dineway 0.1.3 → 0.1.4

package/src/astro/routes/api/auth/invite/index.ts

@@ -0,0 +1,99 @@
+/**
+ * POST /_dineway/api/auth/invite
+ *
+ * Create an invite for a new user. Admin only.
+ *
+ * When an email provider is configured (via the plugin email pipeline),
+ * the invite email is sent automatically.
+ * When no provider is configured, returns the invite URL for the admin
+ * to share manually (copy-link fallback).
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createInvite, InviteError, Role } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { inviteCreateBody } from "#api/schemas.js";
+import { getSiteBaseUrl } from "#api/site-url.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	if (!user || user.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const adapter = createKyselyAdapter(dineway.db);
+
+	try {
+		const body = await parseBody(request, inviteCreateBody);
+		if (isParseError(body)) return body;
+
+		// Default to AUTHOR role if not specified (Zod validates the level)
+		const role = body.role ?? Role.AUTHOR;
+
+		// Get site config for invite email
+		const options = new OptionsRepository(dineway.db);
+		const siteName = (await options.get<string>("dineway:site_title")) || "Dineway";
+
+		// Use stored site URL to prevent Host header spoofing in invite emails
+		const baseUrl = await getSiteBaseUrl(dineway.db, request);
+
+		// Build email sender from the plugin pipeline (if available)
+		const emailSend = dineway.email?.isAvailable()
+			? (message: { to: string; subject: string; text: string; html?: string }) =>
+					dineway.email!.send(message, "system")
+			: undefined;
+
+		const result = await createInvite(
+			{
+				baseUrl,
+				siteName,
+				email: emailSend,
+			},
+			adapter,
+			body.email,
+			role,
+			user.id,
+		);
+
+		if (emailSend) {
+			// Email was sent
+			return apiSuccess({
+				success: true,
+				message: `Invite sent to ${body.email}`,
+			});
+		}
+
+		// No email provider — return the invite URL for manual sharing
+		return apiSuccess(
+			{
+				success: true,
+				message: "Invite created. No email provider configured — share the link manually.",
+				inviteUrl: result.url,
+			},
+			200,
+		);
+	} catch (error) {
+		if (error instanceof InviteError) {
+			const statusMap: Record<string, number> = {
+				user_exists: 409,
+				invalid_token: 400,
+				token_expired: 400,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(error, "Failed to create invite", "INVITE_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/auth/logout.ts

@@ -0,0 +1,40 @@
+/**
+ * POST /_dineway/api/auth/logout
+ *
+ * Destroys the current session and logs the user out.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiSuccess, handleError } from "#api/error.js";
+import { isSafeRedirect } from "#api/redirect.js";
+
+export const POST: APIRoute = async ({ session, url }) => {
+	try {
+		// Destroy session
+		if (session) {
+			session.destroy();
+		}
+
+		// Check for redirect parameter
+		const redirect = url.searchParams.get("redirect");
+
+		if (isSafeRedirect(redirect)) {
+			return new Response(null, {
+				status: 302,
+				headers: { Location: redirect },
+			});
+		}
+
+		return apiSuccess({
+			success: true,
+			message: "Logged out successfully",
+		});
+	} catch (error) {
+		return handleError(error, "Logout failed", "LOGOUT_ERROR");
+	}
+};
+
+// No GET handler — logout must be POST-only to prevent CSRF via link/img tags

package/src/astro/routes/api/auth/magic-link/send.ts

@@ -0,0 +1,89 @@
+/**
+ * POST /_dineway/api/auth/magic-link/send
+ *
+ * Send a magic link email for passwordless authentication.
+ * Always returns success to avoid revealing whether email exists.
+ *
+ * Rate limited: 3 requests per 5 minutes per IP.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { sendMagicLink, type MagicLinkConfig } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError, apiSuccess } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { magicLinkSendBody } from "#api/schemas.js";
+import { getSiteBaseUrl } from "#api/site-url.js";
+import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		// Parse request body first — avoids consuming rate limit slots on
+		// malformed requests and normalizes timing between rate-limited
+		// and real paths (parse cost evens out the response time).
+		const body = await parseBody(request, magicLinkSendBody);
+		if (isParseError(body)) return body;
+
+		// Rate limit: 3 requests per 300 seconds (5 minutes) per IP
+		const ip = getClientIp(request);
+		const rateLimit = await checkRateLimit(dineway.db, ip, "magic-link/send", 3, 300);
+		if (!rateLimit.allowed) {
+			// Return success-shaped response to avoid revealing rate limit
+			// (which could leak information about email enumeration attempts)
+			return apiSuccess({
+				success: true,
+				message: "If an account exists for this email, a magic link has been sent.",
+			});
+		}
+
+		// Check if email pipeline is available
+		if (!dineway.email?.isAvailable()) {
+			return apiError(
+				"EMAIL_NOT_CONFIGURED",
+				"Email is not configured. Magic link authentication requires an email provider.",
+				503,
+			);
+		}
+
+		// Build magic link config using stored site URL (not request Host header)
+		const options = new OptionsRepository(dineway.db);
+		const baseUrl = await getSiteBaseUrl(dineway.db, request);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? "Dineway";
+
+		const config: MagicLinkConfig = {
+			baseUrl,
+			siteName,
+			email: (message) => dineway.email!.send(message, "system"),
+		};
+
+		// Send magic link (silently fails if user doesn't exist)
+		const adapter = createKyselyAdapter(dineway.db);
+		await sendMagicLink(config, adapter, body.email.toLowerCase());
+
+		// Always return success to avoid revealing if email exists
+		return apiSuccess({
+			success: true,
+			message: "If an account exists for this email, a magic link has been sent.",
+		});
+	} catch (error) {
+		console.error("Magic link send error:", error);
+
+		// Still return success to avoid revealing information
+		// Log the error but don't expose it to the client
+		return apiSuccess({
+			success: true,
+			message: "If an account exists for this email, a magic link has been sent.",
+		});
+	}
+};

package/src/astro/routes/api/auth/magic-link/verify.ts

@@ -0,0 +1,71 @@
+/**
+ * GET /_dineway/api/auth/magic-link/verify
+ *
+ * Verify a magic link token and create a session.
+ * Tokens are single-use and expire after 15 minutes.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { verifyMagicLink, MagicLinkError } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError } from "#api/error.js";
+import { isSafeRedirect } from "#api/redirect.js";
+
+export const GET: APIRoute = async ({ url, locals, session, redirect }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Get token from query params
+	const token = url.searchParams.get("token");
+
+	if (!token) {
+		// Redirect to login with error
+		return redirect("/_dineway/admin/login?error=missing_token");
+	}
+
+	try {
+		// Verify the magic link token
+		const adapter = createKyselyAdapter(dineway.db);
+		const user = await verifyMagicLink(adapter, token);
+
+		// Fire-and-forget cleanup of expired tokens -- prevents accumulation
+		void adapter.deleteExpiredTokens().catch(() => {});
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		// Check for a stored redirect URL (from original request)
+		// Validate redirect is a safe local path (prevent open redirect via //evil.com or /\evil.com)
+		const rawRedirect = url.searchParams.get("redirect");
+		const redirectUrl = isSafeRedirect(rawRedirect) ? rawRedirect : "/_dineway/admin";
+
+		// Redirect to admin dashboard or original URL
+		return redirect(redirectUrl);
+	} catch (error) {
+		console.error("Magic link verify error:", error);
+
+		// Handle specific errors
+		if (error instanceof MagicLinkError) {
+			switch (error.code) {
+				case "invalid_token":
+					return redirect("/_dineway/admin/login?error=invalid_link");
+				case "token_expired":
+					return redirect("/_dineway/admin/login?error=link_expired");
+				case "user_not_found":
+					return redirect("/_dineway/admin/login?error=user_not_found");
+			}
+		}
+
+		// Generic error
+		return redirect("/_dineway/admin/login?error=verification_failed");
+	}
+};

package/src/astro/routes/api/auth/me.ts

@@ -0,0 +1,60 @@
+/**
+ * GET /_dineway/api/auth/me
+ *
+ * Returns the current authenticated user's info.
+ * Used by the admin UI to display user info in the header.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiError, apiSuccess } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { authMeActionBody } from "#api/schemas.js";
+
+export const GET: APIRoute = async ({ locals, session }) => {
+	const { user } = locals;
+
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	// Check if this is the user's first login (for welcome modal)
+	// We track this in the session to show the modal only once
+	const hasSeenWelcome = await session?.get("hasSeenWelcome");
+	const isFirstLogin = !hasSeenWelcome;
+
+	// Return safe user info (no sensitive data)
+	return apiSuccess({
+		id: user.id,
+		email: user.email,
+		name: user.name,
+		role: user.role,
+		avatarUrl: user.avatarUrl,
+		isFirstLogin,
+	});
+};
+
+/**
+ * POST /_dineway/api/auth/me
+ *
+ * Mark that the user has seen the welcome modal.
+ */
+export const POST: APIRoute = async ({ request, locals, session }) => {
+	const { user } = locals;
+
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	const body = await parseBody(request, authMeActionBody);
+	if (isParseError(body)) return body;
+
+	if (body.action === "dismissWelcome") {
+		session?.set("hasSeenWelcome", true);
+		return apiSuccess({ success: true });
+	}
+
+	return apiError("UNKNOWN_ACTION", "Unknown action", 400);
+};

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -0,0 +1,221 @@
+/**
+ * GET /_dineway/api/auth/oauth/[provider]/callback
+ *
+ * Handle OAuth callback from provider
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import {
+	handleOAuthCallback,
+	OAuthError,
+	Role,
+	type OAuthConsumerConfig,
+	type RoleLevel,
+} from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { getPublicOrigin } from "#api/public-url.js";
+import { createOAuthStateStore } from "#auth/oauth-state-store.js";
+
+type ProviderName = "github" | "google";
+
+const VALID_PROVIDERS = new Set<string>(["github", "google"]);
+
+function isValidProvider(provider: string): provider is ProviderName {
+	return VALID_PROVIDERS.has(provider);
+}
+
+/** Safely extract a string value from an env-like record */
+function envString(env: Record<string, unknown>, ...keys: string[]): string | undefined {
+	for (const key of keys) {
+		const val = env[key];
+		if (typeof val === "string" && val) return val;
+	}
+	return undefined;
+}
+
+/**
+ * Get OAuth config from environment variables
+ */
+function getOAuthConfig(env: Record<string, unknown>): OAuthConsumerConfig["providers"] {
+	const providers: OAuthConsumerConfig["providers"] = {};
+
+	// GitHub
+	const githubClientId = envString(env, "DINEWAY_OAUTH_GITHUB_CLIENT_ID", "GITHUB_CLIENT_ID");
+	const githubClientSecret = envString(
+		env,
+		"DINEWAY_OAUTH_GITHUB_CLIENT_SECRET",
+		"GITHUB_CLIENT_SECRET",
+	);
+	if (githubClientId && githubClientSecret) {
+		providers.github = {
+			clientId: githubClientId,
+			clientSecret: githubClientSecret,
+		};
+	}
+
+	// Google
+	const googleClientId = envString(env, "DINEWAY_OAUTH_GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_ID");
+	const googleClientSecret = envString(
+		env,
+		"DINEWAY_OAUTH_GOOGLE_CLIENT_SECRET",
+		"GOOGLE_CLIENT_SECRET",
+	);
+	if (googleClientId && googleClientSecret) {
+		providers.google = {
+			clientId: googleClientId,
+			clientSecret: googleClientSecret,
+		};
+	}
+
+	return providers;
+}
+
+export const GET: APIRoute = async ({ params, request, locals, session, redirect }) => {
+	const { dineway } = locals;
+	const provider = params.provider;
+
+	// Validate provider
+	if (!provider || !isValidProvider(provider)) {
+		return redirect(
+			`/_dineway/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
+		);
+	}
+
+	if (!dineway?.db) {
+		return redirect(
+			`/_dineway/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`,
+		);
+	}
+
+	const url = new URL(request.url);
+	const code = url.searchParams.get("code");
+	const state = url.searchParams.get("state");
+	const error = url.searchParams.get("error");
+	const errorDescription = url.searchParams.get("error_description");
+
+	// Handle OAuth errors from provider
+	if (error) {
+		const message = errorDescription || error;
+		return redirect(
+			`/_dineway/admin/login?error=oauth_denied&message=${encodeURIComponent(message)}`,
+		);
+	}
+
+	// Validate required params
+	if (!code || !state) {
+		return redirect(
+			`/_dineway/admin/login?error=invalid_callback&message=${encodeURIComponent("Missing code or state parameter")}`,
+		);
+	}
+
+	try {
+		// Get OAuth providers from the adapter/runtime env when available,
+		// otherwise fall back to the Node build env.
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- some adapters inject locals.runtime.env at runtime; App.Locals intentionally stays generic
+		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
+		const providers = getOAuthConfig(env);
+
+		if (!providers[provider]) {
+			return redirect(
+				`/_dineway/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,
+			);
+		}
+
+		const config: OAuthConsumerConfig = {
+			baseUrl: `${getPublicOrigin(url, dineway?.config)}/_dineway`,
+			providers,
+			canSelfSignup: async (email: string) => {
+				// Extract domain from email
+				const domain = email.split("@")[1]?.toLowerCase();
+				if (!domain) {
+					return null;
+				}
+
+				// Check allowed_domains table for a matching, enabled entry
+				const entry = await dineway.db
+					.selectFrom("allowed_domains")
+					.selectAll()
+					.where("domain", "=", domain)
+					.where("enabled", "=", 1)
+					.executeTakeFirst();
+
+				if (!entry) {
+					return null;
+				}
+
+				// Map the stored role level to the Role enum
+				const roleLevel = entry.default_role;
+				const roleMap: Record<number, RoleLevel> = {
+					50: Role.ADMIN,
+					40: Role.EDITOR,
+					30: Role.AUTHOR,
+					20: Role.CONTRIBUTOR,
+					10: Role.SUBSCRIBER,
+				};
+				const role = roleMap[roleLevel] ?? Role.CONTRIBUTOR;
+				if (!roleMap[roleLevel]) {
+					console.warn(
+						`[oauth] Unknown role level ${roleLevel} for domain ${domain}, defaulting to CONTRIBUTOR`,
+					);
+				}
+
+				return { allowed: true, role };
+			},
+		};
+
+		const adapter = createKyselyAdapter(dineway.db);
+		const stateStore = createOAuthStateStore(dineway.db);
+
+		const user = await handleOAuthCallback(config, adapter, provider, code, state, stateStore);
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		// Redirect to admin dashboard
+		return redirect("/_dineway/admin");
+	} catch (callbackError) {
+		console.error("OAuth callback error:", callbackError);
+
+		let message = "Authentication failed";
+		let errorCode = "oauth_error";
+
+		if (callbackError instanceof OAuthError) {
+			errorCode = callbackError.code;
+
+			// Map all error codes to user-friendly messages (never expose raw error.message)
+			switch (callbackError.code) {
+				case "invalid_state":
+					message = "OAuth session expired or invalid. Please try again.";
+					break;
+				case "signup_not_allowed":
+					message = "Self-signup is not allowed for your email. Please contact an administrator.";
+					break;
+				case "user_not_found":
+					message = "Your account was not found. It may have been deleted.";
+					break;
+				case "token_exchange_failed":
+					message = "Failed to complete authentication. Please try again.";
+					break;
+				case "profile_fetch_failed":
+					message = "Failed to retrieve your profile. Please try again.";
+					break;
+				default:
+					message = "Authentication failed. Please try again.";
+					break;
+			}
+		}
+		// For generic errors, keep the default "Authentication failed" message
+
+		return redirect(
+			`/_dineway/admin/login?error=${errorCode}&message=${encodeURIComponent(message)}`,
+		);
+	}
+};

package/src/astro/routes/api/auth/oauth/[provider].ts

@@ -0,0 +1,120 @@
+/**
+ * GET /_dineway/api/auth/oauth/[provider]
+ *
+ * Start OAuth flow - redirects to provider authorization URL
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createAuthorizationUrl, type OAuthConsumerConfig } from "@dineway-ai/auth";
+
+import { getPublicOrigin } from "#api/public-url.js";
+import { createOAuthStateStore } from "#auth/oauth-state-store.js";
+
+type ProviderName = "github" | "google";
+
+const VALID_PROVIDERS = new Set<string>(["github", "google"]);
+
+function isValidProvider(provider: string): provider is ProviderName {
+	return VALID_PROVIDERS.has(provider);
+}
+
+/** Safely extract a string value from an env-like record */
+function envString(env: Record<string, unknown>, ...keys: string[]): string | undefined {
+	for (const key of keys) {
+		const val = env[key];
+		if (typeof val === "string" && val) return val;
+	}
+	return undefined;
+}
+
+/**
+ * Get OAuth config from environment variables
+ */
+function getOAuthConfig(env: Record<string, unknown>): OAuthConsumerConfig["providers"] {
+	const providers: OAuthConsumerConfig["providers"] = {};
+
+	// GitHub
+	const githubClientId = envString(env, "DINEWAY_OAUTH_GITHUB_CLIENT_ID", "GITHUB_CLIENT_ID");
+	const githubClientSecret = envString(
+		env,
+		"DINEWAY_OAUTH_GITHUB_CLIENT_SECRET",
+		"GITHUB_CLIENT_SECRET",
+	);
+	if (githubClientId && githubClientSecret) {
+		providers.github = {
+			clientId: githubClientId,
+			clientSecret: githubClientSecret,
+		};
+	}
+
+	// Google
+	const googleClientId = envString(env, "DINEWAY_OAUTH_GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_ID");
+	const googleClientSecret = envString(
+		env,
+		"DINEWAY_OAUTH_GOOGLE_CLIENT_SECRET",
+		"GOOGLE_CLIENT_SECRET",
+	);
+	if (googleClientId && googleClientSecret) {
+		providers.google = {
+			clientId: googleClientId,
+			clientSecret: googleClientSecret,
+		};
+	}
+
+	return providers;
+}
+
+export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
+	const { dineway } = locals;
+	const provider = params.provider;
+
+	// Validate provider
+	if (!provider || !isValidProvider(provider)) {
+		return redirect(
+			`/_dineway/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
+		);
+	}
+
+	if (!dineway?.db) {
+		return redirect(
+			`/_dineway/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`,
+		);
+	}
+
+	try {
+		const url = new URL(request.url);
+
+		// Get OAuth providers from the adapter/runtime env when available,
+		// otherwise fall back to the Node build env.
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- some adapters inject locals.runtime.env at runtime; App.Locals intentionally stays generic
+		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
+		const providers = getOAuthConfig(env);
+
+		if (!providers[provider]) {
+			return redirect(
+				`/_dineway/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,
+			);
+		}
+
+		const config: OAuthConsumerConfig = {
+			baseUrl: `${getPublicOrigin(url, dineway?.config)}/_dineway`,
+			providers,
+		};
+
+		const stateStore = createOAuthStateStore(dineway.db);
+
+		const { url: authUrl } = await createAuthorizationUrl(config, provider, stateStore);
+
+		return redirect(authUrl);
+	} catch (error) {
+		console.error("OAuth initiation error:", error);
+		return redirect(
+			`/_dineway/admin/login?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
+		);
+	}
+};