dineway 0.1.9 → 0.1.12

package/src/astro/routes/api/oauth/device/authorize.ts

@@ -1,45 +0,0 @@
-/**
- * POST /_dineway/api/oauth/device/authorize
- *
- * User submits the user code after logging in via the browser.
- * This endpoint requires authentication (the user must be logged in).
- */
-
-/// <reference types="dineway/locals" />
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { handleDeviceAuthorize } from "#api/handlers/device-flow.js";
-import { isParseError, parseBody } from "#api/parse.js";
-
-export const prerender = false;
-
-const authorizeSchema = z.object({
-	user_code: z.string().min(1),
-	action: z.enum(["approve", "deny"]).optional(),
-});
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-	const { user } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	if (!user) {
-		return apiError("NOT_AUTHENTICATED", "Authentication required", 401);
-	}
-
-	try {
-		const body = await parseBody(request, authorizeSchema);
-		if (isParseError(body)) return body;
-
-		const result = await handleDeviceAuthorize(dineway.db, user.id, user.role, body);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to authorize device", "AUTHORIZE_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/device/code.ts

@@ -1,56 +0,0 @@
-/**
- * POST /_dineway/api/oauth/device/code
- *
- * Issue a device code + user code for the OAuth Device Flow.
- * This is an unauthenticated endpoint (the CLI doesn't have a token yet).
- *
- * Rate limited: 10 requests per minute per IP.
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { handleDeviceCodeRequest } from "#api/handlers/device-flow.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { getPublicOrigin } from "#api/public-url.js";
-import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
-import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
-
-export const prerender = false;
-
-const deviceCodeSchema = z.object({
-	client_id: z.string().optional(),
-	scope: z.string().optional(),
-});
-
-export const POST: APIRoute = async ({ request, locals, url }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, deviceCodeSchema);
-		if (isParseError(body)) return body;
-
-		// Rate limit: 10 requests per 60 seconds per IP
-		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
-		const rateLimit = await checkRateLimit(dineway.db, ip, "device/code", 10, 60);
-		if (!rateLimit.allowed) {
-			return rateLimitResponse(60);
-		}
-
-		// Build the verification URI — device page lives inside the admin SPA
-		const verificationUri = new URL(
-			"/_dineway/admin/device",
-			getPublicOrigin(url, dineway?.config),
-		).toString();
-
-		const result = await handleDeviceCodeRequest(dineway.db, body, verificationUri);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to create device code", "DEVICE_CODE_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/device/token.ts

@@ -1,70 +0,0 @@
-/**
- * POST /_dineway/api/oauth/device/token
- *
- * CLI polls this endpoint to exchange a device code for tokens.
- * Returns RFC 8628 error codes during the polling phase.
- * This is an unauthenticated endpoint.
- *
- * Rate limited: 12 requests per minute per IP.
- * Also enforces RFC 8628 slow_down: if polled faster than the interval,
- * responds with { error: "slow_down", interval: N } and increases the interval by 5s.
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { handleDeviceTokenExchange } from "#api/handlers/device-flow.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
-import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
-
-export const prerender = false;
-
-const deviceTokenSchema = z.object({
-	device_code: z.string().min(1),
-	grant_type: z.string().min(1),
-});
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, deviceTokenSchema);
-		if (isParseError(body)) return body;
-
-		// Rate limit: 12 requests per 60 seconds per IP
-		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
-		const rateLimit = await checkRateLimit(dineway.db, ip, "device/token", 12, 60);
-		if (!rateLimit.allowed) {
-			return rateLimitResponse(60);
-		}
-
-		const result = await handleDeviceTokenExchange(dineway.db, body);
-
-		// RFC 8628 requires specific error format for device flow errors
-		// RFC 6749 §5.1 requires Cache-Control: no-store + Pragma: no-cache on token responses
-		if (!result.success && result.deviceFlowError) {
-			const errorBody: { error: string; interval?: number } = { error: result.deviceFlowError };
-			if (result.deviceFlowInterval !== undefined) {
-				errorBody.interval = result.deviceFlowInterval;
-			}
-			return Response.json(errorBody, {
-				status: 400,
-				headers: {
-					"Content-Type": "application/json",
-					"Cache-Control": "no-store",
-					Pragma: "no-cache",
-				},
-			});
-		}
-
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to exchange device code", "TOKEN_EXCHANGE_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/register.ts

@@ -1,182 +0,0 @@
-/**
- * POST /_dineway/api/oauth/register
- *
- * RFC 7591 Dynamic Client Registration. Public, unauthenticated.
- * MCP clients call this to register before starting the OAuth flow.
- */
-
-import type { APIRoute } from "astro";
-
-import { apiError, handleError } from "#api/error.js";
-import { handleOAuthClientCreate } from "#api/handlers/oauth-clients.js";
-import {
-	disabledExperimentalSiteContextWorkflowScopes,
-	getExperimentalSiteContextWorkflowScopesDisabledMessage,
-} from "#site-context/experimental-workflows.js";
-
-export const prerender = false;
-
-const OAUTH_REGISTRATION_HEADERS: HeadersInit = {
-	"Cache-Control": "no-store",
-	Pragma: "no-cache",
-	"Access-Control-Allow-Origin": "*",
-};
-
-const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
-	"Access-Control-Allow-Origin": "*",
-	"Access-Control-Allow-Methods": "POST, OPTIONS",
-	"Access-Control-Allow-Headers": "Content-Type",
-	"Access-Control-Max-Age": "86400",
-};
-
-const SUPPORTED_GRANT_TYPES = new Set([
-	"authorization_code",
-	"refresh_token",
-	"urn:ietf:params:oauth:grant-type:device_code",
-]);
-const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
-
-function registrationError(description: string, status = 400): Response {
-	return Response.json(
-		{
-			error: "invalid_client_metadata",
-			error_description: description,
-		},
-		{ status, headers: OAUTH_REGISTRATION_HEADERS },
-	);
-}
-
-function isRecord(value: unknown): value is Record<string, unknown> {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-
-function isStringArray(value: unknown): value is string[] {
-	return Array.isArray(value) && value.every((item) => typeof item === "string");
-}
-
-function parseScope(value: unknown): string[] | Response | undefined {
-	if (value === undefined) return undefined;
-	if (typeof value === "string") {
-		const scopes = value.split(" ").filter(Boolean);
-		return scopes.length > 0 ? scopes : undefined;
-	}
-	if (isStringArray(value)) {
-		const scopes = value.filter(Boolean);
-		return scopes.length > 0 ? scopes : undefined;
-	}
-	return registrationError("scope must be a string or array of strings");
-}
-
-function parseSupportedStringArray(
-	value: unknown,
-	field: string,
-	supported: ReadonlySet<string>,
-): string[] | Response | undefined {
-	if (value === undefined) return undefined;
-	if (!isStringArray(value)) {
-		return registrationError(`${field} must be an array of strings`);
-	}
-	const invalidValue = value.find((item) => !supported.has(item));
-	if (invalidValue) {
-		return registrationError(`${field} contains unsupported value: ${invalidValue}`);
-	}
-	return value;
-}
-
-export const OPTIONS: APIRoute = () => {
-	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
-};
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		let body: unknown;
-		try {
-			body = await request.json();
-		} catch {
-			return registrationError("Request body must be valid JSON");
-		}
-
-		if (!isRecord(body)) {
-			return registrationError("Request body must be a JSON object");
-		}
-
-		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {
-			return registrationError("redirect_uris must be a non-empty array of strings");
-		}
-
-		if (
-			body.token_endpoint_auth_method !== undefined &&
-			body.token_endpoint_auth_method !== "none"
-		) {
-			return registrationError("Only token_endpoint_auth_method=none is supported");
-		}
-
-		const grantTypes = parseSupportedStringArray(
-			body.grant_types,
-			"grant_types",
-			SUPPORTED_GRANT_TYPES,
-		);
-		if (grantTypes instanceof Response) {
-			return grantTypes;
-		}
-
-		const responseTypes = parseSupportedStringArray(
-			body.response_types,
-			"response_types",
-			SUPPORTED_RESPONSE_TYPES,
-		);
-		if (responseTypes instanceof Response) {
-			return responseTypes;
-		}
-
-		const scopes = parseScope(body.scope);
-		if (scopes instanceof Response) {
-			return scopes;
-		}
-		if (scopes) {
-			const disabledWorkflowScopes = disabledExperimentalSiteContextWorkflowScopes(scopes);
-			if (disabledWorkflowScopes.length > 0) {
-				return registrationError(getExperimentalSiteContextWorkflowScopesDisabledMessage());
-			}
-		}
-
-		const clientId = crypto.randomUUID();
-		const clientName =
-			typeof body.client_name === "string" && body.client_name
-				? body.client_name
-				: `dynamic-${clientId.slice(0, 8)}`;
-
-		const result = await handleOAuthClientCreate(dineway.db, {
-			id: clientId,
-			name: clientName,
-			redirectUris: body.redirect_uris,
-			scopes,
-		});
-
-		if (!result.success) {
-			return registrationError(result.error.message);
-		}
-
-		return Response.json(
-			{
-				client_id: result.data.id,
-				client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),
-				redirect_uris: result.data.redirectUris,
-				client_name: result.data.name,
-				grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
-				response_types: responseTypes ?? ["code"],
-				token_endpoint_auth_method: "none",
-				scope: result.data.scopes ? result.data.scopes.join(" ") : undefined,
-			},
-			{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },
-		);
-	} catch (error) {
-		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/token/refresh.ts

@@ -1,38 +0,0 @@
-/**
- * POST /_dineway/api/oauth/token/refresh
- *
- * Exchange a refresh token for a new access token.
- * This is an unauthenticated endpoint (the caller presents the refresh token).
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { handleTokenRefresh } from "#api/handlers/device-flow.js";
-import { isParseError, parseBody } from "#api/parse.js";
-
-export const prerender = false;
-
-const refreshSchema = z.object({
-	refresh_token: z.string().min(1),
-	grant_type: z.string().min(1),
-});
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, refreshSchema);
-		if (isParseError(body)) return body;
-
-		const result = await handleTokenRefresh(dineway.db, body);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to refresh token", "TOKEN_REFRESH_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/token/revoke.ts

@@ -1,38 +0,0 @@
-/**
- * POST /_dineway/api/oauth/token/revoke
- *
- * Revoke an access or refresh token (RFC 7009).
- * Always returns 200, even for invalid tokens.
- * This is an unauthenticated endpoint (the caller presents the token to revoke).
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { handleTokenRevoke } from "#api/handlers/device-flow.js";
-import { isParseError, parseBody } from "#api/parse.js";
-
-export const prerender = false;
-
-const revokeSchema = z.object({
-	token: z.string().min(1),
-});
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseBody(request, revokeSchema);
-		if (isParseError(body)) return body;
-
-		const result = await handleTokenRevoke(dineway.db, body);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to revoke token", "TOKEN_REVOKE_ERROR");
-	}
-};

package/src/astro/routes/api/oauth/token.ts

@@ -1,195 +0,0 @@
-/**
- * POST /_dineway/api/oauth/token
- *
- * Unified token endpoint per OAuth 2.1. Routes by `grant_type`:
- * - authorization_code: Authorization Code + PKCE exchange
- * - urn:ietf:params:oauth:grant-type:device_code: Device Flow
- * - refresh_token: Token refresh
- *
- * Accepts both application/x-www-form-urlencoded (spec-standard) and
- * application/json (for backwards compatibility with existing clients).
- *
- * This is an unauthenticated endpoint — callers present tokens/codes
- * instead of session cookies.
- */
-
-import type { APIRoute } from "astro";
-import { z } from "zod";
-
-import { apiError, handleError } from "#api/error.js";
-import { handleDeviceTokenExchange, handleTokenRefresh } from "#api/handlers/device-flow.js";
-import { handleAuthorizationCodeExchange } from "#api/handlers/oauth-authorization.js";
-
-export const prerender = false;
-
-const OAUTH_TOKEN_HEADERS: HeadersInit = {
-	"Content-Type": "application/json",
-	"Cache-Control": "no-store",
-	Pragma: "no-cache",
-	"Access-Control-Allow-Origin": "*",
-};
-
-const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
-	"Access-Control-Allow-Origin": "*",
-	"Access-Control-Allow-Methods": "POST, OPTIONS",
-	"Access-Control-Allow-Headers": "Content-Type",
-	"Access-Control-Max-Age": "86400",
-};
-
-// ---------------------------------------------------------------------------
-// Parse helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Parse the request body from either form-encoded or JSON.
- * OAuth 2.1 mandates form-encoded, but we accept both.
- */
-async function parseTokenBody(request: Request): Promise<Record<string, string>> {
-	const contentType = request.headers.get("content-type") ?? "";
-
-	if (contentType.includes("application/x-www-form-urlencoded")) {
-		const text = await request.text();
-		const params = new URLSearchParams(text);
-		const result: Record<string, string> = {};
-		for (const [key, value] of params) {
-			result[key] = value;
-		}
-		return result;
-	}
-
-	// Fallback: try JSON
-	try {
-		const json = Object(await request.json()) as Record<string, unknown>;
-		const result: Record<string, string> = {};
-		for (const [key, value] of Object.entries(json)) {
-			if (typeof value === "string") {
-				result[key] = value;
-			} else if (typeof value === "number") {
-				result[key] = String(value);
-			}
-		}
-		return result;
-	} catch {
-		return {};
-	}
-}
-
-// ---------------------------------------------------------------------------
-// Schemas
-// ---------------------------------------------------------------------------
-
-const authCodeSchema = z.object({
-	grant_type: z.literal("authorization_code"),
-	code: z.string().min(1),
-	redirect_uri: z.string().min(1),
-	client_id: z.string().min(1),
-	code_verifier: z.string().min(43).max(128),
-	resource: z.string().optional(),
-});
-
-const deviceCodeSchema = z.object({
-	grant_type: z.literal("urn:ietf:params:oauth:grant-type:device_code"),
-	device_code: z.string().min(1),
-});
-
-const refreshSchema = z.object({
-	grant_type: z.literal("refresh_token"),
-	refresh_token: z.string().min(1),
-});
-
-// ---------------------------------------------------------------------------
-// Handler
-// ---------------------------------------------------------------------------
-
-export const OPTIONS: APIRoute = () => {
-	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
-};
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway } = locals;
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseTokenBody(request);
-		const grantType = body.grant_type;
-
-		if (!grantType) {
-			return oauthError("invalid_request", "grant_type is required", 400);
-		}
-
-		switch (grantType) {
-			case "authorization_code": {
-				const parsed = authCodeSchema.safeParse(body);
-				if (!parsed.success) {
-					return oauthError("invalid_request", formatZodError(parsed.error), 400);
-				}
-
-				const result = await handleAuthorizationCodeExchange(dineway.db, parsed.data);
-				if (!result.success) {
-					const err = result.error ?? { code: "unknown", message: "Unknown error" };
-					return oauthError(err.code, err.message, 400);
-				}
-				return oauthSuccess(result.data);
-			}
-
-			case "urn:ietf:params:oauth:grant-type:device_code": {
-				const parsed = deviceCodeSchema.safeParse(body);
-				if (!parsed.success) {
-					return oauthError("invalid_request", formatZodError(parsed.error), 400);
-				}
-
-				const result = await handleDeviceTokenExchange(dineway.db, parsed.data);
-				if (!result.success) {
-					const err = result.error ?? { code: "unknown", message: "Unknown error" };
-					// RFC 8628 requires specific error format
-					if (result.deviceFlowError) {
-						return oauthError(result.deviceFlowError, err.message, 400);
-					}
-					return oauthError(err.code, err.message, 400);
-				}
-				return oauthSuccess(result.data);
-			}
-
-			case "refresh_token": {
-				const parsed = refreshSchema.safeParse(body);
-				if (!parsed.success) {
-					return oauthError("invalid_request", formatZodError(parsed.error), 400);
-				}
-
-				const result = await handleTokenRefresh(dineway.db, parsed.data);
-				if (!result.success) {
-					const err = result.error ?? { code: "unknown", message: "Unknown error" };
-					return oauthError(err.code, err.message, 400);
-				}
-				return oauthSuccess(result.data);
-			}
-
-			default:
-				return oauthError("unsupported_grant_type", `Unsupported grant_type: ${grantType}`, 400);
-		}
-	} catch (error) {
-		return handleError(error, "Failed to process token request", "TOKEN_ERROR");
-	}
-};
-
-// ---------------------------------------------------------------------------
-// OAuth response helpers (RFC 6749 §5.1 / §5.2)
-// ---------------------------------------------------------------------------
-
-function oauthSuccess(data: unknown): Response {
-	return Response.json(data, { headers: OAUTH_TOKEN_HEADERS });
-}
-
-function oauthError(error: string, description: string, status: number): Response {
-	return Response.json(
-		{ error, error_description: description },
-		{ status, headers: OAUTH_TOKEN_HEADERS },
-	);
-}
-
-function formatZodError(error: z.ZodError): string {
-	return error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
-}

package/src/astro/routes/api/openapi.json.ts

@@ -1,33 +0,0 @@
-/**
- * OpenAPI spec endpoint
- *
- * GET /_dineway/api/openapi.json
- *
- * Returns the generated OpenAPI 3.1 document. The spec is generated once
- * and cached for the lifetime of the process.
- */
-
-import type { APIRoute } from "astro";
-
-import { generateOpenApiDocument } from "../../../api/openapi/index.js";
-
-export const prerender = false;
-
-let cachedSpec: string | null = null;
-
-export const GET: APIRoute = async ({ locals }) => {
-	if (!cachedSpec) {
-		const maxUploadSize = locals.dineway?.config.maxUploadSize;
-		const doc = generateOpenApiDocument({ maxUploadSize });
-		cachedSpec = JSON.stringify(doc);
-	}
-
-	return new Response(cachedSpec, {
-		status: 200,
-		headers: {
-			"Content-Type": "application/json",
-			"Cache-Control": "public, max-age=3600",
-			"Access-Control-Allow-Origin": "*",
-		},
-	});
-};