flarecms 0.1.0

package/src/api/routes/content.ts

@@ -0,0 +1,175 @@
+import { Hono } from 'hono';
+import { createDb, ensureUniqueSlug } from '../../db';
+import { sql } from 'kysely';
+import { ulid } from 'ulidx';
+import { dynamicContentSchema } from '../schemas';
+import type { Bindings } from '../index';
+import { apiResponse } from '../lib/response';
+
+import { requireRole, requireScope } from '../middlewares/rbac';
+
+export const contentRoutes = new Hono<{ Bindings: Bindings }>();
+
+// Write operations (POST, PUT, DELETE) restricted to admin or editor roles.
+contentRoutes.post('/:collection', requireScope('write', 'collection_slug'), requireRole(['admin', 'editor']));
+contentRoutes.put('/:collection/*', requireScope('update', 'collection_slug'), requireRole(['admin', 'editor']));
+contentRoutes.delete('/:collection/*', requireScope('delete', 'collection_slug'), requireRole(['admin', 'editor']));
+
+contentRoutes.get('/:collection', requireScope('read', 'collection_slug'), async (c) => {
+  const collection = c.req.param('collection');
+  const db = createDb(c.env.DB);
+
+  const page = Number(c.req.query('page')) || 1;
+  const limit = Math.min(Number(c.req.query('limit')) || 20, 100);
+  const offset = (page - 1) * limit;
+
+  try {
+    // 1. Get total count
+    const countRes = await db.selectFrom(`ec_${collection}` as any)
+      .select(db.fn.count('id').as('count'))
+      .where('status', '!=', 'deleted')
+      .executeTakeFirst();
+
+    const total = Number(countRes?.count || 0);
+    const totalPages = Math.ceil(total / limit);
+
+    // 2. Get data slice
+    const result = await db.selectFrom(`ec_${collection}` as any)
+      .selectAll()
+      .where('status', '!=', 'deleted')
+      .orderBy('created_at', 'desc')
+      .limit(limit)
+      .offset(offset)
+      .execute();
+
+    return apiResponse.paginated(c, result, {
+      page,
+      limit,
+      total,
+      totalPages,
+      hasNextPage: page < totalPages,
+      hasPrevPage: page > 1,
+    });
+  } catch (e: any) {
+    return apiResponse.error(c, e.message);
+  }
+});
+
+contentRoutes.get('/:collection/:id', async (c) => {
+  const collection = c.req.param('collection');
+  const id = c.req.param('id');
+  const db = createDb(c.env.DB);
+  try {
+    const result = await db.selectFrom(`ec_${collection}` as any)
+      .selectAll()
+      .where('id', '=', id)
+      .executeTakeFirst();
+
+    if (!result) return apiResponse.error(c, 'Document not found', 404);
+    return apiResponse.ok(c, result);
+  } catch (e) {
+    return apiResponse.error(c, 'Access error', 404);
+  }
+});
+
+
+contentRoutes.post('/:collection', async (c) => {
+  const collectionName = c.req.param('collection');
+  const db = createDb(c.env.DB);
+
+  // 1. Get collection metadata
+  const collection = await db.selectFrom('fc_collections')
+    .select('id')
+    .where('slug', '=', collectionName)
+    .executeTakeFirst();
+
+  if (!collection) return apiResponse.error(c, 'Collection not found', 404);
+
+  // 2. Check for fields
+  const fieldCount = await db.selectFrom('fc_fields')
+    .select(db.fn.count('id').as('total'))
+    .where('collection_id', '=', collection.id)
+    .executeTakeFirst();
+
+  if (!fieldCount || Number(fieldCount.total) === 0) {
+    return apiResponse.error(c, 'Cannot create documents in a collection without fields. Please define your schema first.');
+  }
+
+  const body = await c.req.json();
+  const parsed = dynamicContentSchema.safeParse(body);
+  if (!parsed.success) {
+    return apiResponse.error(c, parsed.error.format());
+  }
+
+  const id = ulid();
+  const data = parsed.data;
+
+  // Handle Required Columns
+  const baseSlug = data.slug || data.title?.toLowerCase().replace(/[^a-z0-9]+/g, '-') || id;
+  const slug = await ensureUniqueSlug(db, collectionName, baseSlug);
+  const status = data.status || 'draft';
+
+  const doc = {
+    ...data,
+    id,
+    slug,
+    status,
+  };
+
+  try {
+    await db.insertInto(`ec_${collectionName}` as any)
+      .values(doc)
+      .execute();
+    return apiResponse.created(c, { id, slug });
+  } catch (e: any) {
+    return apiResponse.error(c, `Failed query: ${e.message}`);
+  }
+});
+
+contentRoutes.put('/:collection/:id', async (c) => {
+  const collectionName = c.req.param('collection');
+  const id = c.req.param('id');
+  const body = await c.req.json();
+  const parsed = dynamicContentSchema.safeParse(body);
+  if (!parsed.success) {
+    return apiResponse.error(c, parsed.error.format());
+  }
+
+  const db = createDb(c.env.DB);
+  const data = parsed.data;
+
+  // Handle slug change uniqueness
+  let finalData = { ...data };
+  if (data.slug) {
+    const uniqueSlug = await ensureUniqueSlug(db, collectionName, data.slug, id);
+    finalData.slug = uniqueSlug;
+  }
+
+  try {
+    await db.updateTable(`ec_${collectionName}` as any)
+      .set({
+        ...finalData,
+        updated_at: sql`CURRENT_TIMESTAMP`
+      })
+      .where('id', '=', id)
+      .execute();
+    return apiResponse.ok(c, { id, success: true, slug: finalData.slug });
+  } catch (e: any) {
+    return apiResponse.error(c, e.message);
+  }
+});
+
+contentRoutes.delete('/:collection/:id', async (c) => {
+  const collectionName = c.req.param('collection');
+  const id = c.req.param('id');
+  const db = createDb(c.env.DB);
+
+  try {
+    await db.deleteFrom(`ec_${collectionName}` as any)
+      .where('id', '=', id)
+      .execute();
+    return apiResponse.ok(c, { success: true });
+  } catch (e: any) {
+    return apiResponse.error(c, e.message);
+  }
+});

package/src/api/routes/device.ts

@@ -0,0 +1,160 @@
+import { Hono } from 'hono';
+import { createDb } from '../../db';
+import { ulid } from 'ulidx';
+import { deviceCodeRequestSchema, deviceTokenRequestSchema, deviceApproveSchema } from '../schemas/tokens';
+import { encodeHexLowerCase } from '@oslojs/encoding';
+import type { Bindings, Variables } from '../index';
+import { requireRole } from '../middlewares/rbac';
+import { authMiddleware } from '../middlewares/auth';
+import { apiResponse } from '../lib/response';
+
+export const deviceRoutes = new Hono<{ Bindings: Bindings; Variables: Variables }>();
+
+
+/**
+ * 1. CLI requests a device code
+ * Public unauthenticated endpoint
+ */
+deviceRoutes.post('/code', async (c) => {
+  const body = await c.req.json();
+  const parsed = deviceCodeRequestSchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const db = createDb(c.env.DB);
+  const clientId = parsed.data.client_id;
+  const requestedScopes = parsed.data.scope ? parsed.data.scope.split(' ') : ['content:read']; // Default Scope
+
+  // Generate Device Code
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  const deviceCode = encodeHexLowerCase(bytes);
+
+  // Generate short user code (ex: ABCD-1234)
+  const userCode = Math.random().toString(36).substring(2, 6).toUpperCase() + '-' + Math.random().toString(36).substring(2, 6).toUpperCase();
+
+  const expiresAt = new Date();
+  expiresAt.setMinutes(expiresAt.getMinutes() + 15); // 15 mins to authorize
+
+  await db.insertInto('fc_device_codes')
+    .values({
+      device_code: deviceCode,
+      user_code: userCode,
+      client_id: clientId,
+      user_id: null,
+      scopes: JSON.stringify(requestedScopes),
+      expires_at: expiresAt.toISOString(),
+    })
+    .execute();
+
+  return apiResponse.ok(c, {
+    device_code: deviceCode,
+    user_code: userCode,
+    verification_uri: new URL(c.req.url).origin + '/device', // Assuming UI is there
+    expires_in: 900,
+    interval: 5
+  });
+});
+
+/**
+ * 2. CLI Polls for token using device code
+ * Public unauthenticated endpoint
+ */
+deviceRoutes.post('/token', async (c) => {
+  const body = await c.req.json();
+  const parsed = deviceTokenRequestSchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const db = createDb(c.env.DB);
+  const { device_code, client_id } = parsed.data;
+
+  const codeRecord = await db.selectFrom('fc_device_codes')
+    .selectAll()
+    .where('device_code', '=', device_code)
+    .where('client_id', '=', client_id)
+    .executeTakeFirst();
+
+  if (!codeRecord) return apiResponse.error(c, 'invalid_grant');
+
+  if (new Date(codeRecord.expires_at) < new Date()) {
+    return apiResponse.error(c, 'expired_token');
+  }
+
+  if (!codeRecord.user_id) {
+    return apiResponse.error(c, 'authorization_pending');
+  }
+
+  // Approved! Create a real PAT
+  const randomBytes = new Uint8Array(24);
+  crypto.getRandomValues(randomBytes);
+  const suffix = encodeHexLowerCase(randomBytes);
+  const tokenId = `ec_pat_${ulid()}`;
+  const fullToken = `${tokenId}_${suffix}`;
+
+  const encoder = new TextEncoder();
+  const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(suffix));
+  const hashHex = Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
+
+  await db.insertInto('fc_api_tokens')
+    .values({
+      id: tokenId,
+      user_id: codeRecord.user_id,
+      name: `Device Authorization (${client_id})`,
+      hash: hashHex,
+      scopes: codeRecord.scopes, // Inherit requested scopes
+      expires_at: null,
+      last_used_at: null,
+    })
+    .execute();
+
+  // Delete consumed device code
+  await db.deleteFrom('fc_device_codes').where('device_code', '=', device_code).execute();
+
+  return apiResponse.ok(c, {
+    access_token: fullToken,
+    token_type: 'bearer',
+    scope: JSON.parse(codeRecord.scopes).join(' ')
+  });
+});
+
+/**
+ * 3. UI Approves code
+ * Authenticated Endpoint (User must be logged in to approve)
+ */
+// Temporary middleware stack application for this route specifically
+const approvalApp = new Hono<{ Bindings: Bindings; Variables: Variables }>();
+
+approvalApp.use('*', authMiddleware);
+approvalApp.use('*', requireRole(['admin', 'editor']));
+
+approvalApp.post('/verify', async (c) => {
+  const body = await c.req.json();
+  const parsed = deviceApproveSchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const user = c.get('user');
+  const db = createDb(c.env.DB);
+  const userCode = parsed.data.user_code.toUpperCase(); // normalize
+
+  const codeRecord = await db.selectFrom('fc_device_codes')
+    .selectAll()
+    .where('user_code', '=', userCode)
+    .where('user_id', 'is', null) // Only unapproved codes
+    .executeTakeFirst();
+
+  if (!codeRecord) return apiResponse.error(c, 'Invalid or expired user code', 404);
+
+  if (new Date(codeRecord.expires_at) < new Date()) {
+    await db.deleteFrom('fc_device_codes').where('user_code', '=', userCode).execute();
+    return apiResponse.error(c, 'Code expired');
+  }
+
+  // Approve it! Attach the user ID
+  await db.updateTable('fc_device_codes')
+    .set({ user_id: user.id })
+    .where('user_code', '=', userCode)
+    .execute();
+
+  return apiResponse.ok(c, { success: true, scopes: JSON.parse(codeRecord.scopes) });
+});
+
+deviceRoutes.route('/', approvalApp);

package/src/api/routes/magic.ts

@@ -0,0 +1,150 @@
+import { Hono } from 'hono';
+import { createDb } from '../../db';
+import { generateSessionToken } from '../../auth';
+import { setCookie } from 'hono/cookie';
+import { magicLinkRequestSchema, magicLinkVerifySchema } from '../schemas/auth';
+import { encodeHexLowerCase } from '@oslojs/encoding';
+import { ulid } from 'ulidx';
+import type { Bindings, Variables } from '../index';
+import { apiResponse } from '../lib/response';
+
+export const magicRoutes = new Hono<{ Bindings: Bindings; Variables: Variables }>();
+
+
+// Generate Magic Link
+magicRoutes.post('/request', async (c) => {
+  const body = await c.req.json();
+  const parsed = magicLinkRequestSchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const db = createDb(c.env.DB);
+  const { email } = parsed.data;
+
+  // 1. Check Registration Policy
+  const signupEnabled = await db.selectFrom('options').select('value').where('name', '=', 'flare:signup_enabled').executeTakeFirst();
+  const defaultRole = await db.selectFrom('options').select('value').where('name', '=', 'flare:signup_default_role').executeTakeFirst();
+  const domainRulesRaw = await db.selectFrom('options').select('value').where('name', '=', 'flare:signup_domain_rules').executeTakeFirst();
+  
+  const isEnabled = signupEnabled?.value === 'true';
+  const roleDefault = defaultRole?.value || 'editor';
+  const domainRules = JSON.parse(domainRulesRaw?.value || '{}') as Record<string, string>;
+
+  // 2. Link or Provision User
+  let user = await db.selectFrom('fc_users').selectAll().where('email', '=', email).executeTakeFirst();
+  
+  if (!user) {
+    if (!isEnabled) {
+      return apiResponse.error(c, 'Signups are currently disabled', 403);
+    }
+
+    // Determine role based on domain
+    const domain = email.split('@')[1] || '';
+    const assignedRole = domainRules[domain] || roleDefault;
+
+    // Provision new user
+    const newUser = {
+      id: ulid(),
+      email,
+      password: null,
+      role: assignedRole,
+      disabled: 0,
+    };
+    await db.insertInto('fc_users').values(newUser as any).execute();
+    user = await db.selectFrom('fc_users').selectAll().where('id', '=', newUser.id).executeTakeFirst();
+  }
+
+  if (!user || user.disabled) {
+    return apiResponse.error(c, 'Account disabled or not found', 403);
+  }
+
+  // Generate secure token
+  const randomBytes = new Uint8Array(32);
+  crypto.getRandomValues(randomBytes);
+  const rawToken = encodeHexLowerCase(randomBytes);
+  
+  // Hash for storage
+  const encoder = new TextEncoder();
+  const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(rawToken));
+  const hashHex = Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
+
+  const expiresAt = new Date();
+  expiresAt.setMinutes(expiresAt.getMinutes() + 15); // 15 mins expiry
+
+  // Upsert pattern: delete old tokens for this email
+  await db.deleteFrom('fc_verification_tokens').where('identifier', '=', email).execute();
+
+  await db.insertInto('fc_verification_tokens')
+    .values({
+      identifier: email,
+      token: hashHex,
+      expires_at: expiresAt.toISOString(),
+    })
+    .execute();
+
+  // In a real app we'd send an email here using SendGrid/Resend
+  // For now, we simulate logging it
+  console.log(`[MAGIC LINK] -> https://${new URL(c.req.url).hostname}/verify?email=${encodeURIComponent(email)}&token=${rawToken}`);
+
+  return apiResponse.ok(c, { 
+    success: true, 
+    message: 'Magic link sent', 
+    dev_link: `https://${new URL(c.req.url).hostname}/verify?email=${encodeURIComponent(email)}&token=${rawToken}` 
+  });
+});
+
+// Verify Magic Link
+magicRoutes.post('/verify', async (c) => {
+  const body = await c.req.json();
+  const parsed = magicLinkVerifySchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const db = createDb(c.env.DB);
+  const { email, token } = parsed.data;
+
+  const user = await db.selectFrom('fc_users').selectAll().where('email', '=', email).executeTakeFirst();
+  if (!user || user.disabled) return apiResponse.error(c, 'Invalid or expired link', 401);
+
+  // Hash provided token
+  const encoder = new TextEncoder();
+  const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(token));
+  const hashHex = Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
+
+  const record = await db.selectFrom('fc_verification_tokens')
+    .selectAll()
+    .where('identifier', '=', email)
+    .where('token', '=', hashHex)
+    .executeTakeFirst();
+
+  if (!record) return apiResponse.error(c, 'Invalid or expired link', 401);
+
+  if (new Date(record.expires_at) < new Date()) {
+    await db.deleteFrom('fc_verification_tokens').where('identifier', '=', email).execute();
+    return apiResponse.error(c, 'Link expired', 401);
+  }
+
+  // Success! Delete token and create session
+  await db.deleteFrom('fc_verification_tokens').where('identifier', '=', email).execute();
+
+  const sessionId = generateSessionToken();
+  const expiresAt = new Date();
+  expiresAt.setDate(expiresAt.getDate() + 30);
+
+  await db.insertInto('fc_sessions')
+    .values({
+      id: sessionId,
+      user_id: user.id,
+      expires_at: expiresAt.toISOString(),
+    })
+    .execute();
+
+    setCookie(c, 'session', sessionId, {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'Strict',
+      expires: expiresAt,
+      path: '/'
+    });
+
+
+  return apiResponse.ok(c, { success: true, message: 'Logged in via Magic Link' });
+});