create-svc 0.1.10 → 0.1.11

package/templates/variants/bun-connectrpc/test/waitlist.integration.test.ts

@@ -0,0 +1,71 @@
+import { afterEach, beforeEach, expect, test } from "bun:test";
+import { SQL } from "bun";
+import { createDb } from "../src/db/client";
+import { WaitlistRepository } from "../src/db/repository";
+import { DefaultWaitlistService } from "../src/waitlist/service";
+import { createRpcService } from "../src/index";
+
+const databaseUrl = Bun.env.DATABASE_URL?.trim();
+const integrationTest = databaseUrl ? test : test.skip;
+
+let sql: SQL | null = null;
+
+beforeEach(async () => {
+  if (!databaseUrl) {
+    return;
+  }
+  sql = new SQL(databaseUrl);
+  await sql.unsafe(`
+    truncate table
+      waitlist_triggers,
+      waitlist_entries
+    restart identity cascade
+  `);
+});
+
+afterEach(async () => {
+  await sql?.end();
+  sql = null;
+});
+
+integrationTest("waitlist rpc join is idempotent and records triggers", async () => {
+  const rpc = createRpcService(new DefaultWaitlistService(new WaitlistRepository(createDb(databaseUrl))));
+
+  const first = await rpc.joinWaitlist!({
+    email: "Founder@Example.com",
+    name: "Founder",
+    company: "Example Co",
+    source: "homepage",
+  } as any, undefined as never);
+  expect(first.created).toBe(true);
+  expect(first.entry!.email).toBe("founder@example.com");
+
+  const second = await rpc.joinWaitlist!({ email: "founder@example.com" } as any, undefined as never);
+  expect(second.created).toBe(false);
+  expect(second.entry!.id).toBe(first.entry!.id);
+
+  const trigger = await rpc.recordTrigger!({
+    type: "cron.digest",
+    entryId: first.entry!.id,
+    payloadJson: "{}",
+  } as any, undefined as never);
+  expect(trigger.trigger).toMatchObject({
+    type: "cron.digest",
+    entryId: first.entry!.id,
+    status: "queued",
+  });
+
+  const updated = await rpc.updateWaitlistEntry!({
+    entryId: first.entry!.id,
+    status: "invited",
+  } as any, undefined as never);
+  expect(updated.entry).toMatchObject({ id: first.entry!.id, status: "invited" });
+
+  const list = await rpc.listWaitlistEntries!({ status: "invited" } as any, undefined as never);
+  const entries = list.entries ?? [];
+  expect(entries).toHaveLength(1);
+  expect(entries[0]).toMatchObject({ id: first.entry!.id, status: "invited" });
+
+  const exported = await rpc.exportWaitlistEntries!({ status: "invited" } as any, undefined as never);
+  expect(exported.csv).toContain("founder@example.com");
+});

package/templates/variants/bun-hono/Makefile

@@ -1,9 +1,9 @@
-.PHONY: dev migrate gen lint test bootstrap deploy cleanup
+.PHONY: dev migrate gen lint test create deploy dashboards auth destroy
 
-CLOUDRUN := npx --no-install svc-cloudrun
+SERVICE := npx --no-install service
 
 dev:
-	bun run ./src/index.ts
+	bun run dev
 
 migrate:
 	bun run ./scripts/migrate.ts
@@ -17,11 +17,17 @@ lint:
 test:
 	bun test
 
-bootstrap:
-	$(CLOUDRUN) bootstrap
+create:
+	$(SERVICE) create
 
 deploy:
-	$(CLOUDRUN) deploy $(ARGS)
+	$(SERVICE) deploy $(ARGS)
 
-cleanup:
-	$(CLOUDRUN) cleanup $(ARGS)
+dashboards:
+	$(SERVICE) dashboards
+
+auth:
+	$(SERVICE) auth $(ARGS)
+
+destroy:
+	$(SERVICE) destroy $(ARGS)

package/templates/variants/bun-hono/migrations/0000_init.sql

@@ -1,63 +1,20 @@
-create table if not exists users (
+create table if not exists waitlist_entries (
   id text primary key,
-  username text not null unique,
-  display_name text,
+  email text not null unique,
+  name text,
+  company text,
+  source text,
+  status text not null default 'joined',
   created_at timestamptz not null default now(),
   updated_at timestamptz not null default now()
 );
 
-create table if not exists conversations (
+create table if not exists waitlist_triggers (
   id text primary key,
-  title text,
-  created_by_user_id text not null references users(id),
-  deleted_at timestamptz,
-  created_at timestamptz not null default now(),
-  updated_at timestamptz not null default now()
-);
-
-create table if not exists conversation_participants (
-  conversation_id text not null references conversations(id) on delete cascade,
-  user_id text not null references users(id) on delete cascade,
-  joined_at timestamptz not null default now(),
-  primary key (conversation_id, user_id)
-);
-
-create table if not exists messages (
-  id text primary key,
-  conversation_id text not null references conversations(id) on delete cascade,
-  user_id text not null references users(id),
-  body text not null,
-  edited_at timestamptz,
-  deleted_at timestamptz,
-  created_at timestamptz not null default now(),
-  updated_at timestamptz not null default now()
-);
-
-create table if not exists attachments (
-  id text primary key,
-  conversation_id text not null references conversations(id) on delete cascade,
-  message_id text references messages(id),
-  uploaded_by_user_id text not null references users(id),
-  storage_bucket text not null,
-  storage_key text not null,
-  content_type text not null,
-  byte_size integer not null,
-  filename text not null,
-  status text not null,
-  deleted_at timestamptz,
-  created_at timestamptz not null default now(),
-  updated_at timestamptz not null default now()
-);
-
-create table if not exists webhook_events (
-  id text primary key,
-  provider text not null,
-  external_event_id text not null,
-  event_type text not null,
-  signature_valid text not null,
-  status text not null,
+  type text not null,
+  entry_id text references waitlist_entries(id),
+  status text not null default 'queued',
   payload_json text not null,
-  received_at timestamptz not null default now(),
-  processed_at timestamptz,
-  unique(provider, external_event_id)
+  created_at timestamptz not null default now(),
+  processed_at timestamptz
 );

package/templates/variants/bun-hono/package.json

@@ -3,21 +3,28 @@
   "private": true,
   "type": "module",
   "bin": {
-    "svc-cloudrun": "./scripts/cloudrun/cli.ts"
+    "service": "./scripts/cloudrun/cli.ts"
   },
   "scripts": {
-    "dev": "bun run ./src/index.ts",
+    "dev": "bun run ./scripts/dev.ts bun run ./src/index.ts",
+    "service": "bun run ./scripts/cloudrun/cli.ts",
     "migrate": "bun run ./scripts/migrate.ts",
     "gen": "bun run ./scripts/codegen.ts",
     "lint": "bunx tsc --noEmit",
     "test": "bun test",
-    "bootstrap": "bun run ./scripts/cloudrun/cli.ts bootstrap",
+    "create": "bun run ./scripts/cloudrun/cli.ts create",
     "deploy": "bun run ./scripts/cloudrun/cli.ts deploy",
-    "cleanup": "bun run ./scripts/cloudrun/cli.ts cleanup"
+    "dashboards": "bun run ./scripts/cloudrun/cli.ts dashboards",
+    "auth": "bun run ./scripts/cloudrun/cli.ts auth",
+    "destroy": "bun run ./scripts/cloudrun/cli.ts destroy"
   },
   "dependencies": {
-    "@google-cloud/storage": "^7.17.2",
+    "@anmho/authctl": "0.1.1",
     "@clack/prompts": "^1.2.0",
+    "@temporalio/activity": "1.17.1",
+    "@temporalio/client": "1.17.1",
+    "@temporalio/worker": "1.17.1",
+    "@temporalio/workflow": "1.17.1",
     "drizzle-orm": "^0.44.5",
     "@neondatabase/api-client": "^2.7.1",
     "hono": "^4.10.1"

package/templates/variants/bun-hono/scripts/migrate.ts

@@ -1,4 +1,7 @@
 import { SQL } from "bun";
+import { ensureLocalPostgres } from "./local-docker";
+
+await ensureLocalPostgres();
 
 const databaseUrl = Bun.env.DATABASE_URL?.trim();
 if (!databaseUrl) {
@@ -7,7 +10,7 @@ if (!databaseUrl) {
 
 const client = new SQL(databaseUrl);
 await waitForDatabase(client);
-const migrationId = "0000_init_chat";
+const migrationId = "0000_init_waitlist";
 const migrationSql = await Bun.file(new URL("../migrations/0000_init.sql", import.meta.url)).text();
 
 await client.unsafe(`create table if not exists schema_migrations (

package/templates/variants/bun-hono/src/auth.ts

@@ -0,0 +1,181 @@
+type AuthConfig = {
+  enabled: boolean;
+  issuer: string;
+  audience: string;
+  jwksUrl: string;
+};
+
+type JwtHeader = {
+  alg?: string;
+  kid?: string;
+};
+
+type JwtClaims = {
+  iss?: string;
+  aud?: string | string[];
+  exp?: number;
+  nbf?: number;
+  sub?: string;
+  client_id?: string;
+  scope?: string;
+};
+
+type Jwk = JsonWebKey & {
+  kid?: string;
+};
+
+type Jwks = {
+  keys: Jwk[];
+};
+
+const encoder = new TextEncoder();
+const jwksCache = new Map<string, { expiresAt: number; jwks: Jwks }>();
+
+export function authMiddleware(getConfig = authConfigFromEnv) {
+  return async (context: any, next: () => Promise<void>) => {
+    const config = getConfig();
+    if (!config.enabled) {
+      await next();
+      return;
+    }
+
+    const authorization = context.req.header("authorization") ?? "";
+    const token = bearerToken(authorization);
+    if (!token) {
+      return context.json({ error: "missing bearer token", code: "unauthorized" }, 401);
+    }
+
+    try {
+      await verifyAccessToken(token, config);
+      await next();
+    } catch {
+      return context.json({ error: "invalid bearer token", code: "unauthorized" }, 401);
+    }
+  };
+}
+
+export function authConfigFromEnv(): AuthConfig {
+  return {
+    enabled: truthy(Bun.env.AUTH_ENABLED),
+    issuer: Bun.env.AUTH_ISSUER ?? "",
+    audience: Bun.env.AUTH_AUDIENCE ?? "",
+    jwksUrl: Bun.env.AUTH_JWKS_URL ?? "",
+  };
+}
+
+async function verifyAccessToken(token: string, config: AuthConfig): Promise<JwtClaims> {
+  const parts = token.split(".");
+  if (parts.length !== 3 || !config.issuer || !config.audience || !config.jwksUrl) {
+    throw new Error("invalid auth config or token");
+  }
+
+  const [encodedHeader, encodedPayload, encodedSignature] = parts;
+  const header = decodeJSON<JwtHeader>(encodedHeader);
+  const claims = decodeJSON<JwtClaims>(encodedPayload);
+  const jwks = await fetchJwks(config.jwksUrl);
+  const key = selectKey(jwks, header);
+  if (!key || !header.alg) {
+    throw new Error("matching jwk not found");
+  }
+
+  const algorithm = importAlgorithm(header.alg, key);
+  const cryptoKey = await crypto.subtle.importKey("jwk", key, algorithm.import, false, ["verify"]);
+  const verified = await crypto.subtle.verify(
+    algorithm.verify,
+    cryptoKey,
+    toArrayBuffer(decodeBase64Url(encodedSignature)),
+    encoder.encode(`${encodedHeader}.${encodedPayload}`)
+  );
+  if (!verified) {
+    throw new Error("bad signature");
+  }
+
+  validateClaims(claims, config);
+  return claims;
+}
+
+async function fetchJwks(jwksUrl: string): Promise<Jwks> {
+  const cached = jwksCache.get(jwksUrl);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.jwks;
+  }
+
+  const response = await fetch(jwksUrl);
+  if (!response.ok) {
+    throw new Error(`jwks fetch failed: ${response.status}`);
+  }
+  const jwks = (await response.json()) as Jwks;
+  jwksCache.set(jwksUrl, { jwks, expiresAt: Date.now() + 5 * 60 * 1000 });
+  return jwks;
+}
+
+function selectKey(jwks: Jwks, header: JwtHeader): Jwk | undefined {
+  if (header.kid) {
+    return jwks.keys.find((key) => key.kid === header.kid);
+  }
+  return jwks.keys.length === 1 ? jwks.keys[0] : undefined;
+}
+
+function importAlgorithm(alg: string, key: JsonWebKey) {
+  if (alg === "RS256") {
+    return {
+      import: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      verify: { name: "RSASSA-PKCS1-v1_5" },
+    } as const;
+  }
+  if (alg === "ES256" && key.crv === "P-256") {
+    return {
+      import: { name: "ECDSA", namedCurve: "P-256" },
+      verify: { name: "ECDSA", hash: "SHA-256" },
+    } as const;
+  }
+  if (alg === "EdDSA" && key.crv === "Ed25519") {
+    return {
+      import: { name: "Ed25519" },
+      verify: { name: "Ed25519" },
+    } as const;
+  }
+  throw new Error(`unsupported jwt alg: ${alg}`);
+}
+
+function validateClaims(claims: JwtClaims, config: AuthConfig) {
+  const now = Math.floor(Date.now() / 1000);
+  if (claims.iss !== config.issuer) {
+    throw new Error("issuer mismatch");
+  }
+  if (!audienceMatches(claims.aud, config.audience)) {
+    throw new Error("audience mismatch");
+  }
+  if (typeof claims.exp !== "number" || claims.exp <= now - 30) {
+    throw new Error("token expired");
+  }
+  if (typeof claims.nbf === "number" && claims.nbf > now + 30) {
+    throw new Error("token not active");
+  }
+}
+
+function audienceMatches(audience: JwtClaims["aud"], expected: string) {
+  return Array.isArray(audience) ? audience.includes(expected) : audience === expected;
+}
+
+function decodeJSON<T>(value: string): T {
+  return JSON.parse(new TextDecoder().decode(decodeBase64Url(value))) as T;
+}
+
+function decodeBase64Url(value: string): Uint8Array {
+  const base64 = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(value.length / 4) * 4, "=");
+  return Uint8Array.from(atob(base64), (char) => char.charCodeAt(0));
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength) as ArrayBuffer;
+}
+
+function bearerToken(value: string) {
+  const [scheme, token] = value.trim().split(/\s+/, 2);
+  return /^Bearer$/i.test(scheme) ? token : "";
+}
+
+function truthy(value: string | undefined) {
+  return ["1", "true", "yes", "on"].includes((value ?? "").trim().toLowerCase());
+}