@zooid/server 0.0.1

package/src/middleware/auth.ts

@@ -0,0 +1,103 @@
+import { createMiddleware } from 'hono/factory';
+import type { Bindings, Variables, ZooidJWT } from '../types';
+import { verifyToken } from '../lib/jwt';
+
+type Env = { Bindings: Bindings; Variables: Variables };
+
+export function requireAuth() {
+  return createMiddleware<Env>(async (c, next) => {
+    const authHeader = c.req.header('Authorization');
+    if (!authHeader?.startsWith('Bearer ')) {
+      return c.json({ error: 'Missing or invalid Authorization header' }, 401);
+    }
+
+    const token = authHeader.slice(7);
+    try {
+      const payload = await verifyToken(token, c.env.ZOOID_JWT_SECRET);
+      c.set('jwtPayload', payload);
+    } catch {
+      return c.json({ error: 'Invalid or expired token' }, 401);
+    }
+
+    await next();
+  });
+}
+
+export function requireScope(
+  scope: string,
+  options?: { channelParam?: string },
+) {
+  return createMiddleware<Env>(async (c, next) => {
+    const payload = c.get('jwtPayload') as ZooidJWT;
+
+    // Admin can do anything
+    if (payload.scope === 'admin') {
+      await next();
+      return;
+    }
+
+    // Check scope matches
+    if (payload.scope !== scope) {
+      return c.json({ error: 'Insufficient permissions' }, 403);
+    }
+
+    // Check channel matches if channel-scoped
+    if (options?.channelParam) {
+      const channelId = c.req.param(options.channelParam);
+      if (payload.channel !== channelId) {
+        return c.json({ error: 'Token not valid for this channel' }, 403);
+      }
+    }
+
+    await next();
+  });
+}
+
+export function requireSubscribeIfPrivate(channelParam: string) {
+  return createMiddleware<Env>(async (c, next) => {
+    const channelId = c.req.param(channelParam);
+    const db = c.env.DB;
+
+    const channel = await db
+      .prepare('SELECT is_public FROM channels WHERE id = ?')
+      .bind(channelId)
+      .first<{ is_public: number }>();
+
+    if (!channel) {
+      return c.json({ error: 'Channel not found' }, 404);
+    }
+
+    if (channel.is_public === 1) {
+      c.set('channelIsPublic', true);
+      await next();
+      return;
+    }
+
+    const authHeader = c.req.header('Authorization');
+    const queryToken = c.req.query('token');
+    const rawToken = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : queryToken ?? null;
+
+    if (!rawToken) {
+      return c.json(
+        { error: 'Subscribe token required for private channel' },
+        401,
+      );
+    }
+
+    const token = rawToken;
+    try {
+      const payload = await verifyToken(token, c.env.ZOOID_JWT_SECRET);
+      if (payload.scope !== 'admin' && payload.scope !== 'subscribe') {
+        return c.json({ error: 'Insufficient permissions' }, 403);
+      }
+      if (payload.scope === 'subscribe' && payload.channel !== channelId) {
+        return c.json({ error: 'Token not valid for this channel' }, 403);
+      }
+      c.set('jwtPayload', payload);
+    } catch {
+      return c.json({ error: 'Invalid or expired token' }, 401);
+    }
+
+    await next();
+  });
+}

package/src/routes/channels.test.ts

@@ -0,0 +1,335 @@
+import { describe, it, expect, beforeAll, beforeEach } from 'vitest';
+import { env } from 'cloudflare:test';
+import app from '../index';
+import { setupTestDb, cleanTestDb } from '../test-utils';
+import { createToken } from '../lib/jwt';
+
+const JWT_SECRET = 'test-jwt-secret';
+
+async function authRequest(
+  path: string,
+  options: RequestInit = {},
+  scope: 'admin' | 'publish' | 'subscribe' = 'admin',
+  channel?: string,
+) {
+  const token = await createToken({ scope, channel }, JWT_SECRET);
+  const headers = new Headers(options.headers);
+  headers.set('Authorization', `Bearer ${token}`);
+  headers.set('Content-Type', 'application/json');
+  return app.request(
+    path,
+    { ...options, headers },
+    { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+  );
+}
+
+describe('Channel routes', () => {
+  beforeAll(async () => {
+    await setupTestDb();
+  });
+
+  beforeEach(async () => {
+    await cleanTestDb();
+  });
+
+  describe('POST /channels', () => {
+    it('creates a channel with admin token', async () => {
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({
+          id: 'test-channel',
+          name: 'Test Channel',
+          description: 'A test channel',
+          is_public: true,
+        }),
+      });
+
+      expect(res.status).toBe(201);
+      const body = (await res.json()) as {
+        id: string;
+        publish_token: string;
+        subscribe_token: string;
+      };
+      expect(body.id).toBe('test-channel');
+      expect(body.publish_token).toBeTruthy();
+      expect(body.subscribe_token).toBeTruthy();
+    });
+
+    it('rejects without auth', async () => {
+      const res = await app.request(
+        '/api/v1/channels',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ id: 'test-channel', name: 'Test Channel' }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+
+      expect(res.status).toBe(401);
+    });
+
+    it('rejects with non-admin token', async () => {
+      const res = await authRequest(
+        '/api/v1/channels',
+        {
+          method: 'POST',
+          body: JSON.stringify({ id: 'test-channel', name: 'Test Channel' }),
+        },
+        'publish',
+        'some-channel',
+      );
+
+      expect(res.status).toBe(403);
+    });
+
+    it('rejects invalid channel ID (too short)', async () => {
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'ab', name: 'Bad Channel' }),
+      });
+
+      expect(res.status).toBe(400);
+    });
+
+    it('rejects invalid channel ID (uppercase)', async () => {
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'MyChannel', name: 'Bad Channel' }),
+      });
+
+      expect(res.status).toBe(400);
+    });
+
+    it('rejects duplicate channel ID', async () => {
+      await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'test-channel', name: 'Test Channel' }),
+      });
+
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'test-channel', name: 'Duplicate' }),
+      });
+
+      expect(res.status).toBe(409);
+    });
+
+    it('accepts optional schema field', async () => {
+      const schema = {
+        type: 'object',
+        properties: { market: { type: 'string' } },
+        required: ['market'],
+      };
+
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({
+          id: 'schema-channel',
+          name: 'Schema Channel',
+          schema,
+        }),
+      });
+
+      expect(res.status).toBe(201);
+    });
+
+    it('creates a strict channel with schema', async () => {
+      const schema = {
+        alert: {
+          required: ['level'],
+          properties: { level: { type: 'string' } },
+        },
+      };
+
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({
+          id: 'strict-channel',
+          name: 'Strict Channel',
+          schema,
+          strict: true,
+        }),
+      });
+
+      expect(res.status).toBe(201);
+    });
+
+    it('rejects strict channel without schema', async () => {
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({
+          id: 'strict-no-schema',
+          name: 'Bad Strict',
+          strict: true,
+        }),
+      });
+
+      expect(res.status).toBe(400);
+      const body = (await res.json()) as { error: string };
+      expect(body.error).toContain('schema');
+    });
+
+    it('creates a channel with tags', async () => {
+      const res = await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({
+          id: 'tagged-channel',
+          name: 'Tagged Channel',
+          tags: ['ai', 'crypto'],
+        }),
+      });
+
+      expect(res.status).toBe(201);
+    });
+  });
+
+  describe('GET /channels', () => {
+    it('returns empty list when no channels exist', async () => {
+      const res = await app.request(
+        '/api/v1/channels',
+        {},
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { channels: unknown[] };
+      expect(body.channels).toEqual([]);
+    });
+
+    it('lists all channels (no auth required)', async () => {
+      await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'channel-a', name: 'Channel A' }),
+      });
+      await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'channel-b', name: 'Channel B' }),
+      });
+
+      const res = await app.request(
+        '/api/v1/channels',
+        {},
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      expect(res.status).toBe(200);
+
+      const body = (await res.json()) as {
+        channels: Array<{ id: string; name: string }>;
+      };
+      expect(body.channels).toHaveLength(2);
+      expect(body.channels[0].id).toBeTruthy();
+      expect(body.channels[0].name).toBeTruthy();
+    });
+
+    it('lists channels with tags', async () => {
+      await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({
+          id: 'tagged-list',
+          name: 'Tagged List',
+          tags: ['ai', 'agents'],
+        }),
+      });
+
+      const res = await app.request(
+        '/api/v1/channels',
+        {},
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      const body = (await res.json()) as {
+        channels: Array<{ id: string; tags: string[] }>;
+      };
+
+      const ch = body.channels.find((c) => c.id === 'tagged-list')!;
+      expect(ch.tags).toEqual(['ai', 'agents']);
+    });
+
+    it('lists channels without tags as empty array', async () => {
+      await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({
+          id: 'no-tags-list',
+          name: 'No Tags',
+        }),
+      });
+
+      const res = await app.request(
+        '/api/v1/channels',
+        {},
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      const body = (await res.json()) as {
+        channels: Array<{ id: string; tags: string[] }>;
+      };
+
+      const ch = body.channels.find((c) => c.id === 'no-tags-list')!;
+      expect(ch.tags).toEqual([]);
+    });
+
+    it('includes event_count and last_event_at fields', async () => {
+      await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'count-channel', name: 'Count Channel' }),
+      });
+
+      const res = await app.request(
+        '/api/v1/channels',
+        {},
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      const body = (await res.json()) as {
+        channels: Array<{ event_count: number; last_event_at: string | null }>;
+      };
+
+      expect(body.channels[0]).toHaveProperty('event_count');
+      expect(body.channels[0]).toHaveProperty('last_event_at');
+    });
+  });
+
+  describe('POST /channels/:channelId/publishers', () => {
+    it('adds a publisher to a channel', async () => {
+      await authRequest('/api/v1/channels', {
+        method: 'POST',
+        body: JSON.stringify({ id: 'pub-channel', name: 'Pub Channel' }),
+      });
+
+      const res = await authRequest('/api/v1/channels/pub-channel/publishers', {
+        method: 'POST',
+        body: JSON.stringify({ name: 'whale-bot' }),
+      });
+
+      expect(res.status).toBe(201);
+      const body = (await res.json()) as {
+        id: string;
+        name: string;
+        publish_token: string;
+      };
+      expect(body.id).toBeTruthy();
+      expect(body.name).toBe('whale-bot');
+      expect(body.publish_token).toBeTruthy();
+    });
+
+    it('rejects without admin token', async () => {
+      const res = await authRequest(
+        '/api/v1/channels/pub-channel/publishers',
+        {
+          method: 'POST',
+          body: JSON.stringify({ name: 'whale-bot' }),
+        },
+        'subscribe',
+        'pub-channel',
+      );
+
+      expect(res.status).toBe(403);
+    });
+
+    it('returns 404 for non-existent channel', async () => {
+      const res = await authRequest('/api/v1/channels/nonexistent/publishers', {
+        method: 'POST',
+        body: JSON.stringify({ name: 'whale-bot' }),
+      });
+
+      expect(res.status).toBe(404);
+    });
+  });
+});

package/src/routes/channels.ts

@@ -0,0 +1,220 @@
+import { OpenAPIRoute } from 'chanfana';
+import { z } from 'zod';
+import type { Context } from 'hono';
+import type { Bindings, Variables } from '../types';
+import { isValidChannelId } from '../lib/validation';
+import { generateUlid } from '../lib/ulid';
+import { createToken } from '../lib/jwt';
+import {
+  createChannel,
+  getChannel,
+  listChannels,
+  createPublisher,
+} from '../db/queries';
+
+type Env = { Bindings: Bindings; Variables: Variables };
+
+export class ListChannels extends OpenAPIRoute {
+  schema = {
+    summary: 'List channels',
+    tags: ['Channels'],
+    responses: {
+      200: {
+        description: 'List of channels',
+        content: {
+          'application/json': {
+            schema: z.object({
+              channels: z.array(
+                z.object({
+                  id: z.string(),
+                  name: z.string(),
+                  description: z.string().nullable(),
+                  tags: z.array(z.string()),
+                  is_public: z.boolean(),
+                  event_count: z.number(),
+                  last_event_at: z.string().nullable(),
+                  created_at: z.string(),
+                }),
+              ),
+            }),
+          },
+        },
+      },
+    },
+  };
+
+  async handle(c: Context<Env>) {
+    const list = await listChannels(c.env.DB);
+    return c.json({ channels: list });
+  }
+}
+
+export class CreateChannel extends OpenAPIRoute {
+  schema = {
+    summary: 'Create a channel',
+    tags: ['Channels'],
+    security: [{ bearerAuth: [] }],
+    request: {
+      body: {
+        content: {
+          'application/json': {
+            schema: z.object({
+              id: z.string().min(3).max(64),
+              name: z.string().min(1),
+              description: z.string().optional(),
+              tags: z.array(z.string()).optional(),
+              is_public: z.boolean().optional(),
+              schema: z.record(z.string(), z.unknown()).optional(),
+              strict: z.boolean().optional(),
+            }),
+          },
+        },
+      },
+    },
+    responses: {
+      201: {
+        description: 'Channel created',
+        content: {
+          'application/json': {
+            schema: z.object({
+              id: z.string(),
+              publish_token: z.string(),
+              subscribe_token: z.string(),
+            }),
+          },
+        },
+      },
+      400: {
+        description: 'Validation error',
+        content: {
+          'application/json': {
+            schema: z.object({ error: z.string() }),
+          },
+        },
+      },
+      409: {
+        description: 'Channel already exists',
+        content: {
+          'application/json': {
+            schema: z.object({ error: z.string() }),
+          },
+        },
+      },
+    },
+  };
+
+  async handle(c: Context<Env>) {
+    const data = await this.getValidatedData<typeof this.schema>();
+    const body = data.body;
+
+    if (!isValidChannelId(body.id)) {
+      return c.json(
+        {
+          error:
+            'Invalid channel ID. Must be 3-64 chars, lowercase alphanumeric + hyphens, no leading/trailing hyphens.',
+        },
+        400,
+      );
+    }
+
+    if (body.strict && !body.schema) {
+      return c.json({ error: 'strict channels require a schema' }, 400);
+    }
+
+    const existing = await getChannel(c.env.DB, body.id);
+    if (existing) {
+      return c.json({ error: 'Channel already exists' }, 409);
+    }
+
+    const channel = await createChannel(c.env.DB, body);
+
+    const publishToken = await createToken(
+      { scope: 'publish', channel: channel.id, sub: generateUlid() },
+      c.env.ZOOID_JWT_SECRET,
+    );
+    const subscribeToken = await createToken(
+      { scope: 'subscribe', channel: channel.id, sub: generateUlid() },
+      c.env.ZOOID_JWT_SECRET,
+    );
+
+    return c.json(
+      {
+        id: channel.id,
+        publish_token: publishToken,
+        subscribe_token: subscribeToken,
+      },
+      201,
+    );
+  }
+}
+
+export class AddPublisher extends OpenAPIRoute {
+  schema = {
+    summary: 'Add a publisher to a channel',
+    tags: ['Channels'],
+    security: [{ bearerAuth: [] }],
+    request: {
+      params: z.object({
+        channelId: z.string(),
+      }),
+      body: {
+        content: {
+          'application/json': {
+            schema: z.object({
+              name: z.string().min(1),
+            }),
+          },
+        },
+      },
+    },
+    responses: {
+      201: {
+        description: 'Publisher added',
+        content: {
+          'application/json': {
+            schema: z.object({
+              id: z.string(),
+              name: z.string(),
+              publish_token: z.string(),
+            }),
+          },
+        },
+      },
+      404: {
+        description: 'Channel not found',
+        content: {
+          'application/json': {
+            schema: z.object({ error: z.string() }),
+          },
+        },
+      },
+    },
+  };
+
+  async handle(c: Context<Env>) {
+    const data = await this.getValidatedData<typeof this.schema>();
+    const { channelId } = data.params;
+    const body = data.body;
+
+    const channel = await getChannel(c.env.DB, channelId);
+    if (!channel) {
+      return c.json({ error: 'Channel not found' }, 404);
+    }
+
+    const publisher = await createPublisher(c.env.DB, channelId, body.name);
+
+    const publishToken = await createToken(
+      { scope: 'publish', channel: channelId, sub: publisher.id },
+      c.env.ZOOID_JWT_SECRET,
+    );
+
+    return c.json(
+      {
+        id: publisher.id,
+        name: publisher.name,
+        publish_token: publishToken,
+      },
+      201,
+    );
+  }
+}