@upend/cli 0.1.0

package/src/services/gateway/auth-routes.ts

@@ -0,0 +1,203 @@
+import { Hono } from "hono";
+import { sql } from "../../lib/db";
+import { signToken, getJWKS } from "../../lib/auth";
+
+export const authRoutes = new Hono();
+
+// JWKS endpoint — public, Neon Authorize fetches this to validate JWTs
+authRoutes.get("/.well-known/jwks.json", async (c) => {
+  const jwks = await getJWKS();
+  return c.json(jwks);
+});
+
+// signup
+authRoutes.post("/auth/signup", async (c) => {
+  const { email, password, role } = await c.req.json();
+  console.log(`[auth] signup attempt: ${email}`);
+  if (!email || !password) return c.json({ error: "email and password required" }, 400);
+
+  const passwordHash = await Bun.password.hash(password, { algorithm: "argon2id" });
+
+  try {
+    const [user] = await sql`
+      INSERT INTO users (email, password_hash, role)
+      VALUES (${email}, ${passwordHash}, ${role || "user"})
+      RETURNING id, email, role, created_at
+    `;
+
+    const token = await signToken(user.id, user.email, user.role);
+    return c.json({ user, token }, 201);
+  } catch (err: any) {
+    if (err.code === "23505") return c.json({ error: "email already exists" }, 409);
+    throw err;
+  }
+});
+
+// login
+authRoutes.post("/auth/login", async (c) => {
+  const { email, password } = await c.req.json();
+  console.log(`[auth] login attempt: ${email}`);
+  if (!email || !password) return c.json({ error: "email and password required" }, 400);
+
+  const [user] = await sql`SELECT * FROM users WHERE email = ${email}`;
+  if (!user) return c.json({ error: "invalid credentials" }, 401);
+
+  const valid = await Bun.password.verify(password, user.passwordHash);
+  if (!valid) return c.json({ error: "invalid credentials" }, 401);
+
+  const token = await signToken(user.id, user.email, user.role);
+  return c.json({
+    user: { id: user.id, email: user.email, role: user.role },
+    token,
+  });
+});
+
+// ---------- SSO / OAuth ----------
+// Generic OAuth flow: works with Google, GitHub, Okta, Azure AD, whatever
+// Configure via env: OAUTH_<PROVIDER>_CLIENT_ID, OAUTH_<PROVIDER>_CLIENT_SECRET, etc.
+
+// initiate OAuth login — redirects to provider
+authRoutes.get("/auth/sso/:provider", async (c) => {
+  const provider = c.req.param("provider");
+  const config = getOAuthConfig(provider);
+  if (!config) return c.json({ error: `unknown provider: ${provider}` }, 400);
+
+  const state = crypto.randomUUID();
+  const redirectUri = `${getBaseUrl(c)}/auth/sso/${provider}/callback`;
+
+  // store state for CSRF validation
+  await sql`
+    INSERT INTO oauth_states (state, provider, created_at)
+    VALUES (${state}, ${provider}, now())
+  `;
+
+  const params = new URLSearchParams({
+    client_id: config.clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: config.scope,
+    state,
+  });
+
+  return c.redirect(`${config.authorizeUrl}?${params}`);
+});
+
+// OAuth callback — exchange code for token, find/create user, issue our JWT
+authRoutes.get("/auth/sso/:provider/callback", async (c) => {
+  const provider = c.req.param("provider");
+  const config = getOAuthConfig(provider);
+  if (!config) return c.json({ error: `unknown provider: ${provider}` }, 400);
+
+  const code = c.req.query("code");
+  const state = c.req.query("state");
+
+  if (!code || !state) return c.json({ error: "missing code or state" }, 400);
+
+  // validate state
+  const [stateRow] = await sql`
+    DELETE FROM oauth_states WHERE state = ${state} AND provider = ${provider}
+    AND created_at > now() - interval '10 minutes'
+    RETURNING *
+  `;
+  if (!stateRow) return c.json({ error: "invalid or expired state" }, 400);
+
+  // exchange code for tokens
+  const redirectUri = `${getBaseUrl(c)}/auth/sso/${provider}/callback`;
+  const tokenRes = await fetch(config.tokenUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      code,
+      redirect_uri: redirectUri,
+      grant_type: "authorization_code",
+    }),
+  });
+
+  const tokens = await tokenRes.json() as any;
+  if (!tokens.access_token) return c.json({ error: "token exchange failed", detail: tokens }, 400);
+
+  // get user info from provider
+  const userInfoRes = await fetch(config.userInfoUrl, {
+    headers: { Authorization: `Bearer ${tokens.access_token}` },
+  });
+  const userInfo = await userInfoRes.json() as any;
+
+  const email = userInfo.email || userInfo.mail;
+  if (!email) return c.json({ error: "could not get email from provider" }, 400);
+
+  // find or create user
+  let [user] = await sql`SELECT * FROM users WHERE email = ${email}`;
+  if (!user) {
+    [user] = await sql`
+      INSERT INTO users (email, password_hash, role)
+      VALUES (${email}, ${"sso:" + provider}, 'user')
+      RETURNING *
+    `;
+  }
+
+  // issue OUR JWT — same as email/password login
+  const token = await signToken(user.id, email, user.role);
+
+  // redirect with token (frontend picks it up)
+  const frontendUrl = process.env.FRONTEND_URL || "/";
+  return c.redirect(`${frontendUrl}?token=${token}`);
+});
+
+// ---------- OAuth provider configs ----------
+
+type OAuthConfig = {
+  clientId: string;
+  clientSecret: string;
+  authorizeUrl: string;
+  tokenUrl: string;
+  userInfoUrl: string;
+  scope: string;
+};
+
+function getOAuthConfig(provider: string): OAuthConfig | null {
+  const prefix = `OAUTH_${provider.toUpperCase()}`;
+  const clientId = process.env[`${prefix}_CLIENT_ID`];
+  const clientSecret = process.env[`${prefix}_CLIENT_SECRET`];
+
+  if (!clientId || !clientSecret) return null;
+
+  const providers: Record<string, Omit<OAuthConfig, "clientId" | "clientSecret">> = {
+    google: {
+      authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+      tokenUrl: "https://oauth2.googleapis.com/token",
+      userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+      scope: "email profile",
+    },
+    github: {
+      authorizeUrl: "https://github.com/login/oauth/authorize",
+      tokenUrl: "https://github.com/login/oauth/access_token",
+      userInfoUrl: "https://api.github.com/user",
+      scope: "user:email",
+    },
+    microsoft: {
+      authorizeUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+      tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+      userInfoUrl: "https://graph.microsoft.com/v1.0/me",
+      scope: "openid email profile",
+    },
+  };
+
+  const p = providers[provider];
+  if (!p) {
+    // generic OIDC — provide all URLs via env
+    const authorizeUrl = process.env[`${prefix}_AUTHORIZE_URL`];
+    const tokenUrl = process.env[`${prefix}_TOKEN_URL`];
+    const userInfoUrl = process.env[`${prefix}_USERINFO_URL`];
+    const scope = process.env[`${prefix}_SCOPE`] || "openid email profile";
+    if (!authorizeUrl || !tokenUrl || !userInfoUrl) return null;
+    return { clientId, clientSecret, authorizeUrl, tokenUrl, userInfoUrl, scope };
+  }
+
+  return { clientId, clientSecret, ...p };
+}
+
+function getBaseUrl(c: any): string {
+  return process.env.BASE_URL || `${c.req.url.split("/auth")[0]}`;
+}

package/src/services/gateway/index.ts

@@ -0,0 +1,64 @@
+import { Hono } from "hono";
+import { logger } from "hono/logger";
+import { timing } from "hono/timing";
+import { cors } from "hono/cors";
+import { authRoutes } from "./auth-routes";
+import { sql } from "../../lib/db";
+import { requireAuth } from "../../lib/middleware";
+
+const app = new Hono();
+
+app.use("*", logger());
+app.use("*", timing());
+app.use("*", cors());
+
+app.get("/", (c) => c.json({ service: "api", status: "up", ts: Date.now() }));
+
+// auth routes — signup, login, SSO, JWKS
+app.route("/", authRoutes);
+
+// schema introspection — used by the dashboard
+app.get("/tables", requireAuth, async (c) => {
+  const tables = await sql`
+    SELECT t.tablename as name,
+      (SELECT count(*) FROM information_schema.columns c WHERE c.table_name = t.tablename AND c.table_schema = 'public') as columns
+    FROM pg_tables t WHERE t.schemaname = 'public' AND t.tablename != '_migrations'
+    ORDER BY t.tablename
+  `;
+  return c.json(tables);
+});
+
+app.get("/tables/:name", requireAuth, async (c) => {
+  const name = c.req.param("name");
+  const columns = await sql`
+    SELECT column_name, data_type, is_nullable, column_default
+    FROM information_schema.columns
+    WHERE table_schema = 'public' AND table_name = ${name}
+    ORDER BY ordinal_position
+  `;
+  return c.json(columns);
+});
+
+// data API info — point apps to Neon Data API (PostgREST)
+app.get("/data", (c) => c.json({
+  message: "Use Neon Data API for data access. Configure it in your Neon console.",
+  setup: {
+    steps: [
+      "1. Enable Data API in Neon console for your project",
+      "2. Set JWKS URL to: <your-upend-domain>/.well-known/jwks.json",
+      "3. Set JWT audience to: upend",
+      "4. Data API exposes all tables in the public schema as REST endpoints",
+    ],
+    docs: "https://neon.com/docs/data-api/overview",
+  },
+  schemas: {
+    public: "User-facing tables (things, users) — exposed via Data API",
+    upend: "Internal tables (sessions, messages) — not exposed",
+    auth: "Auth functions (user_id()) — used by RLS policies",
+  },
+}));
+
+const port = Number(process.env.API_PORT) || 3001;
+console.log(`[api] running on :${port}`);
+
+export default { port, fetch: app.fetch };