dineway 0.1.9 → 0.1.11

package/src/astro/routes/api/oauth/register.ts

@@ -1,182 +0,0 @@
-/**
- * POST /_dineway/api/oauth/register
- *
- * RFC 7591 Dynamic Client Registration. Public, unauthenticated.
- * MCP clients call this to register before starting the OAuth flow.
- */
-
-import type { APIRoute } from "astro";
-
-import { apiError, handleError } from "#api/error.js";
-import { handleOAuthClientCreate } from "#api/handlers/oauth-clients.js";
-import {
-	disabledExperimentalSiteContextWorkflowScopes,
-	getExperimentalSiteContextWorkflowScopesDisabledMessage,
-} from "#site-context/experimental-workflows.js";
-
-export const prerender = false;
-
-const OAUTH_REGISTRATION_HEADERS: HeadersInit = {
-	"Cache-Control": "no-store",
-	Pragma: "no-cache",
-	"Access-Control-Allow-Origin": "*",
-};
-
-const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
-	"Access-Control-Allow-Origin": "*",
-	"Access-Control-Allow-Methods": "POST, OPTIONS",
-	"Access-Control-Allow-Headers": "Content-Type",
-	"Access-Control-Max-Age": "86400",
-};
-
-const SUPPORTED_GRANT_TYPES = new Set([
-	"authorization_code",
-	"refresh_token",
-	"urn:ietf:params:oauth:grant-type:device_code",
-]);
-const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
-
-function registrationError(description: string, status = 400): Response {
-	return Response.json(
-		{
-			error: "invalid_client_metadata",
-			error_description: description,
-		},
-		{ status, headers: OAUTH_REGISTRATION_HEADERS },
-	);
-}
-
-function isRecord(value: unknown): value is Record<string, unknown> {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-
-function isStringArray(value: unknown): value is string[] {
-	return Array.isArray(value) && value.every((item) => typeof item === "string");
-}
-
-function parseScope(value: unknown): string[] | Response | undefined {
-	if (value === undefined) return undefined;
-	if (typeof value === "string") {
-		const scopes = value.split(" ").filter(Boolean);
-		return scopes.length > 0 ? scopes : undefined;
-	}
-	if (isStringArray(value)) {
-		const scopes = value.filter(Boolean);
-		return scopes.length > 0 ? scopes : undefined;
-	}
-	return registrationError("scope must be a string or array of strings");
-}
-
-function parseSupportedStringArray(
-	value: unknown,
-	field: string,
-	supported: ReadonlySet<string>,
-): string[] | Response | undefined {
-	if (value === undefined) return undefined;
-	if (!isStringArray(value)) {
-		return registrationError(`${field} must be an array of strings`);
-	}
-	const invalidValue = value.find((item) => !supported.has(item));
-	if (invalidValue) {
-		return registrationError(`${field} contains unsupported value: ${invalidValue}`);
-	}
-	return value;
-}
-
-export const OPTIONS: APIRoute = () => {
-	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
-};
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		let body: unknown;
-		try {
-			body = await request.json();
-		} catch {
-			return registrationError("Request body must be valid JSON");
-		}
-
-		if (!isRecord(body)) {
-			return registrationError("Request body must be a JSON object");
-		}
-
-		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {
-			return registrationError("redirect_uris must be a non-empty array of strings");
-		}
-
-		if (
-			body.token_endpoint_auth_method !== undefined &&
-			body.token_endpoint_auth_method !== "none"
-		) {
-			return registrationError("Only token_endpoint_auth_method=none is supported");
-		}
-
-		const grantTypes = parseSupportedStringArray(
-			body.grant_types,
-			"grant_types",
-			SUPPORTED_GRANT_TYPES,
-		);
-		if (grantTypes instanceof Response) {
-			return grantTypes;
-		}
-
-		const responseTypes = parseSupportedStringArray(
-			body.response_types,
-			"response_types",
-			SUPPORTED_RESPONSE_TYPES,
-		);
-		if (responseTypes instanceof Response) {
-			return responseTypes;
-		}
-
-		const scopes = parseScope(body.scope);
-		if (scopes instanceof Response) {
-			return scopes;
-		}
-		if (scopes) {
-			const disabledWorkflowScopes = disabledExperimentalSiteContextWorkflowScopes(scopes);
-			if (disabledWorkflowScopes.length > 0) {
-				return registrationError(getExperimentalSiteContextWorkflowScopesDisabledMessage());
-			}
-		}
-
-		const clientId = crypto.randomUUID();
-		const clientName =
-			typeof body.client_name === "string" && body.client_name
-				? body.client_name
-				: `dynamic-${clientId.slice(0, 8)}`;
-
-		const result = await handleOAuthClientCreate(dineway.db, {
-			id: clientId,
-			name: clientName,
-			redirectUris: body.redirect_uris,
-			scopes,
-		});
-
-		if (!result.success) {
-			return registrationError(result.error.message);
-		}
-
-		return Response.json(
-			{
-				client_id: result.data.id,
-				client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),
-				redirect_uris: result.data.redirectUris,
-				client_name: result.data.name,
-				grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
-				response_types: responseTypes ?? ["code"],
-				token_endpoint_auth_method: "none",
-				scope: result.data.scopes ? result.data.scopes.join(" ") : undefined,
-			},
-			{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },
-		);
-	} catch (error) {
-		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/token/refresh.ts

@@ -1,38 +0,0 @@
-/**
- * POST /_dineway/api/oauth/token/refresh
- *
- * Exchange a refresh token for a new access token.
- * This is an unauthenticated endpoint (the caller presents the refresh token).
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { handleTokenRefresh } from "#api/handlers/device-flow.js";
-import { isParseError, parseBody } from "#api/parse.js";
-
-export const prerender = false;
-
-const refreshSchema = z.object({
-	refresh_token: z.string().min(1),
-	grant_type: z.string().min(1),
-});
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, refreshSchema);
-		if (isParseError(body)) return body;
-
-		const result = await handleTokenRefresh(dineway.db, body);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to refresh token", "TOKEN_REFRESH_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/token/revoke.ts

@@ -1,38 +0,0 @@
-/**
- * POST /_dineway/api/oauth/token/revoke
- *
- * Revoke an access or refresh token (RFC 7009).
- * Always returns 200, even for invalid tokens.
- * This is an unauthenticated endpoint (the caller presents the token to revoke).
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { handleTokenRevoke } from "#api/handlers/device-flow.js";
-import { isParseError, parseBody } from "#api/parse.js";
-
-export const prerender = false;
-
-const revokeSchema = z.object({
-	token: z.string().min(1),
-});
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, revokeSchema);
-		if (isParseError(body)) return body;
-
-		const result = await handleTokenRevoke(dineway.db, body);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to revoke token", "TOKEN_REVOKE_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/token.ts

@@ -1,195 +0,0 @@
-/**
- * POST /_dineway/api/oauth/token
- *
- * Unified token endpoint per OAuth 2.1. Routes by `grant_type`:
- * - authorization_code: Authorization Code + PKCE exchange
- * - urn:ietf:params:oauth:grant-type:device_code: Device Flow
- * - refresh_token: Token refresh
- *
- * Accepts both application/x-www-form-urlencoded (spec-standard) and
- * application/json (for backwards compatibility with existing clients).
- *
- * This is an unauthenticated endpoint — callers present tokens/codes
- * instead of session cookies.
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError } from "#api/error.js";
-import { handleDeviceTokenExchange, handleTokenRefresh } from "#api/handlers/device-flow.js";
-import { handleAuthorizationCodeExchange } from "#api/handlers/oauth-authorization.js";
-
-export const prerender = false;
-
-const OAUTH_TOKEN_HEADERS: HeadersInit = {
-	"Content-Type": "application/json",
-	"Cache-Control": "no-store",
-	Pragma: "no-cache",
-	"Access-Control-Allow-Origin": "*",
-};
-
-const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
-	"Access-Control-Allow-Origin": "*",
-	"Access-Control-Allow-Methods": "POST, OPTIONS",
-	"Access-Control-Allow-Headers": "Content-Type",
-	"Access-Control-Max-Age": "86400",
-};
-
-// ---------------------------------------------------------------------------
-// Parse helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Parse the request body from either form-encoded or JSON.
- * OAuth 2.1 mandates form-encoded, but we accept both.
- */
-async function parseTokenBody(request: Request): Promise<Record<string, string>> {
-	const contentType = request.headers.get("content-type") ?? "";
-
-	if (contentType.includes("application/x-www-form-urlencoded")) {
-		const text = await request.text();
-		const params = new URLSearchParams(text);
-		const result: Record<string, string> = {};
-		for (const [key, value] of params) {
-			result[key] = value;
-		}
-		return result;
-	}
-
-	// Fallback: try JSON
-	try {
-		const json = Object(await request.json()) as Record<string, unknown>;
-		const result: Record<string, string> = {};
-		for (const [key, value] of Object.entries(json)) {
-			if (typeof value === "string") {
-				result[key] = value;
-			} else if (typeof value === "number") {
-				result[key] = String(value);
-			}
-		}
-		return result;
-	} catch {
-		return {};
-	}
-}
-
-// ---------------------------------------------------------------------------
-// Schemas
-// ---------------------------------------------------------------------------
-
-const authCodeSchema = z.object({
-	grant_type: z.literal("authorization_code"),
-	code: z.string().min(1),
-	redirect_uri: z.string().min(1),
-	client_id: z.string().min(1),
-	code_verifier: z.string().min(43).max(128),
-	resource: z.string().optional(),
-});
-
-const deviceCodeSchema = z.object({
-	grant_type: z.literal("urn:ietf:params:oauth:grant-type:device_code"),
-	device_code: z.string().min(1),
-});
-
-const refreshSchema = z.object({
-	grant_type: z.literal("refresh_token"),
-	refresh_token: z.string().min(1),
-});
-
-// ---------------------------------------------------------------------------
-// Handler
-// ---------------------------------------------------------------------------
-
-export const OPTIONS: APIRoute = () => {
-	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
-};
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseTokenBody(request);
-		const grantType = body.grant_type;
-
-		if (!grantType) {
-			return oauthError("invalid_request", "grant_type is required", 400);
-		}
-
-		switch (grantType) {
-			case "authorization_code": {
-				const parsed = authCodeSchema.safeParse(body);
-				if (!parsed.success) {
-					return oauthError("invalid_request", formatZodError(parsed.error), 400);
-				}
-
-				const result = await handleAuthorizationCodeExchange(dineway.db, parsed.data);
-				if (!result.success) {
-					const err = result.error ?? { code: "unknown", message: "Unknown error" };
-					return oauthError(err.code, err.message, 400);
-				}
-				return oauthSuccess(result.data);
-			}
-
-			case "urn:ietf:params:oauth:grant-type:device_code": {
-				const parsed = deviceCodeSchema.safeParse(body);
-				if (!parsed.success) {
-					return oauthError("invalid_request", formatZodError(parsed.error), 400);
-				}
-
-				const result = await handleDeviceTokenExchange(dineway.db, parsed.data);
-				if (!result.success) {
-					const err = result.error ?? { code: "unknown", message: "Unknown error" };
-					// RFC 8628 requires specific error format
-					if (result.deviceFlowError) {
-						return oauthError(result.deviceFlowError, err.message, 400);
-					}
-					return oauthError(err.code, err.message, 400);
-				}
-				return oauthSuccess(result.data);
-			}
-
-			case "refresh_token": {
-				const parsed = refreshSchema.safeParse(body);
-				if (!parsed.success) {
-					return oauthError("invalid_request", formatZodError(parsed.error), 400);
-				}
-
-				const result = await handleTokenRefresh(dineway.db, parsed.data);
-				if (!result.success) {
-					const err = result.error ?? { code: "unknown", message: "Unknown error" };
-					return oauthError(err.code, err.message, 400);
-				}
-				return oauthSuccess(result.data);
-			}
-
-			default:
-				return oauthError("unsupported_grant_type", `Unsupported grant_type: ${grantType}`, 400);
-		}
-	} catch (error) {
-		return handleError(error, "Failed to process token request", "TOKEN_ERROR");
-	}
-};
-
-// ---------------------------------------------------------------------------
-// OAuth response helpers (RFC 6749 §5.1 / §5.2)
-// ---------------------------------------------------------------------------
-
-function oauthSuccess(data: unknown): Response {
-	return Response.json(data, { headers: OAUTH_TOKEN_HEADERS });
-}
-
-function oauthError(error: string, description: string, status: number): Response {
-	return Response.json(
-		{ error, error_description: description },
-		{ status, headers: OAUTH_TOKEN_HEADERS },
-	);
-}
-
-function formatZodError(error: z.ZodError): string {
-	return error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
-}

package/src/astro/routes/api/openapi.json.ts

@@ -1,33 +0,0 @@
-/**
- * OpenAPI spec endpoint
- *
- * GET /_dineway/api/openapi.json
- *
- * Returns the generated OpenAPI 3.1 document. The spec is generated once
- * and cached for the lifetime of the process.
- */
-
-import type { APIRoute } from "astro";
-
-import { generateOpenApiDocument } from "../../../api/openapi/index.js";
-
-export const prerender = false;
-
-let cachedSpec: string | null = null;
-
-export const GET: APIRoute = async ({ locals }) => {
-	if (!cachedSpec) {
-		const maxUploadSize = locals.dineway?.config.maxUploadSize;
-		const doc = generateOpenApiDocument({ maxUploadSize });
-		cachedSpec = JSON.stringify(doc);
-	}
-
-	return new Response(cachedSpec, {
-		status: 200,
-		headers: {
-			"Content-Type": "application/json",
-			"Cache-Control": "public, max-age=3600",
-			"Access-Control-Allow-Origin": "*",
-		},
-	});
-};

package/src/astro/routes/api/plugins/[pluginId]/[...path].ts

@@ -1,109 +0,0 @@
-/**
- * Plugin API routes - dynamic handler for plugin-defined endpoints
- *
- * Routes are mounted at /_dineway/api/plugins/{pluginId}/*
- * Plugins register routes like "POST /do-something" which becomes
- * POST /_dineway/api/plugins/{pluginId}/do-something
- *
- * Routes marked as `public: true` skip authentication and CSRF checks.
- * Private routes (the default) require authentication and appropriate permissions.
- */
-
-import type { APIRoute } from "astro";
-
-import { requirePerm } from "#api/authorize.js";
-import { apiError, apiSuccess } from "#api/error.js";
-import { requireScope } from "#auth/scopes.js";
-
-export const prerender = false;
-
-/**
- * Handle all methods by matching against plugin-defined routes
- */
-const handleRequest: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const pluginId = params.pluginId!;
-	const path = params.path || "";
-	const method = request.method.toUpperCase();
-
-	if (!dineway?.handlePluginApiRoute) {
-		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
-	}
-
-	// Resolve route metadata to decide auth before dispatch
-	const routeMeta = dineway.getPluginRouteMeta(pluginId, `/${path}`);
-
-	if (!routeMeta) {
-		return apiError("NOT_FOUND", "Plugin route not found", 404);
-	}
-
-	// Public routes skip auth, CSRF, and scope checks entirely
-	if (!routeMeta.public) {
-		const isStateChangingMethod = !["GET", "HEAD", "OPTIONS"].includes(method);
-
-		// Private routes require authentication and permission checks
-		const permission = isStateChangingMethod ? "plugins:manage" : "plugins:read";
-		const denied = requirePerm(user, permission);
-		if (denied) return denied;
-
-		// Token scope enforcement — plugin routes require "admin" scope.
-		// Session auth is implicitly full-access (requireScope returns null).
-		const scopeError = requireScope(locals, "admin");
-		if (scopeError) return scopeError;
-
-		// Generic private plugin routes can carry arbitrary plugin-defined payloads,
-		// including secret-bearing config. Until route metadata can describe a
-		// redacted review payload plus immutable reviewed target, API-token writes
-		// stay blocked instead of being routed through generic HITL.
-		if (isStateChangingMethod && locals.authToken?.type === "api_token") {
-			return apiError(
-				"HITL_UNSUPPORTED",
-				"Private plugin routes do not yet support API-token writes without a reviewed redaction contract",
-				409,
-				{
-					reason: "review_contract_missing",
-					pluginId,
-					path: `/${path}`,
-				},
-			);
-		}
-
-		// CSRF protection for state-changing requests on private routes.
-		// Plugin routes use soft auth in the middleware (user resolved but not required),
-		// so the middleware's CSRF check doesn't run. We enforce it here for private routes.
-		// Token-authed requests (which set tokenScopes) are exempt — tokens aren't
-		// ambient credentials like cookies.
-		if (
-			isStateChangingMethod &&
-			!locals.tokenScopes &&
-			request.headers.get("X-Dineway-Request") !== "1"
-		) {
-			return apiError("CSRF_REJECTED", "Missing required header", 403);
-		}
-	}
-
-	const result = await dineway.handlePluginApiRoute(pluginId, method, `/${path}`, request);
-
-	if (!result.success) {
-		const code = result.error?.code ?? "PLUGIN_ERROR";
-		// Pass through messages from known plugin errors (PluginRouteError),
-		// but mask internal errors (unhandled exceptions) to avoid leaking
-		// database errors, file paths, etc. from sandboxed plugins.
-		const message =
-			code === "INTERNAL_ERROR"
-				? "Plugin route error"
-				: (result.error?.message ?? "Plugin route error");
-		// PluginRouteError status is returned at the top level of the result
-		const status = (result as { status?: number }).status ?? (code === "NOT_FOUND" ? 404 : 400);
-		return apiError(code, message, status);
-	}
-
-	return apiSuccess(result.data);
-};
-
-// Export handlers for all HTTP methods
-export const GET = handleRequest;
-export const POST = handleRequest;
-export const PUT = handleRequest;
-export const PATCH = handleRequest;
-export const DELETE = handleRequest;

package/src/astro/routes/api/redirects/404s/index.ts

@@ -1,72 +0,0 @@
-/**
- * 404 log list and management endpoints
- *
- * GET    /_dineway/api/redirects/404s - List 404 log entries
- * DELETE /_dineway/api/redirects/404s - Clear all 404 log entries
- * POST   /_dineway/api/redirects/404s - Prune 404 log entries older than date
- */
-
-import type { APIRoute } from "astro";
-
-import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
-import {
-	handleNotFoundClear,
-	handleNotFoundList,
-	handleNotFoundPrune,
-} from "#api/handlers/redirects.js";
-import { isParseError, parseBody, parseQuery } from "#api/parse.js";
-import { notFoundListQuery, notFoundPruneBody } from "#api/schemas.js";
-
-export const prerender = false;
-
-export const GET: APIRoute = async ({ url, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-
-	const denied = requirePerm(user, "redirects:read");
-	if (denied) return denied;
-
-	try {
-		const query = parseQuery(url, notFoundListQuery);
-		if (isParseError(query)) return query;
-
-		const result = await handleNotFoundList(db, query);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to fetch 404 log", "NOT_FOUND_LIST_ERROR");
-	}
-};
-
-export const DELETE: APIRoute = async ({ locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-
-	const denied = requirePerm(user, "redirects:manage");
-	if (denied) return denied;
-
-	try {
-		const result = await handleNotFoundClear(db);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to clear 404 log", "NOT_FOUND_CLEAR_ERROR");
-	}
-};
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-
-	const denied = requirePerm(user, "redirects:manage");
-	if (denied) return denied;
-
-	try {
-		const body = await parseBody(request, notFoundPruneBody);
-		if (isParseError(body)) return body;
-
-		const result = await handleNotFoundPrune(db, body.olderThan);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to prune 404 log", "NOT_FOUND_PRUNE_ERROR");
-	}
-};