@sonicjs-cms/core 2.16.0 → 2.17.0

package/dist/{chunk-WLSIUKNM.js → chunk-LZJLWW7E.js}

@@ -1,17 +1,17 @@
-import { getCacheService, CACHE_CONFIGS, SettingsService, getLogger, getAppInstance, buildRouteList, CATEGORY_INFO } from './chunk-TBJY2FF7.js';
-import { requireAuth, requireRole, isPluginActive, optionalAuth, rateLimit, AuthManager, logActivity, generateCsrfToken } from './chunk-Y5EH32F5.js';
-import { PluginService, PLUGIN_REGISTRY, findPluginByCodeName, createContentFromSubmission } from './chunk-INSDRCG3.js';
-import { MigrationService } from './chunk-VFQUULAV.js';
+import { getCacheService, CACHE_CONFIGS, SettingsService, getLogger, getAppInstance, buildRouteList, CATEGORY_INFO } from './chunk-QFWHAFEO.js';
+import { requireAuth, requireRole, isPluginActive, optionalAuth, rateLimit, AuthManager, getJwtExpirySecondsFromDb, getJwtRefreshGraceSecondsFromDb, logActivity, generateCsrfToken } from './chunk-S7K4FRJ2.js';
+import { PluginService, PLUGIN_REGISTRY, findPluginByCodeName, createContentFromSubmission } from './chunk-FDXNIZ6N.js';
+import { MigrationService } from './chunk-NMJT6BJR.js';
 import { renderDesignPage, renderCheckboxPage, renderTestimonialsList, renderCodeExamplesList, renderAlert, renderTable, renderPagination, renderConfirmationDialog, getConfirmationDialogScript, renderAdminLayout, adminLayoutV2, renderForm } from './chunk-XWIA3HVX.js';
 import { init_admin_layout_catalyst_template, renderAdminLayoutCatalyst } from './chunk-55RDMDOP.js';
 import { PluginBuilder, TurnstileService } from './chunk-EXNEW5US.js';
-import { QueryFilterBuilder, getCoreVersion, getBlocksFieldConfig, parseBlocksValue } from './chunk-MVSCB4E3.js';
+import { QueryFilterBuilder, getCoreVersion, getBlocksFieldConfig, parseBlocksValue } from './chunk-6F57Z6SD.js';
 import { metricsTracker } from './chunk-FICTAGD4.js';
 import { escapeHtml, sanitizeRichText, sanitizeInput } from './chunk-TQABQWOP.js';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import { z } from 'zod';
-import { setCookie } from 'hono/cookie';
+import { setCookie, getCookie } from 'hono/cookie';
 import { html, raw } from 'hono/html';
 
 // src/schemas/index.ts
@@ -2351,7 +2351,7 @@ adminApiRoutes.delete("/collections/:id", async (c) => {
 });
 adminApiRoutes.get("/migrations/status", async (c) => {
   try {
-    const { MigrationService: MigrationService2 } = await import('./migrations-7HQ7LYAL.js');
+    const { MigrationService: MigrationService2 } = await import('./migrations-HQI62CAO.js');
     const db = c.env.DB;
     const migrationService = new MigrationService2(db);
     const status = await migrationService.getMigrationStatus();
@@ -2376,7 +2376,7 @@ adminApiRoutes.post("/migrations/run", async (c) => {
         error: "Unauthorized. Admin access required."
       }, 403);
     }
-    const { MigrationService: MigrationService2 } = await import('./migrations-7HQ7LYAL.js');
+    const { MigrationService: MigrationService2 } = await import('./migrations-HQI62CAO.js');
     const db = c.env.DB;
     const migrationService = new MigrationService2(db);
     const result = await migrationService.runPendingMigrations();
@@ -2398,7 +2398,7 @@ adminApiRoutes.post("/migrations/run", async (c) => {
 });
 adminApiRoutes.get("/migrations/validate", async (c) => {
   try {
-    const { MigrationService: MigrationService2 } = await import('./migrations-7HQ7LYAL.js');
+    const { MigrationService: MigrationService2 } = await import('./migrations-HQI62CAO.js');
     const db = c.env.DB;
     const migrationService = new MigrationService2(db);
     const validation = await migrationService.validateSchema();
@@ -5148,16 +5148,17 @@ var userProfilesPlugin = createUserProfilesPlugin();
 
 // src/routes/auth.ts
 var JWT_SECRET_FALLBACK = "your-super-secret-jwt-key-change-in-production";
-async function setCsrfCookie(c) {
+async function setCsrfCookie(c, maxAge) {
   const secret = c.env?.JWT_SECRET || JWT_SECRET_FALLBACK;
   const isDev = c.env?.ENVIRONMENT === "development" || !c.env?.ENVIRONMENT;
   const csrfToken = await generateCsrfToken(secret);
+  const cookieMaxAge = await getJwtExpirySecondsFromDb(c.env?.DB, c.env);
   setCookie(c, "csrf_token", csrfToken, {
     httpOnly: false,
     secure: !isDev,
     sameSite: "Strict",
     path: "/",
-    maxAge: 86400
+    maxAge: cookieMaxAge
   });
 }
 function clearCsrfCookie(c) {
@@ -5279,13 +5280,13 @@ authRoutes.post(
           await saveCustomData(db, userId, sanitized);
         }
       }
-      const token = await AuthManager.generateToken(userId, normalizedEmail, "viewer", c.env.JWT_SECRET);
+      const tokenTtl = await getJwtExpirySecondsFromDb(c.env.DB, c.env);
+      const token = await AuthManager.generateToken(userId, normalizedEmail, "viewer", c.env.JWT_SECRET, tokenTtl);
       setCookie(c, "auth_token", token, {
         httpOnly: true,
         secure: true,
         sameSite: "Strict",
-        maxAge: 60 * 60 * 24
-        // 24 hours
+        maxAge: tokenTtl
       });
       await setCsrfCookie(c);
       return c.json({
@@ -5348,13 +5349,13 @@ authRoutes.post(
           console.error("Password rehash failed (non-fatal):", rehashError);
         }
       }
-      const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET);
+      const tokenTtl = await getJwtExpirySecondsFromDb(c.env.DB, c.env);
+      const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET, tokenTtl);
       setCookie(c, "auth_token", token, {
         httpOnly: true,
         secure: true,
         sameSite: "Strict",
-        maxAge: 60 * 60 * 24
-        // 24 hours
+        maxAge: tokenTtl
       });
       await setCsrfCookie(c);
       await db.prepare("UPDATE users SET last_login_at = ? WHERE id = ?").bind((/* @__PURE__ */ new Date()).getTime(), user.id).run();
@@ -5418,27 +5419,45 @@ authRoutes.get("/me", requireAuth(), async (c) => {
     return c.json({ error: "Failed to get user" }, 500);
   }
 });
-authRoutes.post("/refresh", requireAuth(), async (c) => {
-  try {
-    const user = c.get("user");
-    if (!user) {
-      return c.json({ error: "Not authenticated" }, 401);
+authRoutes.post(
+  "/refresh",
+  rateLimit({ max: 60, windowMs: 60 * 1e3, keyPrefix: "refresh" }),
+  async (c) => {
+    try {
+      let token = c.req.header("Authorization")?.replace("Bearer ", "");
+      if (!token) token = getCookie(c, "auth_token");
+      if (!token) {
+        return c.json({ error: "Authentication required" }, 401);
+      }
+      const db = c.env.DB;
+      const grace = await getJwtRefreshGraceSecondsFromDb(db, c.env);
+      const payload = await AuthManager.verifyToken(token, c.env.JWT_SECRET, grace);
+      if (!payload) {
+        return c.json({ error: "Invalid or expired token" }, 401);
+      }
+      const row = await db.prepare("SELECT id, email, role, is_active FROM users WHERE id = ?").bind(payload.userId).first();
+      if (!row || !row.is_active) {
+        return c.json({ error: "User is not active" }, 401);
+      }
+      const tokenTtl = await getJwtExpirySecondsFromDb(db, c.env);
+      const newToken = await AuthManager.generateToken(row.id, row.email, row.role, c.env.JWT_SECRET, tokenTtl);
+      setCookie(c, "auth_token", newToken, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "Strict",
+        maxAge: tokenTtl
+      });
+      await setCsrfCookie(c);
+      return c.json({
+        token: newToken,
+        expiresIn: tokenTtl
+      });
+    } catch (error) {
+      console.error("Token refresh error:", error);
+      return c.json({ error: "Token refresh failed" }, 500);
     }
-    const token = await AuthManager.generateToken(user.userId, user.email, user.role, c.env.JWT_SECRET);
-    setCookie(c, "auth_token", token, {
-      httpOnly: true,
-      secure: true,
-      sameSite: "Strict",
-      maxAge: 60 * 60 * 24
-      // 24 hours
-    });
-    await setCsrfCookie(c);
-    return c.json({ token });
-  } catch (error) {
-    console.error("Token refresh error:", error);
-    return c.json({ error: "Token refresh failed" }, 500);
   }
-});
+);
 authRoutes.post(
   "/register/form",
   rateLimit({ max: 30, windowMs: 60 * 1e3, keyPrefix: "register" }),
@@ -5523,14 +5542,14 @@ authRoutes.post(
           await saveCustomData(db, userId, sanitized);
         }
       }
-      const token = await AuthManager.generateToken(userId, normalizedEmail, role, c.env.JWT_SECRET);
+      const tokenTtl = await getJwtExpirySecondsFromDb(c.env.DB, c.env);
+      const token = await AuthManager.generateToken(userId, normalizedEmail, role, c.env.JWT_SECRET, tokenTtl);
       setCookie(c, "auth_token", token, {
         httpOnly: true,
         secure: false,
         // Set to true in production with HTTPS
         sameSite: "Strict",
-        maxAge: 60 * 60 * 24
-        // 24 hours
+        maxAge: tokenTtl
       });
       await setCsrfCookie(c);
       const redirectUrl = role === "admin" ? "/admin/dashboard" : "/admin/dashboard";
@@ -5596,14 +5615,14 @@ authRoutes.post(
           console.error("Password rehash failed (non-fatal):", rehashError);
         }
       }
-      const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET);
+      const tokenTtl = await getJwtExpirySecondsFromDb(c.env.DB, c.env);
+      const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET, tokenTtl);
       setCookie(c, "auth_token", token, {
         httpOnly: true,
         secure: false,
         // Set to true in production with HTTPS
         sameSite: "Strict",
-        maxAge: 60 * 60 * 24
-        // 24 hours
+        maxAge: tokenTtl
       });
       await setCsrfCookie(c);
       await db.prepare("UPDATE users SET last_login_at = ? WHERE id = ?").bind((/* @__PURE__ */ new Date()).getTime(), user.id).run();
@@ -5912,13 +5931,13 @@ authRoutes.post("/accept-invitation", async (c) => {
       Date.now(),
       invitedUser.id
     ).run();
-    const authToken = await AuthManager.generateToken(invitedUser.id, invitedUser.email, invitedUser.role, c.env.JWT_SECRET);
+    const tokenTtl = await getJwtExpirySecondsFromDb(c.env.DB, c.env);
+    const authToken = await AuthManager.generateToken(invitedUser.id, invitedUser.email, invitedUser.role, c.env.JWT_SECRET, tokenTtl);
     setCookie(c, "auth_token", authToken, {
       httpOnly: true,
       secure: true,
       sameSite: "Strict",
-      maxAge: 60 * 60 * 24
-      // 24 hours
+      maxAge: tokenTtl
     });
     await setCsrfCookie(c);
     return c.redirect("/admin/dashboard?welcome=true");
@@ -24239,6 +24258,43 @@ function renderSettingsPage(data) {
         }
       }
 
+      async function saveSecuritySettings() {
+        const formData = new FormData();
+        const expiry = document.getElementById('jwtExpiresIn');
+        const grace = document.getElementById('jwtRefreshGraceSeconds');
+        if (expiry) formData.append('jwtExpiresIn', expiry.value);
+        if (grace) formData.append('jwtRefreshGraceSeconds', grace.value);
+
+        const saveBtn = document.querySelector('button[onclick="saveSecuritySettings()"]');
+        const originalText = saveBtn ? saveBtn.innerHTML : '';
+        if (saveBtn) {
+          saveBtn.innerHTML = '<svg class="animate-spin -ml-0.5 mr-1.5 h-5 w-5 inline" fill="none" stroke="currentColor" viewBox="0 0 24 24"><circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle><path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4z"></path></svg>Saving...';
+          saveBtn.disabled = true;
+        }
+
+        try {
+          const response = await fetch('/admin/settings/security', {
+            method: 'POST',
+            body: formData
+          });
+          const result = await response.json();
+          if (result.success) {
+            showNotification(result.message || 'Security settings saved successfully!', 'success');
+          } else {
+            showNotification(result.error || 'Failed to save security settings', 'error');
+          }
+        } catch (error) {
+          console.error('Error saving security settings:', error);
+          showNotification('Failed to save security settings. Please try again.', 'error');
+        } finally {
+          if (saveBtn) {
+            saveBtn.innerHTML = originalText;
+            saveBtn.disabled = false;
+          }
+        }
+      }
+      window.saveSecuritySettings = saveSecuritySettings;
+
       // Migration functions
       window.refreshMigrationStatus = async function() {
         try {
@@ -24821,9 +24877,71 @@ function renderAppearanceSettings(settings) {
   `;
 }
 function renderSecuritySettings(settings) {
+  const jwtExpiresIn = settings?.jwtExpiresIn ?? "30d";
+  const jwtRefreshGraceSeconds = typeof settings?.jwtRefreshGraceSeconds === "number" ? settings.jwtRefreshGraceSeconds : 60 * 60 * 24 * 7;
   return `
     <div class="space-y-6">
-      <!-- WIP Notice -->
+      <!-- Session / JWT card (live) -->
+      <div class="rounded-lg bg-white dark:bg-white/5 p-6 ring-1 ring-inset ring-zinc-950/5 dark:ring-white/10">
+        <h3 class="text-lg/7 font-semibold text-zinc-950 dark:text-white">Session / JWT</h3>
+        <p class="mt-1 text-sm/6 text-zinc-500 dark:text-zinc-400">
+          Configure how long a signed-in session lasts and how long an expired token can still be refreshed.
+          The <code class="text-xs">JWT_EXPIRES_IN</code> and <code class="text-xs">JWT_REFRESH_GRACE_SECONDS</code>
+          environment variables, when set, override the values below.
+        </p>
+
+        <div class="mt-6 grid grid-cols-1 md:grid-cols-2 gap-6">
+          <div>
+            <label for="jwtExpiresIn" class="block text-sm/6 font-medium text-zinc-950 dark:text-white mb-2">
+              JWT Expiration
+            </label>
+            <input
+              type="text"
+              id="jwtExpiresIn"
+              name="jwtExpiresIn"
+              value="${jwtExpiresIn}"
+              placeholder="30d"
+              class="w-full rounded-lg bg-white dark:bg-white/5 px-3 py-2 text-sm/6 text-zinc-950 dark:text-white ring-1 ring-inset ring-zinc-950/10 dark:ring-white/10 placeholder:text-zinc-500 dark:placeholder:text-zinc-400 focus:ring-2 focus:ring-inset focus:ring-indigo-500 dark:focus:ring-indigo-400"
+            />
+            <p class="mt-1 text-xs text-zinc-500 dark:text-zinc-400">
+              Accepts <code>30d</code>, <code>12h</code>, <code>3600s</code>, or bare seconds. Default: 30 days.
+            </p>
+          </div>
+
+          <div>
+            <label for="jwtRefreshGraceSeconds" class="block text-sm/6 font-medium text-zinc-950 dark:text-white mb-2">
+              Refresh Grace Window (seconds)
+            </label>
+            <input
+              type="number"
+              id="jwtRefreshGraceSeconds"
+              name="jwtRefreshGraceSeconds"
+              value="${jwtRefreshGraceSeconds}"
+              min="0"
+              max="7776000"
+              class="w-full rounded-lg bg-white dark:bg-white/5 px-3 py-2 text-sm/6 text-zinc-950 dark:text-white ring-1 ring-inset ring-zinc-950/10 dark:ring-white/10 placeholder:text-zinc-500 dark:placeholder:text-zinc-400 focus:ring-2 focus:ring-inset focus:ring-indigo-500 dark:focus:ring-indigo-400"
+            />
+            <p class="mt-1 text-xs text-zinc-500 dark:text-zinc-400">
+              How long an expired token can still be exchanged at <code>/auth/refresh</code>. Default: 604800 (7 days).
+            </p>
+          </div>
+        </div>
+
+        <div class="mt-6 pt-4 border-t border-zinc-950/5 dark:border-white/10 flex justify-end">
+          <button
+            type="button"
+            onclick="saveSecuritySettings()"
+            class="inline-flex items-center justify-center rounded-lg bg-zinc-950 dark:bg-white px-3.5 py-2.5 text-sm font-semibold text-white dark:text-zinc-950 hover:bg-zinc-800 dark:hover:bg-zinc-100 transition-colors shadow-sm"
+          >
+            <svg class="-ml-0.5 mr-1.5 h-5 w-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+            </svg>
+            Save Session Settings
+          </button>
+        </div>
+      </div>
+
+      <!-- WIP Notice for remaining fields -->
       <div class="rounded-lg bg-blue-50 dark:bg-blue-950/20 p-6 ring-1 ring-inset ring-blue-600/20 dark:ring-blue-500/30">
         <div class="flex items-start space-x-3">
           <svg class="w-6 h-6 text-blue-600 dark:text-blue-400 mt-0.5 flex-shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24">
@@ -24832,7 +24950,7 @@ function renderSecuritySettings(settings) {
           <div class="flex-1">
             <h4 class="text-base/7 font-semibold text-blue-900 dark:text-blue-300">Work in Progress</h4>
             <p class="mt-1 text-sm/6 text-blue-700 dark:text-blue-200">
-              This settings section is currently under development and provided for reference and design feedback only. Changes made here will not be saved.
+              The fields below are under development and provided for reference and design feedback only. Changes made here will not be saved.
             </p>
           </div>
         </div>
@@ -25717,15 +25835,24 @@ adminSettingsRoutes.get("/appearance", (c) => {
   };
   return c.html(renderSettingsPage(pageData));
 });
-adminSettingsRoutes.get("/security", (c) => {
+adminSettingsRoutes.get("/security", async (c) => {
   const user = c.get("user");
+  const db = c.env.DB;
+  const settingsService = new SettingsService(db);
+  const persisted = await settingsService.getSecuritySettings();
+  const mockSettings = getMockSettings(user);
+  mockSettings.security = {
+    ...mockSettings.security,
+    jwtExpiresIn: persisted.jwtExpiresIn,
+    jwtRefreshGraceSeconds: persisted.jwtRefreshGraceSeconds
+  };
   const pageData = {
     user: user ? {
       name: user.email,
       email: user.email,
       role: user.role
     } : void 0,
-    settings: getMockSettings(user),
+    settings: mockSettings,
     activeTab: "security",
     version: c.get("appVersion")
   };
@@ -26036,6 +26163,55 @@ adminSettingsRoutes.post("/general", async (c) => {
     }, 500);
   }
 });
+adminSettingsRoutes.post("/security", async (c) => {
+  try {
+    const user = c.get("user");
+    if (!user || user.role !== "admin") {
+      return c.json({
+        success: false,
+        error: "Unauthorized. Admin access required."
+      }, 403);
+    }
+    const formData = await c.req.formData();
+    const db = c.env.DB;
+    const settingsService = new SettingsService(db);
+    const jwtExpiresInRaw = formData.get("jwtExpiresIn")?.trim() || "";
+    const graceRaw = formData.get("jwtRefreshGraceSeconds")?.trim() || "";
+    if (!/^\d+(?:s|m|h|d)?$/i.test(jwtExpiresInRaw)) {
+      return c.json({
+        success: false,
+        error: "JWT expiration must be a number optionally suffixed with s/m/h/d (e.g. 30d, 12h, 3600)."
+      }, 400);
+    }
+    const graceSeconds = Number.parseInt(graceRaw, 10);
+    if (!Number.isFinite(graceSeconds) || graceSeconds < 0 || graceSeconds > 60 * 60 * 24 * 90) {
+      return c.json({
+        success: false,
+        error: "Refresh grace must be an integer between 0 and 7776000 seconds (90 days)."
+      }, 400);
+    }
+    const success = await settingsService.saveSecuritySettings({
+      jwtExpiresIn: jwtExpiresInRaw,
+      jwtRefreshGraceSeconds: graceSeconds
+    });
+    if (success) {
+      return c.json({
+        success: true,
+        message: "Security settings saved successfully!"
+      });
+    }
+    return c.json({
+      success: false,
+      error: "Failed to save settings"
+    }, 500);
+  } catch (error) {
+    console.error("Error saving security settings:", error);
+    return c.json({
+      success: false,
+      error: "Failed to save settings. Please try again."
+    }, 500);
+  }
+});
 adminSettingsRoutes.post("/", async (c) => {
   return c.redirect("/admin/settings/general");
 });
@@ -28960,5 +29136,5 @@ var ROUTES_INFO = {
 };
 
 export { ROUTES_INFO, adminCheckboxRoutes, adminCollectionsRoutes, adminDesignRoutes, adminFormsRoutes, adminLogsRoutes, adminMediaRoutes, adminPluginRoutes, adminSettingsRoutes, admin_api_default, admin_code_examples_default, admin_content_default, admin_testimonials_default, api_content_crud_default, api_default, api_media_default, api_system_default, auth_default, createUserProfilesPlugin, defineUserProfile, getConfirmationDialogScript2 as getConfirmationDialogScript, getUserProfileConfig, public_forms_default, renderConfirmationDialog2 as renderConfirmationDialog, router, router2, test_cleanup_default, userProfilesPlugin, userRoutes };
-//# sourceMappingURL=chunk-WLSIUKNM.js.map
-//# sourceMappingURL=chunk-WLSIUKNM.js.map
+//# sourceMappingURL=chunk-LZJLWW7E.js.map
+//# sourceMappingURL=chunk-LZJLWW7E.js.map