emdash 0.8.0 → 0.10.0

package/src/api/handlers/oauth-authorization.ts

@@ -8,7 +8,7 @@
  * utilities. Token infrastructure is shared with the device flow.
  */
 
-import { clampScopes, computeS256Challenge } from "@emdash-cms/auth";
+import { clampScopes, computeS256Challenge, secureCompare } from "@emdash-cms/auth";
 import type { RoleLevel } from "@emdash-cms/auth";
 import { generateCodeVerifier } from "arctic";
 import type { Kysely } from "kysely";
@@ -19,10 +19,12 @@ import {
 	TOKEN_PREFIXES,
 	VALID_SCOPES,
 } from "../../auth/api-tokens.js";
+import { withTransaction } from "../../database/transaction.js";
 import type { Database } from "../../database/types.js";
 import { validateRedirectUri } from "../oauth/redirect-uri.js";
 import type { ApiResult } from "../types.js";
 import { lookupOAuthClient, validateClientRedirectUri } from "./oauth-clients.js";
+import { lookupUserRoleAndStatus } from "./oauth-user-lookup.js";
 
 // ---------------------------------------------------------------------------
 // Constants
@@ -296,8 +298,9 @@ export async function handleAuthorizationCodeExchange(
 		}
 
 		// PKCE verification: SHA256(code_verifier) must match stored code_challenge
+		// Use constant-time comparison to prevent timing side-channels
 		const derivedChallenge = computeS256Challenge(params.code_verifier);
-		if (derivedChallenge !== row.code_challenge) {
+		if (!secureCompare(derivedChallenge, row.code_challenge)) {
 			return {
 				success: false,
 				error: { code: "invalid_grant", message: "PKCE verification failed" },
@@ -312,44 +315,80 @@ export async function handleAuthorizationCodeExchange(
 			};
 		}
 
-		// Issue tokens (same as device flow)
-		const scopes = JSON.parse(row.scopes) as string[];
+		// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).
+		// The user's role may have changed since the authorization code was issued.
+		const userInfo = await lookupUserRoleAndStatus(db, row.user_id);
+		if (!userInfo) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "User not found" },
+			};
+		}
 
+		if (userInfo.disabled) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "User account is disabled" },
+			};
+		}
+
+		// Re-clamp scopes against the user's current role
+		const storedScopes = JSON.parse(row.scopes) as string[];
+		let scopes = clampScopes(storedScopes, userInfo.role);
+
+		// Intersect with client's registered scopes (if restricted)
+		const client = await lookupOAuthClient(db, row.client_id);
+		if (client?.scopes?.length) {
+			scopes = scopes.filter((s: string) => client.scopes!.includes(s));
+		}
+
+		if (scopes.length === 0) {
+			return {
+				success: false,
+				error: {
+					code: "invalid_grant",
+					message: "User role no longer supports any of the requested scopes",
+				},
+			};
+		}
+
+		// Issue tokens (same as device flow)
 		const accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);
 		const accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);
 
 		const refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);
 		const refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);
 
-		// Store access token
-		await db
-			.insertInto("_emdash_oauth_tokens")
-			.values({
-				token_hash: accessToken.hash,
-				token_type: "access",
-				user_id: row.user_id,
-				scopes: JSON.stringify(scopes),
-				client_type: "mcp",
-				expires_at: accessExpires,
-				refresh_token_hash: refreshToken.hash,
-				client_id: row.client_id,
-			})
-			.execute();
-
-		// Store refresh token
-		await db
-			.insertInto("_emdash_oauth_tokens")
-			.values({
-				token_hash: refreshToken.hash,
-				token_type: "refresh",
-				user_id: row.user_id,
-				scopes: JSON.stringify(scopes),
-				client_type: "mcp",
-				expires_at: refreshExpires,
-				refresh_token_hash: null,
-				client_id: row.client_id,
-			})
-			.execute();
+		// Atomically store both tokens in a transaction
+		await withTransaction(db, async (trx) => {
+			await trx
+				.insertInto("_emdash_oauth_tokens")
+				.values({
+					token_hash: accessToken.hash,
+					token_type: "access",
+					user_id: row.user_id,
+					scopes: JSON.stringify(scopes),
+					client_type: "mcp",
+					expires_at: accessExpires,
+					refresh_token_hash: refreshToken.hash,
+					client_id: row.client_id,
+				})
+				.execute();
+
+			await trx
+				.insertInto("_emdash_oauth_tokens")
+				.values({
+					token_hash: refreshToken.hash,
+					token_type: "refresh",
+					user_id: row.user_id,
+					scopes: JSON.stringify(scopes),
+					client_type: "mcp",
+					expires_at: refreshExpires,
+					refresh_token_hash: null,
+					client_id: row.client_id,
+				})
+				.execute();
+		});
 
 		return {
 			success: true,

package/src/api/handlers/revision.ts

@@ -6,6 +6,7 @@ import type { Kysely } from "kysely";
 
 import { ContentRepository } from "../../database/repositories/content.js";
 import { RevisionRepository, type Revision } from "../../database/repositories/revision.js";
+import { withTransaction } from "../../database/transaction.js";
 import type { Database } from "../../database/types.js";
 import type { ApiResult, ContentResponse } from "../types.js";
 
@@ -95,7 +96,6 @@ export async function handleRevisionRestore(
 ): Promise<ApiResult<ContentResponse>> {
 	try {
 		const revisionRepo = new RevisionRepository(db);
-		const contentRepo = new ContentRepository(db);
 
 		// Get the revision
 		const revision = await revisionRepo.findById(revisionId);
@@ -112,22 +112,31 @@ export async function handleRevisionRestore(
 		// Extract _slug from revision data (stored as metadata, not a real column)
 		const { _slug, ...fieldData } = revision.data;
 
-		// Update the content with the revision's data
-		const item = await contentRepo.update(revision.collection, revision.entryId, {
-			data: fieldData,
-			slug: typeof _slug === "string" ? _slug : undefined,
-		});
-
-		// Create a new revision to record the restore, attributed to the caller
-		await revisionRepo.create({
-			collection: revision.collection,
-			entryId: revision.entryId,
-			data: revision.data,
-			authorId: callerUserId,
+		// Atomically update content and create a new revision to record the restore.
+		// If either operation fails, neither is committed (on engines that support
+		// transactions; on D1, withTransaction falls back to sequential execution).
+		const item = await withTransaction(db, async (trx) => {
+			const trxContentRepo = new ContentRepository(trx);
+			const trxRevisionRepo = new RevisionRepository(trx);
+
+			const updated = await trxContentRepo.update(revision.collection, revision.entryId, {
+				data: fieldData,
+				slug: typeof _slug === "string" ? _slug : undefined,
+			});
+
+			await trxRevisionRepo.create({
+				collection: revision.collection,
+				entryId: revision.entryId,
+				data: revision.data,
+				authorId: callerUserId,
+			});
+
+			return updated;
 		});
 
 		// Fire-and-forget: prune old revisions to prevent unbounded growth
-		void revisionRepo.pruneOldRevisions(revision.collection, revision.entryId, 50).catch(() => {});
+		const pruneRepo = new RevisionRepository(db);
+		void pruneRepo.pruneOldRevisions(revision.collection, revision.entryId, 50).catch(() => {});
 
 		return {
 			success: true,