@rebasepro/server-core 0.6.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +14 -14
- package/src/api/errors.ts +16 -2
- package/src/api/graphql/graphql-schema-generator.ts +45 -10
- package/src/api/rest/api-generator.ts +19 -2
- package/src/api/server.ts +10 -2
- package/src/api/types.ts +6 -0
- package/src/auth/adapter-middleware.ts +10 -2
- package/src/auth/admin-roles-route.ts +36 -0
- package/src/auth/admin-users-route.ts +302 -0
- package/src/auth/api-keys/api-key-middleware.ts +4 -3
- package/src/auth/api-keys/api-key-routes.ts +12 -2
- package/src/auth/api-keys/api-key-store.ts +83 -66
- package/src/auth/api-keys/api-key-types.ts +8 -0
- package/src/auth/apple-oauth.ts +2 -1
- package/src/auth/auth-hooks.ts +21 -0
- package/src/auth/bitbucket-oauth.ts +2 -1
- package/src/auth/builtin-auth-adapter.ts +28 -4
- package/src/auth/custom-auth-adapter.ts +2 -0
- package/src/auth/discord-oauth.ts +2 -1
- package/src/auth/facebook-oauth.ts +2 -1
- package/src/auth/github-oauth.ts +2 -1
- package/src/auth/gitlab-oauth.ts +2 -1
- package/src/auth/google-oauth.ts +8 -4
- package/src/auth/index.ts +2 -0
- package/src/auth/interfaces.ts +27 -0
- package/src/auth/linkedin-oauth.ts +2 -1
- package/src/auth/magic-link-routes.ts +167 -0
- package/src/auth/mfa-crypto.ts +91 -0
- package/src/auth/mfa-routes.ts +34 -10
- package/src/auth/microsoft-oauth.ts +2 -1
- package/src/auth/middleware.ts +10 -1
- package/src/auth/reset-password-admin.ts +17 -1
- package/src/auth/routes.ts +77 -8
- package/src/auth/session-routes.ts +15 -3
- package/src/auth/slack-oauth.ts +2 -1
- package/src/auth/spotify-oauth.ts +2 -1
- package/src/auth/twitter-oauth.ts +8 -1
- package/src/cron/cron-store.ts +25 -23
- package/src/email/index.ts +3 -2
- package/src/email/templates.ts +82 -0
- package/src/email/types.ts +16 -0
- package/src/init.ts +137 -5
- package/src/services/routed-realtime-service.ts +113 -0
- package/src/storage/routes.ts +4 -0
- package/src/utils/dev-port.ts +13 -7
- package/test/auth-routes.test.ts +54 -4
- package/test/custom-auth-adapter.test.ts +20 -1
- package/test/env.test.ts +9 -19
- package/test/multi-datasource-routing.test.ts +113 -0
- package/test/routed-realtime-service.test.ts +86 -0
- package/test/transform-auth-response.test.ts +305 -0
- package/vite.config.ts +5 -0
- package/build-errors.txt +0 -52
- package/dist/api/ast-schema-editor.d.ts +0 -21
- package/dist/api/collections_for_test/callbacks_test_collection.d.ts +0 -2
- package/dist/api/errors.d.ts +0 -53
- package/dist/api/graphql/graphql-schema-generator.d.ts +0 -35
- package/dist/api/graphql/index.d.ts +0 -1
- package/dist/api/index.d.ts +0 -9
- package/dist/api/logs-routes.d.ts +0 -37
- package/dist/api/openapi-generator.d.ts +0 -16
- package/dist/api/rest/api-generator.d.ts +0 -88
- package/dist/api/rest/index.d.ts +0 -1
- package/dist/api/rest/query-parser.d.ts +0 -11
- package/dist/api/schema-editor-routes.d.ts +0 -3
- package/dist/api/server.d.ts +0 -40
- package/dist/api/types.d.ts +0 -98
- package/dist/auth/adapter-middleware.d.ts +0 -37
- package/dist/auth/admin-user-ops.d.ts +0 -79
- package/dist/auth/api-keys/api-key-middleware.d.ts +0 -39
- package/dist/auth/api-keys/api-key-permission-guard.d.ts +0 -32
- package/dist/auth/api-keys/api-key-routes.d.ts +0 -20
- package/dist/auth/api-keys/api-key-store.d.ts +0 -35
- package/dist/auth/api-keys/api-key-types.d.ts +0 -88
- package/dist/auth/api-keys/index.d.ts +0 -17
- package/dist/auth/apple-oauth.d.ts +0 -30
- package/dist/auth/auth-hooks.d.ts +0 -225
- package/dist/auth/bitbucket-oauth.d.ts +0 -11
- package/dist/auth/builtin-auth-adapter.d.ts +0 -49
- package/dist/auth/crypto-utils.d.ts +0 -16
- package/dist/auth/custom-auth-adapter.d.ts +0 -39
- package/dist/auth/discord-oauth.d.ts +0 -14
- package/dist/auth/facebook-oauth.d.ts +0 -14
- package/dist/auth/github-oauth.d.ts +0 -15
- package/dist/auth/gitlab-oauth.d.ts +0 -13
- package/dist/auth/google-oauth.d.ts +0 -47
- package/dist/auth/index.d.ts +0 -36
- package/dist/auth/interfaces.d.ts +0 -401
- package/dist/auth/jwt.d.ts +0 -55
- package/dist/auth/linkedin-oauth.d.ts +0 -18
- package/dist/auth/mfa-routes.d.ts +0 -6
- package/dist/auth/mfa.d.ts +0 -49
- package/dist/auth/microsoft-oauth.d.ts +0 -16
- package/dist/auth/middleware.d.ts +0 -106
- package/dist/auth/password.d.ts +0 -22
- package/dist/auth/rate-limiter.d.ts +0 -50
- package/dist/auth/reset-password-admin.d.ts +0 -29
- package/dist/auth/rls-scope.d.ts +0 -31
- package/dist/auth/routes.d.ts +0 -33
- package/dist/auth/session-routes.d.ts +0 -25
- package/dist/auth/slack-oauth.d.ts +0 -12
- package/dist/auth/spotify-oauth.d.ts +0 -12
- package/dist/auth/twitter-oauth.d.ts +0 -18
- package/dist/backend-CIxN4FVm.js +0 -15
- package/dist/backend-CIxN4FVm.js.map +0 -1
- package/dist/chunk-Dze3rakg.js +0 -42
- package/dist/collections/BackendCollectionRegistry.d.ts +0 -13
- package/dist/collections/loader.d.ts +0 -5
- package/dist/cron/cron-loader.d.ts +0 -17
- package/dist/cron/cron-routes.d.ts +0 -14
- package/dist/cron/cron-scheduler.d.ts +0 -106
- package/dist/cron/cron-store.d.ts +0 -32
- package/dist/cron/index.d.ts +0 -6
- package/dist/db/interfaces.d.ts +0 -18
- package/dist/dist-CZKP-Xz4.js +0 -832
- package/dist/dist-CZKP-Xz4.js.map +0 -1
- package/dist/email/index.d.ts +0 -6
- package/dist/email/smtp-email-service.d.ts +0 -25
- package/dist/email/templates.d.ts +0 -42
- package/dist/email/types.d.ts +0 -108
- package/dist/env.d.ts +0 -102
- package/dist/from-VbwD7xRf.js +0 -3849
- package/dist/from-VbwD7xRf.js.map +0 -1
- package/dist/functions/function-loader.d.ts +0 -17
- package/dist/functions/function-routes.d.ts +0 -10
- package/dist/functions/index.d.ts +0 -3
- package/dist/history/history-routes.d.ts +0 -23
- package/dist/history/index.d.ts +0 -1
- package/dist/index.d.ts +0 -33
- package/dist/index.es.js +0 -61726
- package/dist/index.es.js.map +0 -1
- package/dist/index.umd.js +0 -73216
- package/dist/index.umd.js.map +0 -1
- package/dist/init/docs.d.ts +0 -4
- package/dist/init/health.d.ts +0 -2
- package/dist/init/middlewares.d.ts +0 -10
- package/dist/init/shutdown.d.ts +0 -11
- package/dist/init/storage.d.ts +0 -5
- package/dist/init.d.ts +0 -258
- package/dist/jwt-DHcQRGC3.js +0 -4168
- package/dist/jwt-DHcQRGC3.js.map +0 -1
- package/dist/logger-BYU66ENZ.js +0 -94
- package/dist/logger-BYU66ENZ.js.map +0 -1
- package/dist/ms-BeBSuOXN.js +0 -125
- package/dist/ms-BeBSuOXN.js.map +0 -1
- package/dist/multipart-parser-CedBDOeC.js +0 -299
- package/dist/multipart-parser-CedBDOeC.js.map +0 -1
- package/dist/serve-spa.d.ts +0 -30
- package/dist/services/driver-registry.d.ts +0 -78
- package/dist/services/webhook-service.d.ts +0 -29
- package/dist/singleton.d.ts +0 -35
- package/dist/src-COaj0G3P.js +0 -1182
- package/dist/src-COaj0G3P.js.map +0 -1
- package/dist/storage/LocalStorageController.d.ts +0 -46
- package/dist/storage/S3StorageController.d.ts +0 -36
- package/dist/storage/image-transform.d.ts +0 -50
- package/dist/storage/index.d.ts +0 -28
- package/dist/storage/routes.d.ts +0 -38
- package/dist/storage/storage-registry.d.ts +0 -78
- package/dist/storage/tus-handler.d.ts +0 -51
- package/dist/storage/types.d.ts +0 -103
- package/dist/types/index.d.ts +0 -11
- package/dist/utils/dev-port.d.ts +0 -35
- package/dist/utils/logger.d.ts +0 -31
- package/dist/utils/logging.d.ts +0 -9
- package/dist/utils/request-id.d.ts +0 -4
- package/dist/utils/request-logger.d.ts +0 -19
- package/dist/utils/sql.d.ts +0 -27
package/dist/api/server.d.ts
DELETED
|
@@ -1,40 +0,0 @@
|
|
|
1
|
-
import { Hono } from "hono";
|
|
2
|
-
import { DataDriver } from "@rebasepro/types";
|
|
3
|
-
import { ApiConfig, HonoEnv } from "./types";
|
|
4
|
-
/**
|
|
5
|
-
* Simplified API server that leverages existing Rebase infrastructure
|
|
6
|
-
* Can be used standalone or mounted on existing Hono app
|
|
7
|
-
*/
|
|
8
|
-
export declare class RebaseApiServer {
|
|
9
|
-
private app;
|
|
10
|
-
private router;
|
|
11
|
-
private config;
|
|
12
|
-
private driver;
|
|
13
|
-
private constructor();
|
|
14
|
-
/**
|
|
15
|
-
* Factory method to create an asynchronously initialized ApiServer instance
|
|
16
|
-
*/
|
|
17
|
-
static create(config: ApiConfig & {
|
|
18
|
-
driver: DataDriver;
|
|
19
|
-
}): Promise<RebaseApiServer>;
|
|
20
|
-
/**
|
|
21
|
-
* Setup Hono middleware
|
|
22
|
-
*/
|
|
23
|
-
private setupMiddleware;
|
|
24
|
-
/**
|
|
25
|
-
* Setup API routes using existing services
|
|
26
|
-
*/
|
|
27
|
-
private setupRoutes;
|
|
28
|
-
/**
|
|
29
|
-
* Get the Hono router with all API routes
|
|
30
|
-
*/
|
|
31
|
-
getRouter(): Hono<HonoEnv>;
|
|
32
|
-
/**
|
|
33
|
-
* Get the standalone Hono app
|
|
34
|
-
*/
|
|
35
|
-
getApp(): Hono<HonoEnv>;
|
|
36
|
-
/**
|
|
37
|
-
* Start the server (standalone mode) via @hono/node-server
|
|
38
|
-
*/
|
|
39
|
-
listen(port?: number, callback?: () => void): void;
|
|
40
|
-
}
|
package/dist/api/types.d.ts
DELETED
|
@@ -1,98 +0,0 @@
|
|
|
1
|
-
import { EntityCollection, VectorSearchParams, LogicalCondition } from "@rebasepro/types";
|
|
2
|
-
import { AuthResult } from "../auth/middleware";
|
|
3
|
-
import { NodePgDatabase } from "drizzle-orm/node-postgres";
|
|
4
|
-
import { DataDriver } from "@rebasepro/types";
|
|
5
|
-
import type { ApiKeyMasked } from "../auth/api-keys/api-key-types";
|
|
6
|
-
/**
|
|
7
|
-
* Hono Environment Variables
|
|
8
|
-
* Passed to generic Hono<HonoEnv> to type `c.get()`
|
|
9
|
-
*/
|
|
10
|
-
export type HonoEnv = {
|
|
11
|
-
Variables: {
|
|
12
|
-
user?: AuthResult | {
|
|
13
|
-
userId?: string;
|
|
14
|
-
roles?: string[];
|
|
15
|
-
};
|
|
16
|
-
driver?: DataDriver;
|
|
17
|
-
/** Set when the request is authenticated via a Service API Key. */
|
|
18
|
-
apiKey?: ApiKeyMasked;
|
|
19
|
-
/** Unique request correlation ID (generated or propagated from X-Request-ID header). */
|
|
20
|
-
requestId?: string;
|
|
21
|
-
};
|
|
22
|
-
};
|
|
23
|
-
/**
|
|
24
|
-
* Configuration for API generation
|
|
25
|
-
*/
|
|
26
|
-
/**
|
|
27
|
-
* Configuration for API generation
|
|
28
|
-
*/
|
|
29
|
-
export interface ApiConfig {
|
|
30
|
-
collections?: EntityCollection[];
|
|
31
|
-
collectionsDir?: string;
|
|
32
|
-
basePath?: string;
|
|
33
|
-
enableGraphQL?: boolean;
|
|
34
|
-
enableREST?: boolean;
|
|
35
|
-
cors?: {
|
|
36
|
-
origin?: string | string[] | boolean;
|
|
37
|
-
credentials?: boolean;
|
|
38
|
-
};
|
|
39
|
-
/** Whether auth is required for API endpoints (default: true) */
|
|
40
|
-
requireAuth?: boolean;
|
|
41
|
-
/** Optional custom validator for authentication */
|
|
42
|
-
authValidator?: (c: import("hono").Context<import("./types").HonoEnv>) => Promise<AuthResult>;
|
|
43
|
-
pagination?: {
|
|
44
|
-
defaultLimit: number;
|
|
45
|
-
maxLimit: number;
|
|
46
|
-
};
|
|
47
|
-
}
|
|
48
|
-
/**
|
|
49
|
-
* Context passed to resolvers and handlers
|
|
50
|
-
*/
|
|
51
|
-
export interface ApiContext {
|
|
52
|
-
user?: AuthResult;
|
|
53
|
-
collections: Map<string, EntityCollection>;
|
|
54
|
-
db: NodePgDatabase;
|
|
55
|
-
}
|
|
56
|
-
/**
|
|
57
|
-
* Standard API response format
|
|
58
|
-
*/
|
|
59
|
-
export interface ApiResponse<T = unknown> {
|
|
60
|
-
data?: T;
|
|
61
|
-
error?: {
|
|
62
|
-
message: string;
|
|
63
|
-
code?: string;
|
|
64
|
-
details?: unknown;
|
|
65
|
-
};
|
|
66
|
-
meta?: {
|
|
67
|
-
total?: number;
|
|
68
|
-
page?: number;
|
|
69
|
-
limit?: number;
|
|
70
|
-
hasMore?: boolean;
|
|
71
|
-
};
|
|
72
|
-
}
|
|
73
|
-
/**
|
|
74
|
-
* Query options for API endpoints
|
|
75
|
-
*/
|
|
76
|
-
export interface QueryOptions {
|
|
77
|
-
limit?: number;
|
|
78
|
-
offset?: number;
|
|
79
|
-
where?: Record<string, unknown>;
|
|
80
|
-
logical?: LogicalCondition;
|
|
81
|
-
orderBy?: Array<{
|
|
82
|
-
field: string;
|
|
83
|
-
direction: "asc" | "desc";
|
|
84
|
-
}>;
|
|
85
|
-
include?: string[];
|
|
86
|
-
/** Columns to return in the response (field-level selection) */
|
|
87
|
-
fields?: string[];
|
|
88
|
-
/** Vector similarity search configuration */
|
|
89
|
-
vectorSearch?: VectorSearchParams;
|
|
90
|
-
}
|
|
91
|
-
/**
|
|
92
|
-
* Relation resolution configuration
|
|
93
|
-
*/
|
|
94
|
-
export interface RelationConfig {
|
|
95
|
-
relationName: string;
|
|
96
|
-
depth?: number;
|
|
97
|
-
include?: string[];
|
|
98
|
-
}
|
|
@@ -1,37 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Adapter Auth Middleware
|
|
3
|
-
*
|
|
4
|
-
* Creates a Hono middleware that delegates authentication to an `AuthAdapter`
|
|
5
|
-
* instead of hardcoded JWT verification. This is used when the user passes
|
|
6
|
-
* an `AuthAdapter` to `initializeRebaseBackend()`.
|
|
7
|
-
*
|
|
8
|
-
* The middleware:
|
|
9
|
-
* 1. Checks for API key tokens (`rk_` prefix) first — these are Rebase-level
|
|
10
|
-
* 2. Falls back to `adapter.verifyRequest(request)` to resolve the user
|
|
11
|
-
* 3. Scopes the DataDriver via `withAuth()` for RLS
|
|
12
|
-
* 4. Enforces auth (401) when `requireAuth` is true and no user is found
|
|
13
|
-
*
|
|
14
|
-
* The behavior is identical to `createAuthMiddleware()` — only the
|
|
15
|
-
* token verification strategy is pluggable.
|
|
16
|
-
*/
|
|
17
|
-
import type { MiddlewareHandler } from "hono";
|
|
18
|
-
import type { DataDriver, AuthAdapter } from "@rebasepro/types";
|
|
19
|
-
import type { HonoEnv } from "../api/types";
|
|
20
|
-
import type { ApiKeyStore } from "./api-keys/api-key-store";
|
|
21
|
-
export interface AdapterAuthMiddlewareOptions {
|
|
22
|
-
/** The auth adapter to delegate verification to. */
|
|
23
|
-
adapter: AuthAdapter;
|
|
24
|
-
/** The DataDriver to scope via withAuth() for RLS. */
|
|
25
|
-
driver: DataDriver;
|
|
26
|
-
/**
|
|
27
|
-
* If true, return 401 when no valid user is resolved.
|
|
28
|
-
* Defaults to `true` (secure by default).
|
|
29
|
-
*/
|
|
30
|
-
requireAuth?: boolean;
|
|
31
|
-
/** Optional API key store — when provided, `rk_` bearer tokens are accepted. */
|
|
32
|
-
apiKeyStore?: ApiKeyStore;
|
|
33
|
-
}
|
|
34
|
-
/**
|
|
35
|
-
* Create a Hono middleware that uses an `AuthAdapter` for request verification.
|
|
36
|
-
*/
|
|
37
|
-
export declare function createAdapterAuthMiddleware(options: AdapterAuthMiddlewareOptions): MiddlewareHandler<HonoEnv>;
|
|
@@ -1,79 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Admin User Operations
|
|
3
|
-
*
|
|
4
|
-
* Shared utilities and orchestration for admin-initiated user management
|
|
5
|
-
* (user creation via REST API, password reset via admin panel).
|
|
6
|
-
*
|
|
7
|
-
* Hook resolution order:
|
|
8
|
-
* 1. Collection-level hook (`auth.onCreateUser` on the collection) — closest to the data
|
|
9
|
-
* 2. Backend-level hook (`AuthHooks.onAdminCreateUser`) — global override
|
|
10
|
-
* 3. Built-in default — framework fallback
|
|
11
|
-
*/
|
|
12
|
-
import type { AuthRepository } from "./interfaces";
|
|
13
|
-
import type { EmailService, EmailConfig } from "../email";
|
|
14
|
-
import type { ResolvedAuthHooks } from "./auth-hooks";
|
|
15
|
-
import type { AuthCollectionConfig } from "@rebasepro/types";
|
|
16
|
-
/**
|
|
17
|
-
* Generate a cryptographically secure random password that meets strength requirements.
|
|
18
|
-
*
|
|
19
|
-
* 16 characters, guaranteed at least one uppercase, one lowercase, one digit.
|
|
20
|
-
* Ambiguous characters (0, O, 1, l, I) are excluded.
|
|
21
|
-
*/
|
|
22
|
-
export declare function generateSecurePassword(): string;
|
|
23
|
-
/**
|
|
24
|
-
* Generate a cryptographically secure random token (80 hex characters).
|
|
25
|
-
*/
|
|
26
|
-
export declare function generateSecureToken(): string;
|
|
27
|
-
/**
|
|
28
|
-
* Hash a token for database storage using SHA-256.
|
|
29
|
-
*/
|
|
30
|
-
export declare function hashToken(token: string): string;
|
|
31
|
-
/**
|
|
32
|
-
* Context needed by admin user creation / password reset operations.
|
|
33
|
-
*/
|
|
34
|
-
export interface AdminUserContext {
|
|
35
|
-
authRepo: AuthRepository;
|
|
36
|
-
emailService?: EmailService;
|
|
37
|
-
emailConfig?: EmailConfig;
|
|
38
|
-
resolvedHooks: ResolvedAuthHooks;
|
|
39
|
-
/** The parsed auth config from the collection (if `auth` is an object, not just `true`). */
|
|
40
|
-
collectionAuthConfig?: AuthCollectionConfig;
|
|
41
|
-
}
|
|
42
|
-
/**
|
|
43
|
-
* Result of preparing user values for admin-initiated creation.
|
|
44
|
-
*/
|
|
45
|
-
export interface AdminUserPrepareResult {
|
|
46
|
-
/** Values ready for `driver.saveEntity()`. */
|
|
47
|
-
values: Record<string, unknown>;
|
|
48
|
-
/** The cleartext password (for returning to admin or sending via email). */
|
|
49
|
-
clearPassword?: string;
|
|
50
|
-
/** Whether the hook already handled the invitation email. */
|
|
51
|
-
hookHandledEmail: boolean;
|
|
52
|
-
/** Whether an invitation was sent (only relevant when hookHandledEmail is true). */
|
|
53
|
-
invitationSent: boolean;
|
|
54
|
-
}
|
|
55
|
-
/**
|
|
56
|
-
* Prepare user values for an admin-initiated user creation.
|
|
57
|
-
*
|
|
58
|
-
* Resolution order:
|
|
59
|
-
* 1. Collection-level `auth.onCreateUser` — closest to the data
|
|
60
|
-
* 2. Backend-level `AuthHooks.onAdminCreateUser` — global override
|
|
61
|
-
* 3. Built-in default — generate password → hash → normalize email
|
|
62
|
-
*
|
|
63
|
-
* The caller is responsible for persisting (via `driver.saveEntity()`).
|
|
64
|
-
*/
|
|
65
|
-
export declare function prepareAdminUserValues(body: Record<string, unknown>, ctx: AdminUserContext): Promise<AdminUserPrepareResult>;
|
|
66
|
-
/**
|
|
67
|
-
* Handle post-creation work for admin-created users.
|
|
68
|
-
*
|
|
69
|
-
* Sends an invitation email (password-reset link) if email is configured
|
|
70
|
-
* and no explicit password was provided. Falls back to returning the
|
|
71
|
-
* temporary password if email fails or is not configured.
|
|
72
|
-
*/
|
|
73
|
-
export declare function finalizeAdminUserCreation(entity: {
|
|
74
|
-
id: string;
|
|
75
|
-
values: Record<string, unknown>;
|
|
76
|
-
}, clearPassword: string | undefined, ctx: AdminUserContext): Promise<{
|
|
77
|
-
temporaryPassword?: string;
|
|
78
|
-
invitationSent: boolean;
|
|
79
|
-
}>;
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Hono middleware for authenticating requests via Service API Keys.
|
|
3
|
-
*
|
|
4
|
-
* This middleware is integrated into `createAuthMiddleware()` and
|
|
5
|
-
* activates only when the bearer token starts with `rk_`. It:
|
|
6
|
-
*
|
|
7
|
-
* 1. Hashes the token with SHA-256
|
|
8
|
-
* 2. Looks up the hash in the `rebase.api_keys` table
|
|
9
|
-
* 3. Validates the key is not revoked and not expired
|
|
10
|
-
* 4. Sets `c.set("user", ...)` and `c.set("apiKey", ...)` for downstream use
|
|
11
|
-
* 5. Scopes the DataDriver via `withAuth()` using the API key's service identity
|
|
12
|
-
*
|
|
13
|
-
* @module
|
|
14
|
-
*/
|
|
15
|
-
import type { Context } from "hono";
|
|
16
|
-
import type { DataDriver } from "@rebasepro/types";
|
|
17
|
-
import type { HonoEnv } from "../../api/types";
|
|
18
|
-
import type { ApiKeyStore } from "./api-key-store";
|
|
19
|
-
/**
|
|
20
|
-
* Check whether a token looks like a Rebase API key.
|
|
21
|
-
*/
|
|
22
|
-
export declare function isApiKeyToken(token: string): boolean;
|
|
23
|
-
/**
|
|
24
|
-
* Options for the API key authentication handler.
|
|
25
|
-
*/
|
|
26
|
-
export interface ApiKeyAuthOptions {
|
|
27
|
-
store: ApiKeyStore;
|
|
28
|
-
driver: DataDriver;
|
|
29
|
-
}
|
|
30
|
-
/**
|
|
31
|
-
* Validate an API key token and populate the Hono context.
|
|
32
|
-
*
|
|
33
|
-
* Returns `true` if the key is valid and context has been populated,
|
|
34
|
-
* or returns an error Response if the key is invalid.
|
|
35
|
-
*
|
|
36
|
-
* This is NOT a standalone middleware — it's called from within
|
|
37
|
-
* `createAuthMiddleware()` when a `rk_` prefixed token is detected.
|
|
38
|
-
*/
|
|
39
|
-
export declare function validateApiKey(c: Context<HonoEnv>, token: string, options: ApiKeyAuthOptions): Promise<Response | true>;
|
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Permission guard for Service API Keys.
|
|
3
|
-
*
|
|
4
|
-
* Checks whether an API key's permission set allows a specific operation
|
|
5
|
-
* on a specific collection. Used by the REST API generator middleware to
|
|
6
|
-
* enforce fine-grained access control.
|
|
7
|
-
*
|
|
8
|
-
* @module
|
|
9
|
-
*/
|
|
10
|
-
import type { ApiKeyPermission } from "./api-key-types";
|
|
11
|
-
/** Operations that map to HTTP methods. */
|
|
12
|
-
export type ApiKeyOperation = "read" | "write" | "delete";
|
|
13
|
-
/**
|
|
14
|
-
* Map an HTTP method string to an `ApiKeyOperation`.
|
|
15
|
-
*
|
|
16
|
-
* - `GET`, `HEAD`, `OPTIONS` → `"read"`
|
|
17
|
-
* - `POST`, `PUT`, `PATCH` → `"write"`
|
|
18
|
-
* - `DELETE` → `"delete"`
|
|
19
|
-
*/
|
|
20
|
-
export declare function httpMethodToOperation(method: string): ApiKeyOperation;
|
|
21
|
-
/**
|
|
22
|
-
* Check whether the given permissions array allows `operation` on `collection`.
|
|
23
|
-
*
|
|
24
|
-
* Supports the `"*"` wildcard for the collection field, which matches any
|
|
25
|
-
* collection. Returns `true` if at least one permission entry grants access.
|
|
26
|
-
*
|
|
27
|
-
* @param permissions - The API key's permission entries.
|
|
28
|
-
* @param collection - The target collection slug.
|
|
29
|
-
* @param operation - The requested operation.
|
|
30
|
-
* @returns `true` if the operation is permitted.
|
|
31
|
-
*/
|
|
32
|
-
export declare function isOperationAllowed(permissions: ApiKeyPermission[], collection: string, operation: ApiKeyOperation): boolean;
|
|
@@ -1,20 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Admin routes for managing Service API Keys.
|
|
3
|
-
*
|
|
4
|
-
* Mounted under `/api/admin/api-keys` with `requireAuth` + `requireAdmin`.
|
|
5
|
-
* All routes return masked keys (never the hash). The full plaintext key
|
|
6
|
-
* is returned exactly once in the POST response.
|
|
7
|
-
*
|
|
8
|
-
* @module
|
|
9
|
-
*/
|
|
10
|
-
import { Hono } from "hono";
|
|
11
|
-
import type { HonoEnv } from "../../api/types";
|
|
12
|
-
import type { ApiKeyStore } from "./api-key-store";
|
|
13
|
-
export interface ApiKeyRouteOptions {
|
|
14
|
-
store: ApiKeyStore;
|
|
15
|
-
serviceKey?: string;
|
|
16
|
-
}
|
|
17
|
-
/**
|
|
18
|
-
* Create admin routes for API key management.
|
|
19
|
-
*/
|
|
20
|
-
export declare function createApiKeyRoutes(options: ApiKeyRouteOptions): Hono<HonoEnv>;
|
|
@@ -1,35 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Database operations for Service API Keys.
|
|
3
|
-
*
|
|
4
|
-
* Uses the DataDriver's `admin.executeSql` capability (same pattern as
|
|
5
|
-
* the cron-store and ensure-tables modules). All data lives in the
|
|
6
|
-
* `rebase.api_keys` table.
|
|
7
|
-
*
|
|
8
|
-
* @module
|
|
9
|
-
*/
|
|
10
|
-
import type { DataDriver } from "@rebasepro/types";
|
|
11
|
-
import type { ApiKey, ApiKeyMasked, ApiKeyWithSecret, CreateApiKeyRequest, UpdateApiKeyRequest } from "./api-key-types";
|
|
12
|
-
export interface ApiKeyStore {
|
|
13
|
-
/** Ensure the `rebase.api_keys` table exists. Called once on startup. */
|
|
14
|
-
ensureTable(): Promise<void>;
|
|
15
|
-
/** Create a new API key. Returns the full plaintext key exactly once. */
|
|
16
|
-
createApiKey(request: CreateApiKeyRequest, createdBy: string): Promise<ApiKeyWithSecret>;
|
|
17
|
-
/** Look up an API key by its SHA-256 hash. Returns `null` if not found. */
|
|
18
|
-
findByKeyHash(hash: string): Promise<ApiKey | null>;
|
|
19
|
-
/** List all API keys (masked, never includes hash). */
|
|
20
|
-
listApiKeys(): Promise<ApiKeyMasked[]>;
|
|
21
|
-
/** Get a single API key by ID (masked). */
|
|
22
|
-
getApiKeyById(id: string): Promise<ApiKeyMasked | null>;
|
|
23
|
-
/** Update name, permissions, rate_limit, or expires_at. */
|
|
24
|
-
updateApiKey(id: string, updates: UpdateApiKeyRequest): Promise<ApiKeyMasked | null>;
|
|
25
|
-
/** Soft-delete: set `revoked_at` to now. */
|
|
26
|
-
revokeApiKey(id: string): Promise<boolean>;
|
|
27
|
-
/** Touch `last_used_at` to the current timestamp. */
|
|
28
|
-
updateLastUsed(id: string): Promise<void>;
|
|
29
|
-
}
|
|
30
|
-
/**
|
|
31
|
-
* Create an `ApiKeyStore` backed by the driver's SQL admin capability.
|
|
32
|
-
*
|
|
33
|
-
* Returns `undefined` if the driver does not support `executeSql`.
|
|
34
|
-
*/
|
|
35
|
-
export declare function createApiKeyStore(driver: DataDriver): ApiKeyStore | undefined;
|
|
@@ -1,88 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Type definitions for Service API Keys.
|
|
3
|
-
*
|
|
4
|
-
* API keys provide machine-to-machine authentication for scripts, cron jobs,
|
|
5
|
-
* and third-party integrations. Each key is scoped to specific collections
|
|
6
|
-
* and operations via the `ApiKeyPermission` model.
|
|
7
|
-
*
|
|
8
|
-
* @module
|
|
9
|
-
*/
|
|
10
|
-
/**
|
|
11
|
-
* A single permission entry scoping an API key to a collection and set of operations.
|
|
12
|
-
*
|
|
13
|
-
* Use `"*"` as the collection value to grant access to all collections.
|
|
14
|
-
*/
|
|
15
|
-
export interface ApiKeyPermission {
|
|
16
|
-
/** Collection slug, or `"*"` for all collections. */
|
|
17
|
-
collection: string;
|
|
18
|
-
/** Allowed operations on the collection. */
|
|
19
|
-
operations: ("read" | "write" | "delete")[];
|
|
20
|
-
}
|
|
21
|
-
/**
|
|
22
|
-
* Full database row for an API key.
|
|
23
|
-
* The `key_hash` is never exposed via the API — only stored for lookup.
|
|
24
|
-
*/
|
|
25
|
-
export interface ApiKey {
|
|
26
|
-
id: string;
|
|
27
|
-
name: string;
|
|
28
|
-
/** First 12 characters of the plaintext key, for display only. */
|
|
29
|
-
key_prefix: string;
|
|
30
|
-
/** SHA-256 hash of the full plaintext key. */
|
|
31
|
-
key_hash: string;
|
|
32
|
-
permissions: ApiKeyPermission[];
|
|
33
|
-
/** Requests per 15-minute window. `null` means unlimited. */
|
|
34
|
-
rate_limit: number | null;
|
|
35
|
-
created_by: string;
|
|
36
|
-
created_at: string;
|
|
37
|
-
updated_at: string;
|
|
38
|
-
last_used_at: string | null;
|
|
39
|
-
expires_at: string | null;
|
|
40
|
-
revoked_at: string | null;
|
|
41
|
-
}
|
|
42
|
-
/**
|
|
43
|
-
* Masked version of an API key, safe for API responses.
|
|
44
|
-
* Omits `key_hash` and shows only the prefix.
|
|
45
|
-
*/
|
|
46
|
-
export interface ApiKeyMasked {
|
|
47
|
-
id: string;
|
|
48
|
-
name: string;
|
|
49
|
-
key_prefix: string;
|
|
50
|
-
permissions: ApiKeyPermission[];
|
|
51
|
-
rate_limit: number | null;
|
|
52
|
-
created_by: string;
|
|
53
|
-
created_at: string;
|
|
54
|
-
updated_at: string;
|
|
55
|
-
last_used_at: string | null;
|
|
56
|
-
expires_at: string | null;
|
|
57
|
-
revoked_at: string | null;
|
|
58
|
-
}
|
|
59
|
-
/**
|
|
60
|
-
* Request body for creating a new API key.
|
|
61
|
-
*/
|
|
62
|
-
export interface CreateApiKeyRequest {
|
|
63
|
-
name: string;
|
|
64
|
-
permissions: ApiKeyPermission[];
|
|
65
|
-
/** Requests per 15-minute window. Omit or `null` for unlimited. */
|
|
66
|
-
rate_limit?: number | null;
|
|
67
|
-
/** ISO-8601 expiration timestamp. Omit for no expiration. */
|
|
68
|
-
expires_at?: string | null;
|
|
69
|
-
}
|
|
70
|
-
/**
|
|
71
|
-
* Request body for updating an existing API key.
|
|
72
|
-
* All fields are optional — only provided fields are updated.
|
|
73
|
-
*/
|
|
74
|
-
export interface UpdateApiKeyRequest {
|
|
75
|
-
name?: string;
|
|
76
|
-
permissions?: ApiKeyPermission[];
|
|
77
|
-
rate_limit?: number | null;
|
|
78
|
-
expires_at?: string | null;
|
|
79
|
-
}
|
|
80
|
-
/**
|
|
81
|
-
* Returned exactly once when a key is created.
|
|
82
|
-
* The `key` field contains the full plaintext key — it is never stored
|
|
83
|
-
* or returned again after creation.
|
|
84
|
-
*/
|
|
85
|
-
export interface ApiKeyWithSecret extends ApiKeyMasked {
|
|
86
|
-
/** Full plaintext API key (e.g. `rk_live_abc123...`). */
|
|
87
|
-
key: string;
|
|
88
|
-
}
|
|
@@ -1,17 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Service API Keys module.
|
|
3
|
-
*
|
|
4
|
-
* Re-exports types, store, middleware, permission guard, and routes
|
|
5
|
-
* for the API key authentication system.
|
|
6
|
-
*
|
|
7
|
-
* @module
|
|
8
|
-
*/
|
|
9
|
-
export type { ApiKey, ApiKeyMasked, ApiKeyPermission, ApiKeyWithSecret, CreateApiKeyRequest, UpdateApiKeyRequest } from "./api-key-types";
|
|
10
|
-
export { createApiKeyStore } from "./api-key-store";
|
|
11
|
-
export type { ApiKeyStore } from "./api-key-store";
|
|
12
|
-
export { isApiKeyToken, validateApiKey } from "./api-key-middleware";
|
|
13
|
-
export type { ApiKeyAuthOptions } from "./api-key-middleware";
|
|
14
|
-
export { httpMethodToOperation, isOperationAllowed } from "./api-key-permission-guard";
|
|
15
|
-
export type { ApiKeyOperation } from "./api-key-permission-guard";
|
|
16
|
-
export { createApiKeyRoutes } from "./api-key-routes";
|
|
17
|
-
export type { ApiKeyRouteOptions } from "./api-key-routes";
|
|
@@ -1,30 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
/**
|
|
3
|
-
* Creates an Apple Sign In OAuth Provider integration.
|
|
4
|
-
*
|
|
5
|
-
* Apple requires a client secret that is a signed JWT, regenerated on each
|
|
6
|
-
* token exchange (valid up to 6 months). This provider handles that automatically.
|
|
7
|
-
*
|
|
8
|
-
* Required Apple Developer configuration:
|
|
9
|
-
* - Services ID (clientId)
|
|
10
|
-
* - Key ID from the private key registered with Apple
|
|
11
|
-
* - Team ID from Apple Developer account
|
|
12
|
-
* - Private key (.p8 file contents) downloaded from Apple Developer portal
|
|
13
|
-
*/
|
|
14
|
-
export declare function createAppleProvider(config: {
|
|
15
|
-
clientId: string;
|
|
16
|
-
teamId: string;
|
|
17
|
-
keyId: string;
|
|
18
|
-
/** The raw PEM contents of the .p8 private key file */
|
|
19
|
-
privateKey: string;
|
|
20
|
-
}): OAuthProvider<{
|
|
21
|
-
code: string;
|
|
22
|
-
redirectUri: string;
|
|
23
|
-
user?: {
|
|
24
|
-
name?: {
|
|
25
|
-
firstName?: string;
|
|
26
|
-
lastName?: string;
|
|
27
|
-
};
|
|
28
|
-
email?: string;
|
|
29
|
-
};
|
|
30
|
-
}>;
|