flarecms 0.1.0

package/src/api/routes/setup.ts

@@ -0,0 +1,307 @@
+import { Hono } from 'hono';
+import { createDb } from '../../db';
+import { hashPassword, generateSessionToken } from '../../auth';
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+} from '@simplewebauthn/server';
+import { setCookie } from 'hono/cookie';
+import { ulid } from 'ulidx';
+import { encodeBase64url } from '@oslojs/encoding';
+import { setupSchema, webauthnOptionsSchema, webauthnVerifySchema } from '../schemas';
+import type { Bindings } from '../index';
+import { apiResponse } from '../lib/response';
+import { runMigrations } from '../../db';
+
+export const setupRoutes = new Hono<{ Bindings: Bindings }>();
+
+// GET /api/setup/status
+// Checks if the system is already configured
+setupRoutes.get('/status', async (c) => {
+  const db = createDb(c.env.DB);
+  try {
+    const admin = await db
+      .selectFrom('fc_users')
+      .select('id')
+      .where('role', '=', 'admin')
+      .executeTakeFirst();
+
+    return apiResponse.ok(c, {
+      isConfigured: !!admin,
+      version: '0.1.0',
+    });
+  } catch (e: any) {
+    // If table doesn't exist, it's definitely not configured
+    return apiResponse.ok(c, {
+      isConfigured: false,
+      needsMigration: true,
+      error: e.message,
+    });
+  }
+});
+
+// POST /api/setup
+// Initial admin creation and system configuration
+setupRoutes.post('/', async (c) => {
+  const body = await c.req.json();
+  const parsed = setupSchema.safeParse(body);
+
+  if (!parsed.success) {
+    return apiResponse.error(c, parsed.error.format());
+  }
+
+  const db = createDb(c.env.DB);
+
+  // 0. Ensure database tables exist
+  try {
+    await runMigrations(db);
+  } catch (e: any) {
+    return apiResponse.error(c, `Migration failed: ${e.message}`, 500);
+  }
+
+  // 1. Check if an admin already exists (prevent re-setup)
+  const existingAdmin = await db
+    .selectFrom('fc_users')
+    .select('id')
+    .where('role', '=', 'admin')
+    .executeTakeFirst();
+
+  if (existingAdmin) {
+    return apiResponse.error(c, 'System is already configured', 403);
+  }
+
+  const { email, password, title } = parsed.data;
+  const userId = ulid();
+  const hashedPassword = await hashPassword(password);
+
+  try {
+    // 2. Create the admin user
+    await db
+      .insertInto('fc_users')
+      .values({
+        id: userId,
+        email,
+        password: hashedPassword,
+        role: 'admin',
+        disabled: 0,
+      })
+      .execute();
+
+    // 3. Save initial settings
+    const settings = [
+      { name: 'flare:site_name', value: title },
+      { name: 'flare:signup_enabled', value: 'false' },
+      { name: 'flare:signup_default_role', value: 'viewer' },
+      { name: 'flare:setup_complete', value: 'true' },
+      { name: 'flare:setup_completed_at', value: new Date().toISOString() },
+    ];
+
+    for (const setting of settings) {
+      await db
+        .insertInto('options')
+        .values(setting)
+        .onConflict((oc) =>
+          oc.column('name').doUpdateSet({ value: setting.value }),
+        )
+        .execute();
+    }
+
+    // 4. Auto-login the new admin
+    const sessionId = generateSessionToken();
+    const expiresAt = new Date();
+    expiresAt.setDate(expiresAt.getDate() + 30);
+
+    await db
+      .insertInto('fc_sessions')
+      .values({
+        id: sessionId,
+        user_id: userId,
+        expires_at: expiresAt.toISOString(),
+      })
+      .execute();
+
+    setCookie(c, 'session', sessionId, {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'Strict',
+      expires: expiresAt,
+      path: '/',
+    });
+
+    return apiResponse.ok(c, {
+      success: true,
+      user: { email, role: 'admin' },
+    });
+  } catch (e: any) {
+    return apiResponse.error(c, `Setup failed: ${e.message}`);
+  }
+});
+
+// Passkey Registration Options (Initial Setup)
+setupRoutes.post('/passkey/options', async (c) => {
+  const body = await c.req.json();
+  const parsed = webauthnOptionsSchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const db = createDb(c.env.DB);
+
+  // 0. Ensure database tables exist
+  try {
+    await runMigrations(db);
+  } catch (e: any) {
+    return apiResponse.error(c, `Migration check failed: ${e.message}`, 500);
+  }
+
+  const userCount = await db
+    .selectFrom('fc_users')
+    .select((eb) => eb.fn.countAll<number>().as('count'))
+    .executeTakeFirst();
+
+  if (userCount && userCount.count > 0) {
+    return apiResponse.error(c, 'Setup already complete');
+  }
+
+  const tempUserId = ulid();
+
+  const options = await generateRegistrationOptions({
+    rpName: 'FlareCMS',
+    rpID: new URL(c.req.url).hostname,
+    userID: new TextEncoder().encode(tempUserId) as Uint8Array<ArrayBuffer>,
+    userName: parsed.data.email,
+    attestationType: 'none',
+    authenticatorSelection: {
+      residentKey: 'required',
+      userVerification: 'preferred',
+    },
+  });
+
+  // Save challenge to KV temporarily (300s TTL)
+  await c.env.KV.put(
+    `webauthn_reg_${parsed.data.email}`,
+    JSON.stringify({
+      challenge: options.challenge,
+      userId: tempUserId,
+    }),
+    { expirationTtl: 300 },
+  );
+
+  return apiResponse.ok(c, options);
+});
+
+// Passkey Verification (Initial Setup)
+setupRoutes.post('/passkey/verify', async (c) => {
+  const body = await c.req.json();
+  const parsed = webauthnVerifySchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const db = createDb(c.env.DB);
+
+  // 0. Ensure database tables exist
+  try {
+    await runMigrations(db);
+  } catch (e: any) {
+    return apiResponse.error(c, `Migration check failed: ${e.message}`, 500);
+  }
+
+  const userCount = await db
+    .selectFrom('fc_users')
+    .select((eb) => eb.fn.countAll<number>().as('count'))
+    .executeTakeFirst();
+  if (userCount && userCount.count > 0) {
+    return apiResponse.error(c, 'Setup already complete');
+  }
+
+  const cachedDataStr = await c.env.KV.get(`webauthn_reg_${parsed.data.email}`);
+  if (!cachedDataStr) {
+    return apiResponse.error(c, 'Registration session expired');
+  }
+
+  const cachedData = JSON.parse(cachedDataStr);
+
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response: parsed.data.response,
+      expectedChallenge: cachedData.challenge,
+      expectedOrigin: new URL(c.req.url).origin,
+      expectedRPID: new URL(c.req.url).hostname,
+    });
+  } catch (error: any) {
+    return apiResponse.error(c, error.message);
+  }
+
+  if (verification.verified && verification.registrationInfo) {
+    const { credential } = verification.registrationInfo;
+
+    try {
+      // Create the Admin User
+      await db
+        .insertInto('fc_users')
+        .values({
+          id: cachedData.userId,
+          email: parsed.data.email,
+          password: null, // Passkey only
+          role: 'admin',
+          disabled: 0,
+        })
+        .execute();
+
+      // Create Passkey
+      await db
+        .insertInto('fc_passkeys')
+        .values({
+          id: credential.id,
+          user_id: cachedData.userId,
+          public_key: encodeBase64url(credential.publicKey),
+          counter: credential.counter,
+          device_type: verification.registrationInfo.credentialDeviceType,
+          backed_up: verification.registrationInfo.credentialBackedUp ? 1 : 0,
+          transports: JSON.stringify(
+            parsed.data.response.response.transports || [],
+          ),
+        })
+        .execute();
+
+      await db
+        .insertInto('options')
+        .values([
+          { name: 'flare:setup_complete', value: 'true' },
+          { name: 'flare:site_title', value: 'FlareCMS (Passkey Setup)' },
+        ])
+        .execute();
+
+      // Generate session directly for setup flow convenience
+      const sessionId = generateSessionToken();
+      const expiresAt = new Date();
+      expiresAt.setDate(expiresAt.getDate() + 30);
+
+      await db
+        .insertInto('fc_sessions')
+        .values({
+          id: sessionId,
+          user_id: cachedData.userId,
+          expires_at: expiresAt.toISOString(),
+        })
+        .execute();
+
+      setCookie(c, 'session', sessionId, {
+        httpOnly: true,
+        secure: true,
+        sameSite: 'Strict',
+        expires: expiresAt,
+        path: '/',
+      });
+
+      await c.env.KV.delete(`webauthn_reg_${parsed.data.email}`);
+
+      return apiResponse.ok(c, {
+        success: true,
+        message: 'Setup completed with Passkey',
+      });
+    } catch (e: any) {
+      return apiResponse.error(c, `Setup failed during storage: ${e.message}`);
+    }
+  }
+
+  return apiResponse.error(c, 'Passkey verification failed');
+});

package/src/api/routes/tokens.ts

@@ -0,0 +1,80 @@
+import { Hono } from 'hono';
+import { createDb } from '../../db';
+import { ulid } from 'ulidx';
+import { tokenCreateSchema } from '../schemas/tokens';
+import { encodeHexLowerCase } from '@oslojs/encoding';
+import type { Bindings, Variables } from '../index';
+import { requireRole } from '../middlewares/rbac';
+import { apiResponse } from '../lib/response';
+
+export const tokenRoutes = new Hono<{ Bindings: Bindings; Variables: Variables }>();
+
+
+// Tokens can only be managed by admins for now
+tokenRoutes.use('*', requireRole(['admin']));
+
+// Generate Personal Access Token
+tokenRoutes.post('/', async (c) => {
+  const body = await c.req.json();
+  const parsed = tokenCreateSchema.safeParse(body);
+  if (!parsed.success) return apiResponse.error(c, parsed.error.format());
+
+  const db = createDb(c.env.DB);
+  const user = c.get('user');
+
+  const randomBytes = new Uint8Array(24);
+  crypto.getRandomValues(randomBytes);
+  const suffix = encodeHexLowerCase(randomBytes);
+  
+  // Example token output: ec_pat_01H..._a1b2c3d4
+  const tokenId = `ec_pat_${ulid()}`;
+  const fullToken = `${tokenId}_${suffix}`;
+  
+  // Here we only hash the suffix for storage for security
+  // but save tokenId as Primary Key for quick lookups
+  const encoder = new TextEncoder();
+  const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(suffix));
+  const hashHex = Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
+
+  await db.insertInto('fc_api_tokens')
+    .values({
+      id: tokenId,
+      user_id: user.id,
+      name: parsed.data.name,
+      hash: hashHex,
+      scopes: JSON.stringify(parsed.data.scopes),
+      expires_at: null,
+      last_used_at: null,
+    })
+    .execute();
+
+  // Return the full unhashed token ONLY ONCE
+  return apiResponse.ok(c, { token: fullToken, id: tokenId, name: parsed.data.name });
+});
+
+// List User Tokens
+tokenRoutes.get('/', async (c) => {
+  const db = createDb(c.env.DB);
+  const user = c.get('user');
+  
+  const tokens = await db.selectFrom('fc_api_tokens')
+    .select(['id', 'name', 'scopes', 'created_at', 'last_used_at'])
+    .where('user_id', '=', user.id)
+    .execute();
+
+  return apiResponse.ok(c, tokens.map(t => ({ ...t, scopes: JSON.parse(t.scopes) })));
+});
+
+// Revoke Token
+tokenRoutes.delete('/:id', async (c) => {
+  const id = c.req.param('id');
+  const db = createDb(c.env.DB);
+  const user = c.get('user');
+
+  await db.deleteFrom('fc_api_tokens')
+    .where('id', '=', id)
+    .where('user_id', '=', user.id) // Only allow revoking own tokens
+    .execute();
+
+  return apiResponse.ok(c, { success: true });
+});

package/src/api/schemas/auth.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod';
+
+export const magicLinkRequestSchema = z.object({
+  email: z.string().email('Valid email required'),
+});
+
+export const magicLinkVerifySchema = z.object({
+  email: z.string().email(),
+  token: z.string().min(1, 'Token is required'),
+});
+
+export const oauthCallbackSchema = z.object({
+  code: z.string().min(1, 'Authorization code is required'),
+  state: z.string().optional()
+});

package/src/api/schemas/index.ts

@@ -0,0 +1,51 @@
+import { z } from 'zod';
+
+export const loginSchema = z.object({
+  email: z.email({ message: 'Invalid email address' }),
+  password: z.string().min(1, { message: 'Password is required' }),
+});
+
+export const signupSchema = z.object({
+  email: z.email({ message: 'Invalid email address' }),
+  password: z.string().min(6, { message: 'Password must be at least 6 characters' }),
+});
+
+export const collectionSchema = z.object({
+  slug: z.string().min(1, { message: 'Slug is required' }),
+  label: z.string().min(1, { message: 'Label is required' }),
+  labelSingular: z.string().optional(),
+  description: z.string().optional(),
+  icon: z.string().optional(),
+  isPublic: z.boolean().optional(),
+  features: z.array(z.string()).optional(),
+  urlPattern: z.string().optional(),
+});
+
+export const fieldSchema = z.object({
+  slug: z.string().min(1, { message: 'Slug is required' }),
+  label: z.string().min(1, { message: 'Label is required' }),
+  type: z.string().min(1, { message: 'Type is required' }),
+  required: z.boolean().optional(),
+});
+
+export const setupSchema = z.object({
+  title: z.string().min(1, { message: 'Site title is required' }),
+  email: z.email({ message: 'Invalid email address' }),
+  password: z.string().min(6, { message: 'Password must be at least 6 characters' }),
+  name: z.string().optional(),
+});
+
+export const dynamicContentSchema = z.object({
+  slug: z.string().optional(),
+  status: z.string().optional(),
+  title: z.string().optional(),
+}).loose();
+
+export const webauthnOptionsSchema = z.object({
+  email: z.string().email()
+});
+
+export const webauthnVerifySchema = z.object({
+  email: z.string().email(),
+  response: z.any()
+});

package/src/api/schemas/tokens.ts

@@ -0,0 +1,24 @@
+import { z } from 'zod';
+
+export const tokenCreateSchema = z.object({
+  name: z.string().min(1, 'Name is required'),
+  scopes: z.array(z.object({
+    resource: z.string(),
+    actions: z.array(z.string()),
+  })).min(1, 'At least one scope is required'),
+});
+
+export const deviceCodeRequestSchema = z.object({
+  client_id: z.string(),
+  scope: z.string().optional() // Space separated scopes
+});
+
+export const deviceTokenRequestSchema = z.object({
+  client_id: z.string(),
+  device_code: z.string(),
+  grant_type: z.literal('urn:ietf:params:oauth:grant-type:device_code')
+});
+
+export const deviceApproveSchema = z.object({
+  user_code: z.string()
+});

package/src/auth/index.ts

@@ -0,0 +1,28 @@
+import { decodeHex, encodeHexLowerCase } from "@oslojs/encoding";
+
+/**
+ * Generate a random token for sessions
+ */
+export function generateSessionToken(): string {
+  const bytes = new Uint8Array(20);
+  crypto.getRandomValues(bytes);
+  return encodeHexLowerCase(bytes);
+}
+
+/**
+ * Hash a password using SHA-256 (for ultra-lightweight worker usage)
+ * Note: In a real production app, you might want Scrypt or Argon2id,
+ * but those can be slow on the Edge. SHA-256 + Salt is a light starting point.
+ */
+export async function hashPassword(password: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(password);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+}
+
+export async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  const newHash = await hashPassword(password);
+  return newHash === hash;
+}