instaserve 1.1.11 → 1.1.14

package/README.md

@@ -8,10 +8,27 @@
   </p>
 </div>
 
+## Configuration
+
+Instaserve uses environment variables for Auth0 and Cloudflare R2 integration. Create a `.env` file (if your runner supports it) or pass them before the command.
+
+### Auth0 Variables
+- `AUTH0_DOMAIN`: Your Auth0 domain
+- `AUTH0_CLIENT_ID`: Your Auth0 Client ID
+- `AUTH0_CLIENT_SECRET`: Your Auth0 Client Secret
+
+### Cloudflare R2 Variables (via `lib/r2.js`)
+- `CLOUDFLARE_ACCOUNT_ID`: R2 Account ID
+- `CLOUDFLARE_ACCESS_KEY_ID`: R2 Access Key ID
+- `CLOUDFLARE_SECRET_ACCESS_KEY`: R2 Secret Access Key
+
 ## Usage
 
 <div style="background: white; padding: 15px; border-radius: 6px; box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1); margin: 15px 0;">
-  <pre style="margin: 0;"><code>npx instaserve [options]
+  <pre style="margin: 0;"><code># Run with env vars
+AUTH0_DOMAIN=... AUTH0_CLIENT_ID=... npx instaserve [options]
+
+# Generate routes file
 npx instaserve generate-routes</code></pre>
 </div>
 
@@ -238,3 +255,49 @@ export default {
     }
 }
 ```
+
+## Library Modules
+
+The `lib/` directory contains useful modules for authentication, storage, and database manipulation.
+
+### Auth0 (`lib/auth0.js`)
+Provides authentication routes and `req.user` handling via Auth0.
+- **Routes:** `GET /login`, `GET /logout`, `GET /callback`
+- **Usage:** Import and spread into your routes.
+  ```javascript
+  import auth0 from './lib/auth0.js';
+  
+  export default {
+    ...auth0,
+    // other routes
+  }
+  ```
+
+### R2 Storage (`lib/r2.js`)
+Utilities for Cloudflare R2 or S3-compatible object storage.
+- **Features:** `uploadToR2`, `downloadFromR2`, `listR2Files`
+- **Routes:** `fileRoutes` exports helpers for file management.
+- **Usage:**
+  ```javascript
+  import { fileRoutes } from './lib/r2.js';
+  
+  export default {
+    ...fileRoutes,
+    // other routes
+  }
+  ```
+
+### SQLite (`lib/sqlite.js`)
+Provides a local SQLite database with a per-user Key-Value store.
+- **Features:** User management table, KV table.
+- **Routes:** `_auth` middleware, CRUD for KV store (`/api`, `/all`).
+- **Usage:**
+  ```javascript
+  import sqliteRoutes from './lib/sqlite.js';
+  
+  export default {
+    ...sqliteRoutes,
+    // other routes
+  }
+  ```
+```

package/api.txt

@@ -0,0 +1,61 @@
+Instaserve API Documentation
+
+Authentication
+--------------
+GET /login
+  Redirects to Auth0 for sign-in.
+  Sets a secure http-only session cookie ('token') upon success.
+
+GET /logout
+  Logs the user out and clears the session.
+
+Key-Value Store (SQLite)
+------------------------
+* All endpoints require authentication.
+* Data is isolated per user.
+
+POST /api
+  Set a key-value pair.
+  Body (JSON): { "key": "myKey", "value": "myValue" }
+  Returns: { "key": "myKey", "value": "myValue" }
+
+GET /api?key=myKey
+  Retrieve a value by key.
+  Returns: { "key": "myKey", "value": "myValue" }
+
+GET /all
+  List all key-value pairs for the current user.
+  Returns: [ { "key": "key1", "value": "val1" }, ... ]
+
+DELETE /api
+  Delete a key.
+  Body (JSON): { "key": "myKey" }
+  Returns: { "deleted": true, "key": "myKey" }
+
+Storage (R2 / S3)
+-----------------
+* Requires R2 environment variables to be set on the server.
+* Uses the credentials provided in endpoints or server defaults.
+
+POST /upload
+  Upload a file.
+  Body (JSON):
+  {
+    "bucket": "my-bucket-name",
+    "key": "filename.jpg",
+    "body": "base64_encoded_string_contents",
+    "contentType": "image/jpeg"
+  }
+
+POST /files
+  List files in a bucket.
+  Body (JSON): { "bucket": "my-bucket-name" }
+  Returns: List of file objects (key, size, lastModified).
+
+GET /download?bucket=my-bucket-name&key=filename.jpg
+  Download a file directly.
+  (Available via the 'download' route handler)
+
+GET /delete?bucket=my-bucket-name&key=filename.jpg
+  Delete a file.
+  (Available via the 'delete' route handler)

package/lib/auth0.js

@@ -1,9 +1,37 @@
+import crypto from "crypto";
+
+const auth0_domain = process.env.AUTH0_DOMAIN || process.env.auth0_domain;
+const auth0_clientid = process.env.AUTH0_CLIENT_ID || process.env.auth0_clientid;
+const auth0_clientsecret = process.env.AUTH0_CLIENT_SECRET || process.env.auth0_clientsecret;
+
+const LOGGEDIN_REDIRECT = "/";
+const LOGGEDOUT_REDIRECT = "/";
+
+if (!auth0_domain || !auth0_clientid || !auth0_clientsecret) {
+  console.warn("Auth0 environment variables not set! Please set AUTH0_DOMAIN, AUTH0_CLIENT_ID, and AUTH0_CLIENT_SECRET.");
+}
+
+/**
+ * Auth0 Authentication Module
+ * 
+ * Usage:
+ * 1. Import this module in your routes.js file.
+ * 2. Merge it into your default export routes object: `...auth0`.
+ * 3. Ensure 'secrets' is globally available or imported with `auth0_domain`, `auth0_clientid`, and `auth0_clientsecret`.
+ * 4. Ensure `global.sqlite` is initialized (typically by importing lib/sqlite.js).
+ * 
+ * Routes provided:
+ * - GET /login: Initiates Auth0 login flow.
+ * - GET /logout: Clears session and token.
+ * - GET /callback: Handles Auth0 callback, validates token, creates user in DB.
+ */
+
 export default {
   "GET /login": (req, res) => {
-    const REDIRECT_URI = "https://${req.headers.host}/callback";
+    const REDIRECT_URI = `https://${req.headers.host}/callback`;
     const state = crypto.randomBytes(16).toString("hex");
     global.a0state = state;
-    const url = `https://${secrets.auth0_domain}/authorize?response_type=code&client_id=${secrets.auth0_clientid}&redirect_uri=${encodeURIComponent(REDIRECT_URI)}&scope=openid%20profile%20email&state=${encodeURIComponent(state)}`;
+    const url = `https://${auth0_domain}/authorize?response_type=code&client_id=${auth0_clientid}&redirect_uri=${encodeURIComponent(REDIRECT_URI)}&scope=openid%20profile%20email&state=${encodeURIComponent(state)}`;
     res.writeHead(302, { Location: url });
     res.end();
   },
@@ -14,32 +42,37 @@ export default {
       global.sqlite.prepare("UPDATE users SET token = NULL WHERE token = ?").run(token);
     }
     res.setHeader("Set-Cookie", "token=; Path=/; HttpOnly; Secure; SameSite=Lax");
-    res.writeHead(302, { Location: "/" });
+    res.writeHead(302, { Location: LOGGEDOUT_REDIRECT });
     res.end();
   },
   "GET /callback": async (req, res, data) => {
-    const REDIRECT_URI = "https://${req.headers.host}/callback";
-    const tokenRes = await fetch("https://digplan.auth0.com/oauth/token", {
+    const REDIRECT_URI = `https://${req.headers.host}/callback`;
+    const tokenRes = await fetch(`https://${auth0_domain}/oauth/token`, {
       method: "POST",
       headers: { "content-type": "application/json" },
       body: JSON.stringify({
         grant_type: "authorization_code",
-        client_id: secrets.auth0_clientid,
-        client_secret: secrets.auth0_clientsecret,
+        client_id: auth0_clientid,
+        client_secret: auth0_clientsecret,
         code: data.code,
         redirect_uri: REDIRECT_URI
       }),
-    })
+    });
+
     const tokens = await tokenRes.json();
+    if (tokens.error || !tokens.id_token) {
+      console.error("Auth0 Error:", tokens);
+      return `Auth0 Error: ${tokens.error_description || tokens.error || "Unknown error"}`;
+    }
     // decrypt token
     const id_token = tokens.id_token;
     const payload = JSON.parse(Buffer.from(id_token.split('.')[1], 'base64').toString());
     const auth_token = crypto.randomBytes(32).toString("hex");
-    sqlite.prepare("INSERT INTO users (id, username, token) VALUES (?, ?, ?) ON CONFLICT DO UPDATE SET token = ?, name = ?, picture = ?")
+    global.sqlite.prepare("INSERT INTO users (id, username, token) VALUES (?, ?, ?) ON CONFLICT DO UPDATE SET token = ?, name = ?, picture = ?")
       .run(payload.email, payload.name, auth_token, auth_token, payload.name, payload.picture);
     res.setHeader("Set-Cookie", `username=${payload.email}; Path=/;`);
     res.setHeader("Set-Cookie", `name=${payload.name}; Path=/;`);
     res.setHeader("Set-Cookie", `token=${auth_token}; Path=/;`);
-    return `<script>localStorage.setItem('name', '${payload.name}');localStorage.setItem('pic', '${payload.picture}');window.location.href = '/';</script>`;
+    return `<script>localStorage.setItem('name', '${payload.name}');localStorage.setItem('pic', '${payload.picture}');window.location.href = '${LOGGEDIN_REDIRECT}';</script>`;
   }
 }

package/lib/r2.js

@@ -2,6 +2,36 @@ import https from 'https';
 import crypto from 'crypto';
 import { URL } from 'url';
 
+const cloudflareAccessKeyId = process.env.CLOUDFLARE_ACCESS_KEY_ID || process.env.cloudflareAccessKeyId;
+const cloudflareSecretAccessKey = process.env.CLOUDFLARE_SECRET_ACCESS_KEY || process.env.cloudflareSecretAccessKey;
+const cloudflareAccountId = process.env.CLOUDFLARE_ACCOUNT_ID || process.env.cloudflareAccountId;
+
+if (!cloudflareAccessKeyId || !cloudflareSecretAccessKey || !cloudflareAccountId) {
+  console.warn("Cloudflare environment variables not set! Please set CLOUDFLARE_ACCESS_KEY_ID, CLOUDFLARE_SECRET_ACCESS_KEY, and CLOUDFLARE_ACCOUNT_ID.");
+}
+
+/**
+ * Cloudflare R2 / S3-Compatible Storage Module
+ * 
+ * Usage:
+ * 1. Import desired functions or `fileRoutes` from this file.
+ * 2. Requires a `secrets` object with:
+ *    - cloudflareAccessKeyId
+ *    - cloudflareSecretAccessKey
+ *    - cloudflareAccountId
+ * 
+ * Exports:
+ * - uploadToR2(bucket, key, body, contentType, secrets)
+ * - downloadFromR2(bucket, key, secrets)
+ * - deleteFromR2(bucket, key, secrets)
+ * - listR2Files(bucket, prefix, secrets)
+ * - getSignedDownloadUrl(bucket, key, secrets)
+ * 
+ * fileRoutes:
+ * Contains helper handlers for file operations. Note that `upload`, `download`, `delete`
+ * are generic async functions awaiting `data` parameters, while `POST /files` is a standard route.
+ */
+
 // --- Core SigV4 Utilities ---
 
 const hashSHA256 = (str) => crypto.createHash('sha256').update(str).digest('hex');
@@ -177,6 +207,12 @@ function getSignedDownloadUrl(bucket, key, secrets) {
   return signR2('GET', bucket, key, null, ...getSecrets(secrets)).url;
 }
 
+const defaultSecrets = {
+  cloudflareAccessKeyId,
+  cloudflareSecretAccessKey,
+  cloudflareAccountId
+};
+
 export const fileRoutes = {
   upload: async (req, res, data) => {
     try {
@@ -188,27 +224,27 @@ export const fileRoutes = {
       } else {
         body = Buffer.alloc(0);
       }
-      return await uploadToR2(data.bucket, data.key, body, data.contentType, data.secrets);
+      return await uploadToR2(data.bucket, data.key, body, data.contentType, data.secrets || defaultSecrets);
     } catch (e) { return { error: e.message }; }
   },
   download: async (req, res, data) => {
     try {
-      return await downloadFromR2(data.bucket, data.key, data.secrets);
+      return await downloadFromR2(data.bucket, data.key, data.secrets || defaultSecrets);
     } catch (e) { return { error: e.message }; }
   },
   delete: async (req, res, data) => {
     try {
-      return await deleteFromR2(data.bucket, data.key, data.secrets);
+      return await deleteFromR2(data.bucket, data.key, data.secrets || defaultSecrets);
     } catch (e) { return { error: e.message }; }
   },
   "POST /files": async (req, res, data) => {
     try {
-      return await listR2Files(data.bucket, data.prefix, data.secrets);
+      return await listR2Files(data.bucket, data.prefix, data.secrets || defaultSecrets);
     } catch (e) { return { error: e.message }; }
   }
 };
 
-export {
+export default {
   uploadToR2,
   downloadFromR2,
   deleteFromR2,

package/lib/sqlite.js

@@ -1,7 +1,24 @@
+/**
+ * SQLite Database & Key-Value Store Module
+ * 
+ * Usage:
+ * 1. Import this module to initialize the database ('data.db') and tables ('users', 'kv').
+ * 2. Access the database instance via `global.sqlite`.
+ * 3. Exported routes provide a per-user Key-Value store mechanism guarded by the `_auth` middleware.
+ * 
+ * Tables created:
+ * - users: id, username, pass, token, picture, name, email
+ * - kv: key (format: "username:key"), value
+ * 
+ * Routes provided:
+ * - _auth: Middleware for protecting routes (assigns `req.user`).
+ * - POST /api: Set a KV pair for the logged-in user.
+ * - GET /api: Get a value by key.
+ * - GET /all: List all keys/values for the user.
+ * - DELETE /api: Delete a key.
+ */
+
 import Database from "better-sqlite3";
-import { fileRoutes } from "./lib/file-routes.js";
-import secrets from "./secrets.js";
-import crypto from "crypto";
 
 // Initialize database
 global.sqlite = new Database("data.db");
@@ -11,8 +28,8 @@ sqlite.prepare("CREATE TABLE IF NOT EXISTS kv (key TEXT PRIMARY KEY, value TEXT)
 // Combine all routes
 export default {
   _auth: (req, res, data) => {
-    if (req.url.match(/js|html|css/)) return;
-    if (req.url == "/") return 401;
+    if (req.url === '/' || req.url.match(/js|html|css|callback/)) return;
+
     if (req.url.startsWith("/register") || req.url.startsWith("/login")) return;
 
     const token = req.headers.cookie?.split('token=')[1].split(';')[0];

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "instaserve",
-  "version": "1.1.11",
+  "version": "1.1.14",
   "description": "Instant web stack",
   "main": "module.mjs",
   "bin": "./instaserve",
   "scripts": {
-    "start": "node instaserve"
+    "start": "node instaserve",
+    "test": "./test_api.sh"
   },
   "type": "module",
   "dependencies": {

package/routes-full.js

@@ -0,0 +1,12 @@
+import auth0 from "./lib/auth0.js";
+import { fileRoutes } from "./lib/r2.js";
+import sqlite from "./lib/sqlite.js";
+
+export default {
+  _log: (req, res) => {
+    console.log(req.method, req.url);
+  },
+  ...auth0,
+  ...fileRoutes,
+  ...sqlite
+};

package/test_api.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# Configuration
+PORT=3001
+BASE_URL="https://127.0.0.1:$PORT"
+DB_FILE="data.db"
+TEST_USER="testuser"
+TEST_TOKEN="test_token_12345"
+TEST_KEY="test_key"
+TEST_VALUE="test_value"
+SERVER_PID=""
+
+# Helper function to run sqlite commands
+run_sqlite() {
+  sqlite3 "$DB_FILE" "$1"
+}
+
+# Cleanup function to kill server and remove test data
+cleanup() {
+  echo ""
+  echo "--- Cleanup ---"
+  
+  if [ -n "$SERVER_PID" ]; then
+    echo "Stopping server (PID: $SERVER_PID)..."
+    kill "$SERVER_PID" 2>/dev/null
+  fi
+
+  echo "Removing test data..."
+  run_sqlite "DELETE FROM users WHERE id = 'test_id';"
+  # run_sqlite "DELETE FROM kv WHERE key = '$TEST_USER:$TEST_KEY';"
+  
+  rm -f server.log
+  echo "Done."
+}
+
+# Register cleanup to run on script exit (success or failure)
+trap cleanup EXIT
+
+# 1. Start the Server
+echo "--- Setup ---"
+echo "Starting Instaserve on port $PORT..."
+# Start server in background, directing output to log
+./instaserve -api ./routes-full.js -secure -port "$PORT" > server.log 2>&1 &
+SERVER_PID=$!
+echo "Server process ID: $SERVER_PID"
+
+# Wait for server to be ready
+echo "Waiting for server to start..."
+MAX_RETRIES=10
+COUNT=0
+STARTED=false
+
+while [ $COUNT -lt $MAX_RETRIES ]; do
+  if grep -q "started on:" server.log; then
+    STARTED=true
+    break
+  fi
+  sleep 1
+  ((COUNT++))
+  echo -n "."
+done
+echo ""
+
+if [ "$STARTED" = false ]; then
+  echo "FAIL: Server failed to start within timeout."
+  echo "Server Log:"
+  cat server.log
+  exit 1
+fi
+
+echo "Server is running!"
+
+# 2. Insert Test User
+echo "Setting up test user in database..."
+# Ensure tables exist (the server creation might race with this if it's the very first run, 
+# but server is confirmed started above, so tables should be there)
+run_sqlite "INSERT OR REPLACE INTO users (id, username, token, name, email) VALUES ('test_id', '$TEST_USER', '$TEST_TOKEN', 'Test User', 'test@example.com');"
+
+
+# 3. Validation Tests
+echo ""
+echo "--- Running Tests ---"
+
+# Test 1: Unauthenticated Access
+echo "- Testing unauthenticated access to /api (Expect 401)..."
+HTTP_CODE=$(curl -k -s -o /dev/null -w "%{http_code}" "$BASE_URL/api")
+if [ "$HTTP_CODE" == "401" ]; then
+  echo "  ✅ PASS"
+else
+  echo "  ❌ FAIL: Returned $HTTP_CODE"
+fi
+
+# Test 2: POST /api (Set Key)
+echo "- Testing POST /api (Set Key)..."
+RESPONSE=$(curl -k -s -X POST "$BASE_URL/api" \
+  -H "Cookie: token=$TEST_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"key\": \"$TEST_KEY\", \"value\": \"$TEST_VALUE\"}")
+
+if [[ "$RESPONSE" == *"$TEST_VALUE"* ]]; then
+  echo "  ✅ PASS: $RESPONSE"
+else
+  echo "  ❌ FAIL: $RESPONSE"
+fi
+
+# Test 3: GET /api (Get Value)
+echo "- Testing GET /api (Get Key)..."
+RESPONSE=$(curl -k -s -G "$BASE_URL/api" \
+  -H "Cookie: token=$TEST_TOKEN" \
+  --data-urlencode "key=$TEST_KEY")
+
+if [[ "$RESPONSE" == *"$TEST_VALUE"* ]]; then
+  echo "  ✅ PASS: $RESPONSE"
+else
+  echo "  ❌ FAIL: $RESPONSE"
+fi
+
+# Test 4: GET /all (List Keys)
+echo "- Testing GET /all..."
+RESPONSE=$(curl -k -s "$BASE_URL/all" \
+  -H "Cookie: token=$TEST_TOKEN")
+
+if [[ "$RESPONSE" == *"$TEST_KEY"* ]]; then
+  echo "  ✅ PASS: Found key in list"
+else
+  echo "  ❌ FAIL: $RESPONSE"
+fi
+
+# 6. Test Authenticated Access (DELETE /api) - Delete Key
+echo "- Testing DELETE /api..."
+RESPONSE=$(curl -k -s -X DELETE "$BASE_URL/api" \
+  -H "Cookie: token=$TEST_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"key\": \"$TEST_KEY\"}")
+
+if [[ "$RESPONSE" == *"deleted"* ]]; then
+  echo "  ✅ PASS: $RESPONSE"
+else
+  echo "  ❌ FAIL: $RESPONSE"
+fi
+
+# 7. Test Login Redirect
+echo "- Testing GET /login (Expect 302 Redirect to Auth0)..."
+LOGIN_HTTP_CODE=$(curl -k -s -o /dev/null -w "%{http_code}" "$BASE_URL/login")
+if [ "$LOGIN_HTTP_CODE" == "302" ]; then
+  echo "  ✅ PASS"
+else
+  echo "  ❌ FAIL: Returned $LOGIN_HTTP_CODE"
+fi
+
+# 8. Test Logout
+echo "- Testing GET /logout (Expect 302 Redirect)..."
+# Use -D - to dump headers, -o /dev/null to discard body
+LOGOUT_HEADERS=$(curl -k -s -D - -o /dev/null "$BASE_URL/logout" -H "Cookie: token=$TEST_TOKEN")
+
+if echo "$LOGOUT_HEADERS" | grep -q "302 Found"; then
+  echo "  ✅ PASS: Redirect confirmed"
+else
+  echo "  ❌ FAIL: No redirect found in headers"
+  echo "$LOGOUT_HEADERS"
+fi
+
+echo "- Verifying token invalidation (Expect 401 on /api)..."
+# Reuse TEST_TOKEN which should now be invalidated in DB
+HTTP_CODE=$(curl -k -s -o /dev/null -w "%{http_code}" "$BASE_URL/api" -H "Cookie: token=$TEST_TOKEN")
+if [ "$HTTP_CODE" == "401" ]; then
+  echo "  ✅ PASS: Token no longer accepted"
+else
+  echo "  ❌ FAIL: Token still valid (Returned $HTTP_CODE)"
+fi