npm - myaidev-method - Versions diffs - 0.2.8 → 0.2.9 - Mend

myaidev-method 0.2.8 → 0.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/.claude/agents/wordpress-admin.md +271 -0
package/.env.example +0 -1
package/PACKAGE_FIXES_SUMMARY.md +319 -0
package/PAYLOADCMS_AUTH_UPDATE.md +248 -0
package/USER_GUIDE.md +260 -0
package/bin/cli.js +36 -0
package/dist/server/.tsbuildinfo +1 -0
package/dist/server/auth/controllers/AuthController.d.ts +34 -0
package/dist/server/auth/controllers/AuthController.d.ts.map +1 -0
package/dist/server/auth/controllers/AuthController.js +43 -0
package/dist/server/auth/controllers/AuthController.js.map +1 -0
package/dist/server/auth/example-usage.d.ts +53 -0
package/dist/server/auth/example-usage.d.ts.map +1 -0
package/dist/server/auth/example-usage.js +129 -0
package/dist/server/auth/example-usage.js.map +1 -0
package/dist/server/auth/index.d.ts +11 -0
package/dist/server/auth/index.d.ts.map +1 -0
package/dist/server/auth/index.js +15 -0
package/dist/server/auth/index.js.map +1 -0
package/dist/server/auth/layers.d.ts +19 -0
package/dist/server/auth/layers.d.ts.map +1 -0
package/dist/server/auth/layers.js +33 -0
package/dist/server/auth/layers.js.map +1 -0
package/dist/server/auth/middleware/authMiddleware.d.ts +24 -0
package/dist/server/auth/middleware/authMiddleware.d.ts.map +1 -0
package/dist/server/auth/middleware/authMiddleware.js +65 -0
package/dist/server/auth/middleware/authMiddleware.js.map +1 -0
package/dist/server/auth/routes/authRoutes.d.ts +11 -0
package/dist/server/auth/routes/authRoutes.d.ts.map +1 -0
package/dist/server/auth/routes/authRoutes.js +213 -0
package/dist/server/auth/routes/authRoutes.js.map +1 -0
package/dist/server/auth/services/AuditLogService.d.ts +21 -0
package/dist/server/auth/services/AuditLogService.d.ts.map +1 -0
package/dist/server/auth/services/AuditLogService.js +28 -0
package/dist/server/auth/services/AuditLogService.js.map +1 -0
package/dist/server/auth/services/AuthService.d.ts +27 -0
package/dist/server/auth/services/AuthService.d.ts.map +1 -0
package/dist/server/auth/services/AuthService.js +246 -0
package/dist/server/auth/services/AuthService.js.map +1 -0
package/dist/server/auth/services/PasswordService.d.ts +12 -0
package/dist/server/auth/services/PasswordService.d.ts.map +1 -0
package/dist/server/auth/services/PasswordService.js +31 -0
package/dist/server/auth/services/PasswordService.js.map +1 -0
package/dist/server/auth/services/SessionRepository.d.ts +24 -0
package/dist/server/auth/services/SessionRepository.d.ts.map +1 -0
package/dist/server/auth/services/SessionRepository.js +101 -0
package/dist/server/auth/services/SessionRepository.js.map +1 -0
package/dist/server/auth/services/TokenService.d.ts +12 -0
package/dist/server/auth/services/TokenService.d.ts.map +1 -0
package/dist/server/auth/services/TokenService.js +86 -0
package/dist/server/auth/services/TokenService.js.map +1 -0
package/dist/server/auth/services/UserRepository.d.ts +23 -0
package/dist/server/auth/services/UserRepository.d.ts.map +1 -0
package/dist/server/auth/services/UserRepository.js +168 -0
package/dist/server/auth/services/UserRepository.js.map +1 -0
package/dist/server/auth/services/example.d.ts +26 -0
package/dist/server/auth/services/example.d.ts.map +1 -0
package/dist/server/auth/services/example.js +221 -0
package/dist/server/auth/services/example.js.map +1 -0
package/dist/server/auth/services/index.d.ts +6 -0
package/dist/server/auth/services/index.d.ts.map +1 -0
package/dist/server/auth/services/index.js +7 -0
package/dist/server/auth/services/index.js.map +1 -0
package/dist/server/database/db.d.ts +28 -0
package/dist/server/database/db.d.ts.map +1 -0
package/dist/server/database/db.js +91 -0
package/dist/server/database/db.js.map +1 -0
package/dist/server/database/schema.sql +95 -0
package/dist/server/hono/app.d.ts +10 -0
package/dist/server/hono/app.d.ts.map +1 -0
package/dist/server/hono/app.js +26 -0
package/dist/server/hono/app.js.map +1 -0
package/dist/server/hono/routes.d.ts +12 -0
package/dist/server/hono/routes.d.ts.map +1 -0
package/dist/server/hono/routes.js +40 -0
package/dist/server/hono/routes.js.map +1 -0
package/dist/server/main.d.ts +2 -0
package/dist/server/main.d.ts.map +1 -0
package/dist/server/main.js +94 -0
package/dist/server/main.js.map +1 -0
package/dist/server/user-management/DirectoryService.d.ts +62 -0
package/dist/server/user-management/DirectoryService.d.ts.map +1 -0
package/dist/server/user-management/DirectoryService.js +201 -0
package/dist/server/user-management/DirectoryService.js.map +1 -0
package/dist/server/user-management/LinuxUserService.d.ts +71 -0
package/dist/server/user-management/LinuxUserService.d.ts.map +1 -0
package/dist/server/user-management/LinuxUserService.js +192 -0
package/dist/server/user-management/LinuxUserService.js.map +1 -0
package/dist/server/user-management/QuotaService.d.ts +59 -0
package/dist/server/user-management/QuotaService.d.ts.map +1 -0
package/dist/server/user-management/QuotaService.js +148 -0
package/dist/server/user-management/QuotaService.js.map +1 -0
package/dist/server/user-management/UserManagementService.d.ts +74 -0
package/dist/server/user-management/UserManagementService.d.ts.map +1 -0
package/dist/server/user-management/UserManagementService.js +122 -0
package/dist/server/user-management/UserManagementService.js.map +1 -0
package/dist/server/user-management/index.d.ts +26 -0
package/dist/server/user-management/index.d.ts.map +1 -0
package/dist/server/user-management/index.js +26 -0
package/dist/server/user-management/index.js.map +1 -0
package/dist/server/user-management/layers.d.ts +27 -0
package/dist/server/user-management/layers.d.ts.map +1 -0
package/dist/server/user-management/layers.js +37 -0
package/dist/server/user-management/layers.js.map +1 -0
package/dist/shared/types.d.ts +94 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +32 -0
package/dist/shared/types.js.map +1 -0
package/package.json +25 -5
package/src/lib/payloadcms-utils.js +5 -12
package/src/server/auth/ARCHITECTURE.md +575 -0
package/src/server/auth/IMPLEMENTATION_SUMMARY.md +287 -0
package/src/server/auth/QUICK_START.md +283 -0
package/src/server/auth/README.md +290 -0
package/src/server/auth/controllers/AuthController.ts +129 -0
package/src/server/auth/example-usage.ts +159 -0
package/src/server/auth/index.ts +19 -0
package/src/server/auth/layers.ts +57 -0
package/src/server/auth/middleware/authMiddleware.ts +118 -0
package/src/server/auth/routes/authRoutes.ts +319 -0
package/src/server/auth/services/AuditLogService.ts +81 -0
package/src/server/auth/services/AuthService.ts +408 -0
package/src/server/auth/services/IMPLEMENTATION_SUMMARY.md +404 -0
package/src/server/auth/services/PasswordService.ts +85 -0
package/src/server/auth/services/README.md +361 -0
package/src/server/auth/services/SessionRepository.ts +227 -0
package/src/server/auth/services/TokenService.ts +174 -0
package/src/server/auth/services/UserRepository.ts +318 -0
package/src/server/auth/services/example.ts +346 -0
package/src/server/auth/services/index.ts +6 -0
package/src/server/database/db.ts +161 -0
package/src/server/database/schema.sql +95 -0
package/src/server/hono/app.ts +41 -0
package/src/server/main.ts +115 -0
package/src/server/user-management/DirectoryService.ts +348 -0
package/src/server/user-management/LinuxUserService.ts +338 -0
package/src/server/user-management/QuotaService.ts +256 -0
package/src/server/user-management/README.md +333 -0
package/src/server/user-management/UserManagementService.ts +335 -0
package/src/server/user-management/index.ts +26 -0
package/src/server/user-management/layers.ts +51 -0
package/src/shared/types.ts +111 -0
package/src/templates/claude/agents/payloadcms-publish.md +34 -14
package/src/templates/codex/commands/myai-astro-publish.md +8 -2
package/src/templates/codex/commands/myai-content-writer.md +8 -2
package/src/templates/codex/commands/myai-coolify-deploy.md +8 -2
package/src/templates/codex/commands/myai-dev-architect.md +8 -2
package/src/templates/codex/commands/myai-dev-code.md +8 -2
package/src/templates/codex/commands/myai-dev-docs.md +8 -2
package/src/templates/codex/commands/myai-dev-review.md +8 -2
package/src/templates/codex/commands/myai-dev-test.md +8 -2
package/src/templates/codex/commands/myai-docusaurus-publish.md +8 -2
package/src/templates/codex/commands/myai-mintlify-publish.md +8 -2
package/src/templates/codex/commands/myai-payloadcms-publish.md +17 -3
package/src/templates/codex/commands/myai-sparc-workflow.md +8 -2
package/src/templates/codex/commands/myai-wordpress-admin.md +8 -2
package/src/templates/codex/commands/myai-wordpress-publish.md +8 -2

package/src/server/auth/services/AuthService.ts ADDED Viewed

@@ -0,0 +1,408 @@
+import { Context, Effect, Layer } from "effect";
+import {
+  AuthError,
+  DatabaseError,
+  Session,
+  User,
+  ValidationError,
+} from "../../../shared/types.js";
+import { PasswordService } from "./PasswordService.js";
+import { TokenService } from "./TokenService.js";
+import { UserRepository } from "./UserRepository.js";
+import { SessionRepository } from "./SessionRepository.js";
+import { AuditLogService } from "./AuditLogService.js";
+import { UserManagementService } from "../../user-management/UserManagementService.js";
+const MAX_FAILED_ATTEMPTS = 5;
+const LOCKOUT_DURATION_MS = 15 * 60 * 1000; // 15 minutes
+export interface AuthServiceDeps {
+  readonly register: (
+    username: string,
+    email: string,
+    password: string,
+    ipAddress?: string | null,
+    userAgent?: string | null
+  ) => Effect.Effect<User, AuthError | ValidationError | DatabaseError>;
+  readonly login: (
+    email: string,
+    password: string,
+    ipAddress?: string | null,
+    userAgent?: string | null
+  ) => Effect.Effect<
+    { user: User; token: string; session: Session },
+    AuthError | DatabaseError
+  >;
+  readonly logout: (
+    sessionId: string,
+    userId: string
+  ) => Effect.Effect<void, DatabaseError>;
+  readonly verifyToken: (
+    token: string
+  ) => Effect.Effect<{ user: User; session: Session }, AuthError | DatabaseError>;
+}
+export class AuthService extends Context.Tag("AuthService")<
+  AuthService,
+  AuthServiceDeps
+>() {
+  static Live = Layer.effect(
+    this,
+    Effect.gen(function* () {
+      const passwordService = yield* PasswordService;
+      const tokenService = yield* TokenService;
+      const userRepo = yield* UserRepository;
+      const sessionRepo = yield* SessionRepository;
+      const auditLog = yield* AuditLogService;
+      const userManagement = yield* UserManagementService;
+      const sanitizeLinuxUsername = (username: string): string => {
+        // Convert to lowercase, replace non-alphanumeric with underscore
+        let sanitized = username
+          .toLowerCase()
+          .replace(/[^a-z0-9_]/g, "_")
+          .replace(/^[0-9_]+/, "") // Cannot start with number or underscore
+          .slice(0, 32); // Max length for Linux usernames
+        // Ensure it starts with a letter
+        if (!/^[a-z]/.test(sanitized)) {
+          sanitized = "user_" + sanitized;
+        }
+        return sanitized;
+      };
+      const generateUniqueLinuxUsername = (
+        baseUsername: string
+      ): Effect.Effect<string, DatabaseError> =>
+        Effect.gen(function* () {
+          let linuxUsername = sanitizeLinuxUsername(baseUsername);
+          let counter = 0;
+          // Keep trying until we find a unique username
+          while (true) {
+            const existingUser = yield* userRepo.findByUsername(linuxUsername);
+            if (!existingUser) {
+              return linuxUsername;
+            }
+            counter++;
+            const suffix = `_${counter}`;
+            const maxBase = 32 - suffix.length;
+            linuxUsername =
+              sanitizeLinuxUsername(baseUsername).slice(0, maxBase) + suffix;
+          }
+        });
+      const validateEmail = (email: string): Effect.Effect<void, ValidationError> =>
+        Effect.gen(function* () {
+          const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+          if (!emailRegex.test(email)) {
+            return yield* Effect.fail(
+              new ValidationError("email", "Invalid email format")
+            );
+          }
+        });
+      const validateUsername = (
+        username: string
+      ): Effect.Effect<void, ValidationError> =>
+        Effect.gen(function* () {
+          if (username.length < 3) {
+            return yield* Effect.fail(
+              new ValidationError(
+                "username",
+                "Username must be at least 3 characters long"
+              )
+            );
+          }
+          if (username.length > 32) {
+            return yield* Effect.fail(
+              new ValidationError(
+                "username",
+                "Username must be at most 32 characters long"
+              )
+            );
+          }
+          if (!/^[a-zA-Z0-9_]+$/.test(username)) {
+            return yield* Effect.fail(
+              new ValidationError(
+                "username",
+                "Username can only contain letters, numbers, and underscores"
+              )
+            );
+          }
+        });
+      const isAccountLocked = (user: User): boolean => {
+        if (user.failedLoginAttempts < MAX_FAILED_ATTEMPTS) {
+          return false;
+        }
+        // Check if lockout period has expired
+        const now = Date.now();
+        const lockoutExpiry = user.updatedAt + LOCKOUT_DURATION_MS;
+        return now < lockoutExpiry;
+      };
+      const register: AuthServiceDeps["register"] = (
+        username,
+        email,
+        password,
+        ipAddress = null,
+        userAgent = null
+      ) =>
+        Effect.gen(function* () {
+          // Validate inputs
+          yield* validateUsername(username);
+          yield* validateEmail(email);
+          yield* passwordService.validatePasswordStrength(password);
+          // Check if user already exists
+          const existingEmail = yield* userRepo.findByEmail(email);
+          if (existingEmail) {
+            return yield* Effect.fail(
+              new ValidationError("email", "Email already registered")
+            );
+          }
+          const existingUsername = yield* userRepo.findByUsername(username);
+          if (existingUsername) {
+            return yield* Effect.fail(
+              new ValidationError("username", "Username already taken")
+            );
+          }
+          // Hash password
+          const passwordHash = yield* passwordService.hash(password);
+          // Generate unique Linux username
+          const linuxUsername = yield* generateUniqueLinuxUsername(username);
+          // Create user in database
+          const user = yield* userRepo.create({
+            username,
+            email,
+            passwordHash,
+            linuxUsername,
+          });
+          // Create Linux user with home directory and Claude config
+          // This runs in the background and doesn't block registration
+          // If it fails, user can still authenticate but won't have Linux access
+          yield* userManagement
+            .createUser({
+              username: linuxUsername,
+              email,
+              shell: "/bin/rbash", // Restricted bash for security
+              diskQuotaMB: 2048, // 2GB default quota
+            })
+            .pipe(
+              Effect.catchAll((error) => {
+                // Log the error but don't fail registration
+                console.error(
+                  `Failed to create Linux user for ${linuxUsername}:`,
+                  error
+                );
+                return Effect.succeed(void 0);
+              })
+            );
+          // Log audit event
+          yield* auditLog.log({
+            userId: user.id,
+            action: "USER_REGISTERED",
+            resourceType: "user",
+            resourceId: user.id,
+            ipAddress: ipAddress ?? null,
+            userAgent: userAgent ?? null,
+          });
+          return user;
+        });
+      const login: AuthServiceDeps["login"] = (
+        email,
+        password,
+        ipAddress = null,
+        userAgent = null
+      ) =>
+        Effect.gen(function* () {
+          // Find user by email
+          const user = yield* userRepo.findByEmail(email);
+          if (!user) {
+            return yield* Effect.fail(
+              new AuthError("INVALID_CREDENTIALS", "Invalid email or password")
+            );
+          }
+          // Check if account is locked
+          if (isAccountLocked(user)) {
+            yield* auditLog.log({
+              userId: user.id,
+              action: "LOGIN_FAILED",
+              resourceType: "user",
+              resourceId: user.id,
+              ipAddress: ipAddress ?? null,
+              userAgent: userAgent ?? null,
+              details: "Account locked due to too many failed attempts",
+            });
+            return yield* Effect.fail(
+              new AuthError(
+                "ACCOUNT_LOCKED",
+                "Account is locked due to too many failed login attempts. Please try again in 15 minutes."
+              )
+            );
+          }
+          // Verify password
+          if (!user.passwordHash) {
+            return yield* Effect.fail(
+              new AuthError(
+                "INVALID_CREDENTIALS",
+                "Invalid email or password"
+              )
+            );
+          }
+          const isPasswordValid = yield* passwordService.verify(
+            password,
+            user.passwordHash
+          );
+          if (!isPasswordValid) {
+            // Increment failed login attempts
+            yield* userRepo.incrementFailedLogins(user.id);
+            yield* auditLog.log({
+              userId: user.id,
+              action: "LOGIN_FAILED",
+              resourceType: "user",
+              resourceId: user.id,
+              ipAddress: ipAddress ?? null,
+              userAgent: userAgent ?? null,
+              details: "Invalid password",
+            });
+            return yield* Effect.fail(
+              new AuthError("INVALID_CREDENTIALS", "Invalid email or password")
+            );
+          }
+          // Reset failed login attempts on successful login
+          yield* userRepo.resetFailedLogins(user.id);
+          // Update last login time
+          const updatedUser = yield* userRepo.update(user.id, {
+            lastLoginAt: Date.now(),
+          });
+          // Generate a unique placeholder token to avoid constraint violations
+          const expiresAt = Date.now() + 7 * 24 * 60 * 60 * 1000; // 7 days
+          const placeholderToken = `placeholder_${user.id}_${Date.now()}_${Math.random()}`;
+          const placeholderHash = yield* tokenService.hashToken(placeholderToken);
+          // Create session with placeholder hash
+          const session = yield* sessionRepo.create({
+            userId: user.id,
+            tokenHash: placeholderHash,
+            ipAddress: ipAddress ?? null,
+            userAgent: userAgent ?? null,
+            expiresAt,
+          });
+          // Generate JWT token with the session ID
+          const token = yield* tokenService.generateToken({
+            sub: user.id,
+            username: user.username,
+            email: user.email,
+            jti: session.id,
+          });
+          // Update the session with the actual token hash
+          const actualTokenHash = yield* tokenService.hashToken(token);
+          const finalSession = yield* sessionRepo.updateTokenHash(session.id, actualTokenHash);
+          // Log audit event
+          yield* auditLog.log({
+            userId: user.id,
+            action: "USER_LOGIN",
+            resourceType: "session",
+            resourceId: finalSession.id,
+            ipAddress: ipAddress ?? null,
+            userAgent: userAgent ?? null,
+          });
+          return { user: updatedUser, token, session: finalSession };
+        });
+      const logout: AuthServiceDeps["logout"] = (sessionId, userId) =>
+        Effect.gen(function* () {
+          // Revoke session
+          yield* sessionRepo.revoke(sessionId);
+          // Log audit event
+          yield* auditLog.log({
+            userId,
+            action: "USER_LOGOUT",
+            resourceType: "session",
+            resourceId: sessionId,
+            ipAddress: null,
+            userAgent: null,
+          });
+        });
+      const verifyToken: AuthServiceDeps["verifyToken"] = (token) =>
+        Effect.gen(function* () {
+          // Verify JWT
+          const payload = yield* tokenService.verifyToken(token);
+          // Hash token to find session
+          const tokenHash = yield* tokenService.hashToken(token);
+          const session = yield* sessionRepo.findByTokenHash(tokenHash);
+          if (!session) {
+            return yield* Effect.fail(
+              new AuthError("INVALID_TOKEN", "Session not found")
+            );
+          }
+          // Check if session is expired
+          if (session.expiresAt < Date.now()) {
+            return yield* Effect.fail(
+              new AuthError("TOKEN_EXPIRED", "Session has expired")
+            );
+          }
+          // Check if session is revoked
+          if (session.isRevoked) {
+            return yield* Effect.fail(
+              new AuthError("SESSION_REVOKED", "Session has been revoked")
+            );
+          }
+          // Find user
+          const user = yield* userRepo.findById(payload.sub);
+          if (!user) {
+            return yield* Effect.fail(
+              new AuthError("USER_NOT_FOUND", "User not found")
+            );
+          }
+          // Check if user is active
+          if (!user.isActive) {
+            return yield* Effect.fail(
+              new AuthError("USER_INACTIVE", "User account is inactive")
+            );
+          }
+          return { user, session };
+        });
+      return { register, login, logout, verifyToken };
+    })
+  );
+}