dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/admin/review-requests/[id]/resolve.ts

@@ -0,0 +1,52 @@
+/**
+ * Admin review request resolution
+ *
+ * POST /_dineway/api/admin/review-requests/:id/resolve - Approve or reject a review request
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleReviewRequestResolve } from "#api/handlers/review-requests.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { logReviewRouteActivity, resolveReviewRouteActor } from "#api/review-route-helpers.js";
+import { reviewRequestResolveBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+
+	if (!id) {
+		return apiError("VALIDATION_ERROR", "Review request ID required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "content:edit_any");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, reviewRequestResolveBody);
+		if (isParseError(body)) return body;
+
+		const result = await handleReviewRequestResolve(dineway.db, id, {
+			decision: body.decision,
+			reviewNote: body.reviewNote,
+			actor: resolveReviewRouteActor(locals),
+		});
+		if (!result.success) return unwrapResult(result);
+
+		await logReviewRouteActivity(dineway.db, locals, {
+			actionType: body.decision === "approved" ? "review.approved" : "review.rejected",
+			item: result.data.item,
+		});
+
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to resolve review request", "REVIEW_REQUEST_RESOLVE_ERROR");
+	}
+};

package/src/astro/routes/api/admin/review-requests/index.ts

@@ -0,0 +1,35 @@
+/**
+ * Admin review requests
+ *
+ * GET /_dineway/api/admin/review-requests - List review requests
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleReviewRequestList } from "#api/handlers/review-requests.js";
+import { isParseError, parseQuery } from "#api/parse.js";
+import { reviewRequestListQuery } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "content:edit_any");
+	if (denied) return denied;
+
+	try {
+		const query = parseQuery(url, reviewRequestListQuery);
+		if (isParseError(query)) return query;
+
+		const result = await handleReviewRequestList(dineway.db, query);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to list review requests", "REVIEW_REQUEST_LIST_ERROR");
+	}
+};

package/src/astro/routes/api/admin/themes/marketplace/[id]/index.ts

@@ -0,0 +1,33 @@
+/**
+ * Theme marketplace detail proxy endpoint
+ *
+ * GET /_dineway/api/admin/themes/marketplace/:id - Get theme details
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, unwrapResult } from "#api/error.js";
+import { handleThemeGetDetail } from "#api/index.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "plugins:read");
+	if (denied) return denied;
+
+	if (!id) {
+		return apiError("INVALID_REQUEST", "Theme ID required", 400);
+	}
+
+	const result = await handleThemeGetDetail(dineway.config.marketplace, id);
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/admin/themes/marketplace/[id]/thumbnail.ts

@@ -0,0 +1,62 @@
+/**
+ * Theme marketplace thumbnail proxy
+ *
+ * GET /_dineway/api/admin/themes/marketplace/:id/thumbnail - Proxy thumbnail from marketplace
+ *
+ * Avoids CORS/auth issues when the marketplace service is behind
+ * external auth or on a different origin.
+ * The admin UI uses this instead of linking directly.
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError } from "#api/error.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, url, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "plugins:read");
+	if (denied) return denied;
+
+	const marketplaceUrl = dineway.config.marketplace;
+	if (!marketplaceUrl || !id) {
+		return apiError("NOT_CONFIGURED", "Marketplace not configured", 400);
+	}
+
+	const width = url.searchParams.get("w");
+	const target = new URL(`/api/v1/themes/${encodeURIComponent(id)}/thumbnail`, marketplaceUrl);
+	if (width) target.searchParams.set("w", width);
+
+	try {
+		const resp = await fetch(target.href);
+		if (!resp.ok) {
+			// Allowlist: only forward Content-Type from upstream.
+			// Never copy all upstream headers (denylist approach leaks
+			// headers we haven't anticipated).
+			return new Response(resp.body, {
+				status: resp.status,
+				headers: {
+					"Content-Type": resp.headers.get("Content-Type") ?? "application/octet-stream",
+					"Cache-Control": "private, no-store",
+				},
+			});
+		}
+
+		return new Response(resp.body, {
+			headers: {
+				"Content-Type": resp.headers.get("Content-Type") ?? "image/png",
+				"Cache-Control": "private, no-store",
+			},
+		});
+	} catch {
+		return apiError("PROXY_ERROR", "Failed to fetch thumbnail", 502);
+	}
+};

package/src/astro/routes/api/admin/themes/marketplace/index.ts

@@ -0,0 +1,45 @@
+/**
+ * Theme marketplace search proxy endpoint
+ *
+ * GET /_dineway/api/admin/themes/marketplace - Search marketplace themes
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, unwrapResult } from "#api/error.js";
+import { handleThemeSearch } from "#api/index.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "plugins:read");
+	if (denied) return denied;
+
+	const query = url.searchParams.get("q") ?? undefined;
+	const keyword = url.searchParams.get("keyword") ?? undefined;
+	const sortParam = url.searchParams.get("sort");
+	const validSorts = new Set(["name", "created", "updated"]);
+	let sort: "name" | "created" | "updated" | undefined;
+	if (sortParam && validSorts.has(sortParam)) {
+		sort = sortParam as "name" | "created" | "updated"; // eslint-disable-line typescript-eslint(no-unsafe-type-assertion) -- validated by Set.has()
+	}
+	const cursor = url.searchParams.get("cursor") ?? undefined;
+	const limitParam = url.searchParams.get("limit");
+	const limit = limitParam ? Math.min(Math.max(1, parseInt(limitParam, 10) || 50), 100) : undefined;
+
+	const result = await handleThemeSearch(dineway.config.marketplace, query, {
+		keyword,
+		sort,
+		cursor,
+		limit,
+	});
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/admin/users/[id]/disable.ts

@@ -0,0 +1,72 @@
+/**
+ * User disable endpoint
+ *
+ * POST /_dineway/api/admin/users/:id/disable - Soft-disable a user
+ */
+
+import { Role } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { withTransaction } from "#db/transaction.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, locals }) => {
+	const { dineway, user: currentUser } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Database not configured", 500);
+	}
+
+	if (!currentUser || currentUser.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const { id } = params;
+
+	if (!id) {
+		return apiError("VALIDATION_ERROR", "User ID required", 400);
+	}
+
+	// Prevent disabling self
+	if (id === currentUser.id) {
+		return apiError("VALIDATION_ERROR", "Cannot disable your own account", 400);
+	}
+
+	try {
+		return await withTransaction(dineway.db, async (trx) => {
+			const adapter = createKyselyAdapter(trx);
+
+			// Get target user
+			const targetUser = await adapter.getUserById(id);
+			if (!targetUser) {
+				return apiError("NOT_FOUND", "User not found", 404);
+			}
+
+			// Check if this would leave no active admins
+			if (targetUser.role === Role.ADMIN) {
+				const adminCount = await adapter.countAdmins();
+				if (adminCount <= 1) {
+					return apiError(
+						"VALIDATION_ERROR",
+						"Cannot disable the last admin. Promote another user first.",
+						400,
+					);
+				}
+			}
+
+			// Disable user
+			await adapter.updateUser(id, { disabled: true });
+
+			// SEC-43: Revoke all OAuth tokens for the disabled user.
+			// Without this, existing refresh tokens remain valid for up to 90 days.
+			await trx.deleteFrom("_dineway_oauth_tokens").where("user_id", "=", id).execute();
+
+			return apiSuccess({ success: true });
+		});
+	} catch (error) {
+		return handleError(error, "Failed to disable user", "USER_DISABLE_ERROR");
+	}
+};

package/src/astro/routes/api/admin/users/[id]/enable.ts

@@ -0,0 +1,48 @@
+/**
+ * User enable endpoint
+ *
+ * POST /_dineway/api/admin/users/:id/enable - Re-enable a disabled user
+ */
+
+import { Role } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Database not configured", 500);
+	}
+
+	if (!user || user.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const adapter = createKyselyAdapter(dineway.db);
+
+	const { id } = params;
+
+	if (!id) {
+		return apiError("VALIDATION_ERROR", "User ID required", 400);
+	}
+
+	try {
+		// Get target user
+		const targetUser = await adapter.getUserById(id);
+		if (!targetUser) {
+			return apiError("NOT_FOUND", "User not found", 404);
+		}
+
+		// Enable user
+		await adapter.updateUser(id, { disabled: false });
+
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Failed to enable user", "USER_ENABLE_ERROR");
+	}
+};

package/src/astro/routes/api/admin/users/[id]/index.ts

@@ -0,0 +1,166 @@
+/**
+ * User management detail endpoint
+ *
+ * GET /_dineway/api/admin/users/:id - Get user details
+ * PUT /_dineway/api/admin/users/:id - Update user
+ */
+
+import { Role } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { userUpdateBody } from "#api/schemas.js";
+import { withTransaction } from "#db/transaction.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user: currentUser } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	if (!currentUser || currentUser.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const adapter = createKyselyAdapter(dineway.db);
+
+	const { id } = params;
+
+	if (!id) {
+		return apiError("MISSING_PARAM", "User ID required", 400);
+	}
+
+	try {
+		const result = await adapter.getUserWithDetails(id);
+
+		if (!result) {
+			return apiError("NOT_FOUND", "User not found", 404);
+		}
+
+		// Transform for JSON serialization
+		const item = {
+			id: result.user.id,
+			email: result.user.email,
+			name: result.user.name,
+			avatarUrl: result.user.avatarUrl,
+			role: result.user.role,
+			emailVerified: result.user.emailVerified,
+			disabled: result.user.disabled,
+			createdAt: result.user.createdAt.toISOString(),
+			updatedAt: result.user.updatedAt.toISOString(),
+			lastLogin: result.lastLogin?.toISOString() ?? null,
+			credentials: result.credentials.map((c) => ({
+				id: c.id,
+				name: c.name,
+				deviceType: c.deviceType,
+				createdAt: c.createdAt.toISOString(),
+				lastUsedAt: c.lastUsedAt.toISOString(),
+			})),
+			oauthAccounts: result.oauthAccounts.map((a) => ({
+				provider: a.provider,
+				createdAt: a.createdAt.toISOString(),
+			})),
+		};
+
+		return apiSuccess({ item });
+	} catch (error) {
+		return handleError(error, "Failed to get user details", "USER_DETAIL_ERROR");
+	}
+};
+
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user: currentUser } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	if (!currentUser || currentUser.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const adapter = createKyselyAdapter(dineway.db);
+
+	const { id } = params;
+
+	if (!id) {
+		return apiError("MISSING_PARAM", "User ID required", 400);
+	}
+
+	try {
+		// Get target user
+		const targetUser = await adapter.getUserById(id);
+		if (!targetUser) {
+			return apiError("NOT_FOUND", "User not found", 404);
+		}
+
+		const body = await parseBody(request, userUpdateBody);
+		if (isParseError(body)) return body;
+
+		// Role is already validated as RoleLevel by Zod schema
+		const role = body.role;
+
+		// Prevent editing own role (security: prevents self-demotion/lockout)
+		if (role !== undefined && id === currentUser.id) {
+			return apiError("SELF_ROLE_CHANGE", "Cannot change your own role", 400);
+		}
+
+		// Check email uniqueness if changing email
+		if (body.email && body.email !== targetUser.email) {
+			const existing = await adapter.getUserByEmail(body.email);
+			if (existing) {
+				return apiError("EMAIL_IN_USE", "Email already in use", 409);
+			}
+		}
+
+		return await withTransaction(dineway.db, async (trx) => {
+			const txAdapter = createKyselyAdapter(trx);
+			const latestTargetUser = await txAdapter.getUserById(id);
+			if (!latestTargetUser) {
+				return apiError("NOT_FOUND", "User not found", 404);
+			}
+
+			if (role !== undefined && latestTargetUser.role === Role.ADMIN && role < Role.ADMIN) {
+				const adminCount = await txAdapter.countAdmins();
+				if (adminCount <= 1) {
+					return apiError(
+						"VALIDATION_ERROR",
+						"Cannot demote the last admin. Promote another user first.",
+						400,
+					);
+				}
+			}
+
+			// Update user
+			await txAdapter.updateUser(id, {
+				name: body.name,
+				email: body.email,
+				role,
+			});
+
+			// Fetch updated user
+			const updated = await txAdapter.getUserById(id);
+
+			return apiSuccess({
+				item: {
+					id: updated!.id,
+					email: updated!.email,
+					name: updated!.name,
+					avatarUrl: updated!.avatarUrl,
+					role: updated!.role,
+					emailVerified: updated!.emailVerified,
+					disabled: updated!.disabled,
+					createdAt: updated!.createdAt.toISOString(),
+					updatedAt: updated!.updatedAt.toISOString(),
+				},
+			});
+		});
+	} catch (error) {
+		return handleError(error, "Failed to update user", "USER_UPDATE_ERROR");
+	}
+};

package/src/astro/routes/api/admin/users/[id]/send-recovery.ts

@@ -0,0 +1,72 @@
+/**
+ * Send recovery link endpoint
+ *
+ * POST /_dineway/api/admin/users/:id/send-recovery
+ *
+ * Admin-initiated account recovery — sends a recovery magic link to the user's email.
+ */
+
+import { Role, sendMagicLink, type MagicLinkConfig } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { getSiteBaseUrl } from "#api/site-url.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ request, params, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Database not configured", 500);
+	}
+
+	if (!user || user.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const { id } = params;
+
+	if (!id) {
+		return apiError("VALIDATION_ERROR", "User ID required", 400);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Verify target user exists
+		const targetUser = await adapter.getUserById(id);
+		if (!targetUser) {
+			return apiError("NOT_FOUND", "User not found", 404);
+		}
+
+		// Check if email pipeline is available
+		if (!dineway.email?.isAvailable()) {
+			return apiError(
+				"EMAIL_NOT_CONFIGURED",
+				"Email is not configured. Recovery links require an email provider.",
+				503,
+			);
+		}
+
+		// Build config using stored site URL (not request Host header)
+		const options = new OptionsRepository(dineway.db);
+		const baseUrl = await getSiteBaseUrl(dineway.db, request);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? "Dineway";
+
+		const config: MagicLinkConfig = {
+			baseUrl,
+			siteName,
+			email: (message) => dineway.email!.send(message, "system"),
+		};
+
+		// Send recovery link
+		await sendMagicLink(config, adapter, targetUser.email, "recovery");
+
+		return apiSuccess({ success: true, message: "Recovery link sent" });
+	} catch (error) {
+		return handleError(error, "Failed to send recovery link", "RECOVERY_SEND_ERROR");
+	}
+};

package/src/astro/routes/api/admin/users/index.ts

@@ -0,0 +1,66 @@
+/**
+ * User management list endpoint
+ *
+ * GET /_dineway/api/admin/users - List users with search, filter, pagination
+ */
+
+import { Role } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseQuery } from "#api/parse.js";
+import { usersListQuery } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	if (!user || user.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const adapter = createKyselyAdapter(dineway.db);
+
+	try {
+		// Parse query parameters
+		const query = parseQuery(url, usersListQuery);
+		if (isParseError(query)) return query;
+
+		// Fetch users
+		const result = await adapter.getUsers({
+			search: query.search,
+			role: query.role ? parseInt(query.role, 10) : undefined,
+			cursor: query.cursor,
+			limit: query.limit,
+		});
+
+		// Transform dates to ISO strings for JSON serialization
+		const items = result.items.map((u) => ({
+			id: u.id,
+			email: u.email,
+			name: u.name,
+			avatarUrl: u.avatarUrl,
+			role: u.role,
+			emailVerified: u.emailVerified,
+			disabled: u.disabled,
+			createdAt: u.createdAt.toISOString(),
+			updatedAt: u.updatedAt.toISOString(),
+			lastLogin: u.lastLogin?.toISOString() ?? null,
+			credentialCount: u.credentialCount,
+			oauthProviders: u.oauthProviders,
+		}));
+
+		return apiSuccess({
+			items,
+			nextCursor: result.nextCursor,
+		});
+	} catch (error) {
+		return handleError(error, "Failed to list users", "USER_LIST_ERROR");
+	}
+};