npm - @rebasepro/server-core - Versions diffs - 0.0.1-canary.4d4fb3e - Mend

@rebasepro/server-core 0.0.1-canary.4d4fb3e

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/LICENSE +6 -0
package/README.md +40 -0
package/build-errors.txt +52 -0
package/coverage/clover.xml +3739 -0
package/coverage/coverage-final.json +31 -0
package/coverage/lcov-report/base.css +224 -0
package/coverage/lcov-report/block-navigation.js +87 -0
package/coverage/lcov-report/favicon.png +0 -0
package/coverage/lcov-report/index.html +266 -0
package/coverage/lcov-report/prettify.css +1 -0
package/coverage/lcov-report/prettify.js +2 -0
package/coverage/lcov-report/sort-arrow-sprite.png +0 -0
package/coverage/lcov-report/sorter.js +210 -0
package/coverage/lcov-report/src/api/ast-schema-editor.ts.html +952 -0
package/coverage/lcov-report/src/api/errors.ts.html +472 -0
package/coverage/lcov-report/src/api/graphql/graphql-schema-generator.ts.html +1069 -0
package/coverage/lcov-report/src/api/graphql/index.html +116 -0
package/coverage/lcov-report/src/api/index.html +176 -0
package/coverage/lcov-report/src/api/openapi-generator.ts.html +565 -0
package/coverage/lcov-report/src/api/rest/api-generator.ts.html +994 -0
package/coverage/lcov-report/src/api/rest/index.html +131 -0
package/coverage/lcov-report/src/api/rest/query-parser.ts.html +550 -0
package/coverage/lcov-report/src/api/schema-editor-routes.ts.html +202 -0
package/coverage/lcov-report/src/api/server.ts.html +823 -0
package/coverage/lcov-report/src/auth/admin-routes.ts.html +973 -0
package/coverage/lcov-report/src/auth/index.html +176 -0
package/coverage/lcov-report/src/auth/jwt.ts.html +574 -0
package/coverage/lcov-report/src/auth/middleware.ts.html +745 -0
package/coverage/lcov-report/src/auth/password.ts.html +310 -0
package/coverage/lcov-report/src/auth/services.ts.html +2074 -0
package/coverage/lcov-report/src/collections/index.html +116 -0
package/coverage/lcov-report/src/collections/loader.ts.html +232 -0
package/coverage/lcov-report/src/db/auth-schema.ts.html +523 -0
package/coverage/lcov-report/src/db/data-transformer.ts.html +1753 -0
package/coverage/lcov-report/src/db/entityService.ts.html +700 -0
package/coverage/lcov-report/src/db/index.html +146 -0
package/coverage/lcov-report/src/db/services/EntityFetchService.ts.html +4048 -0
package/coverage/lcov-report/src/db/services/EntityPersistService.ts.html +883 -0
package/coverage/lcov-report/src/db/services/RelationService.ts.html +3121 -0
package/coverage/lcov-report/src/db/services/entity-helpers.ts.html +442 -0
package/coverage/lcov-report/src/db/services/index.html +176 -0
package/coverage/lcov-report/src/db/services/index.ts.html +124 -0
package/coverage/lcov-report/src/generate-drizzle-schema-logic.ts.html +1960 -0
package/coverage/lcov-report/src/index.html +116 -0
package/coverage/lcov-report/src/services/driver-registry.ts.html +631 -0
package/coverage/lcov-report/src/services/index.html +131 -0
package/coverage/lcov-report/src/services/postgresDataDriver.ts.html +3025 -0
package/coverage/lcov-report/src/storage/LocalStorageController.ts.html +1189 -0
package/coverage/lcov-report/src/storage/S3StorageController.ts.html +970 -0
package/coverage/lcov-report/src/storage/index.html +161 -0
package/coverage/lcov-report/src/storage/storage-registry.ts.html +646 -0
package/coverage/lcov-report/src/storage/types.ts.html +451 -0
package/coverage/lcov-report/src/utils/drizzle-conditions.ts.html +3082 -0
package/coverage/lcov-report/src/utils/index.html +116 -0
package/coverage/lcov.info +7179 -0
package/dist/common/src/collections/CollectionRegistry.d.ts +48 -0
package/dist/common/src/collections/index.d.ts +1 -0
package/dist/common/src/data/buildRebaseData.d.ts +14 -0
package/dist/common/src/index.d.ts +3 -0
package/dist/common/src/util/builders.d.ts +57 -0
package/dist/common/src/util/callbacks.d.ts +6 -0
package/dist/common/src/util/collections.d.ts +11 -0
package/dist/common/src/util/common.d.ts +2 -0
package/dist/common/src/util/conditions.d.ts +26 -0
package/dist/common/src/util/entities.d.ts +36 -0
package/dist/common/src/util/enums.d.ts +3 -0
package/dist/common/src/util/index.d.ts +16 -0
package/dist/common/src/util/navigation_from_path.d.ts +34 -0
package/dist/common/src/util/navigation_utils.d.ts +20 -0
package/dist/common/src/util/parent_references_from_path.d.ts +6 -0
package/dist/common/src/util/paths.d.ts +14 -0
package/dist/common/src/util/permissions.d.ts +5 -0
package/dist/common/src/util/references.d.ts +2 -0
package/dist/common/src/util/relations.d.ts +12 -0
package/dist/common/src/util/resolutions.d.ts +72 -0
package/dist/common/src/util/storage.d.ts +24 -0
package/dist/index-BeMqpmfQ.js +239 -0
package/dist/index-BeMqpmfQ.js.map +1 -0
package/dist/index-bl4J3lNb.js +55823 -0
package/dist/index-bl4J3lNb.js.map +1 -0
package/dist/index.es.js +58 -0
package/dist/index.es.js.map +1 -0
package/dist/index.umd.js +56062 -0
package/dist/index.umd.js.map +1 -0
package/dist/server-core/src/api/ast-schema-editor.d.ts +21 -0
package/dist/server-core/src/api/collections_for_test/callbacks_test_collection.d.ts +2 -0
package/dist/server-core/src/api/errors.d.ts +35 -0
package/dist/server-core/src/api/graphql/graphql-schema-generator.d.ts +35 -0
package/dist/server-core/src/api/graphql/index.d.ts +1 -0
package/dist/server-core/src/api/index.d.ts +9 -0
package/dist/server-core/src/api/openapi-generator.d.ts +2 -0
package/dist/server-core/src/api/rest/api-generator.d.ts +64 -0
package/dist/server-core/src/api/rest/index.d.ts +1 -0
package/dist/server-core/src/api/rest/query-parser.d.ts +9 -0
package/dist/server-core/src/api/schema-editor-routes.d.ts +3 -0
package/dist/server-core/src/api/server.d.ts +40 -0
package/dist/server-core/src/api/types.d.ts +90 -0
package/dist/server-core/src/auth/admin-routes.d.ts +7 -0
package/dist/server-core/src/auth/google-oauth.d.ts +20 -0
package/dist/server-core/src/auth/index.d.ts +12 -0
package/dist/server-core/src/auth/interfaces.d.ts +270 -0
package/dist/server-core/src/auth/jwt.d.ts +42 -0
package/dist/server-core/src/auth/middleware.d.ts +56 -0
package/dist/server-core/src/auth/password.d.ts +22 -0
package/dist/server-core/src/auth/rate-limiter.d.ts +31 -0
package/dist/server-core/src/auth/routes.d.ts +17 -0
package/dist/server-core/src/bootstrappers/index.d.ts +0 -0
package/dist/server-core/src/collections/BackendCollectionRegistry.d.ts +13 -0
package/dist/server-core/src/collections/loader.d.ts +5 -0
package/dist/server-core/src/db/interfaces.d.ts +18 -0
package/dist/server-core/src/email/index.d.ts +6 -0
package/dist/server-core/src/email/smtp-email-service.d.ts +25 -0
package/dist/server-core/src/email/templates.d.ts +33 -0
package/dist/server-core/src/email/types.d.ts +110 -0
package/dist/server-core/src/functions/function-loader.d.ts +17 -0
package/dist/server-core/src/functions/function-routes.d.ts +10 -0
package/dist/server-core/src/functions/index.d.ts +3 -0
package/dist/server-core/src/history/history-routes.d.ts +23 -0
package/dist/server-core/src/history/index.d.ts +1 -0
package/dist/server-core/src/index.d.ts +24 -0
package/dist/server-core/src/init.d.ts +49 -0
package/dist/server-core/src/serve-spa.d.ts +30 -0
package/dist/server-core/src/services/driver-registry.d.ts +78 -0
package/dist/server-core/src/storage/LocalStorageController.d.ts +46 -0
package/dist/server-core/src/storage/S3StorageController.d.ts +36 -0
package/dist/server-core/src/storage/index.d.ts +18 -0
package/dist/server-core/src/storage/routes.d.ts +38 -0
package/dist/server-core/src/storage/storage-registry.d.ts +78 -0
package/dist/server-core/src/storage/types.d.ts +91 -0
package/dist/server-core/src/types/index.d.ts +11 -0
package/dist/server-core/src/utils/logging.d.ts +9 -0
package/dist/server-core/src/utils/sql.d.ts +27 -0
package/dist/types/src/controllers/analytics_controller.d.ts +7 -0
package/dist/types/src/controllers/auth.d.ts +117 -0
package/dist/types/src/controllers/client.d.ts +58 -0
package/dist/types/src/controllers/collection_registry.d.ts +44 -0
package/dist/types/src/controllers/customization_controller.d.ts +54 -0
package/dist/types/src/controllers/data.d.ts +141 -0
package/dist/types/src/controllers/data_driver.d.ts +168 -0
package/dist/types/src/controllers/database_admin.d.ts +11 -0
package/dist/types/src/controllers/dialogs_controller.d.ts +36 -0
package/dist/types/src/controllers/effective_role.d.ts +4 -0
package/dist/types/src/controllers/index.d.ts +17 -0
package/dist/types/src/controllers/local_config_persistence.d.ts +20 -0
package/dist/types/src/controllers/navigation.d.ts +213 -0
package/dist/types/src/controllers/registry.d.ts +51 -0
package/dist/types/src/controllers/side_dialogs_controller.d.ts +67 -0
package/dist/types/src/controllers/side_entity_controller.d.ts +89 -0
package/dist/types/src/controllers/snackbar.d.ts +24 -0
package/dist/types/src/controllers/storage.d.ts +173 -0
package/dist/types/src/index.d.ts +4 -0
package/dist/types/src/rebase_context.d.ts +101 -0
package/dist/types/src/types/backend.d.ts +533 -0
package/dist/types/src/types/builders.d.ts +14 -0
package/dist/types/src/types/chips.d.ts +5 -0
package/dist/types/src/types/collections.d.ts +812 -0
package/dist/types/src/types/data_source.d.ts +64 -0
package/dist/types/src/types/entities.d.ts +145 -0
package/dist/types/src/types/entity_actions.d.ts +98 -0
package/dist/types/src/types/entity_callbacks.d.ts +173 -0
package/dist/types/src/types/entity_link_builder.d.ts +7 -0
package/dist/types/src/types/entity_overrides.d.ts +9 -0
package/dist/types/src/types/entity_views.d.ts +61 -0
package/dist/types/src/types/export_import.d.ts +21 -0
package/dist/types/src/types/index.d.ts +22 -0
package/dist/types/src/types/locales.d.ts +4 -0
package/dist/types/src/types/modify_collections.d.ts +5 -0
package/dist/types/src/types/plugins.d.ts +225 -0
package/dist/types/src/types/properties.d.ts +1091 -0
package/dist/types/src/types/property_config.d.ts +70 -0
package/dist/types/src/types/relations.d.ts +336 -0
package/dist/types/src/types/slots.d.ts +228 -0
package/dist/types/src/types/translations.d.ts +826 -0
package/dist/types/src/types/user_management_delegate.d.ts +120 -0
package/dist/types/src/types/websockets.d.ts +78 -0
package/dist/types/src/users/index.d.ts +2 -0
package/dist/types/src/users/roles.d.ts +22 -0
package/dist/types/src/users/user.d.ts +46 -0
package/history_diff.log +385 -0
package/jest.config.cjs +16 -0
package/package.json +86 -0
package/scratch.ts +8 -0
package/src/api/ast-schema-editor.ts +289 -0
package/src/api/collections_for_test/callbacks_test_collection.ts +57 -0
package/src/api/errors.ts +155 -0
package/src/api/graphql/graphql-schema-generator.ts +334 -0
package/src/api/graphql/index.ts +2 -0
package/src/api/index.ts +11 -0
package/src/api/openapi-generator.ts +160 -0
package/src/api/rest/api-generator.ts +466 -0
package/src/api/rest/index.ts +2 -0
package/src/api/rest/query-parser.ts +155 -0
package/src/api/schema-editor-routes.ts +39 -0
package/src/api/server.ts +245 -0
package/src/api/types.ts +90 -0
package/src/auth/admin-routes.ts +488 -0
package/src/auth/google-oauth.ts +60 -0
package/src/auth/index.ts +21 -0
package/src/auth/interfaces.ts +316 -0
package/src/auth/jwt.ts +164 -0
package/src/auth/middleware.ts +235 -0
package/src/auth/password.ts +75 -0
package/src/auth/rate-limiter.ts +129 -0
package/src/auth/routes.ts +730 -0
package/src/bootstrappers/index.ts +1 -0
package/src/collections/BackendCollectionRegistry.ts +20 -0
package/src/collections/loader.ts +49 -0
package/src/db/interfaces.ts +60 -0
package/src/email/index.ts +17 -0
package/src/email/smtp-email-service.ts +88 -0
package/src/email/templates.ts +301 -0
package/src/email/types.ts +112 -0
package/src/functions/function-loader.ts +91 -0
package/src/functions/function-routes.ts +31 -0
package/src/functions/index.ts +3 -0
package/src/history/history-routes.ts +128 -0
package/src/history/index.ts +2 -0
package/src/index.ts +56 -0
package/src/init.ts +309 -0
package/src/serve-spa.ts +81 -0
package/src/services/driver-registry.ts +182 -0
package/src/storage/LocalStorageController.ts +368 -0
package/src/storage/S3StorageController.ts +295 -0
package/src/storage/index.ts +32 -0
package/src/storage/routes.ts +247 -0
package/src/storage/storage-registry.ts +187 -0
package/src/storage/types.ts +122 -0
package/src/types/index.ts +27 -0
package/src/utils/logging.ts +35 -0
package/src/utils/sql.ts +38 -0
package/test/admin-routes.test.ts +591 -0
package/test/api-generator.test.ts +458 -0
package/test/ast-schema-editor.test.ts +61 -0
package/test/auth-middleware-hono.test.ts +321 -0
package/test/auth-routes.test.ts +868 -0
package/test/driver-registry.test.ts +280 -0
package/test/errors-hono.test.ts +133 -0
package/test/errors.test.ts +150 -0
package/test/jwt-security.test.ts +173 -0
package/test/jwt.test.ts +311 -0
package/test/middleware.test.ts +295 -0
package/test/password.test.ts +165 -0
package/test/query-parser.test.ts +258 -0
package/test/rate-limiter.test.ts +102 -0
package/test/storage-local.test.ts +278 -0
package/test/storage-registry.test.ts +280 -0
package/test/storage-routes.test.ts +218 -0
package/test/storage-s3.test.ts +301 -0
package/test-ast.ts +28 -0
package/test_output.txt +1133 -0
package/tsconfig.json +49 -0
package/tsconfig.prod.json +20 -0
package/vite.config.ts +78 -0
package/vite.config.ts.timestamp-1775065397568-8a853255edf6e.mjs +46 -0

package/src/auth/interfaces.ts ADDED Viewed

@@ -0,0 +1,316 @@
+/**
+ * Authentication Abstraction Interfaces
+ *
+ * These interfaces define the contracts for authentication-related operations.
+ * Implementations can use different databases (PostgreSQL, MongoDB, etc.) to
+ * store user, role, and token data.
+ */
+/**
+ * User data structure
+ */
+export interface UserData {
+    id: string;
+    email: string;
+    passwordHash?: string | null;
+    displayName?: string | null;
+    photoUrl?: string | null;
+    provider: string;
+    googleId?: string | null;
+    emailVerified: boolean;
+    emailVerificationToken?: string | null;
+    emailVerificationSentAt?: Date | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * Data for creating a new user
+ */
+export interface CreateUserData {
+    email: string;
+    passwordHash?: string;
+    displayName?: string;
+    photoUrl?: string;
+    provider?: string;
+    googleId?: string;
+    emailVerified?: boolean;
+}
+/**
+ * Role data structure
+ */
+export interface RoleData {
+    id: string;
+    name: string;
+    isAdmin: boolean;
+    defaultPermissions: {
+        read?: boolean;
+        create?: boolean;
+        edit?: boolean;
+        delete?: boolean;
+    } | null;
+    collectionPermissions: Record<string, {
+        read?: boolean;
+        create?: boolean;
+        edit?: boolean;
+        delete?: boolean;
+    }> | null;
+    config: Record<string, unknown> | null;
+}
+/**
+ * Data for creating a new role
+ */
+export interface CreateRoleData {
+    id: string;
+    name: string;
+    isAdmin?: boolean;
+    defaultPermissions?: RoleData["defaultPermissions"];
+    collectionPermissions?: RoleData["collectionPermissions"];
+    config?: RoleData["config"];
+}
+/**
+ * Refresh token info
+ */
+export interface RefreshTokenInfo {
+    id: string;
+    userId: string;
+    tokenHash: string;
+    expiresAt: Date;
+    createdAt: Date;
+    userAgent?: string | null;
+    ipAddress?: string | null;
+}
+/**
+ * Password reset token info
+ */
+export interface PasswordResetTokenInfo {
+    userId: string;
+    expiresAt: Date;
+}
+// =============================================================================
+// AUTH REPOSITORY INTERFACES
+// =============================================================================
+/**
+ * Options for paginated user listing
+ */
+export interface ListUsersOptions {
+    /** Max results per page (default 25) */
+    limit?: number;
+    /** Number of results to skip (default 0) */
+    offset?: number;
+    /** Search term — matches against email and displayName (case-insensitive) */
+    search?: string;
+    /** Field to sort by (default "createdAt") */
+    orderBy?: string;
+    /** Sort direction (default "desc") */
+    orderDir?: "asc" | "desc";
+}
+/**
+ * Result of a paginated user listing
+ */
+export interface PaginatedUsersResult {
+    users: UserData[];
+    /** Total number of users matching the filters (ignoring limit/offset) */
+    total: number;
+    limit: number;
+    offset: number;
+}
+/**
+ * Abstract user repository interface.
+ * Handles all user-related database operations.
+ */
+export interface UserRepository {
+    /**
+     * Create a new user
+     */
+    createUser(data: CreateUserData): Promise<UserData>;
+    /**
+     * Get a user by ID
+     */
+    getUserById(id: string): Promise<UserData | null>;
+    /**
+     * Get a user by email
+     */
+    getUserByEmail(email: string): Promise<UserData | null>;
+    /**
+     * Get a user by Google ID
+     */
+    getUserByGoogleId(googleId: string): Promise<UserData | null>;
+    /**
+     * Update a user
+     */
+    updateUser(id: string, data: Partial<Omit<CreateUserData, "id">>): Promise<UserData | null>;
+    /**
+     * Delete a user
+     */
+    deleteUser(id: string): Promise<void>;
+    /**
+     * List all users (unbounded — use listUsersPaginated for large datasets)
+     */
+    listUsers(): Promise<UserData[]>;
+    /**
+     * List users with server-side pagination, search, and sorting.
+     */
+    listUsersPaginated(options?: ListUsersOptions): Promise<PaginatedUsersResult>;
+    /**
+     * Update user's password hash
+     */
+    updatePassword(id: string, passwordHash: string): Promise<void>;
+    /**
+     * Set email verification status
+     */
+    setEmailVerified(id: string, verified: boolean): Promise<void>;
+    /**
+     * Set email verification token
+     */
+    setVerificationToken(id: string, token: string | null): Promise<void>;
+    /**
+     * Find user by email verification token
+     */
+    getUserByVerificationToken(token: string): Promise<UserData | null>;
+    /**
+     * Get roles for a user
+     */
+    getUserRoles(userId: string): Promise<RoleData[]>;
+    /**
+     * Get role IDs for a user
+     */
+    getUserRoleIds(userId: string): Promise<string[]>;
+    /**
+     * Set roles for a user (replaces existing roles)
+     */
+    setUserRoles(userId: string, roleIds: string[]): Promise<void>;
+    /**
+     * Assign a specific role to a new user
+     */
+    assignDefaultRole(userId: string, roleId: string): Promise<void>;
+    /**
+     * Get user with their roles
+     */
+    getUserWithRoles(userId: string): Promise<{ user: UserData; roles: RoleData[] } | null>;
+}
+/**
+ * Abstract role repository interface.
+ * Handles all role-related database operations.
+ */
+export interface RoleRepository {
+    /**
+     * Get a role by ID
+     */
+    getRoleById(id: string): Promise<RoleData | null>;
+    /**
+     * List all roles
+     */
+    listRoles(): Promise<RoleData[]>;
+    /**
+     * Create a new role
+     */
+    createRole(data: CreateRoleData): Promise<RoleData>;
+    /**
+     * Update a role
+     */
+    updateRole(id: string, data: Partial<Omit<RoleData, "id">>): Promise<RoleData | null>;
+    /**
+     * Delete a role
+     */
+    deleteRole(id: string): Promise<void>;
+}
+/**
+ * Abstract token repository interface.
+ * Handles refresh tokens and password reset tokens.
+ */
+export interface TokenRepository {
+    // Refresh tokens
+    /**
+     * Create a new refresh token
+     */
+    createRefreshToken(userId: string, tokenHash: string, expiresAt: Date, userAgent?: string, ipAddress?: string): Promise<void>;
+    /**
+     * Find a refresh token by hash
+     */
+    findRefreshTokenByHash(tokenHash: string): Promise<RefreshTokenInfo | null>;
+    /**
+     * Delete a refresh token by hash
+     */
+    deleteRefreshToken(tokenHash: string): Promise<void>;
+    /**
+     * Delete all refresh tokens for a user
+     */
+    deleteAllRefreshTokensForUser(userId: string): Promise<void>;
+    /**
+     * List all refresh tokens for a user
+     */
+    listRefreshTokensForUser(userId: string): Promise<RefreshTokenInfo[]>;
+    /**
+     * Delete a specific refresh token by its primary key ID
+     */
+    deleteRefreshTokenById(id: string, userId: string): Promise<void>;
+    // Password reset tokens
+    /**
+     * Create a password reset token
+     */
+    createPasswordResetToken(userId: string, tokenHash: string, expiresAt: Date): Promise<void>;
+    /**
+     * Find a valid (not expired, not used) password reset token by hash
+     */
+    findValidPasswordResetToken(tokenHash: string): Promise<PasswordResetTokenInfo | null>;
+    /**
+     * Mark a password reset token as used
+     */
+    markPasswordResetTokenUsed(tokenHash: string): Promise<void>;
+    /**
+     * Delete all password reset tokens for a user
+     */
+    deleteAllPasswordResetTokensForUser(userId: string): Promise<void>;
+    /**
+     * Clean up expired tokens
+     */
+    deleteExpiredTokens(): Promise<void>;
+}
+/**
+ * Combined auth repository interface for convenience
+ */
+export interface AuthRepository extends UserRepository, RoleRepository, TokenRepository { }

package/src/auth/jwt.ts ADDED Viewed

@@ -0,0 +1,164 @@
+import jwt from "jsonwebtoken";
+import { createHash, randomBytes } from "crypto";
+export interface JwtConfig {
+    secret: string;
+    accessExpiresIn?: string;
+    refreshExpiresIn?: string;
+}
+export interface AccessTokenPayload {
+    userId: string;
+    roles: string[];
+}
+let jwtConfig: JwtConfig = {
+    secret: "",
+    accessExpiresIn: "1h",
+    refreshExpiresIn: "30d"
+};
+/**
+ * Configure JWT settings - call this during initialization.
+ * Validates the secret strength to prevent deployment with default/weak secrets.
+ */
+export function configureJwt(config: JwtConfig): void {
+    // Reject obviously weak/default secrets
+    const weakSecrets = new Set([
+        "secret",
+        "jwt-secret",
+        "jwt_secret",
+        "your-secret",
+        "your-super-secret-jwt-key-change-in-production",
+        "change-me",
+        "changeme",
+        "password",
+        "test"
+    ]);
+    if (!config.secret || config.secret.length < 32) {
+        throw new Error(
+            "JWT secret is too short. Must be at least 32 characters. " +
+            "Generate one with: node -e \"console.log(require('crypto').randomBytes(48).toString('base64'))\""
+        );
+    }
+    if (weakSecrets.has(config.secret.toLowerCase())) {
+        throw new Error(
+            "JWT secret is a known default/weak value. Please use a strong, randomly generated secret. " +
+            "Generate one with: node -e \"console.log(require('crypto').randomBytes(48).toString('base64'))\""
+        );
+    }
+    jwtConfig = {
+        ...jwtConfig,
+        ...config
+    };
+}
+/**
+ * Generate an access token (short-lived, 1 hour by default)
+ */
+export function generateAccessToken(userId: string, roles: string[]): string {
+    if (!jwtConfig.secret) {
+        throw new Error("JWT secret not configured. Call configureJwt() first.");
+    }
+    const payload: AccessTokenPayload = { userId, roles };
+    return jwt.sign(payload, jwtConfig.secret, {
+        expiresIn: jwtConfig.accessExpiresIn as jwt.SignOptions["expiresIn"],
+        algorithm: "HS256"
+    });
+}
+/**
+ * Get the expiration time of an access token in milliseconds from now
+ */
+export function getAccessTokenExpiryMs(): number {
+    const duration = jwtConfig.accessExpiresIn || "1h";
+    const match = duration.match(/^(\d+)([dhms])$/);
+    if (!match) {
+        // Default to 1 hour
+        return 60 * 60 * 1000;
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    switch (unit) {
+        case "d": return value * 24 * 60 * 60 * 1000;
+        case "h": return value * 60 * 60 * 1000;
+        case "m": return value * 60 * 1000;
+        case "s": return value * 1000;
+        default: return 60 * 60 * 1000;
+    }
+}
+/**
+ * Get the expiration timestamp for an access token
+ */
+export function getAccessTokenExpiry(): number {
+    return Date.now() + getAccessTokenExpiryMs();
+}
+/**
+ * Verify and decode an access token
+ */
+export function verifyAccessToken(token: string): AccessTokenPayload | null {
+    if (!jwtConfig.secret) {
+        throw new Error("JWT secret not configured. Call configureJwt() first.");
+    }
+    try {
+        const decoded = jwt.verify(token, jwtConfig.secret, { algorithms: ["HS256"] }) as jwt.JwtPayload & AccessTokenPayload;
+        return {
+            userId: decoded.userId,
+            roles: decoded.roles
+        };
+    } catch (error) {
+        return null;
+    }
+}
+/**
+ * Generate a random refresh token (long-lived, 30 days by default)
+ */
+export function generateRefreshToken(): string {
+    return randomBytes(40).toString("hex");
+}
+/**
+ * Hash a refresh token for database storage (don't store raw tokens)
+ */
+export function hashRefreshToken(token: string): string {
+    return createHash("sha256").update(token).digest("hex");
+}
+/**
+ * Calculate refresh token expiration date
+ */
+export function getRefreshTokenExpiry(): Date {
+    const duration = jwtConfig.refreshExpiresIn || "30d";
+    const match = duration.match(/^(\d+)([dhms])$/);
+    if (!match) {
+        // Default to 30 days
+        return new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    let ms: number;
+    switch (unit) {
+        case "d": ms = value * 24 * 60 * 60 * 1000; break;
+        case "h": ms = value * 60 * 60 * 1000; break;
+        case "m": ms = value * 60 * 1000; break;
+        case "s": ms = value * 1000; break;
+        default: ms = 30 * 24 * 60 * 60 * 1000;
+    }
+    return new Date(Date.now() + ms);
+}

package/src/auth/middleware.ts ADDED Viewed

@@ -0,0 +1,235 @@
+import { MiddlewareHandler, Context } from "hono";
+import { DataDriver } from "@rebasepro/types";
+import { verifyAccessToken, AccessTokenPayload } from "./jwt";
+import { HonoEnv } from "../api/types";
+/**
+ * Result from a custom auth validator.
+ * - `false`/`null`/`undefined` = not authenticated
+ * - `true` = authenticated as default user
+ * - object with `userId` or `uid` = authenticated with user info
+ */
+export type AuthResult = boolean | null | undefined | { userId?: string; uid?: string; roles?: string[]; [key: string]: unknown };
+/**
+ * Options for creating an auth middleware via createAuthMiddleware()
+ */
+export interface AuthMiddlewareOptions {
+    /** DataDriver to scope via withAuth() for RLS */
+    driver: DataDriver;
+    /** If true, return 401 when no valid token is present (default: false) */
+    requireAuth?: boolean;
+    /** Optional custom validator (for non-JWT auth, e.g. Firebase Auth) */
+    validator?: (c: Context<HonoEnv>) => Promise<AuthResult>;
+}
+/**
+ * Express middleware that requires a valid JWT token
+ * Returns 401 if token is missing or invalid
+ */
+export const requireAuth: MiddlewareHandler<HonoEnv> = async (
+    c,
+    next
+) => {
+    const authHeader = c.req.header("authorization");
+    const queryToken = c.req.query("token");
+    const hasBearer = authHeader && authHeader.startsWith("Bearer ");
+    if (!hasBearer && !queryToken) {
+        return c.json({
+            error: {
+                message: "Authorization header or token query parameter missing or invalid",
+                code: "UNAUTHORIZED"
+            }
+        }, 401);
+    }
+    const token = hasBearer ? authHeader!.substring(7) : queryToken!;
+    const payload = verifyAccessToken(token);
+    if (!payload) {
+        return c.json({
+            error: {
+                message: "Invalid or expired token",
+                code: "UNAUTHORIZED"
+            }
+        }, 401);
+    }
+    c.set("user", payload);
+    return next();
+};
+/**
+ * Middleware that requires the user to have an admin or schema-admin role.
+ * Must be used AFTER requireAuth or on a route where user is guaranteed.
+ */
+export const requireAdmin: MiddlewareHandler<HonoEnv> = async (
+    c,
+    next
+) => {
+    const user = c.get("user");
+    if (!user) {
+        return c.json({
+            error: {
+                message: "User not authenticated. requireAuth middleware is missing?",
+                code: "UNAUTHORIZED"
+            }
+        }, 401);
+    }
+    const roles = (typeof user === "object" && user !== null && "roles" in user) ? (user.roles || []) : [];
+    const isAdmin = roles.some((role: string) => {
+        return role === "admin" || role === "schema-admin";
+    });
+    if (!isAdmin) {
+        return c.json({
+            error: {
+                message: "Admin privileges required for this operation",
+                code: "FORBIDDEN"
+            }
+        }, 403);
+    }
+    return next();
+};
+/**
+ * Middleware that optionally extracts user from JWT
+ * Does not return 401 if token is missing - allows anonymous access
+ */
+export const optionalAuth: MiddlewareHandler<HonoEnv> = async (
+    c,
+    next
+) => {
+    const authHeader = c.req.header("authorization");
+    const queryToken = c.req.query("token");
+    const hasBearer = authHeader && authHeader.startsWith("Bearer ");
+    if (hasBearer || queryToken) {
+        const token = hasBearer ? authHeader!.substring(7) : queryToken!;
+        const payload = verifyAccessToken(token);
+        if (payload) {
+            c.set("user", payload);
+        }
+    }
+    return next();
+};
+/**
+ * Extract user from token - for WebSocket authentication
+ */
+export function extractUserFromToken(token: string): AccessTokenPayload | null {
+    return verifyAccessToken(token);
+}
+/**
+ * Helper to scope a DataDriver via withAuth() for RLS.
+ * SECURITY: If withAuth() is available but fails, the error is re-thrown
+ * so the request is denied rather than proceeding with unscoped access.
+ */
+async function scopeDataDriver(
+    driver: DataDriver,
+    user: { uid: string; roles?: string[] }
+): Promise<DataDriver> {
+    if ("withAuth" in driver && typeof (driver as Record<string, unknown>).withAuth === "function") {
+        // Fail closed — do NOT catch and swallow errors here.
+        // If RLS scoping fails the request must be rejected.
+        return await (driver as unknown as { withAuth: (user: Record<string, unknown>) => Promise<DataDriver> }).withAuth(user);
+    }
+    return driver;
+}
+/**
+ * Create a configurable auth middleware that handles:
+ * 1. Token extraction (via custom validator or JWT Bearer token)
+ * 2. RLS-scoped DataDriver via withAuth()
+ * 3. Optional enforcement (401 when requireAuth is true and no user)
+ *
+ * This is the single source of truth for HTTP auth in Rebase.
+ * Use this instead of manually parsing tokens in route handlers.
+ */
+export function createAuthMiddleware(options: AuthMiddlewareOptions): MiddlewareHandler<HonoEnv> {
+    const { driver, requireAuth: enforceAuth = false, validator } = options;
+    return async (c, next) => {
+        if (validator) {
+            // Custom validator path (e.g., Firebase Auth, API keys)
+            try {
+                const authResult = await validator(c);
+                if (authResult && typeof authResult === "object") {
+                    const id = ("userId" in authResult ? authResult.userId : undefined)
+                        || ("uid" in authResult ? authResult.uid : undefined);
+                    if (id) {
+                        const roles = authResult.roles || [];
+                        c.set("user", { userId: id, roles });
+                        const user = { uid: id, roles, ...authResult };
+                        c.set("driver", await scopeDataDriver(driver, user));
+                    } else {
+                        c.set("driver", driver);
+                    }
+                } else if (authResult === true) {
+                    c.set("user", { userId: "default", roles: [] });
+                    c.set("driver", driver);
+                } else {
+                    // Not authenticated - inject anon scope explicitly
+                    try {
+                        c.set("driver", await scopeDataDriver(driver, { uid: "anon", roles: ["anon"] }));
+                    } catch (error) {
+                        c.set("driver", driver);
+                    }
+                }
+            } catch (error) {
+                return c.json({ error: { message: "Unauthorized", code: "UNAUTHORIZED" } }, 401);
+            }
+        } else {
+            // Default JWT path
+            try {
+                const authHeader = c.req.header("authorization");
+                const queryToken = c.req.query("token");
+                const hasBearer = authHeader && authHeader.startsWith("Bearer ");
+                if (hasBearer || queryToken) {
+                    const token = hasBearer ? authHeader!.substring(7) : queryToken!;
+                    const payload = extractUserFromToken(token);
+                    if (payload) {
+                        c.set("user", payload);
+                        const user = { uid: payload.userId, roles: payload.roles };
+                        c.set("driver", await scopeDataDriver(driver, user));
+                    } else {
+                        console.error("[AUTH] Token payload empty or invalid (length: " + token.length + ")");
+                        c.set("driver", driver);
+                    }
+                } else {
+                    // Try to inject anon scope to allow RLS policies to match against public connections
+                    try {
+                        c.set("driver", await scopeDataDriver(driver, { uid: "anon", roles: ["anon"] }));
+                    } catch (error) {
+                        console.error("[AUTH] Error scoping default anon driver", error);
+                        c.set("driver", driver);
+                    }
+                }
+            } catch (error) {
+                console.error("Default auth validation error", error);
+                // Fallback to anon scope
+                try {
+                    c.set("driver", await scopeDataDriver(driver, { uid: "anon", roles: ["anon"] }));
+                } catch (anonError) {
+                    c.set("driver", driver);
+                }
+            }
+        }
+        if (enforceAuth && !c.get("user")) {
+            console.error("[AUTH] Rejecting with 401. Path:", c.req.path);
+            return c.json({ error: { message: "Unauthorized: Invalid or missing token", code: "UNAUTHORIZED" } }, 401);
+        }
+        return next();
+    };
+}