dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/menus/[name].ts

@@ -0,0 +1,145 @@
+/**
+ * Single menu endpoint
+ *
+ * GET    /_dineway/api/menus/:name - Get menu with items
+ * PUT    /_dineway/api/menus/:name - Update menu metadata
+ * DELETE /_dineway/api/menus/:name - Delete menu
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, unwrapResult } from "#api/error.js";
+import { handleMenuDelete, handleMenuGet, handleMenuUpdate } from "#api/handlers/menus.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { updateMenuBody } from "#api/schemas.js";
+import {
+	logMenuActivity,
+	menuApiRouteSource,
+	MenuHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const updateMenuHitlBody = updateMenuBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteMenuQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const name = params.name!;
+
+	const denied = requirePerm(user, "menus:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleMenuGet(dineway.db, name);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch menu", "MENU_GET_ERROR");
+	}
+};
+
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const name = params.name!;
+
+	const denied = requirePerm(user, "menus:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, updateMenuHitlBody);
+		if (isParseError(body)) return body;
+
+		const { hitlRequestId, ...menuInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildUpdateMenuRequest({
+			name,
+			...menuInput,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleMenuUpdate(dineway.db, name, menuInput);
+		if (!result.success) return unwrapResult(result);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "updated",
+			menuName: result.data.name,
+			...menuApiRouteSource("updated"),
+			summary: `Updated menu ${result.data.name}`,
+			detail: {
+				label: result.data.label,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to update menu", "MENU_UPDATE_ERROR");
+	}
+};
+
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const name = params.name!;
+
+	const denied = requirePerm(user, "menus:manage");
+	if (denied) return denied;
+
+	const query = parseQuery(new URL(request.url), deleteMenuQuery);
+	if (isParseError(query)) return query;
+
+	try {
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildDeleteMenuRequest({ name });
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId: query.hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleMenuDelete(dineway.db, name);
+		if (!result.success) return unwrapResult(result);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "deleted",
+			menuName: name,
+			...menuApiRouteSource("deleted"),
+			summary: `Deleted menu ${name}`,
+			detail: {
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to delete menu", "MENU_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/menus/index.ts

@@ -0,0 +1,91 @@
+/**
+ * Menus list and create endpoints
+ *
+ * GET  /_dineway/api/menus - List all menus
+ * POST /_dineway/api/menus - Create menu
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, unwrapResult } from "#api/error.js";
+import { handleMenuCreate, handleMenuList } from "#api/handlers/menus.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { createMenuBody } from "#api/schemas.js";
+import {
+	logMenuActivity,
+	menuApiRouteSource,
+	MenuHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const createMenuHitlBody = createMenuBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+
+	const denied = requirePerm(user, "menus:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleMenuList(dineway.db);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch menus", "MENU_LIST_ERROR");
+	}
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	const denied = requirePerm(user, "menus:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createMenuHitlBody);
+		if (isParseError(body)) return body;
+
+		const { hitlRequestId, ...menuInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildCreateMenuRequest(menuInput);
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleMenuCreate(dineway.db, menuInput);
+		if (!result.success) return unwrapResult(result, 201);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "created",
+			menuName: result.data.name,
+			...menuApiRouteSource("created"),
+			summary: `Created menu ${result.data.name}`,
+			detail: {
+				label: result.data.label,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create menu", "MENU_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/authorize.ts

@@ -0,0 +1,430 @@
+/**
+ * GET/POST /_dineway/oauth/authorize
+ *
+ * OAuth 2.1 Authorization Endpoint. Handles both the consent page (GET)
+ * and consent submission (POST).
+ *
+ * GET: Renders an HTML consent page showing which client is requesting
+ *      access and which scopes are being requested.
+ * POST: Processes the user's decision (approve/deny) and redirects
+ *       to the client's redirect_uri with an authorization code or error.
+ *
+ * Requires an authenticated session (not token auth). If unauthenticated,
+ * redirects to login with a return URL.
+ */
+
+import type { APIRoute } from "astro";
+
+import { escapeHtml } from "#api/escape.js";
+import {
+	buildDeniedRedirect,
+	handleAuthorizationApproval,
+} from "#api/handlers/oauth-authorization.js";
+import { lookupOAuthClient, validateClientRedirectUri } from "#api/handlers/oauth-clients.js";
+import { validateRedirectUri } from "#api/oauth/redirect-uri.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { ALL_VALID_SCOPES } from "#auth/api-tokens.js";
+import {
+	disabledExperimentalSiteContextWorkflowScopes,
+	filterExperimentalSiteContextWorkflowScopes,
+	getExperimentalSiteContextWorkflowScopesDisabledMessage,
+} from "#site-context/experimental-workflows.js";
+
+export const prerender = false;
+
+// ---------------------------------------------------------------------------
+// CSRF (SEC-18): Double-submit cookie pattern
+// ---------------------------------------------------------------------------
+
+const CSRF_COOKIE_NAME = "dineway_oauth_csrf";
+
+/** Generate a 32-byte random token as hex. */
+function generateCsrfToken(): string {
+	const bytes = new Uint8Array(32);
+	crypto.getRandomValues(bytes);
+	return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+/** Build the Set-Cookie header value for the CSRF token. */
+function csrfCookieHeader(token: string, request: Request, siteUrl?: string): string {
+	// SameSite=Strict prevents cross-site form submission.
+	// HttpOnly: the token value is embedded in the form hidden field server-side,
+	// so JS never needs to read the cookie. HttpOnly adds defense-in-depth.
+	// Secure is set when:
+	//   - siteUrl is configured and uses https (proxy case — request may be http internally), OR
+	//   - the actual request is over https (non-proxy case, preserve existing behavior — H-2)
+	const isSecure = siteUrl
+		? siteUrl.startsWith("https:")
+		: new URL(request.url).protocol === "https:";
+	const secure = isSecure ? "; Secure" : "";
+	return `${CSRF_COOKIE_NAME}=${token}; Path=/_dineway/oauth/authorize; HttpOnly; SameSite=Strict${secure}`;
+}
+
+/** Extract the CSRF token from the request's cookies. */
+function getCsrfCookie(request: Request): string | null {
+	const cookieHeader = request.headers.get("Cookie");
+	if (!cookieHeader) return null;
+	const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${CSRF_COOKIE_NAME}=([^;]+)`));
+	return match?.[1] ?? null;
+}
+
+// ---------------------------------------------------------------------------
+// Human-readable scope labels
+// ---------------------------------------------------------------------------
+
+const SCOPE_LABELS: Record<string, string> = {
+	"content:read": "Read content (posts, pages, etc.)",
+	"content:write": "Create, edit, and delete content",
+	"media:read": "View media files",
+	"media:write": "Upload and manage media files",
+	"schema:read": "View collection schemas",
+	"schema:write": "Create and modify collection schemas",
+	admin: "Full administrative access",
+};
+
+// ---------------------------------------------------------------------------
+// GET: Render consent page
+// ---------------------------------------------------------------------------
+
+export const GET: APIRoute = async ({ url, request, locals }) => {
+	const { dineway, user } = locals;
+
+	// Validate required OAuth params before rendering
+	const clientId = url.searchParams.get("client_id");
+	const redirectUri = url.searchParams.get("redirect_uri");
+	const responseType = url.searchParams.get("response_type");
+	const codeChallenge = url.searchParams.get("code_challenge");
+	const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+	const scope = url.searchParams.get("scope");
+	const state = url.searchParams.get("state");
+
+	// Basic validation — detailed validation happens on POST
+	if (!clientId || !redirectUri || responseType !== "code" || !codeChallenge) {
+		return new Response(
+			renderErrorPage("Invalid authorization request. Missing required parameters."),
+			{
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			},
+		);
+	}
+
+	if (codeChallengeMethod && codeChallengeMethod !== "S256") {
+		return new Response(renderErrorPage("Only S256 code challenge method is supported."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" },
+		});
+	}
+
+	// Validate client_id is registered and redirect_uri is in the allowlist.
+	// This check happens BEFORE authentication so we never redirect to an
+	// unregistered URI (even for the login redirect, we only redirect to our
+	// own login page, not to the client's redirect_uri).
+	if (dineway?.db) {
+		const client = await lookupOAuthClient(dineway.db, clientId);
+		if (!client) {
+			return new Response(renderErrorPage("Unknown client application."), {
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			});
+		}
+
+		const clientUriError = validateClientRedirectUri(redirectUri, client.redirectUris);
+		if (clientUriError) {
+			return new Response(renderErrorPage("The redirect URI is not registered for this client."), {
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			});
+		}
+	}
+
+	// If not authenticated, redirect to login with return URL
+	if (!user) {
+		const loginUrl = new URL("/_dineway/admin/login", getPublicOrigin(url, dineway?.config));
+		loginUrl.searchParams.set("redirect", url.pathname + url.search);
+		return Response.redirect(loginUrl.toString(), 302);
+	}
+
+	// Parse and validate scopes
+	const rawRequestedScopes = (scope ?? "").split(" ").filter(Boolean);
+	const disabledWorkflowScopes = disabledExperimentalSiteContextWorkflowScopes(rawRequestedScopes);
+	if (disabledWorkflowScopes.length > 0) {
+		return new Response(
+			renderErrorPage(getExperimentalSiteContextWorkflowScopesDisabledMessage()),
+			{
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			},
+		);
+	}
+	const validSet = new Set<string>(filterExperimentalSiteContextWorkflowScopes(ALL_VALID_SCOPES));
+	const requestedScopes = rawRequestedScopes.filter((s) => validSet.has(s));
+
+	if (requestedScopes.length === 0) {
+		return new Response(renderErrorPage("No valid scopes requested."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" },
+		});
+	}
+
+	// SEC-18: Generate CSRF token for the consent form (double-submit cookie pattern)
+	const csrfToken = generateCsrfToken();
+
+	// Render the consent page
+	const html = renderConsentPage({
+		clientId,
+		scopes: requestedScopes,
+		redirectUri,
+		responseType,
+		codeChallenge,
+		codeChallengeMethod: codeChallengeMethod ?? "S256",
+		state: state ?? "",
+		resource: url.searchParams.get("resource") ?? "",
+		userName: user.name ?? user.email,
+		csrfToken,
+	});
+
+	return new Response(html, {
+		headers: {
+			"Content-Type": "text/html; charset=utf-8",
+			"Set-Cookie": csrfCookieHeader(csrfToken, request, getPublicOrigin(url, dineway?.config)),
+		},
+	});
+};
+
+// ---------------------------------------------------------------------------
+// POST: Process consent
+// ---------------------------------------------------------------------------
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return new Response(renderErrorPage("Dineway is not initialized."), {
+			status: 500,
+			headers: { "Content-Type": "text/html; charset=utf-8" },
+		});
+	}
+
+	if (!user) {
+		return new Response(renderErrorPage("Authentication required."), {
+			status: 401,
+			headers: { "Content-Type": "text/html; charset=utf-8" },
+		});
+	}
+
+	const formData = await request.formData();
+	const field = (name: string, fallback = ""): string => {
+		const v = formData.get(name);
+		return typeof v === "string" ? v : fallback;
+	};
+
+	// SEC-18: Validate CSRF token (double-submit cookie pattern).
+	// The form includes a hidden csrf_token field; the cookie has the same value.
+	// An attacker cannot read the cookie to forge the form field (HttpOnly + SameSite=Strict).
+	const formCsrf = field("csrf_token");
+	const cookieCsrf = getCsrfCookie(request);
+	const csrfError = new Response(
+		renderErrorPage("Invalid or missing CSRF token. Please try again."),
+		{ status: 403, headers: { "Content-Type": "text/html; charset=utf-8" } },
+	);
+	if (!formCsrf || !cookieCsrf) return csrfError;
+
+	// Constant-time comparison: hash both values to fixed-length 32-byte digests,
+	// then XOR every byte pair. This avoids non-standard timing-safe helpers and
+	// works across the supported Node/Web Crypto path.
+	// The SHA-256 pre-hash ensures fixed length, eliminating length-leaking.
+	const csrfEncoder = new TextEncoder();
+	const [csrfHashA, csrfHashB] = await Promise.all([
+		crypto.subtle.digest("SHA-256", csrfEncoder.encode(formCsrf)),
+		crypto.subtle.digest("SHA-256", csrfEncoder.encode(cookieCsrf)),
+	]);
+	const a = new Uint8Array(csrfHashA);
+	const b = new Uint8Array(csrfHashB);
+	let diff = 0;
+	// eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion -- tsgo needs these
+	for (let i = 0; i < a.length; i++) diff |= a[i]! ^ b[i]!;
+	if (diff !== 0) return csrfError;
+
+	const action = field("action");
+	const redirectUri = field("redirect_uri");
+	const state = field("state") || undefined;
+
+	if (!redirectUri) {
+		return new Response(renderErrorPage("Missing redirect_uri."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" },
+		});
+	}
+
+	// Validate redirect_uri scheme/host before using it for any redirect
+	const uriError = validateRedirectUri(redirectUri);
+	if (uriError) {
+		return new Response(renderErrorPage(escapeHtml(uriError)), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" },
+		});
+	}
+
+	// User denied — SEC-44: validate redirect_uri against client's registered URIs
+	// before redirecting, to prevent open redirect on the deny path.
+	if (action === "deny") {
+		const clientId = field("client_id");
+		if (!clientId) {
+			return new Response(renderErrorPage("Missing client_id."), {
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			});
+		}
+
+		const client = await lookupOAuthClient(dineway.db, clientId);
+		if (!client) {
+			return new Response(renderErrorPage("Unknown client application."), {
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			});
+		}
+
+		const clientUriError = validateClientRedirectUri(redirectUri, client.redirectUris);
+		if (clientUriError) {
+			return new Response(renderErrorPage("The redirect URI is not registered for this client."), {
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			});
+		}
+
+		const denyUrl = buildDeniedRedirect(redirectUri, state);
+		return Response.redirect(denyUrl, 302);
+	}
+
+	// User approved — process the authorization
+	const result = await handleAuthorizationApproval(dineway.db, user.id, user.role, {
+		response_type: field("response_type", "code"),
+		client_id: field("client_id"),
+		redirect_uri: redirectUri,
+		scope: field("scope"),
+		state,
+		code_challenge: field("code_challenge"),
+		code_challenge_method: field("code_challenge_method", "S256"),
+		resource: field("resource") || undefined,
+	});
+
+	if (!result.success) {
+		const errMsg = result.error?.message ?? "Authorization failed";
+		// On error, redirect back with error params — use generic description to avoid
+		// leaking internal error details to the (already-validated) redirect target
+		try {
+			const errorUrl = new URL(redirectUri);
+			errorUrl.searchParams.set("error", "server_error");
+			errorUrl.searchParams.set("error_description", "Authorization failed");
+			if (state) errorUrl.searchParams.set("state", state);
+			return Response.redirect(errorUrl.toString(), 302);
+		} catch {
+			return new Response(renderErrorPage(escapeHtml(errMsg)), {
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			});
+		}
+	}
+
+	return Response.redirect(result.data.redirect_url, 302);
+};
+
+// ---------------------------------------------------------------------------
+// HTML rendering
+// ---------------------------------------------------------------------------
+
+function renderConsentPage(params: {
+	clientId: string;
+	scopes: string[];
+	redirectUri: string;
+	responseType: string;
+	codeChallenge: string;
+	codeChallengeMethod: string;
+	state: string;
+	resource: string;
+	userName: string;
+	csrfToken: string;
+}): string {
+	const scopeList = params.scopes
+		.map((s) => {
+			const label = SCOPE_LABELS[s] ?? s;
+			return `<li>${escapeHtml(label)}</li>`;
+		})
+		.join("\n");
+
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorize Application — Dineway</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { font-family: system-ui, -apple-system, sans-serif; background: #0a0a0a; color: #e5e5e5; display: flex; justify-content: center; align-items: center; min-height: 100vh; padding: 1rem; }
+  .card { background: #171717; border: 1px solid #262626; border-radius: 12px; max-width: 420px; width: 100%; padding: 2rem; }
+  h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 0.5rem; }
+  .client-id { color: #a3a3a3; font-size: 0.875rem; word-break: break-all; margin-bottom: 1.5rem; }
+  .user { color: #a3a3a3; font-size: 0.875rem; margin-bottom: 1rem; }
+  h2 { font-size: 0.875rem; font-weight: 500; color: #a3a3a3; text-transform: uppercase; letter-spacing: 0.05em; margin-bottom: 0.75rem; }
+  ul { list-style: none; margin-bottom: 1.5rem; }
+  li { padding: 0.5rem 0; border-bottom: 1px solid #262626; font-size: 0.875rem; }
+  li:last-child { border-bottom: none; }
+  .actions { display: flex; gap: 0.75rem; }
+  button { flex: 1; padding: 0.625rem 1rem; border-radius: 8px; border: none; font-size: 0.875rem; font-weight: 500; cursor: pointer; }
+  .approve { background: #2563eb; color: white; }
+  .approve:hover { background: #1d4ed8; }
+  .deny { background: #262626; color: #e5e5e5; }
+  .deny:hover { background: #333; }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Authorize Application</h1>
+  <p class="client-id">${escapeHtml(params.clientId)}</p>
+  <p class="user">Signed in as <strong>${escapeHtml(params.userName)}</strong></p>
+  <h2>Permissions requested</h2>
+  <ul>${scopeList}</ul>
+  <form method="POST">
+    <input type="hidden" name="csrf_token" value="${escapeHtml(params.csrfToken)}">
+    <input type="hidden" name="response_type" value="${escapeHtml(params.responseType)}">
+    <input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
+    <input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
+    <input type="hidden" name="scope" value="${escapeHtml(params.scopes.join(" "))}">
+    <input type="hidden" name="state" value="${escapeHtml(params.state)}">
+    <input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
+    <input type="hidden" name="code_challenge_method" value="${escapeHtml(params.codeChallengeMethod)}">
+    <input type="hidden" name="resource" value="${escapeHtml(params.resource)}">
+    <div class="actions">
+      <button type="submit" name="action" value="deny" class="deny">Deny</button>
+      <button type="submit" name="action" value="approve" class="approve">Approve</button>
+    </div>
+  </form>
+</div>
+</body>
+</html>`;
+}
+
+function renderErrorPage(message: string): string {
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorization Error — Dineway</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { font-family: system-ui, -apple-system, sans-serif; background: #0a0a0a; color: #e5e5e5; display: flex; justify-content: center; align-items: center; min-height: 100vh; padding: 1rem; }
+  .card { background: #171717; border: 1px solid #262626; border-radius: 12px; max-width: 420px; width: 100%; padding: 2rem; }
+  h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 1rem; color: #ef4444; }
+  p { font-size: 0.875rem; color: #a3a3a3; }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Authorization Error</h1>
+  <p>${escapeHtml(message)}</p>
+</div>
+</body>
+</html>`;
+}