mantenimento-app 2.2.9 → 2.3.2

package/scripts/auth-url-check.mjs

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+/**
+ * auth-url-check.mjs
+ *
+ * Validates the full autologin URL-login pipeline end-to-end:
+ *   1. Calls /api/auth/url-login/start  (generates token on server)
+ *   2. Calls /api/auth/url-login/exchange  (redeems token for session)
+ *   3. Reports ok / error with details
+ *
+ * Usage:
+ *   node scripts/auth-url-check.mjs \
+ *     --backendUrl=https://mantenimento-app.onrender.com \
+ *     --bootstrapKey=<BOOTSTRAP_KEY> \
+ *     [--sub=favagit] [--verbose]
+ *
+ * Env vars (used as fallback if CLI args are absent):
+ *   AUTH_URL_LOGIN_BOOTSTRAP_KEY
+ *   AUTH_URL_LOGIN_BACKEND_URL   (defaults to http://localhost:3001)
+ *   AUTH_URL_LOGIN_ALLOWED_USER  (first in comma-separated list used as default sub)
+ */
+
+import { readFileSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+// ── Load .env from project root (best-effort, no hard dep on dotenv) ──────────
+const __dir = dirname(fileURLToPath(import.meta.url));
+const envPath = resolve(__dir, '..', '.env');
+try {
+  const envContent = readFileSync(envPath, 'utf8');
+  for (const line of envContent.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx < 1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const raw = trimmed.slice(eqIdx + 1).trim();
+    const val = raw.replace(/^['"]|['"]$/g, '');
+    if (!(key in process.env)) process.env[key] = val;
+  }
+} catch {
+  // .env not found — ok, rely on environment
+}
+
+// ── CLI args ──────────────────────────────────────────────────────────────────
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((a) => a.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+const hasFlag = (name) => args.includes(`--${name}`);
+
+const backendUrl = (
+  getArg('backendUrl',
+    process.env.AUTH_URL_LOGIN_BACKEND_URL || 'http://localhost:3001'
+  )
+).replace(/\/$/, '');
+
+const bootstrapKey = getArg(
+  'bootstrapKey',
+  process.env.AUTH_URL_LOGIN_BOOTSTRAP_KEY || ''
+);
+
+const defaultSub = (process.env.AUTH_URL_LOGIN_ALLOWED_USER || 'favagit')
+  .split(',')[0].trim();
+const sub = getArg('sub', defaultSub);
+const verbose = hasFlag('verbose');
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+const ok  = (msg) => console.log(`  \x1b[32m✓\x1b[0m  ${msg}`);
+const err = (msg) => console.log(`  \x1b[31m✗\x1b[0m  ${msg}`);
+const inf = (msg) => verbose && console.log(`  \x1b[90m→  ${msg}\x1b[0m`);
+
+// ── Pre-flight checks ─────────────────────────────────────────────────────────
+console.log('\n\x1b[1mauth:url-check\x1b[0m — autologin pipeline validation');
+console.log('─'.repeat(50));
+console.log(`  backend : ${backendUrl}`);
+console.log(`  subject : ${sub}`);
+console.log('─'.repeat(50));
+
+let exitCode = 0;
+
+if (!bootstrapKey) {
+  err('AUTH_URL_LOGIN_BOOTSTRAP_KEY is not set (--bootstrapKey= or env var)');
+  process.exit(1);
+}
+
+// ── Step 1: generate token via /start ─────────────────────────────────────────
+let loginUrl = '';
+let authToken = '';
+
+try {
+  const startUrl = `${backendUrl}/api/auth/url-login/start?k=${encodeURIComponent(bootstrapKey)}&sub=${encodeURIComponent(sub)}&format=json`;
+  inf(`GET ${startUrl.replace(bootstrapKey, '<BOOTSTRAP_KEY>')}`);
+
+  const res = await fetch(startUrl);
+  const body = await res.json().catch(() => null);
+
+  if (!res.ok || !body?.ok) {
+    err(`/start returned ${res.status}: ${JSON.stringify(body)}`);
+    process.exit(1);
+  }
+
+  loginUrl = body.url || '';
+  ok(`/api/auth/url-login/start → ${res.status} ok`);
+  inf(`returned url: ${loginUrl}`);
+
+  // Extract authToken from returned URL
+  const urlObj = new URL(loginUrl);
+  authToken = urlObj.searchParams.get('authToken') || '';
+  if (!authToken) {
+    // Try hash fragment
+    const hash = urlObj.hash.slice(1);
+    authToken = new URLSearchParams(hash).get('authToken') || '';
+  }
+
+  if (!authToken) {
+    err('authToken not found in the URL returned by /start');
+    process.exit(1);
+  }
+  ok(`authToken extracted (${authToken.length} chars)`);
+} catch (e) {
+  err(`/start request failed: ${e.message}`);
+  process.exit(1);
+}
+
+// ── Step 2: exchange token via /exchange ─────────────────────────────────────
+try {
+  const exchangeUrl = `${backendUrl}/api/auth/url-login/exchange`;
+  inf(`POST ${exchangeUrl}  token length=${authToken.length}`);
+
+  const res = await fetch(exchangeUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ token: authToken }),
+  });
+
+  const body = await res.json().catch(() => null);
+
+  if (!res.ok || !body?.ok) {
+    err(`/exchange returned ${res.status}: ${JSON.stringify(body)}`);
+    exitCode = 1;
+  } else {
+    const email = body.session?.user?.email || body.user?.email || '(unknown)';
+    ok(`/api/auth/url-login/exchange → ${res.status} ok`);
+    ok(`Logged in as: ${email}`);
+    if (verbose && body.session?.access_token) {
+      inf(`access_token (first 32): ${body.session.access_token.slice(0, 32)}...`);
+    }
+  }
+} catch (e) {
+  err(`/exchange request failed: ${e.message}`);
+  exitCode = 1;
+}
+
+// ── Summary ───────────────────────────────────────────────────────────────────
+console.log('─'.repeat(50));
+if (exitCode === 0) {
+  console.log('\x1b[32m\x1b[1m  PASSED\x1b[0m — autologin pipeline is functional');
+  console.log(`\n  Share this link (valid for ~120 s):\n  ${loginUrl}\n`);
+} else {
+  console.log('\x1b[31m\x1b[1m  FAILED\x1b[0m — see errors above');
+}
+console.log();
+process.exit(exitCode);

package/scripts/create-url-login-token.mjs

@@ -0,0 +1,52 @@
+#!/usr/bin/env node
+import crypto from 'crypto';
+
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((arg) => arg.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+
+const secret = String(getArg('secret', process.env.AUTH_URL_LOGIN_SECRET || '')).trim();
+const subject = String(getArg('sub', process.env.AUTH_URL_LOGIN_ALLOWED_USER || 'favagit')).trim().toLowerCase();
+const ttlSecRaw = Number(getArg('ttl', process.env.AUTH_URL_LOGIN_TTL_SEC || '120'));
+const ttlSec = Number.isFinite(ttlSecRaw) ? Math.max(30, Math.min(180, Math.floor(ttlSecRaw))) : 120;
+const baseUrl = String(getArg('baseUrl', 'https://favagit.github.io/mantenimento-app/')).trim();
+
+if (!secret) {
+  console.error('Missing AUTH_URL_LOGIN_SECRET (env or --secret=...).');
+  process.exit(1);
+}
+if (!subject) {
+  console.error('Missing subject (--sub=...).');
+  process.exit(1);
+}
+
+const toBase64Url = (value) => Buffer.from(value)
+  .toString('base64')
+  .replace(/\+/g, '-')
+  .replace(/\//g, '_')
+  .replace(/=+$/g, '');
+
+const now = Math.floor(Date.now() / 1000);
+const payload = {
+  sub: subject,
+  aud: 'url-login',
+  iat: now,
+  exp: now + ttlSec,
+  jti: typeof crypto.randomUUID === 'function'
+    ? crypto.randomUUID()
+    : crypto.randomBytes(16).toString('hex')
+};
+
+const payloadPart = toBase64Url(JSON.stringify(payload));
+const signatureHex = crypto.createHmac('sha256', secret).update(payloadPart).digest('hex');
+const signaturePart = toBase64Url(Buffer.from(signatureHex, 'hex'));
+const token = `${payloadPart}.${signaturePart}`;
+
+const joiner = baseUrl.includes('?') ? '&' : '?';
+const url = `${baseUrl}${joiner}autologin=1&authToken=${encodeURIComponent(token)}`;
+
+console.log('token:', token);
+console.log('url  :', url);

package/scripts/manage-donor-users.mjs

@@ -0,0 +1,229 @@
+#!/usr/bin/env node
+import fs from 'fs';
+import path from 'path';
+
+function loadDotEnvFromWorkspaceRoot() {
+  try {
+    const root = process.cwd();
+    const envPath = path.join(root, '.env');
+    if (!fs.existsSync(envPath)) return;
+
+    const content = fs.readFileSync(envPath, 'utf8');
+    const lines = String(content || '').split(/\r?\n/);
+    for (const line of lines) {
+      const trimmed = String(line || '').trim();
+      if (!trimmed || trimmed.startsWith('#')) continue;
+      const idx = trimmed.indexOf('=');
+      if (idx <= 0) continue;
+      const key = trimmed.slice(0, idx).trim();
+      const value = trimmed.slice(idx + 1).trim().replace(/^['"]|['"]$/g, '');
+      if (!key || process.env[key] != null) continue;
+      process.env[key] = value;
+    }
+  } catch (_) {
+    // best effort only
+  }
+}
+
+loadDotEnvFromWorkspaceRoot();
+
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((arg) => arg.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+const hasFlag = (name) => args.includes(`--${name}`);
+
+const mode = String(getArg('mode', '') || '').trim().toLowerCase();
+const usernamesRaw = String(getArg('users', '') || '').trim();
+const emailsRaw = String(getArg('emails', '') || '').trim();
+const dryRun = hasFlag('dry-run');
+
+const supabaseUrl = String(process.env.DONOR_ADMIN_SUPABASE_URL || process.env.AUTH_URL_LOGIN_SUPABASE_URL || '').trim().replace(/\/+$/, '');
+const serviceRoleKey = String(process.env.DONOR_ADMIN_SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_SERVICE_ROLE_KEY || '').trim();
+
+function fail(message) {
+  console.error(message);
+  process.exit(1);
+}
+
+function parseCsv(value) {
+  return String(value || '')
+    .split(',')
+    .map((v) => v.trim().toLowerCase())
+    .filter(Boolean);
+}
+
+function usage() {
+  console.log([
+    'Usage:',
+    '  node scripts/manage-donor-users.mjs --mode=grant --users=favagit,fabio.vacchino',
+    '  node scripts/manage-donor-users.mjs --mode=revoke --users=favagit',
+    '  node scripts/manage-donor-users.mjs --mode=grant --emails=user1@example.com,user2@example.com',
+    '',
+    'Options:',
+    '  --mode=grant|revoke      Required',
+    '  --users=a,b,c            Comma-separated username local parts (email before @)',
+    '  --emails=a@x.com,b@y.it  Comma-separated full emails',
+    '  --dry-run                Print actions without writing changes',
+    '',
+    'Environment variables:',
+    '  DONOR_ADMIN_SUPABASE_URL',
+    '  DONOR_ADMIN_SUPABASE_SERVICE_ROLE_KEY'
+  ].join('\n'));
+}
+
+if (!mode || !['grant', 'revoke'].includes(mode)) {
+  usage();
+  fail('\nMissing or invalid --mode. Use grant or revoke.');
+}
+
+const targetUsers = new Set(parseCsv(usernamesRaw));
+const targetEmails = new Set(parseCsv(emailsRaw));
+if (!targetUsers.size && !targetEmails.size) {
+  usage();
+  fail('\nSpecify at least one target via --users or --emails.');
+}
+
+if (!supabaseUrl) {
+  fail('Missing DONOR_ADMIN_SUPABASE_URL (or AUTH_URL_LOGIN_SUPABASE_URL).');
+}
+if (!serviceRoleKey) {
+  fail('Missing DONOR_ADMIN_SUPABASE_SERVICE_ROLE_KEY (or SUPABASE_SERVICE_ROLE_KEY).');
+}
+
+const headers = {
+  apikey: serviceRoleKey,
+  Authorization: `Bearer ${serviceRoleKey}`,
+  'Content-Type': 'application/json'
+};
+
+async function fetchJson(url, options = {}) {
+  const res = await fetch(url, options);
+  const body = await res.json().catch(() => ({}));
+  return { ok: res.ok, status: res.status, body };
+}
+
+async function listAllUsers() {
+  const out = [];
+  let page = 1;
+  while (true) {
+    const url = `${supabaseUrl}/auth/v1/admin/users?page=${page}&per_page=1000`;
+    const response = await fetchJson(url, { headers });
+    if (!response.ok) {
+      const err = String(response.body?.msg || response.body?.error || `HTTP ${response.status}`);
+      fail(`Cannot list users: ${err}`);
+    }
+
+    const users = Array.isArray(response.body?.users) ? response.body.users : [];
+    out.push(...users);
+    if (!users.length || users.length < 1000) break;
+    page += 1;
+  }
+  return out;
+}
+
+function emailLocalPart(email) {
+  return String(email || '').trim().toLowerCase().split('@')[0] || '';
+}
+
+function shouldTargetUser(user) {
+  const email = String(user?.email || '').trim().toLowerCase();
+  const local = emailLocalPart(email);
+  if (targetEmails.has(email)) return true;
+  if (targetUsers.has(local)) return true;
+  return false;
+}
+
+function truthy(value) {
+  if (value === true || value === 1) return true;
+  const normalized = String(value || '').trim().toLowerCase();
+  return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on';
+}
+
+function patchUserMetadata(existingMeta, selectedMode) {
+  const next = { ...(existingMeta && typeof existingMeta === 'object' ? existingMeta : {}) };
+  if (selectedMode === 'grant') {
+    next.is_donor = true;
+    next.role = 'donor';
+    return next;
+  }
+
+  delete next.is_donor;
+  delete next.isDonor;
+  delete next.premium;
+  if (String(next.role || '').trim().toLowerCase() === 'donor') {
+    delete next.role;
+  }
+  return next;
+}
+
+function isAlreadyAligned(existingMeta, selectedMode) {
+  const meta = existingMeta && typeof existingMeta === 'object' ? existingMeta : {};
+  if (selectedMode === 'grant') {
+    return truthy(meta.is_donor) && String(meta.role || '').trim().toLowerCase() === 'donor';
+  }
+
+  return !truthy(meta.is_donor)
+    && !truthy(meta.isDonor)
+    && !truthy(meta.premium)
+    && String(meta.role || '').trim().toLowerCase() !== 'donor';
+}
+
+async function updateUserMetadata(userId, nextMeta) {
+  const url = `${supabaseUrl}/auth/v1/admin/users/${encodeURIComponent(userId)}`;
+  const response = await fetchJson(url, {
+    method: 'PUT',
+    headers,
+    body: JSON.stringify({ user_metadata: nextMeta })
+  });
+
+  if (!response.ok) {
+    const err = String(response.body?.msg || response.body?.error || `HTTP ${response.status}`);
+    throw new Error(err);
+  }
+}
+
+(async () => {
+  const allUsers = await listAllUsers();
+  const targets = allUsers.filter(shouldTargetUser);
+
+  if (!targets.length) {
+    console.log('No matching users found.');
+    process.exit(0);
+  }
+
+  let changed = 0;
+  let skipped = 0;
+
+  for (const user of targets) {
+    const email = String(user?.email || '').trim().toLowerCase();
+    const userId = String(user?.id || '').trim();
+    const currentMeta = user?.user_metadata && typeof user.user_metadata === 'object' ? user.user_metadata : {};
+
+    if (!userId || !email) {
+      skipped += 1;
+      continue;
+    }
+
+    if (isAlreadyAligned(currentMeta, mode)) {
+      console.log(`[skip] ${email} already aligned for mode=${mode}`);
+      skipped += 1;
+      continue;
+    }
+
+    const nextMeta = patchUserMetadata(currentMeta, mode);
+    if (dryRun) {
+      console.log(`[dry-run] would ${mode} donor for ${email}`);
+      changed += 1;
+      continue;
+    }
+
+    await updateUserMetadata(userId, nextMeta);
+    console.log(`[ok] ${mode} donor for ${email}`);
+    changed += 1;
+  }
+
+  console.log(`Done. targets=${targets.length} changed=${changed} skipped=${skipped} dryRun=${dryRun}`);
+})();

package/scripts/sql/grant-donor.sql

@@ -0,0 +1,22 @@
+-- Grant donor/premium entitlement globally (server-side) to selected users.
+-- Usage in Supabase SQL Editor:
+--   1) Edit the usernames/emails in the WHERE clause.
+--   2) Run the script.
+
+update auth.users
+set raw_user_meta_data =
+  coalesce(raw_user_meta_data, '{}'::jsonb)
+  || jsonb_build_object(
+    'is_donor', true,
+    'role', 'donor'
+  )
+where lower(split_part(email, '@', 1)) in ('favagit', 'fabio.vacchino');
+
+-- Verification
+select
+  id,
+  email,
+  raw_user_meta_data->>'is_donor' as is_donor,
+  raw_user_meta_data->>'role' as role
+from auth.users
+where lower(split_part(email, '@', 1)) in ('favagit', 'fabio.vacchino');

package/scripts/sql/revoke-donor.sql

@@ -0,0 +1,19 @@
+-- Revoke donor/premium entitlement globally (server-side) from selected users.
+-- Usage in Supabase SQL Editor:
+--   1) Edit the usernames/emails in the WHERE clause.
+--   2) Run the script.
+
+update auth.users
+set raw_user_meta_data =
+  (coalesce(raw_user_meta_data, '{}'::jsonb) - 'is_donor' - 'isDonor' - 'premium' - 'role')
+where lower(split_part(email, '@', 1)) in ('favagit', 'fabio.vacchino');
+
+-- Verification
+select
+  id,
+  email,
+  raw_user_meta_data->>'is_donor' as is_donor,
+  raw_user_meta_data->>'role' as role,
+  raw_user_meta_data->>'premium' as premium
+from auth.users
+where lower(split_part(email, '@', 1)) in ('favagit', 'fabio.vacchino');