dineway 0.1.3 → 0.1.4

package/src/astro/routes/api/auth/passkey/[id].ts

@@ -0,0 +1,124 @@
+/**
+ * PATCH/DELETE /_dineway/api/auth/passkey/[id]
+ *
+ * Rename or delete a passkey
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { passkeyRenameBody } from "#api/schemas.js";
+
+interface PasskeyResponse {
+	id: string;
+	name: string | null;
+	deviceType: "singleDevice" | "multiDevice";
+	backedUp: boolean;
+	createdAt: string;
+	lastUsedAt: string;
+}
+
+/**
+ * PATCH - Rename a passkey
+ */
+export const PATCH: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	if (!id) {
+		return apiError("MISSING_PARAM", "Passkey ID is required", 400);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Get the credential and verify ownership
+		const credential = await adapter.getCredentialById(id);
+
+		if (!credential || credential.userId !== user.id) {
+			return apiError("NOT_FOUND", "Passkey not found", 404);
+		}
+
+		// Parse request body
+		const body = await parseBody(request, passkeyRenameBody);
+		if (isParseError(body)) return body;
+
+		// Update the name
+		const trimmedName = body.name.trim() || null;
+		await adapter.updateCredentialName(id, trimmedName);
+
+		// Return updated passkey info
+		const passkey: PasskeyResponse = {
+			id: credential.id,
+			name: trimmedName,
+			deviceType: credential.deviceType,
+			backedUp: credential.backedUp,
+			createdAt: credential.createdAt.toISOString(),
+			lastUsedAt: credential.lastUsedAt.toISOString(),
+		};
+
+		return apiSuccess({ passkey });
+	} catch (error) {
+		return handleError(error, "Failed to rename passkey", "PASSKEY_RENAME_ERROR");
+	}
+};
+
+/**
+ * DELETE - Remove a passkey
+ */
+export const DELETE: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	if (!id) {
+		return apiError("MISSING_PARAM", "Passkey ID is required", 400);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Get the credential and verify ownership
+		const credential = await adapter.getCredentialById(id);
+
+		if (!credential || credential.userId !== user.id) {
+			return apiError("NOT_FOUND", "Passkey not found", 404);
+		}
+
+		// Check that this isn't the last passkey
+		const count = await adapter.countCredentialsByUserId(user.id);
+
+		if (count <= 1) {
+			return apiError("LAST_PASSKEY", "Cannot remove your last passkey", 400);
+		}
+
+		// Delete the passkey
+		await adapter.deleteCredential(id);
+
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Failed to delete passkey", "PASSKEY_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/auth/passkey/index.ts

@@ -0,0 +1,54 @@
+/**
+ * GET /_dineway/api/auth/passkey
+ *
+ * List all passkeys for the authenticated user
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+
+interface PasskeyResponse {
+	id: string;
+	name: string | null;
+	deviceType: "singleDevice" | "multiDevice";
+	backedUp: boolean;
+	createdAt: string;
+	lastUsedAt: string;
+}
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(dineway.db);
+		const credentials = await adapter.getCredentialsByUserId(user.id);
+
+		// Map to public response format (exclude sensitive fields)
+		const passkeys: PasskeyResponse[] = credentials.map((cred) => ({
+			id: cred.id,
+			name: cred.name,
+			deviceType: cred.deviceType,
+			backedUp: cred.backedUp,
+			createdAt: cred.createdAt.toISOString(),
+			lastUsedAt: cred.lastUsedAt.toISOString(),
+		}));
+
+		return apiSuccess({ items: passkeys });
+	} catch (error) {
+		return handleError(error, "Failed to list passkeys", "PASSKEY_LIST_ERROR");
+	}
+};

package/src/astro/routes/api/auth/passkey/options.ts

@@ -0,0 +1,84 @@
+/**
+ * POST /_dineway/api/auth/passkey/options
+ *
+ * Get authentication options for passkey login.
+ *
+ * Rate limited: 10 requests per minute per IP.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { generateAuthenticationOptions } from "@dineway-ai/auth/passkey";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { passkeyOptionsBody } from "#api/schemas.js";
+import { createChallengeStore, cleanupExpiredChallenges } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		// Fire-and-forget cleanup of expired challenges -- prevents accumulation
+		void cleanupExpiredChallenges(dineway.db).catch(() => {});
+
+		// Parse body before rate limiting so malformed requests don't consume slots
+		const body = await parseOptionalBody(request, passkeyOptionsBody, {});
+		if (isParseError(body)) return body;
+
+		// Rate limit: 10 requests per 60 seconds per IP
+		const ip = getClientIp(request);
+		const rateLimit = await checkRateLimit(dineway.db, ip, "passkey/options", 10, 60);
+		if (!rateLimit.allowed) {
+			return rateLimitResponse(60);
+		}
+
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Get credentials to allow
+		let credentials: Awaited<ReturnType<typeof adapter.getCredentialsByUserId>> = [];
+
+		if (body.email) {
+			// Get credentials for specific user
+			const user = await adapter.getUserByEmail(body.email);
+			if (user) {
+				credentials = await adapter.getCredentialsByUserId(user.id);
+			}
+			// Don't reveal if user exists - just return empty allowCredentials
+		}
+		// If no email provided, allowCredentials will be undefined (allow any discoverable credential)
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const options = new OptionsRepository(dineway.db);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		// Generate authentication options
+		const challengeStore = createChallengeStore(dineway.db);
+		const authOptions = await generateAuthenticationOptions(
+			passkeyConfig,
+			credentials,
+			challengeStore,
+		);
+
+		return apiSuccess({
+			success: true,
+			options: authOptions,
+		});
+	} catch (error) {
+		return handleError(error, "Failed to generate passkey options", "PASSKEY_OPTIONS_ERROR");
+	}
+};

package/src/astro/routes/api/auth/passkey/register/options.ts

@@ -0,0 +1,88 @@
+/**
+ * POST /_dineway/api/auth/passkey/register/options
+ *
+ * Get WebAuthn registration options for adding a new passkey (authenticated user)
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { generateRegistrationOptions } from "@dineway-ai/auth/passkey";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { passkeyRegisterOptionsBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+const MAX_PASSKEYS = 10;
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Check passkey limit
+		const count = await adapter.countCredentialsByUserId(user.id);
+		if (count >= MAX_PASSKEYS) {
+			return apiError("PASSKEY_LIMIT", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);
+		}
+
+		// Parse optional name from request
+		const body = await parseOptionalBody(request, passkeyRegisterOptionsBody, {});
+		if (isParseError(body)) return body;
+
+		// Get existing credentials for excludeCredentials
+		const existingCredentials = await adapter.getCredentialsByUserId(user.id);
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const optionsRepo = new OptionsRepository(dineway.db);
+		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		// Generate registration options
+		const challengeStore = createChallengeStore(dineway.db);
+		const registrationOptions = await generateRegistrationOptions(
+			passkeyConfig,
+			{ id: user.id, email: user.email, name: user.name },
+			existingCredentials,
+			challengeStore,
+		);
+
+		// Store the passkey name in the challenge metadata if provided
+		// We'll retrieve it during verification
+		if (body.name) {
+			// Store name with challenge for later retrieval
+			// The challenge store will need this when verifying
+			await optionsRepo.set(`dineway:passkey_pending:${user.id}`, {
+				name: body.name,
+			});
+		}
+
+		return apiSuccess({
+			options: registrationOptions,
+		});
+	} catch (error) {
+		return handleError(
+			error,
+			"Failed to generate registration options",
+			"PASSKEY_REGISTER_OPTIONS_ERROR",
+		);
+	}
+};

package/src/astro/routes/api/auth/passkey/register/verify.ts

@@ -0,0 +1,119 @@
+/**
+ * POST /_dineway/api/auth/passkey/register/verify
+ *
+ * Verify and store a new passkey credential (authenticated user)
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
+
+import { apiError, apiSuccess } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { passkeyRegisterVerifyBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+const MAX_PASSKEYS = 10;
+
+interface PasskeyResponse {
+	id: string;
+	name: string | null;
+	deviceType: "singleDevice" | "multiDevice";
+	backedUp: boolean;
+	createdAt: string;
+	lastUsedAt: string;
+}
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Check passkey limit again (in case of concurrent requests)
+		const count = await adapter.countCredentialsByUserId(user.id);
+		if (count >= MAX_PASSKEYS) {
+			return apiError("PASSKEY_LIMIT", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);
+		}
+
+		// Parse request body
+		const body = await parseBody(request, passkeyRegisterVerifyBody);
+		if (isParseError(body)) return body;
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const optionsRepo = new OptionsRepository(dineway.db);
+		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		// Verify the registration response
+		const challengeStore = createChallengeStore(dineway.db);
+		const verified = await verifyRegistrationResponse(
+			passkeyConfig,
+			body.credential,
+			challengeStore,
+		);
+
+		// Get passkey name - prefer body.name, then check stored pending name
+		let passKeyName: string | undefined = body.name ?? undefined;
+		if (!passKeyName) {
+			const pending = await optionsRepo.get<{ name?: string }>(
+				`dineway:passkey_pending:${user.id}`,
+			);
+			if (pending?.name) {
+				passKeyName = pending.name;
+			}
+		}
+
+		// Clean up pending state
+		await optionsRepo.delete(`dineway:passkey_pending:${user.id}`);
+
+		// Register the passkey
+		const credential = await registerPasskey(adapter, user.id, verified, passKeyName);
+
+		// Return the new passkey info
+		const passkey: PasskeyResponse = {
+			id: credential.id,
+			name: credential.name,
+			deviceType: credential.deviceType,
+			backedUp: credential.backedUp,
+			createdAt: credential.createdAt.toISOString(),
+			lastUsedAt: credential.lastUsedAt.toISOString(),
+		};
+
+		return apiSuccess({ passkey });
+	} catch (error) {
+		console.error("Passkey registration verify error:", error);
+
+		// Handle specific errors
+		const message = error instanceof Error ? error.message : "";
+
+		// Check for duplicate credential error
+		if (message.includes("credential_exists") || message.includes("already")) {
+			return apiError("CREDENTIAL_EXISTS", "This passkey is already registered", 400);
+		}
+
+		// Check for challenge errors
+		if (message.includes("challenge") || message.includes("expired")) {
+			return apiError("CHALLENGE_EXPIRED", "Registration expired. Please try again.", 400);
+		}
+
+		return apiError("PASSKEY_REGISTER_ERROR", "Registration failed", 500);
+	}
+};

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -0,0 +1,68 @@
+/**
+ * POST /_dineway/api/auth/passkey/verify
+ *
+ * Verify a passkey authentication and create a session
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { authenticateWithPasskey } from "@dineway-ai/auth/passkey";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { passkeyVerifyBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals, session }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, passkeyVerifyBody);
+		if (isParseError(body)) return body;
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const options = new OptionsRepository(dineway.db);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		// Authenticate with passkey
+		const adapter = createKyselyAdapter(dineway.db);
+		const challengeStore = createChallengeStore(dineway.db);
+
+		const user = await authenticateWithPasskey(
+			passkeyConfig,
+			adapter,
+			body.credential,
+			challengeStore,
+		);
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		return apiSuccess({
+			success: true,
+			user: {
+				id: user.id,
+				email: user.email,
+				name: user.name,
+				role: user.role,
+			},
+		});
+	} catch (error) {
+		return handleError(error, "Authentication failed", "PASSKEY_VERIFY_ERROR");
+	}
+};

package/src/astro/routes/api/auth/signup/complete.ts

@@ -0,0 +1,87 @@
+/**
+ * POST /_dineway/api/auth/signup/complete
+ *
+ * Complete self-signup by registering a passkey for the new user.
+ * This creates the user account and establishes a session.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { completeSignup, SignupError } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { signupCompleteBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals, session }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, signupCompleteBody);
+		if (isParseError(body)) return body;
+
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const options = new OptionsRepository(dineway.db);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		// Verify the passkey registration response
+		const challengeStore = createChallengeStore(dineway.db);
+		const verified = await verifyRegistrationResponse(
+			passkeyConfig,
+			body.credential,
+			challengeStore,
+		);
+
+		// Complete the signup - creates the user
+		const user = await completeSignup(adapter, body.token, {
+			name: body.name,
+		});
+
+		// Register the passkey for the new user
+		await registerPasskey(adapter, user.id, verified, "Initial passkey");
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		return apiSuccess({
+			success: true,
+			user: {
+				id: user.id,
+				email: user.email,
+				name: user.name,
+				role: user.role,
+			},
+		});
+	} catch (error) {
+		if (error instanceof SignupError) {
+			const statusMap: Record<string, number> = {
+				invalid_token: 404,
+				token_expired: 410,
+				user_exists: 409,
+				domain_not_allowed: 403,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(error, "Failed to complete signup", "SIGNUP_COMPLETE_ERROR");
+	}
+};