@vltpkg/vsr 0.2.0

package/src/routes/access.ts

@@ -0,0 +1,263 @@
+import { getAuthedUser } from '../utils/auth.ts'
+import { parsePackageSpec } from '../utils/upstream.ts'
+import type {
+  HonoContext,
+  AccessRequest,
+  AccessResponse,
+  TokenScope,
+  AuthUser
+} from '../../types.ts'
+
+interface PackageAccessEntry {
+  name: string
+  collaborators: Record<string, 'read-only' | 'read-write'>
+}
+
+interface PackageListResponse {
+  packages: PackageAccessEntry[]
+  total: number
+}
+
+/**
+ * Lists all packages the authenticated user has access to
+ */
+export async function listPackagesAccess(c: HonoContext) {
+  try {
+    const user = await getAuthedUser({ c })
+    if (!user?.uuid) {
+      return c.json({ error: 'Authentication required' }, 401)
+    }
+
+    // For now, return empty list - this would need to be implemented
+    // based on your specific access control requirements
+    const response: PackageListResponse = {
+      packages: [],
+      total: 0
+    }
+
+    return c.json(response)
+  } catch (error) {
+    console.error('[ACCESS ERROR] Failed to list packages:', error)
+    return c.json({ error: 'Failed to list packages' }, 500)
+  }
+}
+
+/**
+ * Gets the access status for a specific package
+ */
+export async function getPackageAccessStatus(c: HonoContext) {
+  try {
+    const { scope, pkg } = c.req.param()
+    const packageName = scope && pkg ? `${scope}/${pkg}` : scope
+
+    if (!packageName) {
+      return c.json({ error: 'Package name required' }, 400)
+    }
+
+    const user = await getAuthedUser({ c })
+    if (!user?.uuid) {
+      return c.json({ error: 'Authentication required' }, 401)
+    }
+
+    // Check if user has access to this package
+    const hasAccess = await checkPackageAccess(c, packageName, user)
+
+    if (!hasAccess) {
+      return c.json({ error: 'Access denied' }, 403)
+    }
+
+    // Return package access information
+    const response: AccessResponse = {
+      name: packageName,
+      collaborators: {
+        [user.uuid]: 'read-write' // Default the owner to read-write
+      }
+    }
+
+    return c.json(response)
+  } catch (error) {
+    console.error('[ACCESS ERROR] Failed to get package access:', error)
+    return c.json({ error: 'Failed to get package access' }, 500)
+  }
+}
+
+/**
+ * Sets the access status for a specific package
+ */
+export async function setPackageAccessStatus(c: HonoContext) {
+  try {
+    const { scope, pkg } = c.req.param()
+    const packageName = scope && pkg ? `${scope}/${pkg}` : scope
+
+    if (!packageName) {
+      return c.json({ error: 'Package name required' }, 400)
+    }
+
+    const user = await getAuthedUser({ c })
+    if (!user?.uuid) {
+      return c.json({ error: 'Authentication required' }, 401)
+    }
+
+    const body = await c.req.json() as { collaborators: Record<string, 'read-only' | 'read-write'> }
+
+    // Check if user has admin access to this package
+    const hasAdminAccess = await checkPackageAdminAccess(c, packageName, user)
+
+    if (!hasAdminAccess) {
+      return c.json({ error: 'Admin access required' }, 403)
+    }
+
+    // Update package access (this would need to be implemented in your database)
+    // For now, just return the requested access
+    const response: AccessResponse = {
+      name: packageName,
+      collaborators: body.collaborators || {}
+    }
+
+    return c.json(response)
+  } catch (error) {
+    console.error('[ACCESS ERROR] Failed to set package access:', error)
+    return c.json({ error: 'Failed to set package access' }, 500)
+  }
+}
+
+/**
+ * Grants access to a user for a specific package
+ */
+export async function grantPackageAccess(c: HonoContext) {
+  try {
+    const { scope, pkg, username } = c.req.param()
+    const packageName = scope && pkg ? `${scope}/${pkg}` : scope
+
+    if (!packageName || !username) {
+      return c.json({ error: 'Package name and username required' }, 400)
+    }
+
+    const user = await getAuthedUser({ c })
+    if (!user?.uuid) {
+      return c.json({ error: 'Authentication required' }, 401)
+    }
+
+    const body = await c.req.json() as AccessRequest
+
+    // Check if user has admin access to this package
+    const hasAdminAccess = await checkPackageAdminAccess(c, packageName, user)
+
+    if (!hasAdminAccess) {
+      return c.json({ error: 'Admin access required' }, 403)
+    }
+
+    // Grant access (this would need to be implemented in your database)
+    // For now, just return success
+    const response: AccessResponse = {
+      name: packageName,
+      collaborators: {
+        [user.uuid]: 'read-write',
+        [username]: body.permission
+      }
+    }
+
+    return c.json(response)
+  } catch (error) {
+    console.error('[ACCESS ERROR] Failed to grant package access:', error)
+    return c.json({ error: 'Failed to grant package access' }, 500)
+  }
+}
+
+/**
+ * Revokes access from a user for a specific package
+ */
+export async function revokePackageAccess(c: HonoContext) {
+  try {
+    const { scope, pkg, username } = c.req.param()
+    const packageName = scope && pkg ? `${scope}/${pkg}` : scope
+
+    if (!packageName || !username) {
+      return c.json({ error: 'Package name and username required' }, 400)
+    }
+
+    const user = await getAuthedUser({ c })
+    if (!user?.uuid) {
+      return c.json({ error: 'Authentication required' }, 401)
+    }
+
+    // Check if user has admin access to this package
+    const hasAdminAccess = await checkPackageAdminAccess(c, packageName, user)
+
+    if (!hasAdminAccess) {
+      return c.json({ error: 'Admin access required' }, 403)
+    }
+
+    // Prevent users from revoking their own access
+    if (username === user.uuid) {
+      return c.json({ error: 'Cannot revoke your own access' }, 400)
+    }
+
+    // Revoke access (this would need to be implemented in your database)
+    // For now, just return success
+    const response: AccessResponse = {
+      name: packageName,
+      collaborators: {
+        [user.uuid]: 'read-write'
+        // username removed from collaborators
+      }
+    }
+
+    return c.json(response)
+  } catch (error) {
+    console.error('[ACCESS ERROR] Failed to revoke package access:', error)
+    return c.json({ error: 'Failed to revoke package access' }, 500)
+  }
+}
+
+/**
+ * Helper function to check if user has access to a package
+ */
+async function checkPackageAccess(c: HonoContext, packageName: string, user: AuthUser): Promise<boolean> {
+  if (!user.scope || !user.uuid) {
+    return false
+  }
+
+  // Check if user has global access or specific package access
+  for (const scope of user.scope) {
+    if (scope.types.pkg) {
+      // Check for global access
+      if (scope.values.includes('*') && scope.types.pkg.read) {
+        return true
+      }
+
+      // Check for specific package access
+      if (scope.values.includes(packageName) && scope.types.pkg.read) {
+        return true
+      }
+    }
+  }
+
+  return false
+}
+
+/**
+ * Helper function to check if user has admin access to a package
+ */
+async function checkPackageAdminAccess(c: HonoContext, packageName: string, user: AuthUser): Promise<boolean> {
+  if (!user.scope || !user.uuid) {
+    return false
+  }
+
+  // Check if user has global write access or specific package write access
+  for (const scope of user.scope) {
+    if (scope.types.pkg) {
+      // Check for global write access
+      if (scope.values.includes('*') && scope.types.pkg.write) {
+        return true
+      }
+
+      // Check for specific package write access
+      if (scope.values.includes(packageName) && scope.types.pkg.write) {
+        return true
+      }
+    }
+  }
+
+  return false
+}

package/src/routes/auth.ts

@@ -0,0 +1,93 @@
+import { setSignedCookie, getSignedCookie } from 'hono/cookie'
+import { WorkOS } from '@workos-inc/node'
+import type { HonoContext, WorkOSUser, WorkOSAuthResponse, WorkOSAuthResult } from '../../types.ts'
+
+export async function requiresAuth(c: HonoContext, next: () => Promise<void>) {
+  const workos = new WorkOS(c.env.WORKOS_API_KEY, {
+    clientId: c.env.WORKOS_CLIENT_ID
+  })
+
+  try {
+    const sessionData = await getSignedCookie(c, c.env.WORKOS_COOKIE_PASSWORD, 'wos')
+    if (!sessionData) {
+      return c.redirect('/?error=no_session')
+    }
+
+    const session = await workos.userManagement.loadSealedSession({
+      sessionData,
+      cookiePassword: c.env.WORKOS_COOKIE_PASSWORD,
+    })
+
+    const authResponse = await session.authenticate() as WorkOSAuthResponse
+
+    if (authResponse.authenticated) {
+      // User is authenticated and session data can be used
+      const { sessionId, organizationId, role, permissions, user } = authResponse
+      c.set('user', user)
+      console.log('logged in user', user)
+    } else {
+      if (authResponse.reason === 'no_session_cookie_provided') {
+        // Redirect the user to the login page
+        return c.redirect('/?error=unauthorized')
+      }
+      return c.redirect('/?error=authentication_failed')
+    }
+  } catch (error) {
+    console.error('Auth error:', error)
+    return c.redirect('/?error=auth_error')
+  }
+
+  await next()
+}
+
+export async function handleLogin(c: HonoContext) {
+  const workos = new WorkOS(c.env.WORKOS_API_KEY, {
+    clientId: c.env.WORKOS_CLIENT_ID,
+  })
+
+  const authorizationUrl = workos.userManagement.getAuthorizationUrl({
+    provider: c.env.WORKOS_PROVIDER,
+    redirectUri: c.env.WORKOS_REDIRECT_URI,
+    clientId: c.env.WORKOS_CLIENT_ID,
+  })
+
+  return c.redirect(authorizationUrl)
+}
+
+export async function handleCallback(c: HonoContext) {
+  const workos = new WorkOS(c.env.WORKOS_API_KEY, {
+    clientId: c.env.WORKOS_CLIENT_ID,
+  })
+
+  const code = c.req.query('code')
+  console.log('code', code)
+
+  if (!code) {
+    return c.redirect('/?error=no_code')
+  }
+
+  try {
+    const res = await workos.userManagement.authenticateWithCode({
+      code,
+      clientId: c.env.WORKOS_CLIENT_ID,
+      session: {
+        sealSession: true,
+        cookiePassword: c.env.WORKOS_COOKIE_PASSWORD
+      }
+    }) as WorkOSAuthResult
+
+    console.log('res', res)
+
+    if (!res.user) {
+      return c.redirect('/?error=user_not_found')
+    }
+
+    console.log('user code', res.sealedSession)
+    await setSignedCookie(c, 'wos', res.sealedSession, c.env.WORKOS_COOKIE_PASSWORD)
+
+    return c.json({ user: res.user })
+  } catch (error) {
+    console.error('Callback error:', error)
+    return c.redirect('/?error=code_error')
+  }
+}

package/src/routes/index.ts

@@ -0,0 +1,135 @@
+import type { Hono } from 'hono'
+import type { Environment } from '../../types.ts'
+
+// Import all route handlers
+import { getUsername, getUserProfile } from './users.ts'
+import { searchPackages } from './search.ts'
+import { handleStaticAssets, handleFavicon, handleRobots, handleManifest } from './static.ts'
+import { getToken, postToken, putToken, deleteToken } from './tokens.ts'
+import { requiresAuth, handleLogin, handleCallback } from './auth.ts'
+import {
+  listPackagesAccess,
+  getPackageAccessStatus,
+  setPackageAccessStatus,
+  grantPackageAccess,
+  revokePackageAccess
+} from './access.ts'
+import {
+  getPackageTarball,
+  getPackagePackument
+} from './packages.ts'
+
+type HonoApp = Hono<{ Bindings: Environment }>
+
+/**
+ * Add user-related routes to the app
+ */
+export function addUserRoutes(app: HonoApp) {
+  app.get('/-/whoami', getUsername as any)
+  app.get('/-/user', getUserProfile as any)
+}
+
+/**
+ * Add search routes to the app
+ */
+export function addSearchRoutes(app: HonoApp) {
+  app.get('/-/search', searchPackages as any)
+}
+
+/**
+ * Add static asset routes to the app
+ */
+export function addStaticRoutes(app: HonoApp) {
+  app.get('/public/*', handleStaticAssets as any)
+  app.get('/favicon.ico', handleFavicon as any)
+  app.get('/robots.txt', handleRobots as any)
+  app.get('/manifest.json', handleManifest as any)
+}
+
+/**
+ * Add token management routes to the app
+ */
+export function addTokenRoutes(app: HonoApp) {
+  app.get('/-/tokens/:token', getToken as any)
+  app.post('/-/tokens', postToken as any)
+  app.put('/-/tokens/:token', putToken as any)
+  app.delete('/-/tokens/:token', deleteToken as any)
+}
+
+/**
+ * Add authentication routes to the app
+ */
+export function addAuthRoutes(app: HonoApp) {
+  app.get('/-/auth/login', handleLogin as any)
+  app.get('/-/auth/callback', handleCallback as any)
+  app.use('/-/auth/user', requiresAuth as any)
+}
+
+/**
+ * Add package access management routes to the app
+ */
+export function addAccessRoutes(app: HonoApp) {
+  // Package access list
+  app.get('/-/package/list', listPackagesAccess as any)
+
+  // Package access status (unscoped)
+  app.get('/-/package/:pkg/access', getPackageAccessStatus as any)
+  app.put('/-/package/:pkg/access', setPackageAccessStatus as any)
+
+  // Package access status (scoped)
+  app.get('/-/package/:scope%2f:pkg/access', getPackageAccessStatus as any)
+  app.put('/-/package/:scope%2f:pkg/access', setPackageAccessStatus as any)
+
+  // Package collaborators (unscoped)
+  app.put('/-/package/:pkg/collaborators/:username', grantPackageAccess as any)
+  app.delete('/-/package/:pkg/collaborators/:username', revokePackageAccess as any)
+
+  // Package collaborators (scoped)
+  app.put('/-/package/:scope%2f:pkg/collaborators/:username', grantPackageAccess as any)
+  app.delete('/-/package/:scope%2f:pkg/collaborators/:username', revokePackageAccess as any)
+}
+
+/**
+ * Add package routes to the app
+ */
+export function addPackageRoutes(app: HonoApp) {
+  // Package tarball routes
+  app.get('/:scope/:pkg/-/:tarball', getPackageTarball as any)
+  app.get('/:pkg/-/:tarball', getPackageTarball as any)
+
+    // Package packument routes (full package metadata)
+  app.get('/:scope/:pkg', getPackagePackument as any)
+  app.get('/:pkg', getPackagePackument as any)
+
+  // Note: Additional package routes (manifest, publishing, dist-tags) would be added here
+  // They are partially converted in packages.ts but need to be completed
+
+  // Placeholder for remaining package functionality
+  app.all('/*', (c) => c.json({
+    error: 'Package route not fully implemented',
+    message: 'Some package routes are converted but not all functions are exported yet'
+  }, 501) as any)
+}
+
+// Re-export all route handlers for direct use
+export {
+  getUsername,
+  getUserProfile,
+  searchPackages,
+  handleStaticAssets,
+  handleFavicon,
+  handleRobots,
+  handleManifest,
+  getToken,
+  postToken,
+  putToken,
+  deleteToken,
+  requiresAuth,
+  handleLogin,
+  handleCallback,
+  listPackagesAccess,
+  getPackageAccessStatus,
+  setPackageAccessStatus,
+  grantPackageAccess,
+  revokePackageAccess
+}