create-githat-app 1.8.5 → 1.8.7

package/templates/base/README.md.hbs

@@ -100,6 +100,44 @@ const domains = await list();      // includes verificationStatus
 Once verified, links in emails point to `https://{{domain}}/reset-password?token=…`
 — users never see githat.io.
 
+## Webhooks
+
+Subscribe to GitHat auth events from your backend via HTTP callbacks. Use the
+GitHat dashboard (`/webhooks`) or the `useWebhooks()` hook to register an endpoint:
+
+```ts
+import { useWebhooks } from '@githat/nextjs';
+
+const { create, list, listDeliveries } = useWebhooks();
+const webhook = await create('https://yourapp.com/hooks/githat', ['user.signed_in', 'user.created']);
+// Save webhook.secret — it's shown only once and used to verify HMAC signatures.
+```
+
+Each delivery sends `X-GitHat-Signature: sha256=<hmac>` so you can verify authenticity.
+
+## Active sessions
+
+Users can view and revoke active sessions at `/account/sessions`. Each session
+shows the user agent, IP, country, and last active time. The current session is
+marked "This device". The `useSessions()` hook backs this page:
+
+```ts
+import { useSessions } from '@githat/nextjs';
+const { list, revoke, revokeAll } = useSessions();
+```
+
+## Sign-in activity
+
+`/account/activity` shows an immutable audit log of every auth event
+(sign-ins, MFA toggles, passkey changes, etc.) with IP, country, and device.
+Paginated with `useAuditLog()`:
+
+```ts
+import { useAuditLog } from '@githat/nextjs';
+const { list } = useAuditLog();
+const { events, nextCursor } = await list({ limit: 50 });
+```
+
 ## Two-factor authentication
 
 Users can enable TOTP-based 2FA at `/account/security` (the page is
@@ -143,3 +181,76 @@ model.
 - [Branded Auth Emails Guide](https://githat.io/docs/email-domains)
 - [SDK Reference](https://www.npmjs.com/package/@githat/nextjs)
 - [API Reference](https://githat.io/docs/api)
+
+## Marketplace template
+
+If you scaffolded with `--template marketplace`, your product catalog lives in one place:
+
+```
+src/data/products.ts
+```
+
+### Adding products
+
+Open `src/data/products.ts` and add entries to the `PRODUCTS` array:
+
+```ts
+{
+  id: 'my-product',           // unique, URL-safe string
+  name: 'My product',
+  description: 'A short description shown on the card.',
+  price: 12.99,               // numeric, in your currency's base unit
+  category: 'food',           // must match a slug in src/lib/categories.ts
+  inStock: true,
+}
+```
+
+The homepage, cart shell, and search page all import from this file via
+`getAvailableProducts()` — no other changes needed.
+
+### Adding categories
+
+Open `src/lib/categories.ts` and add entries to the `CATEGORIES` array.
+Keep `slug` values lowercase and hyphen-separated (used in URLs).
+
+### Moving to a real database
+
+When you're ready to persist products in a backend (Postgres, DynamoDB,
+Sebastn), replace `getAvailableProducts()` in `app/page.tsx` with a
+`fetch()` to your API. The `Product` interface in `src/data/products.ts`
+stays the same so your UI components don't need to change.
+
+## File storage
+
+`/account/files` lets users upload files directly to per-app S3 buckets
+via the GitHat storage API. Files never route through the GitHat server —
+the SDK gets a presigned POST URL, uploads directly to S3, then calls
+`/storage/finalize` to record the object.
+
+```tsx
+import { useStorage, StorageDropzone } from '@githat/nextjs';
+
+const { upload, list, getUrl, remove, update } = useStorage();
+
+// Drag-drop upload UI with progress bar (no extra dependencies)
+<StorageDropzone
+  accept="image/*,application/pdf"
+  onUpload={(obj) => console.log('uploaded:', obj.objectId)}
+/>
+
+// Programmatic upload
+const obj = await upload(file, { isPublic: false, metadata: { tag: 'avatar' } });
+
+// List user's files (paginated)
+const { items, nextCursor } = await list({ prefix: 'avatars/', limit: 20 });
+
+// Get a 5-minute presigned download URL (or permanent URL for public objects)
+const { downloadUrl } = await getUrl(obj.objectId);
+```
+
+Key properties:
+- **Per-app S3 buckets** — each app gets its own bucket (`githat-storage-<hash>`)
+  with CORS configured for the app's verified domain.
+- **Static-export-friendly** — no server actions. All storage calls are
+  client-side fetches against the GitHat API.
+- **Private by default** — set `isPublic: true` for public CDN URLs.

package/templates/classroom/app/account/activity/page.tsx.hbs

@@ -0,0 +1,176 @@
+'use client';
+
+import { useEffect, useState } from 'react';
+import { useAuditLog } from '@githat/nextjs';
+import type { AuditEvent, AuditEventType } from '@githat/nextjs';
+
+const EVENT_ICONS: Record<string, string> = {
+  login_success: '✓',
+  login_failed: '✗',
+  mfa_enabled: '🔒',
+  mfa_disabled: '🔓',
+  mfa_challenge_failed: '⚠',
+  password_changed: '🔑',
+  email_verified: '✉',
+  passkey_added: '🔐',
+  passkey_removed: '🗑',
+  magic_link_requested: '✉',
+  session_revoked: '⊗',
+  account_locked: '⛔',
+  user_created: '★',
+};
+
+const EVENT_LABELS: Record<string, string> = {
+  login_success: 'Signed in',
+  login_failed: 'Failed sign-in attempt',
+  mfa_enabled: '2FA enabled',
+  mfa_disabled: '2FA disabled',
+  mfa_challenge_failed: '2FA challenge failed',
+  password_changed: 'Password changed',
+  email_verified: 'Email verified',
+  passkey_added: 'Passkey added',
+  passkey_removed: 'Passkey removed',
+  magic_link_requested: 'Magic link sent',
+  session_revoked: 'Session revoked',
+  account_locked: 'Account locked',
+  user_created: 'Account created',
+};
+
+/**
+ * /account/activity — Sign-in audit log for {{businessName}}.
+ *
+ * Immutable per-user record of auth events. Paginated table view
+ * with type icon, when, IP, user-agent, and country flag.
+ */
+export default function ActivityPage() {
+  const { list } = useAuditLog();
+  const [events, setEvents] = useState<AuditEvent[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [cursor, setCursor] = useState<string | null>(null);
+  const [loadingMore, setLoadingMore] = useState(false);
+
+  async function load(append = false) {
+    if (append) setLoadingMore(true); else setLoading(true);
+    setError(null);
+    try {
+      const result = await list({ limit: 50, ...(append && cursor ? { cursor } : {}) });
+      setEvents((prev) => append ? [...prev, ...result.events] : result.events);
+      setCursor(result.nextCursor);
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : 'Failed to load activity');
+    } finally {
+      if (append) setLoadingMore(false); else setLoading(false);
+    }
+  }
+
+  useEffect(() => { load(); }, []);
+
+  return (
+    <main
+      style=\{{
+        maxWidth: '900px',
+        margin: '0 auto',
+        padding: 'var(--space-8, 2rem) var(--space-4, 1rem)',
+        color: 'var(--fg, #111)',
+      }}
+    >
+      <header style=\{{ marginBottom: '1.5rem' }}>
+        <div style=\{{ display: 'flex', alignItems: 'center', gap: '0.5rem', marginBottom: '0.25rem' }}>
+          <a href="/account/security" style=\{{ color: 'var(--fg-muted, #666)', textDecoration: 'none', fontSize: '0.875rem' }}>
+            Security
+          </a>
+          <span style=\{{ color: 'var(--fg-muted, #666)' }}>›</span>
+          <span style=\{{ fontSize: '0.875rem' }}>Activity</span>
+        </div>
+        <h1 style=\{{ fontSize: '1.875rem', fontWeight: 700, margin: 0 }}>Sign-in activity</h1>
+        <p style=\{{ color: 'var(--fg-muted, #666)', marginTop: '0.25rem' }}>
+          Immutable record of security events for your {{businessName}} account.
+        </p>
+      </header>
+
+      {error && (
+        <div style=\{{ padding: '0.75rem 1rem', background: '#fef2f2', border: '1px solid #fecaca', borderRadius: '6px', color: '#dc2626', marginBottom: '1rem' }}>
+          {error}
+        </div>
+      )}
+
+      {loading ? (
+        <p style=\{{ color: 'var(--fg-muted, #666)' }}>Loading activity...</p>
+      ) : events.length === 0 ? (
+        <p style=\{{ color: 'var(--fg-muted, #666)' }}>No activity found.</p>
+      ) : (
+        <>
+          <div style=\{{ overflowX: 'auto' }}>
+            <table style=\{{ width: '100%', borderCollapse: 'collapse', fontSize: '0.875rem' }}>
+              <thead>
+                <tr style=\{{ borderBottom: '1px solid var(--border, #e5e7eb)', textAlign: 'left' }}>
+                  <th style=\{{ padding: '0.5rem 0.75rem', fontWeight: 600, color: 'var(--fg-muted, #666)', width: '2rem' }}></th>
+                  <th style=\{{ padding: '0.5rem 0.75rem', fontWeight: 600 }}>Event</th>
+                  <th style=\{{ padding: '0.5rem 0.75rem', fontWeight: 600 }}>When</th>
+                  <th style=\{{ padding: '0.5rem 0.75rem', fontWeight: 600 }}>IP</th>
+                  <th style=\{{ padding: '0.5rem 0.75rem', fontWeight: 600 }}>Country</th>
+                  <th style=\{{ padding: '0.5rem 0.75rem', fontWeight: 600 }}>Device</th>
+                </tr>
+              </thead>
+              <tbody>
+                {events.map((evt, i) => {
+                  const meta = evt.metadata as Record<string, string | undefined>;
+                  const ua = meta?.userAgent || '';
+                  const truncatedUa = ua.length > 50 ? ua.slice(0, 50) + '…' : ua;
+                  return (
+                    <tr
+                      key={evt.sk || i}
+                      style=\{{ borderBottom: '1px solid var(--border, #e5e7eb)' }}
+                    >
+                      <td style=\{{ padding: '0.6rem 0.75rem', textAlign: 'center', fontSize: '1rem' }}>
+                        {EVENT_ICONS[evt.action] || '•'}
+                      </td>
+                      <td style=\{{ padding: '0.6rem 0.75rem', fontWeight: 500 }}>
+                        {EVENT_LABELS[evt.action] || evt.action}
+                      </td>
+                      <td style=\{{ padding: '0.6rem 0.75rem', color: 'var(--fg-muted, #666)', whiteSpace: 'nowrap' }}>
+                        {new Date(evt.created_at).toLocaleString()}
+                      </td>
+                      <td style=\{{ padding: '0.6rem 0.75rem', color: 'var(--fg-muted, #666)', fontFamily: 'monospace' }}>
+                        {meta?.ipAddress || '—'}
+                      </td>
+                      <td style=\{{ padding: '0.6rem 0.75rem', color: 'var(--fg-muted, #666)' }}>
+                        {meta?.country || '—'}
+                      </td>
+                      <td
+                        style=\{{ padding: '0.6rem 0.75rem', color: 'var(--fg-muted, #666)', maxWidth: '280px', overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap' }}
+                        title={ua}
+                      >
+                        {truncatedUa || '—'}
+                      </td>
+                    </tr>
+                  );
+                })}
+              </tbody>
+            </table>
+          </div>
+
+          {cursor && (
+            <div style=\{{ marginTop: '1.5rem', textAlign: 'center' }}>
+              <button
+                onClick={() => load(true)}
+                disabled={loadingMore}
+                style=\{{
+                  padding: '0.5rem 1.5rem',
+                  background: 'transparent',
+                  border: '1px solid var(--border, #e5e7eb)',
+                  borderRadius: '6px',
+                  cursor: loadingMore ? 'not-allowed' : 'pointer',
+                  fontSize: '0.875rem',
+                }}
+              >
+                {loadingMore ? 'Loading...' : 'Load more'}
+              </button>
+            </div>
+          )}
+        </>
+      )}
+    </main>
+  );
+}

package/templates/classroom/app/account/files/page.tsx.hbs

@@ -0,0 +1,241 @@
+'use client';
+
+import { useEffect, useState, useRef } from 'react';
+import { useStorage, StorageDropzone } from '@githat/nextjs';
+import type { StorageObject } from '@githat/nextjs';
+
+/**
+ * /account/files — File storage for {{businessName}}.
+ *
+ * Lists uploaded files with download links. Uses <StorageDropzone/>
+ * for browser-direct uploads to S3 via the GitHat storage API.
+ * Works with Next.js static export — no server actions required.
+ */
+export default function FilesPage() {
+  const { list, getUrl, remove } = useStorage();
+  const [files, setFiles] = useState<StorageObject[]>([]);
+  const [nextCursor, setNextCursor] = useState<string | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [deletingId, setDeletingId] = useState<string | null>(null);
+
+  async function load(cursor?: string) {
+    setLoading(true);
+    setError(null);
+    try {
+      const result = await list({ limit: 20, cursor });
+      if (cursor) {
+        setFiles((prev) => [...prev, ...result.items]);
+      } else {
+        setFiles(result.items);
+      }
+      setNextCursor(result.nextCursor);
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : 'Failed to load files');
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  useEffect(() => { load(); }, []);
+
+  async function handleDownload(objectId: string) {
+    try {
+      const obj = await getUrl(objectId);
+      if (obj.downloadUrl) {
+        window.open(obj.downloadUrl, '_blank', 'noopener,noreferrer');
+      }
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : 'Failed to get download URL');
+    }
+  }
+
+  async function handleDelete(objectId: string) {
+    if (!confirm('Delete this file? This cannot be undone.')) return;
+    setDeletingId(objectId);
+    try {
+      await remove(objectId);
+      setFiles((prev) => prev.filter((f) => f.objectId !== objectId));
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : 'Failed to delete file');
+    } finally {
+      setDeletingId(null);
+    }
+  }
+
+  function formatBytes(bytes: number): string {
+    if (bytes < 1024) return `${bytes} B`;
+    if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / 1024 / 1024).toFixed(1)} MB`;
+  }
+
+  return (
+    <main
+      style=\{{
+        maxWidth: '720px',
+        margin: '0 auto',
+        padding: 'var(--space-8, 2rem) var(--space-4, 1rem)',
+        color: 'var(--fg, #111)',
+      }}
+    >
+      <header style=\{{ marginBottom: '1.5rem' }}>
+        <h1 style=\{{ fontSize: '1.875rem', fontWeight: 700, margin: 0 }}>Files</h1>
+        <p style=\{{ color: 'var(--fg-muted, #666)', marginTop: '0.25rem' }}>
+          Upload and manage files in your {{businessName}} account.
+        </p>
+      </header>
+
+      {/* Upload dropzone */}
+      <StorageDropzone
+        accept="image/*,application/pdf,text/*"
+        onUpload={() => load()}
+        onError={(err) => setError(err.message)}
+        uploadOptions=\{{ isPublic: false }}
+        style=\{{ marginBottom: '1.5rem' }}
+      />
+
+      {error && (
+        <div
+          style=\{{
+            padding: '0.75rem 1rem',
+            background: '#fef2f2',
+            border: '1px solid #fecaca',
+            borderRadius: '6px',
+            color: '#dc2626',
+            marginBottom: '1rem',
+          }}
+        >
+          {error}
+        </div>
+      )}
+
+      {loading && files.length === 0 ? (
+        <p style=\{{ color: 'var(--fg-muted, #666)' }}>Loading files...</p>
+      ) : files.length === 0 ? (
+        <p style=\{{ color: 'var(--fg-muted, #666)', textAlign: 'center', padding: '2rem 0' }}>
+          No files uploaded yet. Drop a file above to get started.
+        </p>
+      ) : (
+        <div style=\{{ display: 'flex', flexDirection: 'column', gap: '0.625rem' }}>
+          {files.map((file) => (
+            <div
+              key={file.objectId}
+              style=\{{
+                display: 'flex',
+                alignItems: 'center',
+                gap: '0.75rem',
+                padding: '0.875rem 1rem',
+                border: '1px solid var(--border, #e5e7eb)',
+                borderRadius: '8px',
+              }}
+            >
+              {/* File icon */}
+              <svg
+                width="20"
+                height="20"
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="#9ca3af"
+                strokeWidth="1.5"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                style=\{{ flexShrink: 0 }}
+                aria-hidden
+              >
+                <path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z" />
+                <polyline points="14 2 14 8 20 8" />
+              </svg>
+
+              {/* File info */}
+              <div style=\{{ flex: 1, minWidth: 0 }}>
+                <p
+                  style=\{{
+                    margin: 0,
+                    fontWeight: 500,
+                    fontSize: '0.9rem',
+                    overflow: 'hidden',
+                    textOverflow: 'ellipsis',
+                    whiteSpace: 'nowrap',
+                  }}
+                >
+                  {file.objectKey}
+                </p>
+                <p style=\{{ margin: '0.125rem 0 0', fontSize: '0.78rem', color: 'var(--fg-muted, #666)' }}>
+                  {formatBytes(file.size)} · {file.contentType} ·{' '}
+                  {new Date(file.uploadedAt).toLocaleDateString()}
+                  {file.isPublic && (
+                    <span
+                      style=\{{
+                        marginLeft: '0.5rem',
+                        padding: '0.1rem 0.4rem',
+                        background: '#dcfce7',
+                        color: '#16a34a',
+                        borderRadius: '4px',
+                        fontSize: '0.7rem',
+                        fontWeight: 600,
+                      }}
+                    >
+                      Public
+                    </span>
+                  )}
+                </p>
+              </div>
+
+              {/* Actions */}
+              <div style=\{{ display: 'flex', gap: '0.5rem', flexShrink: 0 }}>
+                <button
+                  onClick={() => handleDownload(file.objectId)}
+                  style=\{{
+                    padding: '0.35rem 0.75rem',
+                    fontSize: '0.825rem',
+                    border: '1px solid var(--border, #e5e7eb)',
+                    borderRadius: '6px',
+                    background: 'transparent',
+                    cursor: 'pointer',
+                  }}
+                  aria-label={`Download ${file.objectKey}`}
+                >
+                  Download
+                </button>
+                <button
+                  onClick={() => handleDelete(file.objectId)}
+                  disabled={deletingId === file.objectId}
+                  style=\{{
+                    padding: '0.35rem 0.75rem',
+                    fontSize: '0.825rem',
+                    border: '1px solid #fecaca',
+                    borderRadius: '6px',
+                    background: 'transparent',
+                    color: '#dc2626',
+                    cursor: deletingId === file.objectId ? 'not-allowed' : 'pointer',
+                  }}
+                  aria-label={`Delete ${file.objectKey}`}
+                >
+                  {deletingId === file.objectId ? '...' : 'Delete'}
+                </button>
+              </div>
+            </div>
+          ))}
+
+          {nextCursor && (
+            <button
+              onClick={() => load(nextCursor)}
+              disabled={loading}
+              style=\{{
+                padding: '0.6rem 1.25rem',
+                marginTop: '0.5rem',
+                border: '1px solid var(--border, #e5e7eb)',
+                borderRadius: '6px',
+                background: 'transparent',
+                cursor: loading ? 'not-allowed' : 'pointer',
+                fontSize: '0.875rem',
+              }}
+            >
+              {loading ? 'Loading...' : 'Load more'}
+            </button>
+          )}
+        </div>
+      )}
+    </main>
+  );
+}

package/templates/classroom/app/account/security/page.tsx.hbs

@@ -26,7 +26,53 @@ export default function SecurityPage() {
           Manage two-factor authentication for your {{businessName}} account.
         </p>
       </header>
+
       <MfaManager />
+
+      <nav style=\{{ marginTop: '2.5rem', display: 'flex', flexDirection: 'column', gap: '0.75rem' }}>
+        <a
+          href="/account/sessions"
+          style=\{{
+            display: 'flex',
+            alignItems: 'center',
+            justifyContent: 'space-between',
+            padding: '0.875rem 1.25rem',
+            border: '1px solid var(--border, #e5e7eb)',
+            borderRadius: '8px',
+            textDecoration: 'none',
+            color: 'var(--fg, #111)',
+          }}
+        >
+          <div>
+            <div style=\{{ fontWeight: 600, fontSize: '0.9rem' }}>Active sessions</div>
+            <div style=\{{ fontSize: '0.8rem', color: 'var(--fg-muted, #666)', marginTop: '0.125rem' }}>
+              See and revoke devices signed in to your account
+            </div>
+          </div>
+          <span style=\{{ color: 'var(--fg-muted, #666)' }}>›</span>
+        </a>
+        <a
+          href="/account/activity"
+          style=\{{
+            display: 'flex',
+            alignItems: 'center',
+            justifyContent: 'space-between',
+            padding: '0.875rem 1.25rem',
+            border: '1px solid var(--border, #e5e7eb)',
+            borderRadius: '8px',
+            textDecoration: 'none',
+            color: 'var(--fg, #111)',
+          }}
+        >
+          <div>
+            <div style=\{{ fontWeight: 600, fontSize: '0.9rem' }}>Sign-in activity</div>
+            <div style=\{{ fontSize: '0.8rem', color: 'var(--fg-muted, #666)', marginTop: '0.125rem' }}>
+              Review your account&apos;s sign-in history
+            </div>
+          </div>
+          <span style=\{{ color: 'var(--fg-muted, #666)' }}>›</span>
+        </a>
+      </nav>
     </main>
   );
 }