dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/oauth/device/authorize.ts

@@ -0,0 +1,45 @@
+/**
+ * POST /_dineway/api/oauth/device/authorize
+ *
+ * User submits the user code after logging in via the browser.
+ * This endpoint requires authentication (the user must be logged in).
+ */
+
+/// <reference types="dineway/locals" />
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleDeviceAuthorize } from "#api/handlers/device-flow.js";
+import { isParseError, parseBody } from "#api/parse.js";
+
+export const prerender = false;
+
+const authorizeSchema = z.object({
+	user_code: z.string().min(1),
+	action: z.enum(["approve", "deny"]).optional(),
+});
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+	const { user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Authentication required", 401);
+	}
+
+	try {
+		const body = await parseBody(request, authorizeSchema);
+		if (isParseError(body)) return body;
+
+		const result = await handleDeviceAuthorize(dineway.db, user.id, user.role, body);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to authorize device", "AUTHORIZE_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/device/code.ts

@@ -0,0 +1,56 @@
+/**
+ * POST /_dineway/api/oauth/device/code
+ *
+ * Issue a device code + user code for the OAuth Device Flow.
+ * This is an unauthenticated endpoint (the CLI doesn't have a token yet).
+ *
+ * Rate limited: 10 requests per minute per IP.
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleDeviceCodeRequest } from "#api/handlers/device-flow.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
+
+export const prerender = false;
+
+const deviceCodeSchema = z.object({
+	client_id: z.string().optional(),
+	scope: z.string().optional(),
+});
+
+export const POST: APIRoute = async ({ request, locals, url }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, deviceCodeSchema);
+		if (isParseError(body)) return body;
+
+		// Rate limit: 10 requests per 60 seconds per IP
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
+		const rateLimit = await checkRateLimit(dineway.db, ip, "device/code", 10, 60);
+		if (!rateLimit.allowed) {
+			return rateLimitResponse(60);
+		}
+
+		// Build the verification URI — device page lives inside the admin SPA
+		const verificationUri = new URL(
+			"/_dineway/admin/device",
+			getPublicOrigin(url, dineway?.config),
+		).toString();
+
+		const result = await handleDeviceCodeRequest(dineway.db, body, verificationUri);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to create device code", "DEVICE_CODE_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/device/token.ts

@@ -0,0 +1,70 @@
+/**
+ * POST /_dineway/api/oauth/device/token
+ *
+ * CLI polls this endpoint to exchange a device code for tokens.
+ * Returns RFC 8628 error codes during the polling phase.
+ * This is an unauthenticated endpoint.
+ *
+ * Rate limited: 12 requests per minute per IP.
+ * Also enforces RFC 8628 slow_down: if polled faster than the interval,
+ * responds with { error: "slow_down", interval: N } and increases the interval by 5s.
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleDeviceTokenExchange } from "#api/handlers/device-flow.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
+
+export const prerender = false;
+
+const deviceTokenSchema = z.object({
+	device_code: z.string().min(1),
+	grant_type: z.string().min(1),
+});
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, deviceTokenSchema);
+		if (isParseError(body)) return body;
+
+		// Rate limit: 12 requests per 60 seconds per IP
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
+		const rateLimit = await checkRateLimit(dineway.db, ip, "device/token", 12, 60);
+		if (!rateLimit.allowed) {
+			return rateLimitResponse(60);
+		}
+
+		const result = await handleDeviceTokenExchange(dineway.db, body);
+
+		// RFC 8628 requires specific error format for device flow errors
+		// RFC 6749 §5.1 requires Cache-Control: no-store + Pragma: no-cache on token responses
+		if (!result.success && result.deviceFlowError) {
+			const errorBody: { error: string; interval?: number } = { error: result.deviceFlowError };
+			if (result.deviceFlowInterval !== undefined) {
+				errorBody.interval = result.deviceFlowInterval;
+			}
+			return Response.json(errorBody, {
+				status: 400,
+				headers: {
+					"Content-Type": "application/json",
+					"Cache-Control": "no-store",
+					Pragma: "no-cache",
+				},
+			});
+		}
+
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to exchange device code", "TOKEN_EXCHANGE_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/register.ts

@@ -0,0 +1,182 @@
+/**
+ * POST /_dineway/api/oauth/register
+ *
+ * RFC 7591 Dynamic Client Registration. Public, unauthenticated.
+ * MCP clients call this to register before starting the OAuth flow.
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiError, handleError } from "#api/error.js";
+import { handleOAuthClientCreate } from "#api/handlers/oauth-clients.js";
+import {
+	disabledExperimentalSiteContextWorkflowScopes,
+	getExperimentalSiteContextWorkflowScopesDisabledMessage,
+} from "#site-context/experimental-workflows.js";
+
+export const prerender = false;
+
+const OAUTH_REGISTRATION_HEADERS: HeadersInit = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
+};
+
+const SUPPORTED_GRANT_TYPES = new Set([
+	"authorization_code",
+	"refresh_token",
+	"urn:ietf:params:oauth:grant-type:device_code",
+]);
+const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
+
+function registrationError(description: string, status = 400): Response {
+	return Response.json(
+		{
+			error: "invalid_client_metadata",
+			error_description: description,
+		},
+		{ status, headers: OAUTH_REGISTRATION_HEADERS },
+	);
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function isStringArray(value: unknown): value is string[] {
+	return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+
+function parseScope(value: unknown): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (typeof value === "string") {
+		const scopes = value.split(" ").filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	if (isStringArray(value)) {
+		const scopes = value.filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	return registrationError("scope must be a string or array of strings");
+}
+
+function parseSupportedStringArray(
+	value: unknown,
+	field: string,
+	supported: ReadonlySet<string>,
+): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (!isStringArray(value)) {
+		return registrationError(`${field} must be an array of strings`);
+	}
+	const invalidValue = value.find((item) => !supported.has(item));
+	if (invalidValue) {
+		return registrationError(`${field} contains unsupported value: ${invalidValue}`);
+	}
+	return value;
+}
+
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		let body: unknown;
+		try {
+			body = await request.json();
+		} catch {
+			return registrationError("Request body must be valid JSON");
+		}
+
+		if (!isRecord(body)) {
+			return registrationError("Request body must be a JSON object");
+		}
+
+		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {
+			return registrationError("redirect_uris must be a non-empty array of strings");
+		}
+
+		if (
+			body.token_endpoint_auth_method !== undefined &&
+			body.token_endpoint_auth_method !== "none"
+		) {
+			return registrationError("Only token_endpoint_auth_method=none is supported");
+		}
+
+		const grantTypes = parseSupportedStringArray(
+			body.grant_types,
+			"grant_types",
+			SUPPORTED_GRANT_TYPES,
+		);
+		if (grantTypes instanceof Response) {
+			return grantTypes;
+		}
+
+		const responseTypes = parseSupportedStringArray(
+			body.response_types,
+			"response_types",
+			SUPPORTED_RESPONSE_TYPES,
+		);
+		if (responseTypes instanceof Response) {
+			return responseTypes;
+		}
+
+		const scopes = parseScope(body.scope);
+		if (scopes instanceof Response) {
+			return scopes;
+		}
+		if (scopes) {
+			const disabledWorkflowScopes = disabledExperimentalSiteContextWorkflowScopes(scopes);
+			if (disabledWorkflowScopes.length > 0) {
+				return registrationError(getExperimentalSiteContextWorkflowScopesDisabledMessage());
+			}
+		}
+
+		const clientId = crypto.randomUUID();
+		const clientName =
+			typeof body.client_name === "string" && body.client_name
+				? body.client_name
+				: `dynamic-${clientId.slice(0, 8)}`;
+
+		const result = await handleOAuthClientCreate(dineway.db, {
+			id: clientId,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes,
+		});
+
+		if (!result.success) {
+			return registrationError(result.error.message);
+		}
+
+		return Response.json(
+			{
+				client_id: result.data.id,
+				client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),
+				redirect_uris: result.data.redirectUris,
+				client_name: result.data.name,
+				grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
+				response_types: responseTypes ?? ["code"],
+				token_endpoint_auth_method: "none",
+				scope: result.data.scopes ? result.data.scopes.join(" ") : undefined,
+			},
+			{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },
+		);
+	} catch (error) {
+		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/token/refresh.ts

@@ -0,0 +1,38 @@
+/**
+ * POST /_dineway/api/oauth/token/refresh
+ *
+ * Exchange a refresh token for a new access token.
+ * This is an unauthenticated endpoint (the caller presents the refresh token).
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleTokenRefresh } from "#api/handlers/device-flow.js";
+import { isParseError, parseBody } from "#api/parse.js";
+
+export const prerender = false;
+
+const refreshSchema = z.object({
+	refresh_token: z.string().min(1),
+	grant_type: z.string().min(1),
+});
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, refreshSchema);
+		if (isParseError(body)) return body;
+
+		const result = await handleTokenRefresh(dineway.db, body);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to refresh token", "TOKEN_REFRESH_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/token/revoke.ts

@@ -0,0 +1,38 @@
+/**
+ * POST /_dineway/api/oauth/token/revoke
+ *
+ * Revoke an access or refresh token (RFC 7009).
+ * Always returns 200, even for invalid tokens.
+ * This is an unauthenticated endpoint (the caller presents the token to revoke).
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleTokenRevoke } from "#api/handlers/device-flow.js";
+import { isParseError, parseBody } from "#api/parse.js";
+
+export const prerender = false;
+
+const revokeSchema = z.object({
+	token: z.string().min(1),
+});
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, revokeSchema);
+		if (isParseError(body)) return body;
+
+		const result = await handleTokenRevoke(dineway.db, body);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to revoke token", "TOKEN_REVOKE_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/token.ts

@@ -0,0 +1,195 @@
+/**
+ * POST /_dineway/api/oauth/token
+ *
+ * Unified token endpoint per OAuth 2.1. Routes by `grant_type`:
+ * - authorization_code: Authorization Code + PKCE exchange
+ * - urn:ietf:params:oauth:grant-type:device_code: Device Flow
+ * - refresh_token: Token refresh
+ *
+ * Accepts both application/x-www-form-urlencoded (spec-standard) and
+ * application/json (for backwards compatibility with existing clients).
+ *
+ * This is an unauthenticated endpoint — callers present tokens/codes
+ * instead of session cookies.
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { apiError, handleError } from "#api/error.js";
+import { handleDeviceTokenExchange, handleTokenRefresh } from "#api/handlers/device-flow.js";
+import { handleAuthorizationCodeExchange } from "#api/handlers/oauth-authorization.js";
+
+export const prerender = false;
+
+const OAUTH_TOKEN_HEADERS: HeadersInit = {
+	"Content-Type": "application/json",
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
+};
+
+// ---------------------------------------------------------------------------
+// Parse helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse the request body from either form-encoded or JSON.
+ * OAuth 2.1 mandates form-encoded, but we accept both.
+ */
+async function parseTokenBody(request: Request): Promise<Record<string, string>> {
+	const contentType = request.headers.get("content-type") ?? "";
+
+	if (contentType.includes("application/x-www-form-urlencoded")) {
+		const text = await request.text();
+		const params = new URLSearchParams(text);
+		const result: Record<string, string> = {};
+		for (const [key, value] of params) {
+			result[key] = value;
+		}
+		return result;
+	}
+
+	// Fallback: try JSON
+	try {
+		const json = Object(await request.json()) as Record<string, unknown>;
+		const result: Record<string, string> = {};
+		for (const [key, value] of Object.entries(json)) {
+			if (typeof value === "string") {
+				result[key] = value;
+			} else if (typeof value === "number") {
+				result[key] = String(value);
+			}
+		}
+		return result;
+	} catch {
+		return {};
+	}
+}
+
+// ---------------------------------------------------------------------------
+// Schemas
+// ---------------------------------------------------------------------------
+
+const authCodeSchema = z.object({
+	grant_type: z.literal("authorization_code"),
+	code: z.string().min(1),
+	redirect_uri: z.string().min(1),
+	client_id: z.string().min(1),
+	code_verifier: z.string().min(43).max(128),
+	resource: z.string().optional(),
+});
+
+const deviceCodeSchema = z.object({
+	grant_type: z.literal("urn:ietf:params:oauth:grant-type:device_code"),
+	device_code: z.string().min(1),
+});
+
+const refreshSchema = z.object({
+	grant_type: z.literal("refresh_token"),
+	refresh_token: z.string().min(1),
+});
+
+// ---------------------------------------------------------------------------
+// Handler
+// ---------------------------------------------------------------------------
+
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseTokenBody(request);
+		const grantType = body.grant_type;
+
+		if (!grantType) {
+			return oauthError("invalid_request", "grant_type is required", 400);
+		}
+
+		switch (grantType) {
+			case "authorization_code": {
+				const parsed = authCodeSchema.safeParse(body);
+				if (!parsed.success) {
+					return oauthError("invalid_request", formatZodError(parsed.error), 400);
+				}
+
+				const result = await handleAuthorizationCodeExchange(dineway.db, parsed.data);
+				if (!result.success) {
+					const err = result.error ?? { code: "unknown", message: "Unknown error" };
+					return oauthError(err.code, err.message, 400);
+				}
+				return oauthSuccess(result.data);
+			}
+
+			case "urn:ietf:params:oauth:grant-type:device_code": {
+				const parsed = deviceCodeSchema.safeParse(body);
+				if (!parsed.success) {
+					return oauthError("invalid_request", formatZodError(parsed.error), 400);
+				}
+
+				const result = await handleDeviceTokenExchange(dineway.db, parsed.data);
+				if (!result.success) {
+					const err = result.error ?? { code: "unknown", message: "Unknown error" };
+					// RFC 8628 requires specific error format
+					if (result.deviceFlowError) {
+						return oauthError(result.deviceFlowError, err.message, 400);
+					}
+					return oauthError(err.code, err.message, 400);
+				}
+				return oauthSuccess(result.data);
+			}
+
+			case "refresh_token": {
+				const parsed = refreshSchema.safeParse(body);
+				if (!parsed.success) {
+					return oauthError("invalid_request", formatZodError(parsed.error), 400);
+				}
+
+				const result = await handleTokenRefresh(dineway.db, parsed.data);
+				if (!result.success) {
+					const err = result.error ?? { code: "unknown", message: "Unknown error" };
+					return oauthError(err.code, err.message, 400);
+				}
+				return oauthSuccess(result.data);
+			}
+
+			default:
+				return oauthError("unsupported_grant_type", `Unsupported grant_type: ${grantType}`, 400);
+		}
+	} catch (error) {
+		return handleError(error, "Failed to process token request", "TOKEN_ERROR");
+	}
+};
+
+// ---------------------------------------------------------------------------
+// OAuth response helpers (RFC 6749 §5.1 / §5.2)
+// ---------------------------------------------------------------------------
+
+function oauthSuccess(data: unknown): Response {
+	return Response.json(data, { headers: OAUTH_TOKEN_HEADERS });
+}
+
+function oauthError(error: string, description: string, status: number): Response {
+	return Response.json(
+		{ error, error_description: description },
+		{ status, headers: OAUTH_TOKEN_HEADERS },
+	);
+}
+
+function formatZodError(error: z.ZodError): string {
+	return error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+}

package/src/astro/routes/api/openapi.json.ts

@@ -0,0 +1,33 @@
+/**
+ * OpenAPI spec endpoint
+ *
+ * GET /_dineway/api/openapi.json
+ *
+ * Returns the generated OpenAPI 3.1 document. The spec is generated once
+ * and cached for the lifetime of the process.
+ */
+
+import type { APIRoute } from "astro";
+
+import { generateOpenApiDocument } from "../../../api/openapi/index.js";
+
+export const prerender = false;
+
+let cachedSpec: string | null = null;
+
+export const GET: APIRoute = async ({ locals }) => {
+	if (!cachedSpec) {
+		const maxUploadSize = locals.dineway?.config.maxUploadSize;
+		const doc = generateOpenApiDocument({ maxUploadSize });
+		cachedSpec = JSON.stringify(doc);
+	}
+
+	return new Response(cachedSpec, {
+		status: 200,
+		headers: {
+			"Content-Type": "application/json",
+			"Cache-Control": "public, max-age=3600",
+			"Access-Control-Allow-Origin": "*",
+		},
+	});
+};