millas 0.2.5 → 0.2.6

package/src/admin/AdminAuth.js

@@ -0,0 +1,281 @@
+'use strict';
+
+const crypto = require('crypto');
+const bcrypt = require('bcryptjs');
+
+/**
+ * AdminAuth
+ *
+ * Handles authentication for the Millas admin panel.
+ *
+ * Uses a signed, httpOnly cookie for sessions — no express-session
+ * or database required. The cookie payload is HMAC-signed with
+ * APP_KEY so it cannot be forged.
+ *
+ * Configuration (in Admin.configure or config/admin.js):
+ *
+ *   Admin.configure({
+ *     auth: {
+ *       // Static user list — good for simple setups
+ *       users: [
+ *         { email: 'admin@example.com', password: 'plain-or-bcrypt-hash', name: 'Admin' },
+ *       ],
+ *
+ *       // OR: use a Model — any model with email + password fields
+ *       model: UserModel,
+ *
+ *       // Cookie settings
+ *       cookieName:  'millas_admin',   // default
+ *       cookieMaxAge: 60 * 60 * 8,     // 8 hours (seconds), default
+ *       rememberAge:  60 * 60 * 24 * 30, // 30 days when "remember me" checked
+ *
+ *       // Rate limiting (per IP)
+ *       maxAttempts: 5,
+ *       lockoutMinutes: 15,
+ *     }
+ *   });
+ *
+ * Disable auth entirely:
+ *   Admin.configure({ auth: false });
+ */
+class AdminAuth {
+  constructor() {
+    this._config = null;
+  }
+
+  configure(authConfig) {
+    if (authConfig === false) {
+      this._config = false;
+      return;
+    }
+
+    this._config = {
+      users:          [],
+      model:          null,
+      cookieName:     'millas_admin',
+      cookieMaxAge:   60 * 60 * 8,
+      rememberAge:    60 * 60 * 24 * 30,
+      maxAttempts:    5,
+      lockoutMinutes: 15,
+      ...authConfig,
+    };
+
+    // Rate limit store: Map<ip, { count, lockedUntil }>
+    this._attempts = new Map();
+  }
+
+  /** Returns true if auth is enabled. */
+  get enabled() {
+    return this._config !== null && this._config !== false;
+  }
+
+  // ─── Middleware ────────────────────────────────────────────────────────────
+
+  /**
+   * Express middleware — allows the request through if the admin session
+   * cookie is valid. Redirects to the login page otherwise.
+   */
+  middleware(prefix) {
+    return (req, res, next) => {
+      if (!this.enabled) return next();
+
+      const loginPath = `${prefix}/login`;
+
+      // Always allow login page and logout
+      if (req.path === '/login' || req.path === `${prefix}/login`) return next();
+      if (req.path === '/logout' || req.path === `${prefix}/logout`) return next();
+
+      const user = this._getSession(req);
+      if (!user) {
+        const returnTo = encodeURIComponent(req.originalUrl);
+        return res.redirect(`${loginPath}?next=${returnTo}`);
+      }
+
+      req.adminUser = user;
+      next();
+    };
+  }
+
+  // ─── Login ─────────────────────────────────────────────────────────────────
+
+  /**
+   * Attempt to log in with email + password.
+   * Returns the user object on success, throws on failure.
+   */
+  async login(req, res, { email, password, remember = false }) {
+    if (!this.enabled) return { email: 'admin', name: 'Admin' };
+
+    const ip = req.ip || req.connection?.remoteAddress || 'unknown';
+    this._checkRateLimit(ip);
+
+    const user = await this._findUser(email);
+
+    if (!user || !await this._checkPassword(password, user.password)) {
+      this._recordFailedAttempt(ip);
+      throw new Error('Invalid email or password.');
+    }
+
+    this._clearAttempts(ip);
+
+    const maxAge = remember
+      ? this._config.rememberAge
+      : this._config.cookieMaxAge;
+
+    this._setSession(res, { email: user.email, name: user.name || user.email }, maxAge);
+
+    return user;
+  }
+
+  /** Destroy the admin session cookie. */
+  logout(res) {
+    res.clearCookie(this._config.cookieName, { path: '/' });
+  }
+
+  // ─── Flash (cookie-based) ─────────────────────────────────────────────────
+
+  /** Store a flash message in a short-lived cookie. */
+  setFlash(res, type, message) {
+    const payload = JSON.stringify({ type, message });
+    res.cookie('millas_flash', Buffer.from(payload).toString('base64'), {
+      httpOnly: true,
+      maxAge:   10 * 1000, // 10 seconds — survives exactly one redirect
+      path:     '/',
+      sameSite: 'lax',
+    });
+  }
+
+  /** Read and clear the flash cookie. */
+  getFlash(req, res) {
+    const raw = this._parseCookies(req)['millas_flash'];
+    if (!raw) return {};
+    // Clear it immediately
+    res.clearCookie('millas_flash', { path: '/' });
+    try {
+      const { type, message } = JSON.parse(Buffer.from(raw, 'base64').toString('utf8'));
+      return { [type]: message };
+    } catch { return {}; }
+  }
+
+  // ─── Session internals ────────────────────────────────────────────────────
+
+  _setSession(res, payload, maxAge) {
+    const name = this._config.cookieName;
+    const data = Buffer.from(JSON.stringify(payload)).toString('base64');
+    const sig  = this._sign(data);
+    const value = `${data}.${sig}`;
+
+    res.cookie(name, value, {
+      httpOnly: true,
+      maxAge:   maxAge * 1000,
+      path:     '/',
+      sameSite: 'lax',
+      // secure: true  — uncomment in production behind HTTPS
+    });
+  }
+
+  _getSession(req) {
+    const name  = this._config.cookieName;
+    const raw   = this._parseCookies(req)[name];
+    if (!raw) return null;
+
+    const dot = raw.lastIndexOf('.');
+    if (dot === -1) return null;
+
+    const data = raw.slice(0, dot);
+    const sig  = raw.slice(dot + 1);
+
+    if (sig !== this._sign(data)) return null;
+
+    try {
+      return JSON.parse(Buffer.from(data, 'base64').toString('utf8'));
+    } catch { return null; }
+  }
+
+  _sign(data) {
+    const secret = process.env.APP_KEY || 'millas-admin-secret-change-me';
+    return crypto.createHmac('sha256', secret).update(data).digest('hex').slice(0, 32);
+  }
+
+  _parseCookies(req) {
+    const header = req.headers.cookie || '';
+    const result = {};
+    for (const part of header.split(';')) {
+      const [k, ...v] = part.trim().split('=');
+      if (k) result[k.trim()] = decodeURIComponent(v.join('='));
+    }
+    return result;
+  }
+
+  // ─── User lookup ──────────────────────────────────────────────────────────
+
+  async _findUser(email) {
+    const cfg = this._config;
+    const normalised = (email || '').trim().toLowerCase();
+
+    // Model-based lookup
+    if (cfg.model) {
+      try {
+        return await cfg.model.findBy('email', normalised);
+      } catch { return null; }
+    }
+
+    // Static user list
+    if (cfg.users && cfg.users.length) {
+      return cfg.users.find(u =>
+        (u.email || '').trim().toLowerCase() === normalised
+      ) || null;
+    }
+
+    return null;
+  }
+
+  async _checkPassword(plain, hash) {
+    if (!plain || !hash) return false;
+    // Support both plain-text passwords (dev) and bcrypt hashes (prod)
+    if (hash.startsWith('$2')) {
+      return bcrypt.compare(String(plain), hash);
+    }
+    // Plain text comparison — warn in development
+    if (process.env.NODE_ENV !== 'production') {
+      process.stderr.write(
+        '[millas admin] Warning: using plain-text password. Use a bcrypt hash in production.\n'
+      );
+    }
+    return plain === hash;
+  }
+
+  // ─── Rate limiting ────────────────────────────────────────────────────────
+
+  _checkRateLimit(ip) {
+    const entry = this._attempts?.get(ip);
+    if (!entry) return;
+
+    if (entry.lockedUntil && Date.now() < entry.lockedUntil) {
+      const mins = Math.ceil((entry.lockedUntil - Date.now()) / 60000);
+      throw new Error(`Too many failed attempts. Try again in ${mins} minute${mins > 1 ? 's' : ''}.`);
+    }
+
+    if (entry.lockedUntil && Date.now() >= entry.lockedUntil) {
+      this._attempts.delete(ip);
+    }
+  }
+
+  _recordFailedAttempt(ip) {
+    const entry = this._attempts?.get(ip) || { count: 0, lockedUntil: null };
+    entry.count++;
+    if (entry.count >= (this._config.maxAttempts || 5)) {
+      const mins = this._config.lockoutMinutes || 15;
+      entry.lockedUntil = Date.now() + mins * 60 * 1000;
+    }
+    this._attempts?.set(ip, entry);
+  }
+
+  _clearAttempts(ip) {
+    this._attempts?.delete(ip);
+  }
+}
+
+// Singleton
+const adminAuth = new AdminAuth();
+module.exports = adminAuth;
+module.exports.AdminAuth = AdminAuth;

package/src/admin/index.js

@@ -1,13 +1,18 @@
 'use strict';
 
 const Admin              = require('./Admin');
+const AdminAuth          = require('./AdminAuth');
+const ActivityLog        = require('./ActivityLog');
 const AdminServiceProvider = require('../providers/AdminServiceProvider');
-const { AdminResource, AdminField, AdminFilter } = require('./resources/AdminResource');
+const { AdminResource, AdminField, AdminFilter, AdminInline } = require('./resources/AdminResource');
 
 module.exports = {
   Admin,
+  AdminAuth,
+  ActivityLog,
   AdminResource,
   AdminField,
   AdminFilter,
+  AdminInline,
   AdminServiceProvider,
 };

package/src/admin/resources/AdminResource.js

@@ -41,19 +41,19 @@ class AdminResource {
   /** @type {typeof import('../orm/model/Model')} The Millas Model class */
   static model = null;
 
-  /** Display name (plural) shown in sidebar and page title */
+  /** Display name (plural) */
   static label = null;
 
   /** Singular label */
   static labelSingular = null;
 
-  /** SVG icon id without the ic- prefix e.g. 'users', 'file', 'tag' */
+  /** SVG icon id (without ic- prefix) */
   static icon = 'table';
 
-  /** Records per page */
+  /** Records per page default */
   static perPage = 20;
 
-  /** Columns to search across (SQL LIKE) */
+  /** Columns to search (SQL LIKE) */
   static searchable = [];
 
   /** Columns users can click to sort */
@@ -72,12 +72,69 @@ class AdminResource {
   static canView = true;
 
   /**
-   * Fields that appear on the form as read-only (shown as text, not input).
-   * Useful for system-managed fields like created_at, updated_at, uuid.
+   * Fields shown as read-only (text) on the edit form.
    * @type {string[]}
    */
   static readonlyFields = [];
 
+  /**
+   * Columns in the list view that link to the detail page.
+   * Defaults to the first column if empty.
+   * @type {string[]}
+   */
+  static listDisplayLinks = [];
+
+  /**
+   * Date field for year/month drill-down filter above the list.
+   * e.g. static dateHierarchy = 'created_at'
+   * @type {string|null}
+   */
+  static dateHierarchy = null;
+
+  /**
+   * Auto-fill mappings: { targetField: sourceField }
+   * When the user types in sourceField, targetField is auto-filled (slugified).
+   * e.g. static prepopulatedFields = { slug: 'title' }
+   * @type {object}
+   */
+  static prepopulatedFields = {};
+
+  /**
+   * Custom bulk actions shown in the bulk action bar when rows are selected.
+   * Each entry: { label, icon, handler: async (ids, model) => void }
+   *
+   * @example
+   *   static actions = [
+   *     {
+   *       label:   'Publish selected',
+   *       icon:    'check',
+   *       handler: async (ids, model) => {
+   *         await model.bulkUpdate(ids.map(id => ({ id, published: true })));
+   *       },
+   *     },
+   *   ];
+   */
+  static actions = [];
+
+  /**
+   * Custom per-row actions shown in the action dropdown menu.
+   * Each entry: { label, icon, href: (row) => string }
+   *           OR { label, icon, action: string }  (POST to /admin/:resource/:id/:action)
+   *
+   * @example
+   *   static rowActions = [
+   *     { label: 'Preview', icon: 'eye', href: (row) => `/posts/${row.slug}` },
+   *     { label: 'Publish', icon: 'check', action: 'publish' },
+   *   ];
+   */
+  static rowActions = [];
+
+  /**
+   * Inline related resource classes shown on the detail/edit page.
+   * @type {typeof AdminInline[]}
+   */
+  static inlines = [];
+
   /** URL-safe slug used in routes */
   static get slug() {
     return (this.label || this.model?.name || 'resource')
@@ -85,9 +142,8 @@ class AdminResource {
   }
 
   /**
-   * Define the fields shown in list, detail, and form views.
-   * Use AdminField.tab('Tab Name') to group fields into tabs on the form.
-   * Must return an array of AdminField instances.
+   * Define the fields for list, detail, and form views.
+   * Use AdminField.tab() and AdminField.fieldset() for layout.
    */
   static fields() {
     if (!this.model?.fields) return [];
@@ -96,10 +152,7 @@ class AdminResource {
     );
   }
 
-  /**
-   * Define filter controls shown in the filter panel.
-   * Must return an array of AdminFilter instances.
-   */
+  /** Define filter controls. */
   static filters() {
     return [];
   }
@@ -108,18 +161,15 @@ class AdminResource {
    * Override to customise how records are fetched.
    * Receives { page, perPage, search, sort, order, filters }
    */
-  static async fetchList({ page = 1, perPage, search, sort = 'id', order = 'desc', filters = {} } = {}) {
+  static async fetchList({ page = 1, perPage, search, sort = 'id', order = 'desc', filters = {}, year, month } = {}) {
     const limit  = perPage || this.perPage;
     const offset = (page - 1) * limit;
 
-    // Start from the public query() entry point — works regardless of
-    // whether the ORM changes have been applied or not.
     let qb = this.model.query().orderBy(sort, order);
 
-    // Search — build OR conditions across all searchable columns
+    // Search
     if (search && this.searchable.length) {
-      const searchable = this.searchable; // capture for closure
-      // Use raw knex where group via the underlying _query
+      const searchable = this.searchable;
       qb._query = qb._query.where(function () {
         for (const col of searchable) {
           this.orWhere(col, 'like', `%${search}%`);
@@ -127,14 +177,19 @@ class AdminResource {
       });
     }
 
-    // Filters — support __ lookups (e.g. created_at__gte) as well as plain equality
+    // Filters (supports __ lookups)
     for (const [key, value] of Object.entries(filters)) {
       if (value !== '' && value !== null && value !== undefined) {
         qb.where(key, value);
       }
     }
 
-    // Run count and data fetch in parallel
+    // Date hierarchy drill-down
+    if (this.dateHierarchy) {
+      if (year)  qb.where(`${this.dateHierarchy}__year`, Number(year));
+      if (month) qb.where(`${this.dateHierarchy}__month`, Number(month));
+    }
+
     const [rows, total] = await Promise.all([
       qb._query.clone().limit(limit).offset(offset),
       qb._query.clone().clearSelect().count('* as count').first()
@@ -249,19 +304,30 @@ class AdminField {
 
   /**
    * Tab separator — splits the form into named tabs.
-   * All fields after this marker belong to this tab until the next one.
+   */
+  static tab(label) {
+    const f = new AdminField('__tab__', 'tab');
+    f._label = label;
+    return f;
+  }
+
+  /**
+   * Fieldset separator — visually groups fields within a tab/form section.
+   * Unlike tabs, fieldsets don't switch panels — they just add a heading.
    *
    *   static fields() {
    *     return [
-   *       AdminField.tab('General'),
-   *       AdminField.text('name'),
-   *       AdminField.tab('Settings'),
+   *       AdminField.fieldset('Personal Info'),
+   *       AdminField.text('name').required(),
+   *       AdminField.email('email').required(),
+   *       AdminField.fieldset('Account Settings'),
+   *       AdminField.select('role', ['admin','user']),
    *       AdminField.boolean('active'),
    *     ];
    *   }
    */
-  static tab(label) {
-    const f = new AdminField('__tab__', 'tab');
+  static fieldset(label) {
+    const f = new AdminField('__fieldset__', 'fieldset');
     f._label = label;
     return f;
   }
@@ -284,8 +350,13 @@ class AdminField {
   help(h)            { this._help = h;             return this; }
   min(n)             { this._min = n;              return this; }
   max(n)             { this._max = n;              return this; }
-  /** Assign this field to a named tab (alternative to using tab() separators). */
   inTab(name)        { this._tab = name;           return this; }
+  /** Make this column link to the detail page in the list view. */
+  link()             { this._isLink = true;        return this; }
+  /** Auto-fill this field by slugifying another field as the user types.
+   *  e.g. AdminField.text('slug').prepopulate('title')
+   */
+  prepopulate(src)   { this._prepopulate = src;    return this; }
 
   // ─── Serialise ─────────────────────────────────────────────────────────────
 
@@ -308,6 +379,8 @@ class AdminField {
       span:        this._span,
       min:         this._min,
       max:         this._max,
+      isLink:      this._isLink      || false,
+      prepopulate: this._prepopulate || null,
     };
   }
 
@@ -372,4 +445,82 @@ class AdminFilter {
   }
 }
 
-module.exports = { AdminResource, AdminField, AdminFilter };
+// ── AdminInline ───────────────────────────────────────────────────────────────
+
+/**
+ * AdminInline
+ *
+ * Displays related records inline on the detail/edit page of a parent resource.
+ * Similar to Django's TabularInline / StackedInline.
+ *
+ * Usage in a parent resource:
+ *
+ *   class PostResource extends AdminResource {
+ *     static inlines = [
+ *       new AdminInline({
+ *         model:      Comment,
+ *         label:      'Comments',
+ *         foreignKey: 'post_id',
+ *         fields:     ['id', 'author', 'body', 'created_at'],
+ *         canCreate:  true,
+ *         canDelete:  true,
+ *         perPage:    10,
+ *       }),
+ *     ];
+ *   }
+ */
+class AdminInline {
+  /**
+   * @param {object} options
+   * @param {class}    options.model       — Millas Model class
+   * @param {string}   options.label       — display label (plural)
+   * @param {string}   options.foreignKey  — FK column on the related table
+   * @param {string[]} [options.fields]    — which columns to show (default: all)
+   * @param {boolean}  [options.canCreate] — show add row button (default: false)
+   * @param {boolean}  [options.canDelete] — show delete button (default: false)
+   * @param {number}   [options.perPage]   — max rows shown (default: 10)
+   */
+  constructor({ model, label, foreignKey, fields = [], canCreate = false, canDelete = false, perPage = 10 }) {
+    this.model      = model;
+    this.label      = label || (model?.name ? model.name + 's' : 'Related');
+    this.foreignKey = foreignKey;
+    this.fields     = fields;
+    this.canCreate  = canCreate;
+    this.canDelete  = canDelete;
+    this.perPage    = perPage;
+  }
+
+  /** Fetch related rows for a given parent id. */
+  async fetchRows(parentId) {
+    if (!this.model || !this.foreignKey) return [];
+    try {
+      const rows = await this.model.query()
+        .where(this.foreignKey, parentId)
+        .limit(this.perPage)
+        .get();
+      return rows.map(r => r.toJSON ? r.toJSON() : r);
+    } catch { return []; }
+  }
+
+  /** Serialise to plain object for template rendering. */
+  toJSON() {
+    const modelFields = this.model?.fields || {};
+    const displayFields = this.fields.length
+      ? this.fields
+      : Object.keys(modelFields).slice(0, 6);
+
+    return {
+      label:      this.label,
+      foreignKey: this.foreignKey,
+      canCreate:  this.canCreate,
+      canDelete:  this.canDelete,
+      fields:     displayFields.map(name => ({
+        name,
+        label: name.replace(/_/g, ' ').replace(/\b\w/g, c => c.toUpperCase()),
+        type:  modelFields[name]?.type || 'text',
+      })),
+    };
+  }
+}
+
+module.exports = { AdminResource, AdminField, AdminFilter, AdminInline };

package/src/admin/views/layouts/base.njk

@@ -200,6 +200,27 @@
       color: var(--text-xmuted);
     }
 
+    /* ── User row ── */
+    .user-row {
+      display: flex; align-items: center; gap: 9px;
+    }
+    .user-avatar {
+      width: 30px; height: 30px; border-radius: 8px;
+      background: var(--primary-dim); color: var(--primary);
+      display: flex; align-items: center; justify-content: center;
+      font-size: 13px; font-weight: 700; flex-shrink: 0;
+    }
+    .user-info { flex: 1; min-width: 0; }
+    .user-name  { font-size: 12.5px; font-weight: 600; color: var(--text-soft); }
+    .user-email { font-size: 11px; color: var(--text-muted); }
+    .logout-btn {
+      flex-shrink: 0; padding: 5px;
+      border-radius: 5px; color: var(--text-muted);
+      display: flex; align-items: center;
+      transition: background .1s, color .1s;
+    }
+    .logout-btn:hover { background: var(--surface3); color: var(--danger); }
+
     /* ════════════════════════════════════════
        MAIN AREA
        ════════════════════════════════════════ */
@@ -933,7 +954,23 @@
     {% endif %}
 
     <div class="sidebar-footer">
-      <div class="sidebar-version flex items-center gap-1">
+      {% if authEnabled and adminUser %}
+      <div class="user-row">
+        <div class="user-avatar">{{ (adminUser.name or adminUser.email or 'A')[0] | upper }}</div>
+        <div class="user-info">
+          <div class="user-name truncate">{{ adminUser.name or adminUser.email }}</div>
+          {% if adminUser.name %}<div class="user-email truncate">{{ adminUser.email }}</div>{% endif %}
+        </div>
+        <a href="{{ adminPrefix }}/logout" class="logout-btn" title="Sign out">
+          <svg viewBox="0 0 24 24" width="15" height="15" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+            <path d="M9 21H5a2 2 0 01-2-2V5a2 2 0 012-2h4"/>
+            <polyline points="16 17 21 12 16 7"/>
+            <line x1="21" y1="12" x2="9" y2="12"/>
+          </svg>
+        </a>
+      </div>
+      {% endif %}
+      <div class="sidebar-version flex items-center gap-1" style="{% if authEnabled and adminUser %}margin-top:10px;padding-top:10px;border-top:1px solid var(--border-soft);{% endif %}">
         <span class="icon icon-12" style="color:var(--text-xmuted)"><svg viewBox="0 0 24 24"><use href="#ic-activity"/></svg></span>
         Millas v0.1.2
       </div>