dineway 0.1.9 → 0.1.11

package/src/astro/routes/api/auth/passkey/register/options.ts

@@ -1,88 +0,0 @@
-/**
- * POST /_dineway/api/auth/passkey/register/options
- *
- * Get WebAuthn registration options for adding a new passkey (authenticated user)
- */
-
-import type { APIRoute } from "astro";
-
-export const prerender = false;
-
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { generateRegistrationOptions } from "@dineway-ai/auth/passkey";
-
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { isParseError, parseOptionalBody } from "#api/parse.js";
-import { getPublicOrigin } from "#api/public-url.js";
-import { passkeyRegisterOptionsBody } from "#api/schemas.js";
-import { createChallengeStore } from "#auth/challenge-store.js";
-import { getPasskeyConfig } from "#auth/passkey-config.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-
-const MAX_PASSKEYS = 10;
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway, user } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	// Require authentication
-	if (!user) {
-		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
-	}
-
-	try {
-		const adapter = createKyselyAdapter(dineway.db);
-
-		// Check passkey limit
-		const count = await adapter.countCredentialsByUserId(user.id);
-		if (count >= MAX_PASSKEYS) {
-			return apiError("PASSKEY_LIMIT", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);
-		}
-
-		// Parse optional name from request
-		const body = await parseOptionalBody(request, passkeyRegisterOptionsBody, {});
-		if (isParseError(body)) return body;
-
-		// Get existing credentials for excludeCredentials
-		const existingCredentials = await adapter.getCredentialsByUserId(user.id);
-
-		// Get passkey config
-		const url = new URL(request.url);
-		const optionsRepo = new OptionsRepository(dineway.db);
-		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? undefined;
-		const siteUrl = getPublicOrigin(url, dineway?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
-
-		// Generate registration options
-		const challengeStore = createChallengeStore(dineway.db);
-		const registrationOptions = await generateRegistrationOptions(
-			passkeyConfig,
-			{ id: user.id, email: user.email, name: user.name },
-			existingCredentials,
-			challengeStore,
-		);
-
-		// Store the passkey name in the challenge metadata if provided
-		// We'll retrieve it during verification
-		if (body.name) {
-			// Store name with challenge for later retrieval
-			// The challenge store will need this when verifying
-			await optionsRepo.set(`dineway:passkey_pending:${user.id}`, {
-				name: body.name,
-			});
-		}
-
-		return apiSuccess({
-			options: registrationOptions,
-		});
-	} catch (error) {
-		return handleError(
-			error,
-			"Failed to generate registration options",
-			"PASSKEY_REGISTER_OPTIONS_ERROR",
-		);
-	}
-};

package/src/astro/routes/api/auth/passkey/register/verify.ts

@@ -1,119 +0,0 @@
-/**
- * POST /_dineway/api/auth/passkey/register/verify
- *
- * Verify and store a new passkey credential (authenticated user)
- */
-
-import type { APIRoute } from "astro";
-
-export const prerender = false;
-
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
-
-import { apiError, apiSuccess } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { getPublicOrigin } from "#api/public-url.js";
-import { passkeyRegisterVerifyBody } from "#api/schemas.js";
-import { createChallengeStore } from "#auth/challenge-store.js";
-import { getPasskeyConfig } from "#auth/passkey-config.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-
-const MAX_PASSKEYS = 10;
-
-interface PasskeyResponse {
-	id: string;
-	name: string | null;
-	deviceType: "singleDevice" | "multiDevice";
-	backedUp: boolean;
-	createdAt: string;
-	lastUsedAt: string;
-}
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway, user } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	// Require authentication
-	if (!user) {
-		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
-	}
-
-	try {
-		const adapter = createKyselyAdapter(dineway.db);
-
-		// Check passkey limit again (in case of concurrent requests)
-		const count = await adapter.countCredentialsByUserId(user.id);
-		if (count >= MAX_PASSKEYS) {
-			return apiError("PASSKEY_LIMIT", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);
-		}
-
-		// Parse request body
-		const body = await parseBody(request, passkeyRegisterVerifyBody);
-		if (isParseError(body)) return body;
-
-		// Get passkey config
-		const url = new URL(request.url);
-		const optionsRepo = new OptionsRepository(dineway.db);
-		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? undefined;
-		const siteUrl = getPublicOrigin(url, dineway?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
-
-		// Verify the registration response
-		const challengeStore = createChallengeStore(dineway.db);
-		const verified = await verifyRegistrationResponse(
-			passkeyConfig,
-			body.credential,
-			challengeStore,
-		);
-
-		// Get passkey name - prefer body.name, then check stored pending name
-		let passKeyName: string | undefined = body.name ?? undefined;
-		if (!passKeyName) {
-			const pending = await optionsRepo.get<{ name?: string }>(
-				`dineway:passkey_pending:${user.id}`,
-			);
-			if (pending?.name) {
-				passKeyName = pending.name;
-			}
-		}
-
-		// Clean up pending state
-		await optionsRepo.delete(`dineway:passkey_pending:${user.id}`);
-
-		// Register the passkey
-		const credential = await registerPasskey(adapter, user.id, verified, passKeyName);
-
-		// Return the new passkey info
-		const passkey: PasskeyResponse = {
-			id: credential.id,
-			name: credential.name,
-			deviceType: credential.deviceType,
-			backedUp: credential.backedUp,
-			createdAt: credential.createdAt.toISOString(),
-			lastUsedAt: credential.lastUsedAt.toISOString(),
-		};
-
-		return apiSuccess({ passkey });
-	} catch (error) {
-		console.error("Passkey registration verify error:", error);
-
-		// Handle specific errors
-		const message = error instanceof Error ? error.message : "";
-
-		// Check for duplicate credential error
-		if (message.includes("credential_exists") || message.includes("already")) {
-			return apiError("CREDENTIAL_EXISTS", "This passkey is already registered", 400);
-		}
-
-		// Check for challenge errors
-		if (message.includes("challenge") || message.includes("expired")) {
-			return apiError("CHALLENGE_EXPIRED", "Registration expired. Please try again.", 400);
-		}
-
-		return apiError("PASSKEY_REGISTER_ERROR", "Registration failed", 500);
-	}
-};

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -1,72 +0,0 @@
-/**
- * POST /_dineway/api/auth/passkey/verify
- *
- * Verify a passkey authentication and create a session
- */
-
-import type { APIRoute } from "astro";
-
-export const prerender = false;
-
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { authenticateWithPasskey, PasskeyAuthenticationError } from "@dineway-ai/auth/passkey";
-
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { getPublicOrigin } from "#api/public-url.js";
-import { passkeyVerifyBody } from "#api/schemas.js";
-import { createChallengeStore } from "#auth/challenge-store.js";
-import { getPasskeyConfig } from "#auth/passkey-config.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-
-export const POST: APIRoute = async ({ request, locals, session }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, passkeyVerifyBody);
-		if (isParseError(body)) return body;
-
-		// Get passkey config
-		const url = new URL(request.url);
-		const options = new OptionsRepository(dineway.db);
-		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
-		const siteUrl = getPublicOrigin(url, dineway?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
-
-		// Authenticate with passkey
-		const adapter = createKyselyAdapter(dineway.db);
-		const challengeStore = createChallengeStore(dineway.db);
-
-		const user = await authenticateWithPasskey(
-			passkeyConfig,
-			adapter,
-			body.credential,
-			challengeStore,
-		);
-
-		// Create session
-		if (session) {
-			session.set("user", { id: user.id });
-		}
-
-		return apiSuccess({
-			success: true,
-			user: {
-				id: user.id,
-				email: user.email,
-				name: user.name,
-				role: user.role,
-			},
-		});
-	} catch (error) {
-		if (error instanceof PasskeyAuthenticationError) {
-			return apiError("UNAUTHORIZED", "Authentication failed", 401);
-		}
-
-		return handleError(error, "Authentication failed", "PASSKEY_VERIFY_ERROR");
-	}
-};

package/src/astro/routes/api/auth/signup/complete.ts

@@ -1,87 +0,0 @@
-/**
- * POST /_dineway/api/auth/signup/complete
- *
- * Complete self-signup by registering a passkey for the new user.
- * This creates the user account and establishes a session.
- */
-
-import type { APIRoute } from "astro";
-
-export const prerender = false;
-
-import { completeSignup, SignupError } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
-
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { getPublicOrigin } from "#api/public-url.js";
-import { signupCompleteBody } from "#api/schemas.js";
-import { createChallengeStore } from "#auth/challenge-store.js";
-import { getPasskeyConfig } from "#auth/passkey-config.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-
-export const POST: APIRoute = async ({ request, locals, session }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, signupCompleteBody);
-		if (isParseError(body)) return body;
-
-		const adapter = createKyselyAdapter(dineway.db);
-
-		// Get passkey config
-		const url = new URL(request.url);
-		const options = new OptionsRepository(dineway.db);
-		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
-		const siteUrl = getPublicOrigin(url, dineway?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
-
-		// Verify the passkey registration response
-		const challengeStore = createChallengeStore(dineway.db);
-		const verified = await verifyRegistrationResponse(
-			passkeyConfig,
-			body.credential,
-			challengeStore,
-		);
-
-		// Complete the signup - creates the user
-		const user = await completeSignup(adapter, body.token, {
-			name: body.name,
-		});
-
-		// Register the passkey for the new user
-		await registerPasskey(adapter, user.id, verified, "Initial passkey");
-
-		// Create session
-		if (session) {
-			session.set("user", { id: user.id });
-		}
-
-		return apiSuccess({
-			success: true,
-			user: {
-				id: user.id,
-				email: user.email,
-				name: user.name,
-				role: user.role,
-			},
-		});
-	} catch (error) {
-		if (error instanceof SignupError) {
-			const statusMap: Record<string, number> = {
-				invalid_token: 404,
-				token_expired: 410,
-				user_exists: 409,
-				domain_not_allowed: 403,
-			};
-			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
-		}
-
-		return handleError(error, "Failed to complete signup", "SIGNUP_COMPLETE_ERROR");
-	}
-};

package/src/astro/routes/api/auth/signup/request.ts

@@ -1,89 +0,0 @@
-/**
- * POST /_dineway/api/auth/signup/request
- *
- * Request self-signup. Sends verification email if domain is allowed.
- * Always returns 200 to prevent email enumeration.
- *
- * Rate limited: 3 requests per 5 minutes per IP. Mirrors magic-link/send.
- */
-
-import type { APIRoute } from "astro";
-
-export const prerender = false;
-
-import { requestSignup } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-
-import { apiError, apiSuccess } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { signupRequestBody } from "#api/schemas.js";
-import { getSiteBaseUrl } from "#api/site-url.js";
-import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
-import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-
-const GENERIC_SUCCESS = {
-	success: true,
-	message: "If your email domain is allowed, you'll receive a verification email.",
-};
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	// Check if email pipeline is available
-	if (!dineway.email?.isAvailable()) {
-		return apiError(
-			"EMAIL_NOT_CONFIGURED",
-			"Email not configured. Self-signup is unavailable.",
-			503,
-		);
-	}
-
-	try {
-		const body = await parseBody(request, signupRequestBody);
-		if (isParseError(body)) return body;
-
-		// Rate limit: 3 requests per 300 seconds per IP. Return the same
-		// response as the normal path so callers cannot observe the limit.
-		const trustedHeaders = getTrustedProxyHeaders(dineway.config);
-		const ip = getClientIp(request, trustedHeaders);
-		const rateLimit = await checkRateLimit(dineway.db, ip, "signup/request", 3, 300);
-		if (!rateLimit.allowed) {
-			return apiSuccess(GENERIC_SUCCESS);
-		}
-
-		const adapter = createKyselyAdapter(dineway.db);
-
-		// Get site config for signup email
-		const options = new OptionsRepository(dineway.db);
-		const siteName = (await options.get<string>("dineway:site_title")) || "Dineway";
-
-		// Use stored site URL to prevent Host header spoofing in signup emails
-		const baseUrl = await getSiteBaseUrl(dineway.db, request);
-
-		// Request signup - this handles all checks internally and fails silently
-		// if domain not allowed or user exists (to prevent enumeration)
-		await requestSignup(
-			{
-				baseUrl,
-				siteName,
-				email: (message) => dineway.email!.send(message, "system"),
-			},
-			adapter,
-			body.email.toLowerCase().trim(),
-		);
-
-		// Always return success to prevent email enumeration
-		return apiSuccess(GENERIC_SUCCESS);
-	} catch (error) {
-		console.error("Signup request error:", error);
-
-		// Don't reveal internal errors - just return generic success
-		// to prevent information leakage
-		return apiSuccess(GENERIC_SUCCESS);
-	}
-};

package/src/astro/routes/api/auth/signup/verify.ts

@@ -1,53 +0,0 @@
-/**
- * GET /_dineway/api/auth/signup/verify
- *
- * Validate a signup verification token (called when user clicks email link).
- * Returns the email and role for the UI to display.
- */
-
-import type { APIRoute } from "astro";
-
-export const prerender = false;
-
-import { validateSignupToken, SignupError, roleFromLevel } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-
-export const GET: APIRoute = async ({ url, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	const token = url.searchParams.get("token");
-
-	if (!token) {
-		return apiError("MISSING_PARAM", "Token is required", 400);
-	}
-
-	try {
-		const adapter = createKyselyAdapter(dineway.db);
-		const result = await validateSignupToken(adapter, token);
-
-		return apiSuccess({
-			success: true,
-			email: result.email,
-			role: result.role,
-			roleName: roleFromLevel(result.role),
-		});
-	} catch (error) {
-		if (error instanceof SignupError) {
-			const statusMap: Record<string, number> = {
-				invalid_token: 404,
-				token_expired: 410,
-				user_exists: 409,
-				domain_not_allowed: 403,
-			};
-			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
-		}
-
-		return handleError(error, "Failed to validate signup token", "SIGNUP_VERIFY_ERROR");
-	}
-};