 -0
package/dist/server-core/src/auth/rate-limiter.d.ts +31 -0
package/dist/server-core/src/auth/routes.d.ts +17 -0
package/dist/server-core/src/bootstrappers/index.d.ts +0 -0
package/dist/server-core/src/collections/BackendCollectionRegistry.d.ts +13 -0
package/dist/server-core/src/collections/loader.d.ts +5 -0
package/dist/server-core/src/db/interfaces.d.ts +18 -0
package/dist/server-core/src/email/index.d.ts +6 -0
package/dist/server-core/src/email/smtp-email-service.d.ts +25 -0
package/dist/server-core/src/email/templates.d.ts +33 -0
package/dist/server-core/src/email/types.d.ts +110 -0
package/dist/server-core/src/functions/function-loader.d.ts +17 -0
package/dist/server-core/src/functions/function-routes.d.ts +10 -0
package/dist/server-core/src/functions/index.d.ts +3 -0
package/dist/server-core/src/history/history-routes.d.ts +23 -0
package/dist/server-core/src/history/index.d.ts +1 -0
package/dist/server-core/src/index.d.ts +24 -0
package/dist/server-core/src/init.d.ts +49 -0
package/dist/server-core/src/serve-spa.d.ts +30 -0
package/dist/server-core/src/services/driver-registry.d.ts +78 -0
package/dist/server-core/src/storage/LocalStorageController.d.ts +46 -0
package/dist/server-core/src/storage/S3StorageController.d.ts +36 -0
package/dist/server-core/src/storage/index.d.ts +18 -0
package/dist/server-core/src/storage/routes.d.ts +38 -0
package/dist/server-core/src/storage/storage-registry.d.ts +78 -0
package/dist/server-core/src/storage/types.d.ts +91 -0
package/dist/server-core/src/types/index.d.ts +11 -0
package/dist/server-core/src/utils/logging.d.ts +9 -0
package/dist/server-core/src/utils/sql.d.ts +27 -0
package/dist/types/src/controllers/analytics_controller.d.ts +7 -0
package/dist/types/src/controllers/auth.d.ts +117 -0
package/dist/types/src/controllers/client.d.ts +58 -0
package/dist/types/src/controllers/collection_registry.d.ts +44 -0
package/dist/types/src/controllers/customization_controller.d.ts +54 -0
package/dist/types/src/controllers/data.d.ts +141 -0
package/dist/types/src/controllers/data_driver.d.ts +168 -0
package/dist/types/src/controllers/database_admin.d.ts +11 -0
package/dist/types/src/controllers/dialogs_controller.d.ts +36 -0
package/dist/types/src/controllers/effective_role.d.ts +4 -0
package/dist/types/src/controllers/index.d.ts +17 -0
package/dist/types/src/controllers/local_config_persistence.d.ts +20 -0
package/dist/types/src/controllers/navigation.d.ts +213 -0
package/dist/types/src/controllers/registry.d.ts +51 -0
package/dist/types/src/controllers/side_dialogs_controller.d.ts +67 -0
package/dist/types/src/controllers/side_entity_controller.d.ts +89 -0
package/dist/types/src/controllers/snackbar.d.ts +24 -0
package/dist/types/src/controllers/storage.d.ts +173 -0
package/dist/types/src/index.d.ts +4 -0
package/dist/types/src/rebase_context.d.ts +101 -0
package/dist/types/src/types/backend.d.ts +533 -0
package/dist/types/src/types/builders.d.ts +14 -0
package/dist/types/src/types/chips.d.ts +5 -0
package/dist/types/src/types/collections.d.ts +812 -0
package/dist/types/src/types/data_source.d.ts +64 -0
package/dist/types/src/types/entities.d.ts +145 -0
package/dist/types/src/types/entity_actions.d.ts +98 -0
package/dist/types/src/types/entity_callbacks.d.ts +173 -0
package/dist/types/src/types/entity_link_builder.d.ts +7 -0
package/dist/types/src/types/entity_overrides.d.ts +9 -0
package/dist/types/src/types/entity_views.d.ts +61 -0
package/dist/types/src/types/export_import.d.ts +21 -0
package/dist/types/src/types/index.d.ts +22 -0
package/dist/types/src/types/locales.d.ts +4 -0
package/dist/types/src/types/modify_collections.d.ts +5 -0
package/dist/types/src/types/plugins.d.ts +225 -0
package/dist/types/src/types/properties.d.ts +1091 -0
package/dist/types/src/types/property_config.d.ts +70 -0
package/dist/types/src/types/relations.d.ts +336 -0
package/dist/types/src/types/slots.d.ts +228 -0
package/dist/types/src/types/translations.d.ts +826 -0
package/dist/types/src/types/user_management_delegate.d.ts +120 -0
package/dist/types/src/types/websockets.d.ts +78 -0
package/dist/types/src/users/index.d.ts +2 -0
package/dist/types/src/users/roles.d.ts +22 -0
package/dist/types/src/users/user.d.ts +46 -0
package/history_diff.log +385 -0
package/jest.config.cjs +16 -0
package/package.json +86 -0
package/scratch.ts +8 -0
package/src/api/ast-schema-editor.ts +289 -0
package/src/api/collections_for_test/callbacks_test_collection.ts +57 -0
package/src/api/errors.ts +155 -0
package/src/api/graphql/graphql-schema-generator.ts +334 -0
package/src/api/graphql/index.ts +2 -0
package/src/api/index.ts +11 -0
package/src/api/openapi-generator.ts +160 -0
package/src/api/rest/api-generator.ts +466 -0
package/src/api/rest/index.ts +2 -0
package/src/api/rest/query-parser.ts +155 -0
package/src/api/schema-editor-routes.ts +39 -0
package/src/api/server.ts +245 -0
package/src/api/types.ts +90 -0
package/src/auth/admin-routes.ts +488 -0
package/src/auth/google-oauth.ts +60 -0
package/src/auth/index.ts +21 -0
package/src/auth/interfaces.ts +316 -0
package/src/auth/jwt.ts +164 -0
package/src/auth/middleware.ts +235 -0
package/src/auth/password.ts +75 -0
package/src/auth/rate-limiter.ts +129 -0
package/src/auth/routes.ts +730 -0
package/src/bootstrappers/index.ts +1 -0
package/src/collections/BackendCollectionRegistry.ts +20 -0
package/src/collections/loader.ts +49 -0
package/src/db/interfaces.ts +60 -0
package/src/email/index.ts +17 -0
package/src/email/smtp-email-service.ts +88 -0
package/src/email/templates.ts +301 -0
package/src/email/types.ts +112 -0
package/src/functions/function-loader.ts +91 -0
package/src/functions/function-routes.ts +31 -0
package/src/functions/index.ts +3 -0
package/src/history/history-routes.ts +128 -0
package/src/history/index.ts +2 -0
package/src/index.ts +56 -0
package/src/init.ts +309 -0
package/src/serve-spa.ts +81 -0
package/src/services/driver-registry.ts +182 -0
package/src/storage/LocalStorageController.ts +368 -0
package/src/storage/S3StorageController.ts +295 -0
package/src/storage/index.ts +32 -0
package/src/storage/routes.ts +247 -0
package/src/storage/storage-registry.ts +187 -0
package/src/storage/types.ts +122 -0
package/src/types/index.ts +27 -0
package/src/utils/logging.ts +35 -0
package/src/utils/sql.ts +38 -0
package/test/admin-routes.test.ts +591 -0
package/test/api-generator.test.ts +458 -0
package/test/ast-schema-editor.test.ts +61 -0
package/test/auth-middleware-hono.test.ts +321 -0
package/test/auth-routes.test.ts +868 -0
package/test/driver-registry.test.ts +280 -0
package/test/errors-hono.test.ts +133 -0
package/test/errors.test.ts +150 -0
package/test/jwt-security.test.ts +173 -0
package/test/jwt.test.ts +311 -0
package/test/middleware.test.ts +295 -0
package/test/password.test.ts +165 -0
package/test/query-parser.test.ts +258 -0
package/test/rate-limiter.test.ts +102 -0
package/test/storage-local.test.ts +278 -0
package/test/storage-registry.test.ts +280 -0
package/test/storage-routes.test.ts +218 -0
package/test/storage-s3.test.ts +301 -0
package/test-ast.ts +28 -0
package/test_output.txt +1133 -0
package/tsconfig.json +49 -0
package/tsconfig.prod.json +20 -0
package/vite.config.ts +78 -0
package/vite.config.ts.timestamp-1775065397568-8a853255edf6e.mjs +46 -0

package/src/auth/admin-routes.ts ADDED Viewed

@@ -0,0 +1,488 @@
+import { Hono } from "hono";
+import { ApiError } from "../api/errors";
+import type { AuthRepository } from "./interfaces";
+import { requireAuth, requireAdmin } from "./middleware";
+import { hashPassword, validatePasswordStrength } from "./password";
+import { AuthModuleConfig } from "./routes";
+import { HonoEnv } from "../api/types";
+import { randomBytes, createHash } from "crypto";
+import { getUserInvitationTemplate, getPasswordResetTemplate } from "../email/templates";
+/**
+ * Generate a cryptographically secure random password that meets strength requirements.
+ */
+function generateSecurePassword(): string {
+    const upper = "ABCDEFGHJKLMNPQRSTUVWXYZ";
+    const lower = "abcdefghjkmnpqrstuvwxyz";
+    const digits = "23456789";
+    const all = upper + lower + digits;
+    // Guarantee at least one of each required class
+    const pick = (chars: string) => chars[Math.floor(Math.random() * chars.length)];
+    const parts = [pick(upper), pick(lower), pick(digits)];
+    // Fill remaining with random chars (16 total)
+    for (let i = parts.length; i < 16; i++) {
+        parts.push(pick(all));
+    }
+    // Shuffle
+    for (let i = parts.length - 1; i > 0; i--) {
+        const j = Math.floor(Math.random() * (i + 1));
+        [parts[i], parts[j]] = [parts[j], parts[i]];
+    }
+    return parts.join("");
+}
+/**
+ * Generate a secure random token
+ */
+function generateSecureToken(): string {
+    return randomBytes(40).toString("hex");
+}
+/**
+ * Hash a token for database storage
+ */
+function hashToken(token: string): string {
+    return createHash("sha256").update(token).digest("hex");
+}
+/**
+ * Create admin routes for user and role management
+ */
+export function createAdminRoutes(config: AuthModuleConfig): Hono<HonoEnv> {
+    const router = new Hono<HonoEnv>();
+    const authRepo = config.authRepo;
+    const { emailService, emailConfig } = config;
+    // Apply auth middleware to all routes
+    router.use("/*", requireAuth);
+    router.post("/bootstrap", async (c) => {
+        const user = c.get("user");
+        if (!user || typeof user !== "object") {
+            throw ApiError.unauthorized("Not authenticated");
+        }
+        const users = await authRepo.listUsers();
+        let hasAdmin = false;
+        for (const u of users) {
+            const roles = await authRepo.getUserRoleIds(u.id);
+            if (roles.includes("admin")) {
+                hasAdmin = true;
+                break;
+            }
+        }
+        if (hasAdmin) {
+            throw ApiError.forbidden("Admin users already exist. Bootstrap not allowed.");
+        }
+        const userId = "userId" in user ? user.userId : undefined;
+        if (!userId) {
+            throw ApiError.unauthorized("User ID not found in auth context");
+        }
+        await authRepo.setUserRoles(userId, ["admin"]);
+        return c.json({
+            success: true,
+            message: "You are now an admin",
+            user: {
+                uid: userId,
+                roles: ["admin"]
+            }
+        });
+    });
+    router.get("/users", requireAdmin, async (c) => {
+        const limitParam = c.req.query("limit");
+        const offsetParam = c.req.query("offset");
+        const search = c.req.query("search");
+        const orderBy = c.req.query("orderBy");
+        const orderDir = c.req.query("orderDir") as "asc" | "desc" | undefined;
+        // If pagination params are provided, use the paginated path
+        if (limitParam !== undefined || search) {
+            const limit = limitParam ? parseInt(limitParam, 10) : 25;
+            const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
+            const result = await authRepo.listUsersPaginated({
+                limit,
+                offset,
+                search: search || undefined,
+                orderBy: orderBy || undefined,
+                orderDir: orderDir || undefined
+            });
+            const usersWithRoles = await Promise.all(
+                result.users.map(async (u) => {
+                    const roles = await authRepo.getUserRoleIds(u.id);
+                    return {
+                        uid: u.id,
+                        email: u.email,
+                        displayName: u.displayName,
+                        photoURL: u.photoUrl,
+                        provider: u.provider,
+                        roles,
+                        createdAt: u.createdAt,
+                        updatedAt: u.updatedAt
+                    };
+                })
+            );
+            return c.json({
+                users: usersWithRoles,
+                total: result.total,
+                limit: result.limit,
+                offset: result.offset
+            });
+        }
+        // Legacy: return all users (no pagination)
+        const users = await authRepo.listUsers();
+        const usersWithRoles = await Promise.all(
+            users.map(async (u) => {
+                const roles = await authRepo.getUserRoleIds(u.id);
+                return {
+                    uid: u.id,
+                    email: u.email,
+                    displayName: u.displayName,
+                    photoURL: u.photoUrl,
+                    provider: u.provider,
+                    roles,
+                    createdAt: u.createdAt,
+                    updatedAt: u.updatedAt
+                };
+            })
+        );
+        return c.json({ users: usersWithRoles });
+    });
+    router.get("/users/:userId", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const result = await authRepo.getUserWithRoles(userId);
+        if (!result) {
+            throw ApiError.notFound("User not found");
+        }
+        return c.json({
+            user: {
+                uid: result.user.id,
+                email: result.user.email,
+                displayName: result.user.displayName,
+                photoURL: result.user.photoUrl,
+                provider: result.user.provider,
+                roles: result.roles.map(r => r.id),
+                createdAt: result.user.createdAt,
+                updatedAt: result.user.updatedAt
+            }
+        });
+    });
+    router.post("/users", requireAdmin, async (c) => {
+        const body = await c.req.json();
+        const { email, displayName, password, roles } = body;
+        if (!email) {
+            throw ApiError.badRequest("Email is required", "INVALID_INPUT");
+        }
+        const existing = await authRepo.getUserByEmail(email);
+        if (existing) {
+            throw ApiError.conflict("Email already exists", "EMAIL_EXISTS");
+        }
+        // Use provided password or auto-generate one
+        const clearPassword = password || generateSecurePassword();
+        const validation = validatePasswordStrength(clearPassword);
+        if (!validation.valid) {
+            throw ApiError.badRequest(validation.errors.join(". "), "WEAK_PASSWORD");
+        }
+        const passwordHash = await hashPassword(clearPassword);
+        const user = await authRepo.createUser({
+            email: email.toLowerCase(),
+            displayName: displayName || null,
+            passwordHash,
+            provider: "email"
+        });
+        if (roles && Array.isArray(roles) && roles.length > 0) {
+            await authRepo.setUserRoles(user.id, roles);
+        } else if (config.defaultRole) {
+            await authRepo.assignDefaultRole(user.id, config.defaultRole);
+        }
+        const userRoles = await authRepo.getUserRoleIds(user.id);
+        // Determine if we can send an invitation email
+        const isEmailConfigured = !!(emailService && emailService.isConfigured());
+        let invitationSent = false;
+        let temporaryPassword: string | undefined;
+        if (isEmailConfigured && !password) {
+            // Send invitation email via password-reset token flow
+            try {
+                const token = generateSecureToken();
+                const tokenHash = hashToken(token);
+                const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+                await authRepo.createPasswordResetToken(user.id, tokenHash, expiresAt);
+                const baseUrl = emailConfig?.resetPasswordUrl || "";
+                const setPasswordUrl = `${baseUrl}/reset-password?token=${token}`;
+                const appName = emailConfig?.appName || "Rebase";
+                const templateFn = emailConfig?.templates?.userInvitation;
+                const emailContent = templateFn
+                    ? templateFn(setPasswordUrl, { email: user.email, displayName: user.displayName })
+                    : getUserInvitationTemplate(setPasswordUrl, { email: user.email, displayName: user.displayName }, appName);
+                await emailService!.send({
+                    to: user.email,
+                    subject: emailContent.subject,
+                    html: emailContent.html,
+                    text: emailContent.text
+                });
+                invitationSent = true;
+            } catch (emailError: unknown) {
+                console.error("Failed to send invitation email:", emailError instanceof Error ? emailError.message : emailError);
+                // Fall back to returning the temporary password
+                temporaryPassword = clearPassword;
+            }
+        } else if (!password) {
+            // No email service — return the auto-generated password one-time
+            temporaryPassword = clearPassword;
+        }
+        // If admin provided a password explicitly, don't return it or send email
+        return c.json({
+            user: {
+                uid: user.id,
+                email: user.email,
+                displayName: user.displayName,
+                roles: userRoles
+            },
+            invitationSent,
+            ...(temporaryPassword ? { temporaryPassword } : {})
+        }, 201);
+    });
+    router.post("/users/:userId/reset-password", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const existing = await authRepo.getUserById(userId);
+        if (!existing) {
+            throw ApiError.notFound("User not found");
+        }
+        const isEmailConfigured = !!(emailService && emailService.isConfigured());
+        let invitationSent = false;
+        let temporaryPassword: string | undefined;
+        if (isEmailConfigured) {
+            try {
+                const token = generateSecureToken();
+                const tokenHash = hashToken(token);
+                const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+                await authRepo.createPasswordResetToken(existing.id, tokenHash, expiresAt);
+                const baseUrl = emailConfig?.resetPasswordUrl || "";
+                const setPasswordUrl = `${baseUrl}/reset-password?token=${token}`;
+                const appName = emailConfig?.appName || "Rebase";
+                const templateFn = emailConfig?.templates?.passwordReset;
+                const emailContent = templateFn
+                    ? templateFn(setPasswordUrl, { email: existing.email, displayName: existing.displayName })
+                    : getPasswordResetTemplate(setPasswordUrl, { email: existing.email, displayName: existing.displayName }, appName);
+                await emailService!.send({
+                    to: existing.email,
+                    subject: emailContent.subject,
+                    html: emailContent.html,
+                    text: emailContent.text
+                });
+                invitationSent = true;
+            } catch (emailError: unknown) {
+                console.error("Failed to send reset email:", emailError instanceof Error ? emailError.message : emailError);
+                // Fall back to returning the temporary password
+                const clearPassword = generateSecurePassword();
+                const passwordHash = await hashPassword(clearPassword);
+                await authRepo.updatePassword(existing.id, passwordHash);
+                temporaryPassword = clearPassword;
+            }
+        } else {
+            // No email service — generate password, set it, and return one-time
+            const clearPassword = generateSecurePassword();
+            const passwordHash = await hashPassword(clearPassword);
+            await authRepo.updatePassword(existing.id, passwordHash);
+            temporaryPassword = clearPassword;
+        }
+        const userRoles = await authRepo.getUserRoleIds(existing.id);
+        return c.json({
+            user: {
+                uid: existing.id,
+                email: existing.email,
+                displayName: existing.displayName,
+                roles: userRoles
+            },
+            invitationSent,
+            ...(temporaryPassword ? { temporaryPassword } : {})
+        }, 200);
+    });
+    router.put("/users/:userId", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const body = await c.req.json();
+        const { email, displayName, password, roles } = body;
+        const existing = await authRepo.getUserById(userId);
+        if (!existing) {
+            throw ApiError.notFound("User not found");
+        }
+        const updates: Record<string, unknown> = {};
+        if (email !== undefined) updates.email = email.toLowerCase();
+        if (displayName !== undefined) updates.displayName = displayName;
+        if (password) {
+            const validation = validatePasswordStrength(password);
+            if (!validation.valid) {
+                throw ApiError.badRequest(validation.errors.join(". "), "WEAK_PASSWORD");
+            }
+            updates.passwordHash = await hashPassword(password);
+        }
+        if (Object.keys(updates).length > 0) {
+            await authRepo.updateUser(userId, updates);
+        }
+        if (roles !== undefined && Array.isArray(roles)) {
+            await authRepo.setUserRoles(userId, roles);
+        }
+        const result = await authRepo.getUserWithRoles(userId);
+        return c.json({
+            user: {
+                uid: result!.user.id,
+                email: result!.user.email,
+                displayName: result!.user.displayName,
+                roles: result!.roles.map(r => r.id)
+            }
+        });
+    });
+    router.delete("/users/:userId", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const user = c.get("user");
+        const currentUserId = user && typeof user === "object" && "userId" in user ? user.userId : undefined;
+        if (currentUserId === userId) {
+            throw ApiError.badRequest("Cannot delete your own account", "SELF_DELETE");
+        }
+        const existing = await authRepo.getUserById(userId);
+        if (!existing) {
+            throw ApiError.notFound("User not found");
+        }
+        await authRepo.deleteUser(userId);
+        return c.json({ success: true });
+    });
+    router.get("/roles", requireAdmin, async (c) => {
+        const roles = await authRepo.listRoles();
+        return c.json({
+            roles: roles.map(r => ({
+                id: r.id,
+                name: r.name,
+                isAdmin: r.isAdmin,
+                defaultPermissions: r.defaultPermissions,
+                config: r.config
+            }))
+        });
+    });
+    router.get("/roles/:roleId", requireAdmin, async (c) => {
+        const roleId = c.req.param("roleId");
+        const role = await authRepo.getRoleById(roleId);
+        if (!role) {
+            throw ApiError.notFound("Role not found");
+        }
+        return c.json({ role });
+    });
+    router.post("/roles", requireAdmin, async (c) => {
+        const body = await c.req.json();
+        const { id, name, isAdmin, defaultPermissions, config } = body;
+        if (!id || !name) {
+            throw ApiError.badRequest("Role ID and name are required", "INVALID_INPUT");
+        }
+        const existing = await authRepo.getRoleById(id);
+        if (existing) {
+            throw ApiError.conflict("Role already exists", "ROLE_EXISTS");
+        }
+        const role = await authRepo.createRole({
+            id,
+            name,
+            isAdmin: isAdmin ?? false,
+            defaultPermissions: defaultPermissions ?? null,
+            config: config ?? null
+        });
+        return c.json({ role }, 201);
+    });
+    router.put("/roles/:roleId", requireAdmin, async (c) => {
+        const roleId = c.req.param("roleId");
+        const body = await c.req.json();
+        const { name, isAdmin, defaultPermissions, config } = body;
+        const existing = await authRepo.getRoleById(roleId);
+        if (!existing) {
+            throw ApiError.notFound("Role not found");
+        }
+        const role = await authRepo.updateRole(roleId, {
+            name,
+            isAdmin,
+            defaultPermissions,
+            config
+        });
+        return c.json({ role });
+    });
+    router.delete("/roles/:roleId", requireAdmin, async (c) => {
+        const roleId = c.req.param("roleId");
+        if (["admin", "editor", "viewer"].includes(roleId)) {
+            throw ApiError.badRequest("Cannot delete built-in roles", "BUILTIN_ROLE");
+        }
+        const existing = await authRepo.getRoleById(roleId);
+        if (!existing) {
+            throw ApiError.notFound("Role not found");
+        }
+        await authRepo.deleteRole(roleId);
+        return c.json({ success: true });
+    });
+    return router;
+}

package/src/auth/google-oauth.ts ADDED Viewed

@@ -0,0 +1,60 @@
+import { OAuth2Client } from "google-auth-library/build/src/index.js";
+export interface GoogleUserInfo {
+    googleId: string;
+    email: string;
+    displayName: string | null;
+    photoUrl: string | null;
+    emailVerified: boolean;
+}
+let googleClient: OAuth2Client | null = null;
+let configuredClientId: string | null = null;
+/**
+ * Configure Google OAuth - call this during initialization
+ */
+export function configureGoogleOAuth(clientId: string): void {
+    configuredClientId = clientId;
+    googleClient = new OAuth2Client(clientId);
+}
+/**
+ * Verify a Google ID token and extract user information
+ * @param idToken The ID token from Google Sign-In on the frontend
+ */
+export async function verifyGoogleIdToken(idToken: string): Promise<GoogleUserInfo | null> {
+    if (!googleClient || !configuredClientId) {
+        throw new Error("Google OAuth not configured. Call configureGoogleOAuth() first.");
+    }
+    try {
+        const ticket = await googleClient.verifyIdToken({
+            idToken,
+            audience: configuredClientId
+        });
+        const payload = ticket.getPayload();
+        if (!payload) {
+            return null;
+        }
+        return {
+            googleId: payload.sub,
+            email: payload.email || "",
+            displayName: payload.name || null,
+            photoUrl: payload.picture || null,
+            emailVerified: payload.email_verified || false
+        };
+    } catch (error) {
+        console.error("Failed to verify Google ID token:", error);
+        return null;
+    }
+}
+/**
+ * Check if Google OAuth is configured
+ */
+export function isGoogleOAuthConfigured(): boolean {
+    return googleClient !== null && configuredClientId !== null;
+}

package/src/auth/index.ts ADDED Viewed

@@ -0,0 +1,21 @@
+// Auth module exports
+export { configureJwt, generateAccessToken, verifyAccessToken, generateRefreshToken, hashRefreshToken, getRefreshTokenExpiry, getAccessTokenExpiry } from "./jwt";
+export type { JwtConfig, AccessTokenPayload } from "./jwt";
+export { hashPassword, verifyPassword, validatePasswordStrength } from "./password";
+export type { PasswordValidationResult } from "./password";
+export { configureGoogleOAuth, verifyGoogleIdToken, isGoogleOAuthConfigured } from "./google-oauth";
+export type { GoogleUserInfo } from "./google-oauth";
+export { requireAuth, requireAdmin, optionalAuth, extractUserFromToken, createAuthMiddleware } from "./middleware";
+export type { AuthMiddlewareOptions, AuthResult } from "./middleware";
+export { createAuthRoutes } from "./routes";
+export type { AuthModuleConfig } from "./routes";
+export { createAdminRoutes } from "./admin-routes";
+export { createRateLimiter, defaultAuthLimiter, strictAuthLimiter } from "./rate-limiter";