npm - dineway - Versions diffs - 0.1.9 → 0.1.12 - Mend

dineway 0.1.9 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (720) hide show

package/src/astro/routes/api/auth/dev-bypass.ts DELETED Viewed

@@ -1,139 +0,0 @@
-/**
- * POST /_dineway/api/auth/dev-bypass
- * GET  /_dineway/api/auth/dev-bypass
- *
- * Development-only endpoint to bypass passkey authentication.
- * Creates or uses a test admin user and establishes a session.
- *
- * ONLY available when import.meta.env.DEV is true.
- *
- * Usage:
- * - GET with redirect: /_dineway/api/auth/dev-bypass?redirect=/_dineway/admin
- * - POST for API: Returns JSON with user info
- *
- * For agent/browser testing, navigate to:
- *   /_dineway/api/auth/dev-bypass?redirect=/_dineway/admin
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { ulid } from "ulidx";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { escapeHtml } from "#api/escape.js";
-import { isSafeRedirect } from "#api/redirect.js";
-import { runMigrations } from "#db/migrations/runner.js";
-const DEV_USER_EMAIL = "dev@dineway.local";
-const DEV_USER_NAME = "Dev Admin";
-// RBAC role levels (matching @dineway-ai/auth)
-const ROLE_ADMIN = 50;
-async function handleDevBypass(context: Parameters<APIRoute>[0]): Promise<Response> {
-	// CRITICAL: Only allow in development mode
-	if (!import.meta.env.DEV) {
-		return apiError("FORBIDDEN", "Dev bypass is only available in development mode", 403);
-	}
-	const { locals, url, session } = context;
-	const { dineway } = locals;
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-	try {
-		// Ensure migrations are run
-		await runMigrations(dineway.db);
-		// Find or create dev user (direct DB access to avoid @dineway-ai/auth import issues in dev)
-		const existingUser = await dineway.db
-			.selectFrom("users")
-			.selectAll()
-			.where("email", "=", DEV_USER_EMAIL)
-			.executeTakeFirst();
-		let user: { id: string; email: string; name: string; role: number };
-		if (!existingUser) {
-			const now = new Date().toISOString();
-			const newUser = {
-				id: ulid(),
-				email: DEV_USER_EMAIL,
-				name: DEV_USER_NAME,
-				role: ROLE_ADMIN,
-				email_verified: 1,
-				created_at: now,
-				updated_at: now,
-			};
-			await dineway.db.insertInto("users").values(newUser).execute();
-			user = {
-				id: newUser.id,
-				email: newUser.email,
-				name: newUser.name,
-				role: newUser.role,
-			};
-			console.log("[dev-bypass] Created dev admin user:", user.email);
-		} else {
-			user = {
-				id: existingUser.id,
-				email: existingUser.email,
-				name: existingUser.name || DEV_USER_NAME,
-				role: existingUser.role,
-			};
-		}
-		// Create session
-		if (session) {
-			session.set("user", { id: user.id });
-		}
-		// Check for redirect parameter
-		const redirect = url.searchParams.get("redirect");
-		if (redirect) {
-			// Validate redirect is a safe local path (prevent open redirect via //evil.com or /\evil.com)
-			if (!isSafeRedirect(redirect)) {
-				return apiError("INVALID_REDIRECT", "Redirect must be a local path", 400);
-			}
-			// Return an HTML page with meta-refresh redirect
-			// This ensures the session is fully saved before redirect
-			const safeRedirect = escapeHtml(redirect);
-			const html = `<!DOCTYPE html>
-<html>
-<head>
-	<meta http-equiv="refresh" content="0;url=${safeRedirect}">
-</head>
-<body>Redirecting...</body>
-</html>`;
-			return new Response(html, {
-				status: 200,
-				headers: { "Content-Type": "text/html" },
-			});
-		}
-		// Return JSON response
-		return apiSuccess({
-			success: true,
-			message: "Dev session created",
-			user: {
-				id: user.id,
-				email: user.email,
-				name: user.name,
-				role: user.role,
-			},
-		});
-	} catch (error) {
-		return handleError(error, "Dev bypass setup failed", "DEV_BYPASS_ERROR");
-	}
-}
-// Support both GET and POST
-export const GET: APIRoute = handleDevBypass;
-export const POST: APIRoute = handleDevBypass;

package/src/astro/routes/api/auth/invite/accept.ts DELETED Viewed

@@ -1,52 +0,0 @@
-/**
- * GET /_dineway/api/auth/invite/accept
- *
- * Validate an invite token and return invite data for the UI.
- * This is called when the invitee clicks the email link.
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { validateInvite, InviteError, roleFromLevel } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-export const GET: APIRoute = async ({ url, locals }) => {
-	const { dineway } = locals;
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-	const token = url.searchParams.get("token");
-	if (!token) {
-		return apiError("MISSING_PARAM", "Token is required", 400);
-	}
-	try {
-		const adapter = createKyselyAdapter(dineway.db);
-		const invite = await validateInvite(adapter, token);
-		return apiSuccess({
-			success: true,
-			email: invite.email,
-			role: invite.role,
-			roleName: roleFromLevel(invite.role),
-		});
-	} catch (error) {
-		if (error instanceof InviteError) {
-			const statusMap: Record<string, number> = {
-				invalid_token: 404,
-				token_expired: 410,
-				user_exists: 409,
-			};
-			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
-		}
-		return handleError(error, "Failed to validate invite", "INVITE_VALIDATE_ERROR");
-	}
-};

package/src/astro/routes/api/auth/invite/complete.ts DELETED Viewed

@@ -1,86 +0,0 @@
-/**
- * POST /_dineway/api/auth/invite/complete
- *
- * Complete the invite by registering a passkey for the new user.
- * This creates the user account and establishes a session.
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { completeInvite, InviteError } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { getPublicOrigin } from "#api/public-url.js";
-import { inviteCompleteBody } from "#api/schemas.js";
-import { createChallengeStore } from "#auth/challenge-store.js";
-import { getPasskeyConfig } from "#auth/passkey-config.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-export const POST: APIRoute = async ({ request, locals, session }) => {
-	const { dineway } = locals;
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-	try {
-		const body = await parseBody(request, inviteCompleteBody);
-		if (isParseError(body)) return body;
-		const adapter = createKyselyAdapter(dineway.db);
-		// Get passkey config
-		const url = new URL(request.url);
-		const options = new OptionsRepository(dineway.db);
-		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
-		const siteUrl = getPublicOrigin(url, dineway?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
-		// Verify the passkey registration response
-		const challengeStore = createChallengeStore(dineway.db);
-		const verified = await verifyRegistrationResponse(
-			passkeyConfig,
-			body.credential,
-			challengeStore,
-		);
-		// Complete the invite - creates the user
-		const user = await completeInvite(adapter, body.token, {
-			name: body.name,
-		});
-		// Register the passkey for the new user
-		await registerPasskey(adapter, user.id, verified, "Initial passkey");
-		// Create session
-		if (session) {
-			session.set("user", { id: user.id });
-		}
-		return apiSuccess({
-			success: true,
-			user: {
-				id: user.id,
-				email: user.email,
-				name: user.name,
-				role: user.role,
-			},
-		});
-	} catch (error) {
-		if (error instanceof InviteError) {
-			const statusMap: Record<string, number> = {
-				invalid_token: 404,
-				token_expired: 410,
-				user_exists: 409,
-			};
-			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
-		}
-		return handleError(error, "Failed to complete invite", "INVITE_COMPLETE_ERROR");
-	}
-};

package/src/astro/routes/api/auth/invite/index.ts DELETED Viewed

@@ -1,99 +0,0 @@
-/**
- * POST /_dineway/api/auth/invite
- *
- * Create an invite for a new user. Admin only.
- *
- * When an email provider is configured (via the plugin email pipeline),
- * the invite email is sent automatically.
- * When no provider is configured, returns the invite URL for the admin
- * to share manually (copy-link fallback).
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { createInvite, InviteError, Role } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { inviteCreateBody } from "#api/schemas.js";
-import { getSiteBaseUrl } from "#api/site-url.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway, user } = locals;
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-	if (!user || user.role < Role.ADMIN) {
-		return apiError("FORBIDDEN", "Admin privileges required", 403);
-	}
-	const adapter = createKyselyAdapter(dineway.db);
-	try {
-		const body = await parseBody(request, inviteCreateBody);
-		if (isParseError(body)) return body;
-		// Default to AUTHOR role if not specified (Zod validates the level)
-		const role = body.role ?? Role.AUTHOR;
-		// Get site config for invite email
-		const options = new OptionsRepository(dineway.db);
-		const siteName = (await options.get<string>("dineway:site_title")) || "Dineway";
-		// Use stored site URL to prevent Host header spoofing in invite emails
-		const baseUrl = await getSiteBaseUrl(dineway.db, request);
-		// Build email sender from the plugin pipeline (if available)
-		const emailSend = dineway.email?.isAvailable()
-			? (message: { to: string; subject: string; text: string; html?: string }) =>
-					dineway.email!.send(message, "system")
-			: undefined;
-		const result = await createInvite(
-			{
-				baseUrl,
-				siteName,
-				email: emailSend,
-			},
-			adapter,
-			body.email,
-			role,
-			user.id,
-		);
-		if (emailSend) {
-			// Email was sent
-			return apiSuccess({
-				success: true,
-				message: `Invite sent to ${body.email}`,
-			});
-		}
-		// No email provider — return the invite URL for manual sharing
-		return apiSuccess(
-			{
-				success: true,
-				message: "Invite created. No email provider configured — share the link manually.",
-				inviteUrl: result.url,
-			},
-			200,
-		);
-	} catch (error) {
-		if (error instanceof InviteError) {
-			const statusMap: Record<string, number> = {
-				user_exists: 409,
-				invalid_token: 400,
-				token_expired: 400,
-			};
-			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
-		}
-		return handleError(error, "Failed to create invite", "INVITE_CREATE_ERROR");
-	}
-};

package/src/astro/routes/api/auth/invite/register-options.ts DELETED Viewed

@@ -1,73 +0,0 @@
-/**
- * POST /_dineway/api/auth/invite/register-options
- *
- * Generate WebAuthn registration options for an invited user.
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { validateInvite, InviteError } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { generateRegistrationOptions } from "@dineway-ai/auth/passkey";
-import { ulid } from "ulidx";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { getPublicOrigin } from "#api/public-url.js";
-import { inviteRegisterOptionsBody } from "#api/schemas.js";
-import { createChallengeStore } from "#auth/challenge-store.js";
-import { getPasskeyConfig } from "#auth/passkey-config.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-	try {
-		const body = await parseBody(request, inviteRegisterOptionsBody);
-		if (isParseError(body)) return body;
-		const adapter = createKyselyAdapter(dineway.db);
-		const invite = await validateInvite(adapter, body.token);
-		const url = new URL(request.url);
-		const optionsRepo = new OptionsRepository(dineway.db);
-		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? undefined;
-		const siteUrl = getPublicOrigin(url, dineway?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
-		const challengeStore = createChallengeStore(dineway.db);
-		const registrationOptions = await generateRegistrationOptions(
-			passkeyConfig,
-			{
-				id: ulid(),
-				email: invite.email,
-				name: body.name || null,
-			},
-			[],
-			challengeStore,
-		);
-		return apiSuccess({ options: registrationOptions });
-	} catch (error) {
-		if (error instanceof InviteError) {
-			const statusMap: Record<string, number> = {
-				invalid_token: 404,
-				token_expired: 410,
-				user_exists: 409,
-			};
-			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
-		}
-		return handleError(
-			error,
-			"Failed to generate registration options",
-			"INVITE_REGISTER_OPTIONS_ERROR",
-		);
-	}
-};

package/src/astro/routes/api/auth/logout.ts DELETED Viewed

@@ -1,40 +0,0 @@
-/**
- * POST /_dineway/api/auth/logout
- *
- * Destroys the current session and logs the user out.
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { apiSuccess, handleError } from "#api/error.js";
-import { isSafeRedirect } from "#api/redirect.js";
-export const POST: APIRoute = async ({ session, url }) => {
-	try {
-		// Destroy session
-		if (session) {
-			session.destroy();
-		}
-		// Check for redirect parameter
-		const redirect = url.searchParams.get("redirect");
-		if (isSafeRedirect(redirect)) {
-			return new Response(null, {
-				status: 302,
-				headers: { Location: redirect },
-			});
-		}
-		return apiSuccess({
-			success: true,
-			message: "Logged out successfully",
-		});
-	} catch (error) {
-		return handleError(error, "Logout failed", "LOGOUT_ERROR");
-	}
-};
-// No GET handler — logout must be POST-only to prevent CSRF via link/img tags

package/src/astro/routes/api/auth/magic-link/send.ts DELETED Viewed

@@ -1,90 +0,0 @@
-/**
- * POST /_dineway/api/auth/magic-link/send
- *
- * Send a magic link email for passwordless authentication.
- * Always returns success to avoid revealing whether email exists.
- *
- * Rate limited: 3 requests per 5 minutes per IP.
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { sendMagicLink, type MagicLinkConfig } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { apiError, apiSuccess } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { magicLinkSendBody } from "#api/schemas.js";
-import { getSiteBaseUrl } from "#api/site-url.js";
-import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
-import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
-import { OptionsRepository } from "#db/repositories/options.js";
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-	try {
-		// Parse request body first — avoids consuming rate limit slots on
-		// malformed requests and normalizes timing between rate-limited
-		// and real paths (parse cost evens out the response time).
-		const body = await parseBody(request, magicLinkSendBody);
-		if (isParseError(body)) return body;
-		// Rate limit: 3 requests per 300 seconds (5 minutes) per IP
-		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
-		const rateLimit = await checkRateLimit(dineway.db, ip, "magic-link/send", 3, 300);
-		if (!rateLimit.allowed) {
-			// Return success-shaped response to avoid revealing rate limit
-			// (which could leak information about email enumeration attempts)
-			return apiSuccess({
-				success: true,
-				message: "If an account exists for this email, a magic link has been sent.",
-			});
-		}
-		// Check if email pipeline is available
-		if (!dineway.email?.isAvailable()) {
-			return apiError(
-				"EMAIL_NOT_CONFIGURED",
-				"Email is not configured. Magic link authentication requires an email provider.",
-				503,
-			);
-		}
-		// Build magic link config using stored site URL (not request Host header)
-		const options = new OptionsRepository(dineway.db);
-		const baseUrl = await getSiteBaseUrl(dineway.db, request);
-		const siteName = (await options.get<string>("dineway:site_title")) ?? "Dineway";
-		const config: MagicLinkConfig = {
-			baseUrl,
-			siteName,
-			email: (message) => dineway.email!.send(message, "system"),
-		};
-		// Send magic link (silently fails if user doesn't exist)
-		const adapter = createKyselyAdapter(dineway.db);
-		await sendMagicLink(config, adapter, body.email.toLowerCase());
-		// Always return success to avoid revealing if email exists
-		return apiSuccess({
-			success: true,
-			message: "If an account exists for this email, a magic link has been sent.",
-		});
-	} catch (error) {
-		console.error("Magic link send error:", error);
-		// Still return success to avoid revealing information
-		// Log the error but don't expose it to the client
-		return apiSuccess({
-			success: true,
-			message: "If an account exists for this email, a magic link has been sent.",
-		});
-	}
-};

package/src/astro/routes/api/auth/magic-link/verify.ts DELETED Viewed

@@ -1,71 +0,0 @@
-/**
- * GET /_dineway/api/auth/magic-link/verify
- *
- * Verify a magic link token and create a session.
- * Tokens are single-use and expire after 15 minutes.
- */
-import type { APIRoute } from "astro";
-export const prerender = false;
-import { verifyMagicLink, MagicLinkError } from "@dineway-ai/auth";
-import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { apiError } from "#api/error.js";
-import { isSafeRedirect } from "#api/redirect.js";
-export const GET: APIRoute = async ({ url, locals, session, redirect }) => {
-	const { dineway } = locals;
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-	// Get token from query params
-	const token = url.searchParams.get("token");
-	if (!token) {
-		// Redirect to login with error
-		return redirect("/_dineway/admin/login?error=missing_token");
-	}
-	try {
-		// Verify the magic link token
-		const adapter = createKyselyAdapter(dineway.db);
-		const user = await verifyMagicLink(adapter, token);
-		// Fire-and-forget cleanup of expired tokens -- prevents accumulation
-		void adapter.deleteExpiredTokens().catch(() => {});
-		// Create session
-		if (session) {
-			session.set("user", { id: user.id });
-		}
-		// Check for a stored redirect URL (from original request)
-		// Validate redirect is a safe local path (prevent open redirect via //evil.com or /\evil.com)
-		const rawRedirect = url.searchParams.get("redirect");
-		const redirectUrl = isSafeRedirect(rawRedirect) ? rawRedirect : "/_dineway/admin";
-		// Redirect to admin dashboard or original URL
-		return redirect(redirectUrl);
-	} catch (error) {
-		console.error("Magic link verify error:", error);
-		// Handle specific errors
-		if (error instanceof MagicLinkError) {
-			switch (error.code) {
-				case "invalid_token":
-					return redirect("/_dineway/admin/login?error=invalid_link");
-				case "token_expired":
-					return redirect("/_dineway/admin/login?error=link_expired");
-				case "user_not_found":
-					return redirect("/_dineway/admin/login?error=user_not_found");
-			}
-		}
-		// Generic error
-		return redirect("/_dineway/admin/login?error=verification_failed");
-	}
-};