dineway 0.1.3 → 0.1.4

package/src/astro/routes/api/taxonomies/[name]/terms/index.ts

@@ -0,0 +1,69 @@
+/**
+ * Taxonomy terms list and create endpoint
+ *
+ * GET /_dineway/api/taxonomies/:name/terms - List all terms (tree for hierarchical)
+ * POST /_dineway/api/taxonomies/:name/terms - Create a new term
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleTermCreate, handleTermList } from "#api/handlers/taxonomies.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { createTermBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+/**
+ * List all terms for a taxonomy
+ */
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { name } = params;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleTermList(dineway.db, name);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to list terms", "TERM_LIST_ERROR");
+	}
+};
+
+/**
+ * Create a new term
+ */
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { name } = params;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createTermBody);
+		if (isParseError(body)) return body;
+
+		const result = await handleTermCreate(dineway.db, name, body);
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create term", "TERM_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/taxonomies/index.ts

@@ -0,0 +1,59 @@
+/**
+ * Taxonomy definitions endpoint
+ *
+ * GET  /_dineway/api/taxonomies - List all taxonomy definitions
+ * POST /_dineway/api/taxonomies - Create a custom taxonomy definition
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleTaxonomyCreate, handleTaxonomyList } from "#api/handlers/taxonomies.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { createTaxonomyDefBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+/**
+ * List taxonomy definitions
+ */
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleTaxonomyList(dineway.db);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to list taxonomies", "TAXONOMY_LIST_ERROR");
+	}
+};
+
+/**
+ * Create a custom taxonomy definition
+ */
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createTaxonomyDefBody);
+		if (isParseError(body)) return body;
+
+		const result = await handleTaxonomyCreate(dineway.db, body);
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create taxonomy", "TAXONOMY_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/themes/preview.ts

@@ -0,0 +1,78 @@
+/**
+ * Theme preview signing endpoint
+ *
+ * POST /_dineway/api/themes/preview
+ *
+ * Generates a signed preview URL for the "Try with my data" feature.
+ * The PREVIEW_SECRET must be set in the environment (shared with the preview sidecar).
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess } from "#api/error.js";
+import { getPublicOrigin } from "#api/public-url.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ request, url, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "plugins:read");
+	if (denied) return denied;
+
+	const secret = import.meta.env.DINEWAY_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
+	if (!secret) {
+		return apiError("NOT_CONFIGURED", "PREVIEW_SECRET is not configured", 500);
+	}
+
+	let body: { previewUrl: string };
+	try {
+		body = await request.json();
+	} catch {
+		return apiError("INVALID_REQUEST", "Invalid JSON body", 400);
+	}
+
+	if (!body.previewUrl || typeof body.previewUrl !== "string") {
+		return apiError("INVALID_REQUEST", "previewUrl is required", 400);
+	}
+
+	// Validate previewUrl is a valid HTTPS URL
+	let parsedPreviewUrl: URL;
+	try {
+		parsedPreviewUrl = new URL(body.previewUrl);
+	} catch {
+		return apiError("INVALID_REQUEST", "previewUrl must be a valid URL", 400);
+	}
+
+	if (parsedPreviewUrl.protocol !== "https:") {
+		return apiError("INVALID_REQUEST", "previewUrl must use HTTPS", 400);
+	}
+
+	const source = getPublicOrigin(url, dineway?.config);
+	const ttl = 3600; // 1 hour
+	const exp = Math.floor(Date.now() / 1000) + ttl;
+
+	// HMAC-SHA256 sign: message = "source:exp"
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey(
+		"raw",
+		encoder.encode(secret),
+		{ name: "HMAC", hash: "SHA-256" },
+		false,
+		["sign"],
+	);
+	const buffer = await crypto.subtle.sign("HMAC", key, encoder.encode(`${source}:${exp}`));
+	const sig = Array.from(new Uint8Array(buffer), (b) => b.toString(16).padStart(2, "0")).join("");
+
+	const previewUrl = new URL(body.previewUrl);
+	previewUrl.searchParams.set("source", source);
+	previewUrl.searchParams.set("exp", String(exp));
+	previewUrl.searchParams.set("sig", sig);
+
+	return apiSuccess({ url: previewUrl.toString() });
+};

package/src/astro/routes/api/typegen.ts

@@ -0,0 +1,114 @@
+/**
+ * Typegen endpoint - generates dineway-env.d.ts content
+ *
+ * POST /_dineway/api/typegen - Generate types and return as JSON
+ * GET /_dineway/api/typegen - Return types as text (for preview/debugging)
+ *
+ * The caller (integration or CLI) is responsible for writing the file to disk.
+ * This endpoint only generates the content — it has no filesystem access, so it
+ * stays portable across runtimes where the project root or Node filesystem APIs
+ * are not available here.
+ *
+ * Dev-only endpoint - disabled in production.
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import type { SchemaRegistry } from "#schema/registry.js";
+
+export const prerender = false;
+
+/**
+ * Safely list collections, returning empty array if tables don't exist yet
+ */
+async function safeListCollections(registry: SchemaRegistry) {
+	try {
+		return await registry.listCollections();
+	} catch (error) {
+		// Handle missing tables for new sites that haven't run setup yet
+		if (error instanceof Error && error.message.includes("no such table")) {
+			return [];
+		}
+		throw error;
+	}
+}
+
+/**
+ * Generate types content and metadata from the current schema.
+ */
+async function generateTypes(registry: SchemaRegistry) {
+	const { generateTypesFile, generateSchemaHash } = await import("#schema/zod-generator.js");
+
+	const collections = await safeListCollections(registry);
+	const collectionsWithFields = await Promise.all(
+		collections.map(async (c) => {
+			const fields = await registry.listFields(c.id);
+			return { ...c, fields };
+		}),
+	);
+
+	const types = generateTypesFile(collectionsWithFields);
+	const hash: string = await generateSchemaHash(collectionsWithFields);
+
+	return { types, hash, collections: collections.length };
+}
+
+/**
+ * GET - Return types as plain text (for preview/debugging)
+ */
+export const GET: APIRoute = async ({ locals }) => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Typegen is only available in development", 403);
+	}
+
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	try {
+		const { SchemaRegistry } = await import("#schema/registry.js");
+		const registry = new SchemaRegistry(dineway.db);
+		const { types } = await generateTypes(registry);
+
+		return new Response(types, {
+			status: 200,
+			headers: {
+				"Content-Type": "text/typescript",
+				"Cache-Control": "private, no-store",
+			},
+		});
+	} catch (error) {
+		return handleError(error, "Typegen failed", "TYPEGEN_ERROR");
+	}
+};
+
+/**
+ * POST - Generate types and return as JSON
+ *
+ * The caller writes the file to disk. Response shape:
+ * { types: string, hash: string, collections: number }
+ */
+export const POST: APIRoute = async ({ locals }) => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Typegen is only available in development", 403);
+	}
+
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	try {
+		const { SchemaRegistry } = await import("#schema/registry.js");
+		const registry = new SchemaRegistry(dineway.db);
+		const result = await generateTypes(registry);
+
+		return apiSuccess(result);
+	} catch (error) {
+		return handleError(error, "Typegen failed", "TYPEGEN_ERROR");
+	}
+};

package/src/astro/routes/api/well-known/auth.ts

@@ -0,0 +1,69 @@
+/**
+ * GET /_dineway/.well-known/auth
+ *
+ * Auth discovery endpoint. Returns available auth mechanisms.
+ * Public, unauthenticated. Used by CLI to determine how to authenticate.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getAuthMode } from "#auth/mode.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway } = locals;
+
+	// Build discovery response
+	const config = dineway?.config;
+	const authMode = config ? getAuthMode(config) : null;
+
+	const isExternal = authMode?.type === "external";
+
+	// Try to read site name from DB options
+	let siteName = "Dineway";
+	if (dineway?.db) {
+		try {
+			const options = new OptionsRepository(dineway.db);
+			siteName = (await options.get<string>("dineway:site_title")) || "Dineway";
+		} catch {
+			// DB may not be initialized yet
+		}
+	}
+
+	const response: Record<string, unknown> = {
+		instance: {
+			name: siteName,
+			version: "0.1.0",
+		},
+		auth: {
+			mode: isExternal ? "external" : "passkey",
+			...(isExternal && authMode.type === "external"
+				? { external_provider: authMode.entrypoint }
+				: {}),
+			methods: {
+				device_flow: !isExternal
+					? {
+							client_id: "dineway-cli",
+							device_authorization_endpoint: "/_dineway/api/oauth/device/code",
+							token_endpoint: "/_dineway/api/oauth/device/token",
+						}
+					: undefined,
+				authorization_code: !isExternal
+					? {
+							authorization_endpoint: "/_dineway/oauth/authorize",
+							token_endpoint: "/_dineway/api/oauth/token",
+						}
+					: undefined,
+				api_tokens: true,
+			},
+		},
+	};
+
+	return Response.json(response, {
+		headers: {
+			"Cache-Control": "no-store",
+		},
+	});
+};

package/src/astro/routes/api/well-known/oauth-authorization-server.ts

@@ -0,0 +1,45 @@
+/**
+ * GET /_dineway/.well-known/oauth-authorization-server
+ *
+ * RFC 8414 Authorization Server Metadata. Tells MCP clients which
+ * endpoints to use for OAuth authorization, token exchange, etc.
+ *
+ * Public, unauthenticated.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getPublicOrigin } from "#api/public-url.js";
+import { VALID_SCOPES } from "#auth/api-tokens.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const origin = getPublicOrigin(url, locals.dineway?.config);
+	const issuer = `${origin}/_dineway`;
+
+	return Response.json(
+		{
+			issuer,
+			authorization_endpoint: `${origin}/_dineway/oauth/authorize`,
+			token_endpoint: `${origin}/_dineway/api/oauth/token`,
+			scopes_supported: [...VALID_SCOPES],
+			response_types_supported: ["code"],
+			grant_types_supported: [
+				"authorization_code",
+				"refresh_token",
+				"urn:ietf:params:oauth:grant-type:device_code",
+			],
+			code_challenge_methods_supported: ["S256"],
+			token_endpoint_auth_methods_supported: ["none"],
+			client_id_metadata_document_supported: true,
+			device_authorization_endpoint: `${origin}/_dineway/api/oauth/device/code`,
+		},
+		{
+			headers: {
+				"Cache-Control": "public, max-age=3600",
+				"Access-Control-Allow-Origin": "*",
+			},
+		},
+	);
+};

package/src/astro/routes/api/well-known/oauth-protected-resource.ts

@@ -0,0 +1,38 @@
+/**
+ * GET /.well-known/oauth-protected-resource
+ *
+ * RFC 9728 Protected Resource Metadata. Tells MCP clients where to find
+ * the authorization server. Injected at the site root (not under /_dineway/)
+ * because RFC 9728 requires it at the well-known URI of the resource's origin.
+ *
+ * Also serves as `/.well-known/oauth-protected-resource/_dineway/api/mcp`
+ * (path-scoped variant) when Astro's routing allows.
+ *
+ * Public, unauthenticated.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getPublicOrigin } from "#api/public-url.js";
+import { VALID_SCOPES } from "#auth/api-tokens.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const origin = getPublicOrigin(url, locals.dineway?.config);
+
+	return Response.json(
+		{
+			resource: `${origin}/_dineway/api/mcp`,
+			authorization_servers: [`${origin}/_dineway`],
+			scopes_supported: [...VALID_SCOPES],
+			bearer_methods_supported: ["header"],
+		},
+		{
+			headers: {
+				"Cache-Control": "public, max-age=3600",
+				"Access-Control-Allow-Origin": "*",
+			},
+		},
+	);
+};

package/src/astro/routes/api/widget-areas/[name]/reorder.ts

@@ -0,0 +1,72 @@
+/**
+ * Reorder widgets endpoint
+ *
+ * POST /_dineway/api/widget-areas/:name/reorder
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { reorderWidgetsBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "name is required", 400);
+	}
+
+	try {
+		// Get the area
+		const area = await db
+			.selectFrom("_dineway_widget_areas")
+			.select("id")
+			.where("name", "=", name)
+			.executeTakeFirst();
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		const body = await parseBody(request, reorderWidgetsBody);
+		if (isParseError(body)) return body;
+
+		// Verify all widget IDs belong to this area
+		const existingWidgets = await db
+			.selectFrom("_dineway_widgets")
+			.select("id")
+			.where("area_id", "=", area.id)
+			.execute();
+
+		const existingIds = new Set(existingWidgets.map((w) => w.id));
+		for (const id of body.widgetIds) {
+			if (!existingIds.has(id)) {
+				return apiError("VALIDATION_ERROR", `Widget "${id}" not found in area "${name}"`, 400);
+			}
+		}
+
+		// Update sort_order for each widget
+		await Promise.all(
+			body.widgetIds.map((id, index) =>
+				db
+					.updateTable("_dineway_widgets")
+					.set({ sort_order: index })
+					.where("id", "=", id)
+					.execute(),
+			),
+		);
+
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Failed to reorder widgets", "WIDGET_REORDER_ERROR");
+	}
+};

package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts

@@ -0,0 +1,127 @@
+/**
+ * Single widget endpoints
+ *
+ * PUT    /_dineway/api/widget-areas/:name/widgets/:id - Update widget
+ * DELETE /_dineway/api/widget-areas/:name/widgets/:id - Delete widget
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { updateWidgetBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name, id } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name || !id) {
+		return apiError("VALIDATION_ERROR", "name and id are required", 400);
+	}
+
+	try {
+		// Get the area
+		const area = await db
+			.selectFrom("_dineway_widget_areas")
+			.select("id")
+			.where("name", "=", name)
+			.executeTakeFirst();
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		// Check widget exists and belongs to this area
+		const existingWidget = await db
+			.selectFrom("_dineway_widgets")
+			.select("id")
+			.where("id", "=", id)
+			.where("area_id", "=", area.id)
+			.executeTakeFirst();
+
+		if (!existingWidget) {
+			return apiError("NOT_FOUND", `Widget "${id}" not found in area "${name}"`, 404);
+		}
+
+		const body = await parseBody(request, updateWidgetBody);
+		if (isParseError(body)) return body;
+
+		// Build update object (only update provided fields)
+		const updates: Record<string, unknown> = {};
+		if (body.title !== undefined) updates.title = body.title || null;
+		if (body.type !== undefined) updates.type = body.type;
+		if (body.content !== undefined)
+			updates.content = body.content ? JSON.stringify(body.content) : null;
+		if (body.menuName !== undefined) updates.menu_name = body.menuName || null;
+		if (body.componentId !== undefined) updates.component_id = body.componentId || null;
+		if (body.componentProps !== undefined)
+			updates.component_props = body.componentProps ? JSON.stringify(body.componentProps) : null;
+
+		if (Object.keys(updates).length === 0) {
+			return apiError("VALIDATION_ERROR", "No fields to update", 400);
+		}
+
+		await db.updateTable("_dineway_widgets").set(updates).where("id", "=", id).execute();
+
+		const widget = await db
+			.selectFrom("_dineway_widgets")
+			.selectAll()
+			.where("id", "=", id)
+			.executeTakeFirstOrThrow();
+
+		return apiSuccess(widget);
+	} catch (error) {
+		return handleError(error, "Failed to update widget", "WIDGET_UPDATE_ERROR");
+	}
+};
+
+export const DELETE: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name, id } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name || !id) {
+		return apiError("VALIDATION_ERROR", "name and id are required", 400);
+	}
+
+	try {
+		// Get the area
+		const area = await db
+			.selectFrom("_dineway_widget_areas")
+			.select("id")
+			.where("name", "=", name)
+			.executeTakeFirst();
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		// Check widget exists and belongs to this area
+		const existingWidget = await db
+			.selectFrom("_dineway_widgets")
+			.select("id")
+			.where("id", "=", id)
+			.where("area_id", "=", area.id)
+			.executeTakeFirst();
+
+		if (!existingWidget) {
+			return apiError("NOT_FOUND", `Widget "${id}" not found in area "${name}"`, 404);
+		}
+
+		await db.deleteFrom("_dineway_widgets").where("id", "=", id).execute();
+
+		return apiSuccess({ deleted: true });
+	} catch (error) {
+		return handleError(error, "Failed to delete widget", "WIDGET_DELETE_ERROR");
+	}
+};