@zooid/server 0.0.1

package/src/routes/server-meta.ts

@@ -0,0 +1,100 @@
+import { OpenAPIRoute } from 'chanfana';
+import { z } from 'zod';
+import type { Context } from 'hono';
+import type { Bindings, Variables } from '../types';
+import { getServerMeta, upsertServerMeta } from '../db/queries';
+
+type Env = { Bindings: Bindings; Variables: Variables };
+
+export class GetServerMeta extends OpenAPIRoute {
+  schema = {
+    summary: 'Get server metadata',
+    tags: ['Server'],
+    responses: {
+      200: {
+        description: 'Server metadata',
+        content: {
+          'application/json': {
+            schema: z.object({
+              name: z.string(),
+              description: z.string().nullable(),
+              tags: z.array(z.string()),
+              owner: z.string().nullable(),
+              company: z.string().nullable(),
+              email: z.string().nullable(),
+              updated_at: z.string(),
+            }),
+          },
+        },
+      },
+    },
+  };
+
+  async handle(c: Context<Env>) {
+    const meta = await getServerMeta(c.env.DB);
+
+    if (!meta) {
+      return c.json({
+        name: 'Zooid',
+        description: null,
+        tags: [],
+        owner: null,
+        company: null,
+        email: null,
+        updated_at: new Date().toISOString(),
+      });
+    }
+
+    return c.json(meta);
+  }
+}
+
+export class UpdateServerMeta extends OpenAPIRoute {
+  schema = {
+    summary: 'Update server metadata',
+    tags: ['Server'],
+    security: [{ bearerAuth: [] }],
+    request: {
+      body: {
+        content: {
+          'application/json': {
+            schema: z.object({
+              name: z.string().min(1).optional(),
+              description: z.string().nullable().optional(),
+              tags: z.array(z.string()).optional(),
+              owner: z.string().nullable().optional(),
+              company: z.string().nullable().optional(),
+              email: z.string().nullable().optional(),
+            }),
+          },
+        },
+      },
+    },
+    responses: {
+      200: {
+        description: 'Updated server metadata',
+        content: {
+          'application/json': {
+            schema: z.object({
+              name: z.string(),
+              description: z.string().nullable(),
+              tags: z.array(z.string()),
+              owner: z.string().nullable(),
+              company: z.string().nullable(),
+              email: z.string().nullable(),
+              updated_at: z.string(),
+            }),
+          },
+        },
+      },
+    },
+  };
+
+  async handle(c: Context<Env>) {
+    const data = await this.getValidatedData<typeof this.schema>();
+    const body = data.body;
+
+    const meta = await upsertServerMeta(c.env.DB, body);
+    return c.json(meta);
+  }
+}

package/src/routes/webhooks.test.ts

@@ -0,0 +1,238 @@
+import { describe, it, expect, beforeAll, beforeEach } from 'vitest';
+import { env } from 'cloudflare:test';
+import app from '../index';
+import { setupTestDb, cleanTestDb } from '../test-utils';
+import { createToken } from '../lib/jwt';
+
+const JWT_SECRET = 'test-jwt-secret';
+
+async function adminRequest(path: string, options: RequestInit = {}) {
+  const token = await createToken({ scope: 'admin' }, JWT_SECRET);
+  const headers = new Headers(options.headers);
+  headers.set('Authorization', `Bearer ${token}`);
+  headers.set('Content-Type', 'application/json');
+  return app.request(
+    path,
+    { ...options, headers },
+    {
+      ...env,
+      ZOOID_JWT_SECRET: JWT_SECRET,
+    },
+  );
+}
+
+describe('Webhook routes', () => {
+  beforeAll(async () => {
+    await setupTestDb();
+  });
+
+  beforeEach(async () => {
+    await cleanTestDb();
+    await adminRequest('/api/v1/channels', {
+      method: 'POST',
+      body: JSON.stringify({
+        id: 'wh-channel',
+        name: 'WH Channel',
+        is_public: true,
+      }),
+    });
+    await adminRequest('/api/v1/channels', {
+      method: 'POST',
+      body: JSON.stringify({
+        id: 'priv-wh',
+        name: 'Private WH',
+        is_public: false,
+      }),
+    });
+  });
+
+  describe('POST /channels/:channelId/webhooks', () => {
+    it('registers a webhook on a public channel (no auth) with default 3-day TTL', async () => {
+      const res = await app.request(
+        '/api/v1/channels/wh-channel/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            url: 'https://example.com/hook',
+            event_types: ['signal'],
+          }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+
+      expect(res.status).toBe(201);
+      const body = (await res.json()) as {
+        id: string;
+        channel_id: string;
+        url: string;
+        expires_at: string;
+      };
+      expect(body.id).toBeTruthy();
+      expect(body.channel_id).toBe('wh-channel');
+      expect(body.url).toBe('https://example.com/hook');
+      expect(body.expires_at).toBeTruthy();
+    });
+
+    it('registers a webhook with custom ttl_seconds', async () => {
+      const res = await app.request(
+        '/api/v1/channels/wh-channel/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            url: 'https://example.com/hook',
+            ttl_seconds: 3600,
+          }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+
+      expect(res.status).toBe(201);
+      const body = (await res.json()) as { expires_at: string };
+      const expiresAt = new Date(body.expires_at).getTime();
+      const oneHourFromNow = Date.now() + 3600 * 1000;
+      expect(Math.abs(expiresAt - oneHourFromNow)).toBeLessThan(5000);
+    });
+
+    it('re-registering same URL extends TTL (upsert)', async () => {
+      const res1 = await app.request(
+        '/api/v1/channels/wh-channel/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            url: 'https://example.com/hook',
+            ttl_seconds: 3600,
+          }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      const body1 = (await res1.json()) as { id: string; expires_at: string };
+
+      const res2 = await app.request(
+        '/api/v1/channels/wh-channel/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            url: 'https://example.com/hook',
+            ttl_seconds: 86400,
+          }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+
+      expect(res2.status).toBe(201);
+      const body2 = (await res2.json()) as { id: string; expires_at: string };
+      expect(body2.id).toBe(body1.id);
+      expect(new Date(body2.expires_at).getTime()).toBeGreaterThan(
+        new Date(body1.expires_at).getTime(),
+      );
+    });
+
+    it('requires subscribe token for private channel', async () => {
+      const res = await app.request(
+        '/api/v1/channels/priv-wh/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ url: 'https://example.com/hook' }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      expect(res.status).toBe(401);
+    });
+
+    it('allows subscribe token for private channel', async () => {
+      const token = await createToken(
+        { scope: 'subscribe', channel: 'priv-wh', sub: 'sub-1' },
+        JWT_SECRET,
+      );
+      const res = await app.request(
+        '/api/v1/channels/priv-wh/webhooks',
+        {
+          method: 'POST',
+          headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({ url: 'https://example.com/hook' }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      expect(res.status).toBe(201);
+    });
+
+    it('rejects missing url', async () => {
+      const res = await app.request(
+        '/api/v1/channels/wh-channel/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({}),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      expect(res.status).toBe(400);
+    });
+
+    it('returns 404 for non-existent channel', async () => {
+      const res = await app.request(
+        '/api/v1/channels/nonexistent/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ url: 'https://example.com/hook' }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      expect(res.status).toBe(404);
+    });
+  });
+
+  describe('DELETE /channels/:channelId/webhooks/:webhookId', () => {
+    it('deletes a webhook with admin token', async () => {
+      const createRes = await app.request(
+        '/api/v1/channels/wh-channel/webhooks',
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ url: 'https://example.com/hook' }),
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      const { id: webhookId } = (await createRes.json()) as { id: string };
+
+      const res = await adminRequest(
+        `/api/v1/channels/wh-channel/webhooks/${webhookId}`,
+        { method: 'DELETE' },
+      );
+      expect(res.status).toBe(204);
+    });
+
+    it('rejects without admin token', async () => {
+      const token = await createToken(
+        { scope: 'subscribe', channel: 'wh-channel', sub: 'sub-1' },
+        JWT_SECRET,
+      );
+      const res = await app.request(
+        '/api/v1/channels/wh-channel/webhooks/some-id',
+        {
+          method: 'DELETE',
+          headers: { Authorization: `Bearer ${token}` },
+        },
+        { ...env, ZOOID_JWT_SECRET: JWT_SECRET },
+      );
+      expect(res.status).toBe(403);
+    });
+
+    it('returns 404 for non-existent webhook', async () => {
+      const res = await adminRequest(
+        '/api/v1/channels/wh-channel/webhooks/nonexistent',
+        { method: 'DELETE' },
+      );
+      expect(res.status).toBe(404);
+    });
+  });
+});

package/src/routes/webhooks.ts

@@ -0,0 +1,111 @@
+import { OpenAPIRoute } from 'chanfana';
+import { z } from 'zod';
+import type { Context } from 'hono';
+import type { Bindings, Variables } from '../types';
+import { createWebhook, deleteWebhook } from '../db/queries';
+
+type Env = { Bindings: Bindings; Variables: Variables };
+
+export class RegisterWebhook extends OpenAPIRoute {
+  schema = {
+    summary: 'Register a webhook',
+    tags: ['Webhooks'],
+    request: {
+      params: z.object({
+        channelId: z.string(),
+      }),
+      body: {
+        content: {
+          'application/json': {
+            schema: z.object({
+              url: z.string().url(),
+              event_types: z.array(z.string()).optional(),
+              ttl_seconds: z.number().int().positive().optional(),
+            }),
+          },
+        },
+      },
+    },
+    responses: {
+      201: {
+        description: 'Webhook registered',
+        content: {
+          'application/json': {
+            schema: z.object({
+              id: z.string(),
+              channel_id: z.string(),
+              url: z.string(),
+              event_types: z.array(z.string()).nullable(),
+              expires_at: z.string(),
+              created_at: z.string(),
+            }),
+          },
+        },
+      },
+      400: {
+        description: 'Validation error',
+        content: {
+          'application/json': {
+            schema: z.object({ error: z.string() }),
+          },
+        },
+      },
+    },
+  };
+
+  async handle(c: Context<Env>) {
+    const data = await this.getValidatedData<typeof this.schema>();
+    const { channelId } = data.params;
+    const body = data.body;
+    const db = c.env.DB;
+
+    const webhook = await createWebhook(db, {
+      channelId,
+      url: body.url,
+      eventTypes: body.event_types,
+      ttlSeconds: body.ttl_seconds,
+    });
+
+    return c.json(webhook, 201);
+  }
+}
+
+export class DeleteWebhook extends OpenAPIRoute {
+  schema = {
+    summary: 'Delete a webhook',
+    tags: ['Webhooks'],
+    security: [{ bearerAuth: [] }],
+    request: {
+      params: z.object({
+        channelId: z.string(),
+        webhookId: z.string(),
+      }),
+    },
+    responses: {
+      204: {
+        description: 'Webhook deleted',
+      },
+      404: {
+        description: 'Webhook not found',
+        content: {
+          'application/json': {
+            schema: z.object({ error: z.string() }),
+          },
+        },
+      },
+    },
+  };
+
+  async handle(c: Context<Env>) {
+    const data = await this.getValidatedData<typeof this.schema>();
+    const { channelId, webhookId } = data.params;
+    const db = c.env.DB;
+
+    const deleted = await deleteWebhook(db, webhookId, channelId);
+    if (!deleted) {
+      return c.json({ error: 'Webhook not found' }, 404);
+    }
+
+    return c.body(null, 204);
+  }
+}

package/src/routes/well-known.test.ts

@@ -0,0 +1,34 @@
+import { describe, it, expect, beforeAll } from 'vitest';
+import { env } from 'cloudflare:test';
+import app from '../index';
+import { setupTestDb } from '../test-utils';
+
+describe('GET /.well-known/zooid.json', () => {
+  beforeAll(() => setupTestDb());
+  it('returns 200 with server metadata', async () => {
+    const res = await app.request('/.well-known/zooid.json', {}, env);
+    expect(res.status).toBe(200);
+
+    const body = (await res.json()) as {
+      version: string;
+      algorithm: string;
+      public_key_format: string;
+      server_id: string;
+      poll_interval: number;
+      delivery: string[];
+    };
+    expect(body.version).toBe('0.1');
+    expect(body.algorithm).toBe('Ed25519');
+    expect(body.public_key_format).toBe('spki');
+    expect(body.server_id).toBeTruthy();
+    expect(body.poll_interval).toBeTypeOf('number');
+    expect(body.delivery).toEqual(
+      expect.arrayContaining(['poll', 'webhook', 'websocket', 'rss']),
+    );
+  });
+
+  it('returns valid JSON content type', async () => {
+    const res = await app.request('/.well-known/zooid.json', {}, env);
+    expect(res.headers.get('content-type')).toContain('application/json');
+  });
+});

package/src/routes/well-known.ts

@@ -0,0 +1,58 @@
+import { Hono } from 'hono';
+import type { Bindings, Variables } from '../types';
+import { getServerMeta } from '../db/queries';
+
+const wellKnown = new Hono<{ Bindings: Bindings; Variables: Variables }>();
+
+// Fixed ASN.1 DER prefix for Ed25519 SPKI (12 bytes)
+const ED25519_SPKI_PREFIX = new Uint8Array([
+  0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,
+]);
+
+/**
+ * Convert a raw Ed25519 public key (base64) to base64url SPKI format.
+ * If the key is already SPKI-length (44 bytes), just convert to base64url.
+ */
+function rawKeyToSpkiBase64Url(base64Key: string): string {
+  const binary = atob(base64Key);
+  const keyBytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    keyBytes[i] = binary.charCodeAt(i);
+  }
+
+  let spkiBytes: Uint8Array;
+  if (keyBytes.length === 32) {
+    // Raw key — wrap in SPKI
+    spkiBytes = new Uint8Array(ED25519_SPKI_PREFIX.length + keyBytes.length);
+    spkiBytes.set(ED25519_SPKI_PREFIX);
+    spkiBytes.set(keyBytes, ED25519_SPKI_PREFIX.length);
+  } else {
+    // Already SPKI (44 bytes) or other format — pass through
+    spkiBytes = keyBytes;
+  }
+
+  let b64 = '';
+  for (const byte of spkiBytes) {
+    b64 += String.fromCharCode(byte);
+  }
+  return btoa(b64).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+wellKnown.get('/.well-known/zooid.json', async (c) => {
+  const pollInterval = parseInt(c.env.ZOOID_POLL_INTERVAL || '30', 10);
+  const meta = await getServerMeta(c.env.DB);
+
+  return c.json({
+    version: '0.1',
+    public_key: c.env.ZOOID_PUBLIC_KEY ? rawKeyToSpkiBase64Url(c.env.ZOOID_PUBLIC_KEY) : '',
+    public_key_format: 'spki',
+    algorithm: 'Ed25519',
+    server_id: c.env.ZOOID_SERVER_ID || 'zooid-local',
+    server_name: meta?.name || c.env.ZOOID_SERVER_NAME || 'Zooid',
+    server_description: meta?.description || c.env.ZOOID_SERVER_DESC || null,
+    poll_interval: pollInterval,
+    delivery: ['poll', 'webhook', 'websocket', 'rss'],
+  });
+});
+
+export { wellKnown };