dineway 0.1.3 → 0.1.4

package/src/astro/routes/api/oauth/token.ts

@@ -0,0 +1,184 @@
+/**
+ * POST /_dineway/api/oauth/token
+ *
+ * Unified token endpoint per OAuth 2.1. Routes by `grant_type`:
+ * - authorization_code: Authorization Code + PKCE exchange
+ * - urn:ietf:params:oauth:grant-type:device_code: Device Flow
+ * - refresh_token: Token refresh
+ *
+ * Accepts both application/x-www-form-urlencoded (spec-standard) and
+ * application/json (for backwards compatibility with existing clients).
+ *
+ * This is an unauthenticated endpoint — callers present tokens/codes
+ * instead of session cookies.
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { apiError, handleError } from "#api/error.js";
+import { handleDeviceTokenExchange, handleTokenRefresh } from "#api/handlers/device-flow.js";
+import { handleAuthorizationCodeExchange } from "#api/handlers/oauth-authorization.js";
+
+export const prerender = false;
+
+// ---------------------------------------------------------------------------
+// Parse helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse the request body from either form-encoded or JSON.
+ * OAuth 2.1 mandates form-encoded, but we accept both.
+ */
+async function parseTokenBody(request: Request): Promise<Record<string, string>> {
+	const contentType = request.headers.get("content-type") ?? "";
+
+	if (contentType.includes("application/x-www-form-urlencoded")) {
+		const text = await request.text();
+		const params = new URLSearchParams(text);
+		const result: Record<string, string> = {};
+		for (const [key, value] of params) {
+			result[key] = value;
+		}
+		return result;
+	}
+
+	// Fallback: try JSON
+	try {
+		const json = Object(await request.json()) as Record<string, unknown>;
+		const result: Record<string, string> = {};
+		for (const [key, value] of Object.entries(json)) {
+			if (typeof value === "string") {
+				result[key] = value;
+			} else if (typeof value === "number") {
+				result[key] = String(value);
+			}
+		}
+		return result;
+	} catch {
+		return {};
+	}
+}
+
+// ---------------------------------------------------------------------------
+// Schemas
+// ---------------------------------------------------------------------------
+
+const authCodeSchema = z.object({
+	grant_type: z.literal("authorization_code"),
+	code: z.string().min(1),
+	redirect_uri: z.string().min(1),
+	client_id: z.string().min(1),
+	code_verifier: z.string().min(43).max(128),
+	resource: z.string().optional(),
+});
+
+const deviceCodeSchema = z.object({
+	grant_type: z.literal("urn:ietf:params:oauth:grant-type:device_code"),
+	device_code: z.string().min(1),
+});
+
+const refreshSchema = z.object({
+	grant_type: z.literal("refresh_token"),
+	refresh_token: z.string().min(1),
+});
+
+// ---------------------------------------------------------------------------
+// Handler
+// ---------------------------------------------------------------------------
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseTokenBody(request);
+		const grantType = body.grant_type;
+
+		if (!grantType) {
+			return oauthError("invalid_request", "grant_type is required", 400);
+		}
+
+		switch (grantType) {
+			case "authorization_code": {
+				const parsed = authCodeSchema.safeParse(body);
+				if (!parsed.success) {
+					return oauthError("invalid_request", formatZodError(parsed.error), 400);
+				}
+
+				const result = await handleAuthorizationCodeExchange(dineway.db, parsed.data);
+				if (!result.success) {
+					const err = result.error ?? { code: "unknown", message: "Unknown error" };
+					return oauthError(err.code, err.message, 400);
+				}
+				return oauthSuccess(result.data);
+			}
+
+			case "urn:ietf:params:oauth:grant-type:device_code": {
+				const parsed = deviceCodeSchema.safeParse(body);
+				if (!parsed.success) {
+					return oauthError("invalid_request", formatZodError(parsed.error), 400);
+				}
+
+				const result = await handleDeviceTokenExchange(dineway.db, parsed.data);
+				if (!result.success) {
+					const err = result.error ?? { code: "unknown", message: "Unknown error" };
+					// RFC 8628 requires specific error format
+					if (result.deviceFlowError) {
+						return oauthError(result.deviceFlowError, err.message, 400);
+					}
+					return oauthError(err.code, err.message, 400);
+				}
+				return oauthSuccess(result.data);
+			}
+
+			case "refresh_token": {
+				const parsed = refreshSchema.safeParse(body);
+				if (!parsed.success) {
+					return oauthError("invalid_request", formatZodError(parsed.error), 400);
+				}
+
+				const result = await handleTokenRefresh(dineway.db, parsed.data);
+				if (!result.success) {
+					const err = result.error ?? { code: "unknown", message: "Unknown error" };
+					return oauthError(err.code, err.message, 400);
+				}
+				return oauthSuccess(result.data);
+			}
+
+			default:
+				return oauthError("unsupported_grant_type", `Unsupported grant_type: ${grantType}`, 400);
+		}
+	} catch (error) {
+		return handleError(error, "Failed to process token request", "TOKEN_ERROR");
+	}
+};
+
+// ---------------------------------------------------------------------------
+// OAuth response helpers (RFC 6749 §5.1 / §5.2)
+// ---------------------------------------------------------------------------
+
+/** RFC 6749 §5.1 requires Cache-Control: no-store and Pragma: no-cache on token responses */
+const OAUTH_TOKEN_HEADERS: HeadersInit = {
+	"Content-Type": "application/json",
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+};
+
+function oauthSuccess(data: unknown): Response {
+	return Response.json(data, { headers: OAUTH_TOKEN_HEADERS });
+}
+
+function oauthError(error: string, description: string, status: number): Response {
+	return Response.json(
+		{ error, error_description: description },
+		{ status, headers: OAUTH_TOKEN_HEADERS },
+	);
+}
+
+function formatZodError(error: z.ZodError): string {
+	return error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+}

package/src/astro/routes/api/openapi.json.ts

@@ -0,0 +1,32 @@
+/**
+ * OpenAPI spec endpoint
+ *
+ * GET /_dineway/api/openapi.json
+ *
+ * Returns the generated OpenAPI 3.1 document. The spec is generated once
+ * and cached for the lifetime of the process.
+ */
+
+import type { APIRoute } from "astro";
+
+import { generateOpenApiDocument } from "../../../api/openapi/index.js";
+
+export const prerender = false;
+
+let cachedSpec: string | null = null;
+
+export const GET: APIRoute = async () => {
+	if (!cachedSpec) {
+		const doc = generateOpenApiDocument();
+		cachedSpec = JSON.stringify(doc);
+	}
+
+	return new Response(cachedSpec, {
+		status: 200,
+		headers: {
+			"Content-Type": "application/json",
+			"Cache-Control": "public, max-age=3600",
+			"Access-Control-Allow-Origin": "*",
+		},
+	});
+};

package/src/astro/routes/api/plugins/[pluginId]/[...path].ts

@@ -0,0 +1,92 @@
+/**
+ * Plugin API routes - dynamic handler for plugin-defined endpoints
+ *
+ * Routes are mounted at /_dineway/api/plugins/{pluginId}/*
+ * Plugins register routes like "POST /do-something" which becomes
+ * POST /_dineway/api/plugins/{pluginId}/do-something
+ *
+ * Routes marked as `public: true` skip authentication and CSRF checks.
+ * Private routes (the default) require authentication and appropriate permissions.
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess } from "#api/error.js";
+import { requireScope } from "#auth/scopes.js";
+
+export const prerender = false;
+
+/**
+ * Handle all methods by matching against plugin-defined routes
+ */
+const handleRequest: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const pluginId = params.pluginId!;
+	const path = params.path || "";
+	const method = request.method.toUpperCase();
+
+	if (!dineway?.handlePluginApiRoute) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	// Resolve route metadata to decide auth before dispatch
+	const routeMeta = dineway.getPluginRouteMeta(pluginId, `/${path}`);
+
+	if (!routeMeta) {
+		return apiError("NOT_FOUND", "Plugin route not found", 404);
+	}
+
+	// Public routes skip auth, CSRF, and scope checks entirely
+	if (!routeMeta.public) {
+		// Private routes require authentication and permission checks
+		const permission = ["GET", "HEAD", "OPTIONS"].includes(method)
+			? "plugins:read"
+			: "plugins:manage";
+		const denied = requirePerm(user, permission);
+		if (denied) return denied;
+
+		// Token scope enforcement — plugin routes require "admin" scope.
+		// Session auth is implicitly full-access (requireScope returns null).
+		const scopeError = requireScope(locals, "admin");
+		if (scopeError) return scopeError;
+
+		// CSRF protection for state-changing requests on private routes.
+		// Plugin routes use soft auth in the middleware (user resolved but not required),
+		// so the middleware's CSRF check doesn't run. We enforce it here for private routes.
+		// Token-authed requests (which set tokenScopes) are exempt — tokens aren't
+		// ambient credentials like cookies.
+		if (
+			!["GET", "HEAD", "OPTIONS"].includes(method) &&
+			!locals.tokenScopes &&
+			request.headers.get("X-Dineway-Request") !== "1"
+		) {
+			return apiError("CSRF_REJECTED", "Missing required header", 403);
+		}
+	}
+
+	const result = await dineway.handlePluginApiRoute(pluginId, method, `/${path}`, request);
+
+	if (!result.success) {
+		const code = result.error?.code ?? "PLUGIN_ERROR";
+		// Pass through messages from known plugin errors (PluginRouteError),
+		// but mask internal errors (unhandled exceptions) to avoid leaking
+		// database errors, file paths, etc. from sandboxed plugins.
+		const message =
+			code === "INTERNAL_ERROR"
+				? "Plugin route error"
+				: (result.error?.message ?? "Plugin route error");
+		// PluginRouteError status is returned at the top level of the result
+		const status = (result as { status?: number }).status ?? (code === "NOT_FOUND" ? 404 : 400);
+		return apiError(code, message, status);
+	}
+
+	return apiSuccess(result.data);
+};
+
+// Export handlers for all HTTP methods
+export const GET = handleRequest;
+export const POST = handleRequest;
+export const PUT = handleRequest;
+export const PATCH = handleRequest;
+export const DELETE = handleRequest;

package/src/astro/routes/api/redirects/404s/index.ts

@@ -0,0 +1,72 @@
+/**
+ * 404 log list and management endpoints
+ *
+ * GET    /_dineway/api/redirects/404s - List 404 log entries
+ * DELETE /_dineway/api/redirects/404s - Clear all 404 log entries
+ * POST   /_dineway/api/redirects/404s - Prune 404 log entries older than date
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, unwrapResult } from "#api/error.js";
+import {
+	handleNotFoundClear,
+	handleNotFoundList,
+	handleNotFoundPrune,
+} from "#api/handlers/redirects.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { notFoundListQuery, notFoundPruneBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "redirects:read");
+	if (denied) return denied;
+
+	try {
+		const query = parseQuery(url, notFoundListQuery);
+		if (isParseError(query)) return query;
+
+		const result = await handleNotFoundList(db, query);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch 404 log", "NOT_FOUND_LIST_ERROR");
+	}
+};
+
+export const DELETE: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "redirects:manage");
+	if (denied) return denied;
+
+	try {
+		const result = await handleNotFoundClear(db);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to clear 404 log", "NOT_FOUND_CLEAR_ERROR");
+	}
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "redirects:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, notFoundPruneBody);
+		if (isParseError(body)) return body;
+
+		const result = await handleNotFoundPrune(db, body.olderThan);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to prune 404 log", "NOT_FOUND_PRUNE_ERROR");
+	}
+};

package/src/astro/routes/api/redirects/404s/summary.ts

@@ -0,0 +1,33 @@
+/**
+ * 404 summary endpoint
+ *
+ * GET /_dineway/api/redirects/404s/summary - Get 404 summary grouped by path
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, unwrapResult } from "#api/error.js";
+import { handleNotFoundSummary } from "#api/handlers/redirects.js";
+import { isParseError, parseQuery } from "#api/parse.js";
+import { notFoundSummaryQuery } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "redirects:read");
+	if (denied) return denied;
+
+	try {
+		const query = parseQuery(url, notFoundSummaryQuery);
+		if (isParseError(query)) return query;
+
+		const result = await handleNotFoundSummary(db, query.limit);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch 404 summary", "NOT_FOUND_SUMMARY_ERROR");
+	}
+};

package/src/astro/routes/api/redirects/[id].ts

@@ -0,0 +1,84 @@
+/**
+ * Redirect by ID endpoints
+ *
+ * GET    /_dineway/api/redirects/:id - Get redirect
+ * PUT    /_dineway/api/redirects/:id - Update redirect
+ * DELETE /_dineway/api/redirects/:id - Delete redirect
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import {
+	handleRedirectDelete,
+	handleRedirectGet,
+	handleRedirectUpdate,
+} from "#api/handlers/redirects.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { updateRedirectBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { id } = params;
+
+	const denied = requirePerm(user, "redirects:read");
+	if (denied) return denied;
+
+	if (!id) {
+		return apiError("VALIDATION_ERROR", "id is required", 400);
+	}
+
+	try {
+		const result = await handleRedirectGet(db, id);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch redirect", "REDIRECT_GET_ERROR");
+	}
+};
+
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { id } = params;
+
+	const denied = requirePerm(user, "redirects:manage");
+	if (denied) return denied;
+
+	if (!id) {
+		return apiError("VALIDATION_ERROR", "id is required", 400);
+	}
+
+	try {
+		const body = await parseBody(request, updateRedirectBody);
+		if (isParseError(body)) return body;
+
+		const result = await handleRedirectUpdate(db, id, body);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to update redirect", "REDIRECT_UPDATE_ERROR");
+	}
+};
+
+export const DELETE: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { id } = params;
+
+	const denied = requirePerm(user, "redirects:manage");
+	if (denied) return denied;
+
+	if (!id) {
+		return apiError("VALIDATION_ERROR", "id is required", 400);
+	}
+
+	try {
+		const result = await handleRedirectDelete(db, id);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to delete redirect", "REDIRECT_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/redirects/index.ts

@@ -0,0 +1,52 @@
+/**
+ * Redirects list and create endpoints
+ *
+ * GET  /_dineway/api/redirects - List redirects (with filters)
+ * POST /_dineway/api/redirects - Create redirect
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, unwrapResult } from "#api/error.js";
+import { handleRedirectCreate, handleRedirectList } from "#api/handlers/redirects.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { createRedirectBody, redirectsListQuery } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "redirects:read");
+	if (denied) return denied;
+
+	try {
+		const query = parseQuery(url, redirectsListQuery);
+		if (isParseError(query)) return query;
+
+		const result = await handleRedirectList(db, query);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch redirects", "REDIRECT_LIST_ERROR");
+	}
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "redirects:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createRedirectBody);
+		if (isParseError(body)) return body;
+
+		const result = await handleRedirectCreate(db, body);
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create redirect", "REDIRECT_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/revisions/[revisionId]/index.ts

@@ -0,0 +1,29 @@
+/**
+ * Single revision endpoint - injected by Dineway integration
+ *
+ * GET  /_dineway/api/revisions/{revisionId} - Get revision details
+ * POST /_dineway/api/revisions/{revisionId}/restore - Restore revision
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, unwrapResult } from "#api/error.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const revisionId = params.revisionId!;
+
+	const denied = requirePerm(user, "content:read");
+	if (denied) return denied;
+
+	if (!dineway?.handleRevisionGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	const result = await dineway.handleRevisionGet(revisionId);
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/revisions/[revisionId]/restore.ts

@@ -0,0 +1,62 @@
+/**
+ * Restore revision endpoint - injected by Dineway integration
+ *
+ * POST /_dineway/api/revisions/{revisionId}/restore - Restore revision
+ */
+
+import type { APIRoute } from "astro";
+
+import { requireOwnerPerm } from "#api/authorize.js";
+import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const revisionId = params.revisionId!;
+
+	if (
+		!dineway?.handleRevisionRestore ||
+		!dineway?.handleRevisionGet ||
+		!dineway?.handleContentGet
+	) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	// Fetch the revision to discover which content entry it belongs to
+	const revision = await dineway.handleRevisionGet(revisionId);
+	if (!revision.success) {
+		return apiError(
+			revision.error?.code ?? "UNKNOWN_ERROR",
+			revision.error?.message ?? "Revision not found",
+			mapErrorStatus(revision.error?.code),
+		);
+	}
+
+	const collection = revision.data?.item?.collection;
+	const entryId = revision.data?.item?.entryId;
+
+	if (!collection || !entryId) {
+		return apiError("INVALID_REVISION", "Revision is missing collection or entry reference", 400);
+	}
+
+	// Fetch the content entry to check ownership
+	const existing = await dineway.handleContentGet(collection, entryId);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Content not found",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+
+	const authorId = existing.data?.item?.authorId ?? "";
+
+	// Check ownership: authors can only restore their own content, editors+ can restore any
+	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
+	if (denied) return denied;
+
+	const result = await dineway.handleRevisionRestore(revisionId, user!.id);
+
+	return unwrapResult(result);
+};