emdash 0.0.0-b → 0.0.2

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -0,0 +1,219 @@
+/**
+ * GET /_emdash/api/auth/oauth/[provider]/callback
+ *
+ * Handle OAuth callback from provider
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import {
+	handleOAuthCallback,
+	OAuthError,
+	Role,
+	type OAuthConsumerConfig,
+	type RoleLevel,
+} from "@emdash-cms/auth";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+
+import { createOAuthStateStore } from "#auth/oauth-state-store.js";
+
+type ProviderName = "github" | "google";
+
+const VALID_PROVIDERS = new Set<string>(["github", "google"]);
+
+function isValidProvider(provider: string): provider is ProviderName {
+	return VALID_PROVIDERS.has(provider);
+}
+
+/** Safely extract a string value from an env-like record */
+function envString(env: Record<string, unknown>, ...keys: string[]): string | undefined {
+	for (const key of keys) {
+		const val = env[key];
+		if (typeof val === "string" && val) return val;
+	}
+	return undefined;
+}
+
+/**
+ * Get OAuth config from environment variables
+ */
+function getOAuthConfig(env: Record<string, unknown>): OAuthConsumerConfig["providers"] {
+	const providers: OAuthConsumerConfig["providers"] = {};
+
+	// GitHub
+	const githubClientId = envString(env, "EMDASH_OAUTH_GITHUB_CLIENT_ID", "GITHUB_CLIENT_ID");
+	const githubClientSecret = envString(
+		env,
+		"EMDASH_OAUTH_GITHUB_CLIENT_SECRET",
+		"GITHUB_CLIENT_SECRET",
+	);
+	if (githubClientId && githubClientSecret) {
+		providers.github = {
+			clientId: githubClientId,
+			clientSecret: githubClientSecret,
+		};
+	}
+
+	// Google
+	const googleClientId = envString(env, "EMDASH_OAUTH_GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_ID");
+	const googleClientSecret = envString(
+		env,
+		"EMDASH_OAUTH_GOOGLE_CLIENT_SECRET",
+		"GOOGLE_CLIENT_SECRET",
+	);
+	if (googleClientId && googleClientSecret) {
+		providers.google = {
+			clientId: googleClientId,
+			clientSecret: googleClientSecret,
+		};
+	}
+
+	return providers;
+}
+
+export const GET: APIRoute = async ({ params, request, locals, session, redirect }) => {
+	const { emdash } = locals;
+	const provider = params.provider;
+
+	// Validate provider
+	if (!provider || !isValidProvider(provider)) {
+		return redirect(
+			`/_emdash/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
+		);
+	}
+
+	if (!emdash?.db) {
+		return redirect(
+			`/_emdash/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`,
+		);
+	}
+
+	const url = new URL(request.url);
+	const code = url.searchParams.get("code");
+	const state = url.searchParams.get("state");
+	const error = url.searchParams.get("error");
+	const errorDescription = url.searchParams.get("error_description");
+
+	// Handle OAuth errors from provider
+	if (error) {
+		const message = errorDescription || error;
+		return redirect(
+			`/_emdash/admin/login?error=oauth_denied&message=${encodeURIComponent(message)}`,
+		);
+	}
+
+	// Validate required params
+	if (!code || !state) {
+		return redirect(
+			`/_emdash/admin/login?error=invalid_callback&message=${encodeURIComponent("Missing code or state parameter")}`,
+		);
+	}
+
+	try {
+		// Get OAuth providers from environment
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
+		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
+		const providers = getOAuthConfig(env);
+
+		if (!providers[provider]) {
+			return redirect(
+				`/_emdash/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,
+			);
+		}
+
+		const config: OAuthConsumerConfig = {
+			baseUrl: `${url.origin}/_emdash`,
+			providers,
+			canSelfSignup: async (email: string) => {
+				// Extract domain from email
+				const domain = email.split("@")[1]?.toLowerCase();
+				if (!domain) {
+					return null;
+				}
+
+				// Check allowed_domains table for a matching, enabled entry
+				const entry = await emdash.db
+					.selectFrom("allowed_domains")
+					.selectAll()
+					.where("domain", "=", domain)
+					.where("enabled", "=", 1)
+					.executeTakeFirst();
+
+				if (!entry) {
+					return null;
+				}
+
+				// Map the stored role level to the Role enum
+				const roleLevel = entry.default_role;
+				const roleMap: Record<number, RoleLevel> = {
+					50: Role.ADMIN,
+					40: Role.EDITOR,
+					30: Role.AUTHOR,
+					20: Role.CONTRIBUTOR,
+					10: Role.SUBSCRIBER,
+				};
+				const role = roleMap[roleLevel] ?? Role.CONTRIBUTOR;
+				if (!roleMap[roleLevel]) {
+					console.warn(
+						`[oauth] Unknown role level ${roleLevel} for domain ${domain}, defaulting to CONTRIBUTOR`,
+					);
+				}
+
+				return { allowed: true, role };
+			},
+		};
+
+		const adapter = createKyselyAdapter(emdash.db);
+		const stateStore = createOAuthStateStore(emdash.db);
+
+		const user = await handleOAuthCallback(config, adapter, provider, code, state, stateStore);
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		// Redirect to admin dashboard
+		return redirect("/_emdash/admin");
+	} catch (callbackError) {
+		console.error("OAuth callback error:", callbackError);
+
+		let message = "Authentication failed";
+		let errorCode = "oauth_error";
+
+		if (callbackError instanceof OAuthError) {
+			errorCode = callbackError.code;
+
+			// Map all error codes to user-friendly messages (never expose raw error.message)
+			switch (callbackError.code) {
+				case "invalid_state":
+					message = "OAuth session expired or invalid. Please try again.";
+					break;
+				case "signup_not_allowed":
+					message = "Self-signup is not allowed for your email. Please contact an administrator.";
+					break;
+				case "user_not_found":
+					message = "Your account was not found. It may have been deleted.";
+					break;
+				case "token_exchange_failed":
+					message = "Failed to complete authentication. Please try again.";
+					break;
+				case "profile_fetch_failed":
+					message = "Failed to retrieve your profile. Please try again.";
+					break;
+				default:
+					message = "Authentication failed. Please try again.";
+					break;
+			}
+		}
+		// For generic errors, keep the default "Authentication failed" message
+
+		return redirect(
+			`/_emdash/admin/login?error=${errorCode}&message=${encodeURIComponent(message)}`,
+		);
+	}
+};

package/src/astro/routes/api/auth/oauth/[provider].ts

@@ -0,0 +1,119 @@
+/**
+ * GET /_emdash/api/auth/oauth/[provider]
+ *
+ * Start OAuth flow - redirects to provider authorization URL
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createAuthorizationUrl, type OAuthConsumerConfig } from "@emdash-cms/auth";
+
+import { createOAuthStateStore } from "#auth/oauth-state-store.js";
+
+type ProviderName = "github" | "google";
+
+const VALID_PROVIDERS = new Set<string>(["github", "google"]);
+
+function isValidProvider(provider: string): provider is ProviderName {
+	return VALID_PROVIDERS.has(provider);
+}
+
+/** Safely extract a string value from an env-like record */
+function envString(env: Record<string, unknown>, ...keys: string[]): string | undefined {
+	for (const key of keys) {
+		const val = env[key];
+		if (typeof val === "string" && val) return val;
+	}
+	return undefined;
+}
+
+/**
+ * Get OAuth config from environment variables
+ */
+function getOAuthConfig(env: Record<string, unknown>): OAuthConsumerConfig["providers"] {
+	const providers: OAuthConsumerConfig["providers"] = {};
+
+	// GitHub
+	const githubClientId = envString(env, "EMDASH_OAUTH_GITHUB_CLIENT_ID", "GITHUB_CLIENT_ID");
+	const githubClientSecret = envString(
+		env,
+		"EMDASH_OAUTH_GITHUB_CLIENT_SECRET",
+		"GITHUB_CLIENT_SECRET",
+	);
+	if (githubClientId && githubClientSecret) {
+		providers.github = {
+			clientId: githubClientId,
+			clientSecret: githubClientSecret,
+		};
+	}
+
+	// Google
+	const googleClientId = envString(env, "EMDASH_OAUTH_GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_ID");
+	const googleClientSecret = envString(
+		env,
+		"EMDASH_OAUTH_GOOGLE_CLIENT_SECRET",
+		"GOOGLE_CLIENT_SECRET",
+	);
+	if (googleClientId && googleClientSecret) {
+		providers.google = {
+			clientId: googleClientId,
+			clientSecret: googleClientSecret,
+		};
+	}
+
+	return providers;
+}
+
+export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
+	const { emdash } = locals;
+	const provider = params.provider;
+
+	// Validate provider
+	if (!provider || !isValidProvider(provider)) {
+		return redirect(
+			`/_emdash/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
+		);
+	}
+
+	if (!emdash?.db) {
+		return redirect(
+			`/_emdash/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`,
+		);
+	}
+
+	try {
+		const url = new URL(request.url);
+
+		// Get OAuth providers from environment
+		// Access via locals.runtime for Cloudflare, or import.meta.env for Node
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
+		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
+		const providers = getOAuthConfig(env);
+
+		if (!providers[provider]) {
+			return redirect(
+				`/_emdash/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,
+			);
+		}
+
+		const config: OAuthConsumerConfig = {
+			baseUrl: `${url.origin}/_emdash`,
+			providers,
+		};
+
+		const stateStore = createOAuthStateStore(emdash.db);
+
+		const { url: authUrl } = await createAuthorizationUrl(config, provider, stateStore);
+
+		return redirect(authUrl);
+	} catch (error) {
+		console.error("OAuth initiation error:", error);
+		return redirect(
+			`/_emdash/admin/login?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
+		);
+	}
+};

package/src/astro/routes/api/auth/passkey/[id].ts

@@ -0,0 +1,124 @@
+/**
+ * PATCH/DELETE /_emdash/api/auth/passkey/[id]
+ *
+ * Rename or delete a passkey
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { passkeyRenameBody } from "#api/schemas.js";
+
+interface PasskeyResponse {
+	id: string;
+	name: string | null;
+	deviceType: "singleDevice" | "multiDevice";
+	backedUp: boolean;
+	createdAt: string;
+	lastUsedAt: string;
+}
+
+/**
+ * PATCH - Rename a passkey
+ */
+export const PATCH: APIRoute = async ({ params, request, locals }) => {
+	const { emdash, user } = locals;
+	const { id } = params;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	if (!id) {
+		return apiError("MISSING_PARAM", "Passkey ID is required", 400);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+
+		// Get the credential and verify ownership
+		const credential = await adapter.getCredentialById(id);
+
+		if (!credential || credential.userId !== user.id) {
+			return apiError("NOT_FOUND", "Passkey not found", 404);
+		}
+
+		// Parse request body
+		const body = await parseBody(request, passkeyRenameBody);
+		if (isParseError(body)) return body;
+
+		// Update the name
+		const trimmedName = body.name.trim() || null;
+		await adapter.updateCredentialName(id, trimmedName);
+
+		// Return updated passkey info
+		const passkey: PasskeyResponse = {
+			id: credential.id,
+			name: trimmedName,
+			deviceType: credential.deviceType,
+			backedUp: credential.backedUp,
+			createdAt: credential.createdAt.toISOString(),
+			lastUsedAt: credential.lastUsedAt.toISOString(),
+		};
+
+		return apiSuccess({ passkey });
+	} catch (error) {
+		return handleError(error, "Failed to rename passkey", "PASSKEY_RENAME_ERROR");
+	}
+};
+
+/**
+ * DELETE - Remove a passkey
+ */
+export const DELETE: APIRoute = async ({ params, locals }) => {
+	const { emdash, user } = locals;
+	const { id } = params;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	if (!id) {
+		return apiError("MISSING_PARAM", "Passkey ID is required", 400);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+
+		// Get the credential and verify ownership
+		const credential = await adapter.getCredentialById(id);
+
+		if (!credential || credential.userId !== user.id) {
+			return apiError("NOT_FOUND", "Passkey not found", 404);
+		}
+
+		// Check that this isn't the last passkey
+		const count = await adapter.countCredentialsByUserId(user.id);
+
+		if (count <= 1) {
+			return apiError("LAST_PASSKEY", "Cannot remove your last passkey", 400);
+		}
+
+		// Delete the passkey
+		await adapter.deleteCredential(id);
+
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Failed to delete passkey", "PASSKEY_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/auth/passkey/index.ts

@@ -0,0 +1,54 @@
+/**
+ * GET /_emdash/api/auth/passkey
+ *
+ * List all passkeys for the authenticated user
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+
+interface PasskeyResponse {
+	id: string;
+	name: string | null;
+	deviceType: "singleDevice" | "multiDevice";
+	backedUp: boolean;
+	createdAt: string;
+	lastUsedAt: string;
+}
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash, user } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+		const credentials = await adapter.getCredentialsByUserId(user.id);
+
+		// Map to public response format (exclude sensitive fields)
+		const passkeys: PasskeyResponse[] = credentials.map((cred) => ({
+			id: cred.id,
+			name: cred.name,
+			deviceType: cred.deviceType,
+			backedUp: cred.backedUp,
+			createdAt: cred.createdAt.toISOString(),
+			lastUsedAt: cred.lastUsedAt.toISOString(),
+		}));
+
+		return apiSuccess({ items: passkeys });
+	} catch (error) {
+		return handleError(error, "Failed to list passkeys", "PASSKEY_LIST_ERROR");
+	}
+};

package/src/astro/routes/api/auth/passkey/options.ts

@@ -0,0 +1,82 @@
+/**
+ * POST /_emdash/api/auth/passkey/options
+ *
+ * Get authentication options for passkey login.
+ *
+ * Rate limited: 10 requests per minute per IP.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { generateAuthenticationOptions } from "@emdash-cms/auth/passkey";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { passkeyOptionsBody } from "#api/schemas.js";
+import { createChallengeStore, cleanupExpiredChallenges } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		// Fire-and-forget cleanup of expired challenges -- prevents accumulation
+		void cleanupExpiredChallenges(emdash.db).catch(() => {});
+
+		// Parse body before rate limiting so malformed requests don't consume slots
+		const body = await parseOptionalBody(request, passkeyOptionsBody, {});
+		if (isParseError(body)) return body;
+
+		// Rate limit: 10 requests per 60 seconds per IP
+		const ip = getClientIp(request);
+		const rateLimit = await checkRateLimit(emdash.db, ip, "passkey/options", 10, 60);
+		if (!rateLimit.allowed) {
+			return rateLimitResponse(60);
+		}
+
+		const adapter = createKyselyAdapter(emdash.db);
+
+		// Get credentials to allow
+		let credentials: Awaited<ReturnType<typeof adapter.getCredentialsByUserId>> = [];
+
+		if (body.email) {
+			// Get credentials for specific user
+			const user = await adapter.getUserByEmail(body.email);
+			if (user) {
+				credentials = await adapter.getCredentialsByUserId(user.id);
+			}
+			// Don't reveal if user exists - just return empty allowCredentials
+		}
+		// If no email provided, allowCredentials will be undefined (allow any discoverable credential)
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const options = new OptionsRepository(emdash.db);
+		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
+		const passkeyConfig = getPasskeyConfig(url, siteName);
+
+		// Generate authentication options
+		const challengeStore = createChallengeStore(emdash.db);
+		const authOptions = await generateAuthenticationOptions(
+			passkeyConfig,
+			credentials,
+			challengeStore,
+		);
+
+		return apiSuccess({
+			success: true,
+			options: authOptions,
+		});
+	} catch (error) {
+		return handleError(error, "Failed to generate passkey options", "PASSKEY_OPTIONS_ERROR");
+	}
+};

package/src/astro/routes/api/auth/passkey/register/options.ts

@@ -0,0 +1,86 @@
+/**
+ * POST /_emdash/api/auth/passkey/register/options
+ *
+ * Get WebAuthn registration options for adding a new passkey (authenticated user)
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { generateRegistrationOptions } from "@emdash-cms/auth/passkey";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { passkeyRegisterOptionsBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+const MAX_PASSKEYS = 10;
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { emdash, user } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	// Require authentication
+	if (!user) {
+		return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	}
+
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+
+		// Check passkey limit
+		const count = await adapter.countCredentialsByUserId(user.id);
+		if (count >= MAX_PASSKEYS) {
+			return apiError("PASSKEY_LIMIT", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);
+		}
+
+		// Parse optional name from request
+		const body = await parseOptionalBody(request, passkeyRegisterOptionsBody, {});
+		if (isParseError(body)) return body;
+
+		// Get existing credentials for excludeCredentials
+		const existingCredentials = await adapter.getCredentialsByUserId(user.id);
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const optionsRepo = new OptionsRepository(emdash.db);
+		const siteName = (await optionsRepo.get<string>("emdash:site_title")) ?? undefined;
+		const passkeyConfig = getPasskeyConfig(url, siteName);
+
+		// Generate registration options
+		const challengeStore = createChallengeStore(emdash.db);
+		const registrationOptions = await generateRegistrationOptions(
+			passkeyConfig,
+			{ id: user.id, email: user.email, name: user.name },
+			existingCredentials,
+			challengeStore,
+		);
+
+		// Store the passkey name in the challenge metadata if provided
+		// We'll retrieve it during verification
+		if (body.name) {
+			// Store name with challenge for later retrieval
+			// The challenge store will need this when verifying
+			await optionsRepo.set(`emdash:passkey_pending:${user.id}`, {
+				name: body.name,
+			});
+		}
+
+		return apiSuccess({
+			options: registrationOptions,
+		});
+	} catch (error) {
+		return handleError(
+			error,
+			"Failed to generate registration options",
+			"PASSKEY_REGISTER_OPTIONS_ERROR",
+		);
+	}
+};