dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/auth/dev-bypass.ts

@@ -0,0 +1,139 @@
+/**
+ * POST /_dineway/api/auth/dev-bypass
+ * GET  /_dineway/api/auth/dev-bypass
+ *
+ * Development-only endpoint to bypass passkey authentication.
+ * Creates or uses a test admin user and establishes a session.
+ *
+ * ONLY available when import.meta.env.DEV is true.
+ *
+ * Usage:
+ * - GET with redirect: /_dineway/api/auth/dev-bypass?redirect=/_dineway/admin
+ * - POST for API: Returns JSON with user info
+ *
+ * For agent/browser testing, navigate to:
+ *   /_dineway/api/auth/dev-bypass?redirect=/_dineway/admin
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { ulid } from "ulidx";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { escapeHtml } from "#api/escape.js";
+import { isSafeRedirect } from "#api/redirect.js";
+import { runMigrations } from "#db/migrations/runner.js";
+
+const DEV_USER_EMAIL = "dev@dineway.local";
+const DEV_USER_NAME = "Dev Admin";
+
+// RBAC role levels (matching @dineway-ai/auth)
+const ROLE_ADMIN = 50;
+
+async function handleDevBypass(context: Parameters<APIRoute>[0]): Promise<Response> {
+	// CRITICAL: Only allow in development mode
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Dev bypass is only available in development mode", 403);
+	}
+
+	const { locals, url, session } = context;
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		// Ensure migrations are run
+		await runMigrations(dineway.db);
+
+		// Find or create dev user (direct DB access to avoid @dineway-ai/auth import issues in dev)
+		const existingUser = await dineway.db
+			.selectFrom("users")
+			.selectAll()
+			.where("email", "=", DEV_USER_EMAIL)
+			.executeTakeFirst();
+
+		let user: { id: string; email: string; name: string; role: number };
+
+		if (!existingUser) {
+			const now = new Date().toISOString();
+			const newUser = {
+				id: ulid(),
+				email: DEV_USER_EMAIL,
+				name: DEV_USER_NAME,
+				role: ROLE_ADMIN,
+				email_verified: 1,
+				created_at: now,
+				updated_at: now,
+			};
+
+			await dineway.db.insertInto("users").values(newUser).execute();
+
+			user = {
+				id: newUser.id,
+				email: newUser.email,
+				name: newUser.name,
+				role: newUser.role,
+			};
+			console.log("[dev-bypass] Created dev admin user:", user.email);
+		} else {
+			user = {
+				id: existingUser.id,
+				email: existingUser.email,
+				name: existingUser.name || DEV_USER_NAME,
+				role: existingUser.role,
+			};
+		}
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		// Check for redirect parameter
+		const redirect = url.searchParams.get("redirect");
+
+		if (redirect) {
+			// Validate redirect is a safe local path (prevent open redirect via //evil.com or /\evil.com)
+			if (!isSafeRedirect(redirect)) {
+				return apiError("INVALID_REDIRECT", "Redirect must be a local path", 400);
+			}
+
+			// Return an HTML page with meta-refresh redirect
+			// This ensures the session is fully saved before redirect
+			const safeRedirect = escapeHtml(redirect);
+			const html = `<!DOCTYPE html>
+<html>
+<head>
+	<meta http-equiv="refresh" content="0;url=${safeRedirect}">
+</head>
+<body>Redirecting...</body>
+</html>`;
+			return new Response(html, {
+				status: 200,
+				headers: { "Content-Type": "text/html" },
+			});
+		}
+
+		// Return JSON response
+		return apiSuccess({
+			success: true,
+			message: "Dev session created",
+			user: {
+				id: user.id,
+				email: user.email,
+				name: user.name,
+				role: user.role,
+			},
+		});
+	} catch (error) {
+		return handleError(error, "Dev bypass setup failed", "DEV_BYPASS_ERROR");
+	}
+}
+
+// Support both GET and POST
+export const GET: APIRoute = handleDevBypass;
+export const POST: APIRoute = handleDevBypass;

package/src/astro/routes/api/auth/invite/accept.ts

@@ -0,0 +1,52 @@
+/**
+ * GET /_dineway/api/auth/invite/accept
+ *
+ * Validate an invite token and return invite data for the UI.
+ * This is called when the invitee clicks the email link.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { validateInvite, InviteError, roleFromLevel } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const token = url.searchParams.get("token");
+
+	if (!token) {
+		return apiError("MISSING_PARAM", "Token is required", 400);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(dineway.db);
+		const invite = await validateInvite(adapter, token);
+
+		return apiSuccess({
+			success: true,
+			email: invite.email,
+			role: invite.role,
+			roleName: roleFromLevel(invite.role),
+		});
+	} catch (error) {
+		if (error instanceof InviteError) {
+			const statusMap: Record<string, number> = {
+				invalid_token: 404,
+				token_expired: 410,
+				user_exists: 409,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(error, "Failed to validate invite", "INVITE_VALIDATE_ERROR");
+	}
+};

package/src/astro/routes/api/auth/invite/complete.ts

@@ -0,0 +1,86 @@
+/**
+ * POST /_dineway/api/auth/invite/complete
+ *
+ * Complete the invite by registering a passkey for the new user.
+ * This creates the user account and establishes a session.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { completeInvite, InviteError } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { inviteCompleteBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals, session }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, inviteCompleteBody);
+		if (isParseError(body)) return body;
+
+		const adapter = createKyselyAdapter(dineway.db);
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const options = new OptionsRepository(dineway.db);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		// Verify the passkey registration response
+		const challengeStore = createChallengeStore(dineway.db);
+		const verified = await verifyRegistrationResponse(
+			passkeyConfig,
+			body.credential,
+			challengeStore,
+		);
+
+		// Complete the invite - creates the user
+		const user = await completeInvite(adapter, body.token, {
+			name: body.name,
+		});
+
+		// Register the passkey for the new user
+		await registerPasskey(adapter, user.id, verified, "Initial passkey");
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		return apiSuccess({
+			success: true,
+			user: {
+				id: user.id,
+				email: user.email,
+				name: user.name,
+				role: user.role,
+			},
+		});
+	} catch (error) {
+		if (error instanceof InviteError) {
+			const statusMap: Record<string, number> = {
+				invalid_token: 404,
+				token_expired: 410,
+				user_exists: 409,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(error, "Failed to complete invite", "INVITE_COMPLETE_ERROR");
+	}
+};

package/src/astro/routes/api/auth/invite/index.ts

@@ -0,0 +1,99 @@
+/**
+ * POST /_dineway/api/auth/invite
+ *
+ * Create an invite for a new user. Admin only.
+ *
+ * When an email provider is configured (via the plugin email pipeline),
+ * the invite email is sent automatically.
+ * When no provider is configured, returns the invite URL for the admin
+ * to share manually (copy-link fallback).
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createInvite, InviteError, Role } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { inviteCreateBody } from "#api/schemas.js";
+import { getSiteBaseUrl } from "#api/site-url.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	if (!user || user.role < Role.ADMIN) {
+		return apiError("FORBIDDEN", "Admin privileges required", 403);
+	}
+
+	const adapter = createKyselyAdapter(dineway.db);
+
+	try {
+		const body = await parseBody(request, inviteCreateBody);
+		if (isParseError(body)) return body;
+
+		// Default to AUTHOR role if not specified (Zod validates the level)
+		const role = body.role ?? Role.AUTHOR;
+
+		// Get site config for invite email
+		const options = new OptionsRepository(dineway.db);
+		const siteName = (await options.get<string>("dineway:site_title")) || "Dineway";
+
+		// Use stored site URL to prevent Host header spoofing in invite emails
+		const baseUrl = await getSiteBaseUrl(dineway.db, request);
+
+		// Build email sender from the plugin pipeline (if available)
+		const emailSend = dineway.email?.isAvailable()
+			? (message: { to: string; subject: string; text: string; html?: string }) =>
+					dineway.email!.send(message, "system")
+			: undefined;
+
+		const result = await createInvite(
+			{
+				baseUrl,
+				siteName,
+				email: emailSend,
+			},
+			adapter,
+			body.email,
+			role,
+			user.id,
+		);
+
+		if (emailSend) {
+			// Email was sent
+			return apiSuccess({
+				success: true,
+				message: `Invite sent to ${body.email}`,
+			});
+		}
+
+		// No email provider — return the invite URL for manual sharing
+		return apiSuccess(
+			{
+				success: true,
+				message: "Invite created. No email provider configured — share the link manually.",
+				inviteUrl: result.url,
+			},
+			200,
+		);
+	} catch (error) {
+		if (error instanceof InviteError) {
+			const statusMap: Record<string, number> = {
+				user_exists: 409,
+				invalid_token: 400,
+				token_expired: 400,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(error, "Failed to create invite", "INVITE_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/auth/invite/register-options.ts

@@ -0,0 +1,73 @@
+/**
+ * POST /_dineway/api/auth/invite/register-options
+ *
+ * Generate WebAuthn registration options for an invited user.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { validateInvite, InviteError } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { generateRegistrationOptions } from "@dineway-ai/auth/passkey";
+import { ulid } from "ulidx";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { inviteRegisterOptionsBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, inviteRegisterOptionsBody);
+		if (isParseError(body)) return body;
+
+		const adapter = createKyselyAdapter(dineway.db);
+		const invite = await validateInvite(adapter, body.token);
+
+		const url = new URL(request.url);
+		const optionsRepo = new OptionsRepository(dineway.db);
+		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		const challengeStore = createChallengeStore(dineway.db);
+		const registrationOptions = await generateRegistrationOptions(
+			passkeyConfig,
+			{
+				id: ulid(),
+				email: invite.email,
+				name: body.name || null,
+			},
+			[],
+			challengeStore,
+		);
+
+		return apiSuccess({ options: registrationOptions });
+	} catch (error) {
+		if (error instanceof InviteError) {
+			const statusMap: Record<string, number> = {
+				invalid_token: 404,
+				token_expired: 410,
+				user_exists: 409,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(
+			error,
+			"Failed to generate registration options",
+			"INVITE_REGISTER_OPTIONS_ERROR",
+		);
+	}
+};

package/src/astro/routes/api/auth/logout.ts

@@ -0,0 +1,40 @@
+/**
+ * POST /_dineway/api/auth/logout
+ *
+ * Destroys the current session and logs the user out.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiSuccess, handleError } from "#api/error.js";
+import { isSafeRedirect } from "#api/redirect.js";
+
+export const POST: APIRoute = async ({ session, url }) => {
+	try {
+		// Destroy session
+		if (session) {
+			session.destroy();
+		}
+
+		// Check for redirect parameter
+		const redirect = url.searchParams.get("redirect");
+
+		if (isSafeRedirect(redirect)) {
+			return new Response(null, {
+				status: 302,
+				headers: { Location: redirect },
+			});
+		}
+
+		return apiSuccess({
+			success: true,
+			message: "Logged out successfully",
+		});
+	} catch (error) {
+		return handleError(error, "Logout failed", "LOGOUT_ERROR");
+	}
+};
+
+// No GET handler — logout must be POST-only to prevent CSRF via link/img tags

package/src/astro/routes/api/auth/magic-link/send.ts

@@ -0,0 +1,90 @@
+/**
+ * POST /_dineway/api/auth/magic-link/send
+ *
+ * Send a magic link email for passwordless authentication.
+ * Always returns success to avoid revealing whether email exists.
+ *
+ * Rate limited: 3 requests per 5 minutes per IP.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { sendMagicLink, type MagicLinkConfig } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError, apiSuccess } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { magicLinkSendBody } from "#api/schemas.js";
+import { getSiteBaseUrl } from "#api/site-url.js";
+import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		// Parse request body first — avoids consuming rate limit slots on
+		// malformed requests and normalizes timing between rate-limited
+		// and real paths (parse cost evens out the response time).
+		const body = await parseBody(request, magicLinkSendBody);
+		if (isParseError(body)) return body;
+
+		// Rate limit: 3 requests per 300 seconds (5 minutes) per IP
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
+		const rateLimit = await checkRateLimit(dineway.db, ip, "magic-link/send", 3, 300);
+		if (!rateLimit.allowed) {
+			// Return success-shaped response to avoid revealing rate limit
+			// (which could leak information about email enumeration attempts)
+			return apiSuccess({
+				success: true,
+				message: "If an account exists for this email, a magic link has been sent.",
+			});
+		}
+
+		// Check if email pipeline is available
+		if (!dineway.email?.isAvailable()) {
+			return apiError(
+				"EMAIL_NOT_CONFIGURED",
+				"Email is not configured. Magic link authentication requires an email provider.",
+				503,
+			);
+		}
+
+		// Build magic link config using stored site URL (not request Host header)
+		const options = new OptionsRepository(dineway.db);
+		const baseUrl = await getSiteBaseUrl(dineway.db, request);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? "Dineway";
+
+		const config: MagicLinkConfig = {
+			baseUrl,
+			siteName,
+			email: (message) => dineway.email!.send(message, "system"),
+		};
+
+		// Send magic link (silently fails if user doesn't exist)
+		const adapter = createKyselyAdapter(dineway.db);
+		await sendMagicLink(config, adapter, body.email.toLowerCase());
+
+		// Always return success to avoid revealing if email exists
+		return apiSuccess({
+			success: true,
+			message: "If an account exists for this email, a magic link has been sent.",
+		});
+	} catch (error) {
+		console.error("Magic link send error:", error);
+
+		// Still return success to avoid revealing information
+		// Log the error but don't expose it to the client
+		return apiSuccess({
+			success: true,
+			message: "If an account exists for this email, a magic link has been sent.",
+		});
+	}
+};

package/src/astro/routes/api/auth/magic-link/verify.ts

@@ -0,0 +1,71 @@
+/**
+ * GET /_dineway/api/auth/magic-link/verify
+ *
+ * Verify a magic link token and create a session.
+ * Tokens are single-use and expire after 15 minutes.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { verifyMagicLink, MagicLinkError } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+
+import { apiError } from "#api/error.js";
+import { isSafeRedirect } from "#api/redirect.js";
+
+export const GET: APIRoute = async ({ url, locals, session, redirect }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Get token from query params
+	const token = url.searchParams.get("token");
+
+	if (!token) {
+		// Redirect to login with error
+		return redirect("/_dineway/admin/login?error=missing_token");
+	}
+
+	try {
+		// Verify the magic link token
+		const adapter = createKyselyAdapter(dineway.db);
+		const user = await verifyMagicLink(adapter, token);
+
+		// Fire-and-forget cleanup of expired tokens -- prevents accumulation
+		void adapter.deleteExpiredTokens().catch(() => {});
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		// Check for a stored redirect URL (from original request)
+		// Validate redirect is a safe local path (prevent open redirect via //evil.com or /\evil.com)
+		const rawRedirect = url.searchParams.get("redirect");
+		const redirectUrl = isSafeRedirect(rawRedirect) ? rawRedirect : "/_dineway/admin";
+
+		// Redirect to admin dashboard or original URL
+		return redirect(redirectUrl);
+	} catch (error) {
+		console.error("Magic link verify error:", error);
+
+		// Handle specific errors
+		if (error instanceof MagicLinkError) {
+			switch (error.code) {
+				case "invalid_token":
+					return redirect("/_dineway/admin/login?error=invalid_link");
+				case "token_expired":
+					return redirect("/_dineway/admin/login?error=link_expired");
+				case "user_not_found":
+					return redirect("/_dineway/admin/login?error=user_not_found");
+			}
+		}
+
+		// Generic error
+		return redirect("/_dineway/admin/login?error=verification_failed");
+	}
+};