showpane 0.4.1 → 0.4.2

package/bundle/scaffold/src/lib/token.ts

@@ -0,0 +1,186 @@
+/**
+ * Pure HMAC-SHA256 token signing and verification.
+ *
+ * No Next.js imports. No database calls. Works in Edge, Node, and tsx scripts.
+ * Uses Web Crypto (crypto.subtle) which is available in Node 20+.
+ *
+ * client-auth.ts wraps these with DB lookups and Next.js request/response helpers.
+ * bin/ scripts import these directly for CLI token operations.
+ */
+
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+
+let cachedKey: CryptoKey | null = null;
+let cachedSecret: string | null = null;
+
+export type ClientTokenScope = "session" | "share";
+
+export type ClientTokenPayload = {
+  v: 1;
+  orgId: string;
+  slug: string;
+  scope: ClientTokenScope;
+  exp: number | null;
+  ver: string;
+  jti: string;
+};
+
+export type VerifiedTokenPayload = {
+  orgId: string;
+  slug: string;
+  scope: ClientTokenScope;
+  ver: string;
+};
+
+export function getAuthSecret(): string | null {
+  return process.env.AUTH_SECRET ?? null;
+}
+
+export function isClientAuthConfigured(): boolean {
+  return Boolean(getAuthSecret());
+}
+
+async function getKey(): Promise<CryptoKey | null> {
+  const secret = getAuthSecret();
+  if (!secret) return null;
+
+  if (!cachedKey || cachedSecret !== secret) {
+    cachedKey = await crypto.subtle.importKey(
+      "raw",
+      encoder.encode(secret),
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["sign"]
+    );
+    cachedSecret = secret;
+  }
+  return cachedKey;
+}
+
+async function hmacHex(data: string): Promise<string | null> {
+  const key = await getKey();
+  if (!key) return null;
+  const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return Array.from(new Uint8Array(sig))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+function encodeBase64Url(value: string): string {
+  const bytes = encoder.encode(value);
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+
+function decodeBase64Url(value: string): string | null {
+  try {
+    const padding = "=".repeat((4 - (value.length % 4)) % 4);
+    const binary = atob(value.replace(/-/g, "+").replace(/_/g, "/") + padding);
+    const bytes = Uint8Array.from(binary, (char) => char.charCodeAt(0));
+    return decoder.decode(bytes);
+  } catch {
+    return null;
+  }
+}
+
+function parseTokenPayload(value: string): ClientTokenPayload | null {
+  try {
+    const parsed = JSON.parse(value) as Partial<ClientTokenPayload>;
+    if (
+      parsed.v !== 1 ||
+      typeof parsed.orgId !== "string" ||
+      typeof parsed.slug !== "string" ||
+      (parsed.scope !== "session" && parsed.scope !== "share") ||
+      (parsed.exp !== null && typeof parsed.exp !== "number") ||
+      typeof parsed.ver !== "string" ||
+      typeof parsed.jti !== "string"
+    ) {
+      return null;
+    }
+    return parsed as ClientTokenPayload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Sign a token payload. Pure crypto, no DB.
+ * Caller provides the full payload including credentialVersion.
+ */
+export async function signTokenPayload(
+  payload: ClientTokenPayload
+): Promise<string | null> {
+  const encodedPayload = encodeBase64Url(JSON.stringify(payload));
+  const sig = await hmacHex(encodedPayload);
+  if (!sig) return null;
+  return `${encodedPayload}.${sig}`;
+}
+
+/**
+ * Build and sign a token. Pure crypto, no DB.
+ * Caller must provide slug, scope, maxAge, and credentialVersion.
+ */
+export async function buildAndSignToken(
+  orgId: string,
+  slug: string,
+  scope: ClientTokenScope,
+  maxAgeSeconds: number | null,
+  credentialVersion: string
+): Promise<string | null> {
+  const payload: ClientTokenPayload = {
+    v: 1,
+    orgId,
+    slug,
+    scope,
+    exp: maxAgeSeconds == null ? null : Math.floor(Date.now() / 1000) + maxAgeSeconds,
+    ver: credentialVersion,
+    jti: crypto.randomUUID(),
+  };
+  return signTokenPayload(payload);
+}
+
+/**
+ * Verify token signature and decode payload. Pure crypto, no DB.
+ * Does NOT check credential version against DB. Caller must do that.
+ * Returns the payload if signature is valid and token is not expired.
+ */
+export async function verifyTokenSignature(
+  token: string,
+  expectedScope?: ClientTokenScope
+): Promise<VerifiedTokenPayload | null> {
+  const dotIndex = token.lastIndexOf(".");
+  if (dotIndex === -1) return null;
+
+  const encodedPayload = token.substring(0, dotIndex);
+  const sig = token.substring(dotIndex + 1);
+  const expected = await hmacHex(encodedPayload);
+  if (!expected) return null;
+
+  // Constant-time comparison
+  if (sig.length !== expected.length) return null;
+  let mismatch = 0;
+  for (let i = 0; i < sig.length; i++) {
+    mismatch |= sig.charCodeAt(i) ^ expected.charCodeAt(i);
+  }
+  if (mismatch !== 0) return null;
+
+  const decodedPayload = decodeBase64Url(encodedPayload);
+  if (!decodedPayload) return null;
+
+  const payload = parseTokenPayload(decodedPayload);
+  if (!payload) return null;
+
+  if (expectedScope && payload.scope !== expectedScope) return null;
+  if (payload.exp != null && payload.exp <= Math.floor(Date.now() / 1000)) return null;
+
+  return { orgId: payload.orgId, slug: payload.slug, scope: payload.scope, ver: payload.ver };
+}
+
+/** Max age constants */
+export const SESSION_TOKEN_MAX_AGE_SECONDS = 60 * 60 * 24 * 7; // 7 days
+export const SHARE_TOKEN_MAX_AGE_SECONDS = null;
+export const SHARE_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 365 * 10; // 10 years

package/bundle/scaffold/src/lib/utils.ts

@@ -0,0 +1,6 @@
+import { clsx, type ClassValue } from "clsx";
+import { twMerge } from "tailwind-merge";
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs));
+}

package/bundle/scaffold/src/middleware.ts

@@ -0,0 +1,61 @@
+export const runtime = "nodejs";
+
+import { NextRequest, NextResponse } from "next/server";
+import { getAuthenticatedPortal } from "@/lib/client-auth";
+
+export async function middleware(req: NextRequest) {
+  const { pathname } = req.nextUrl;
+
+  // Login page: if already authenticated, redirect to portal
+  if (pathname === "/client") {
+    try {
+      const portal = await getAuthenticatedPortal(req);
+      if (portal) {
+        return NextResponse.redirect(new URL(`/client/${portal.slug}`, req.url));
+      }
+    } catch (e) {
+      console.error("Middleware: DB error checking auth on login page", e);
+      // Fail open — show the login page
+    }
+    return NextResponse.next();
+  }
+
+  // Share link routes handle their own token verification
+  if (pathname.includes("/s/")) {
+    return NextResponse.next();
+  }
+
+  // API routes and static files pass through
+  if (pathname.startsWith("/api/") || pathname.startsWith("/_next/")) {
+    return NextResponse.next();
+  }
+
+  // Portal pages require authentication
+  if (pathname.startsWith("/client/")) {
+    try {
+      const portal = await getAuthenticatedPortal(req);
+      if (!portal) {
+        return NextResponse.redirect(new URL("/client", req.url));
+      }
+      // Ensure the URL slug matches the authenticated slug
+      const urlSlug = pathname.split("/")[2];
+      if (urlSlug !== portal.slug) {
+        return NextResponse.redirect(new URL("/client", req.url));
+      }
+      return NextResponse.next();
+    } catch (e) {
+      console.error("Middleware: DB error checking auth on portal page", e);
+      // Fail closed — redirect to login
+      return NextResponse.redirect(new URL("/client", req.url));
+    }
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: [
+    "/((?!_next|.*\\..*).*)",
+    "/(api|trpc)(.*)",
+  ],
+};

package/bundle/scaffold/tailwind.config.ts

@@ -0,0 +1,15 @@
+import type { Config } from "tailwindcss";
+
+const config: Config = {
+  content: ["./src/**/*.{js,ts,jsx,tsx,mdx}"],
+  theme: {
+    extend: {
+      colors: {
+        primary: "var(--color-primary)",
+      },
+    },
+  },
+  plugins: [],
+};
+
+export default config;

package/bundle/scaffold/tsconfig.json

@@ -0,0 +1,23 @@
+{
+  "compilerOptions": {
+    "target": "ES2017",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}

package/bundle/scaffold/vitest.config.ts

@@ -0,0 +1,13 @@
+import { defineConfig } from "vitest/config";
+import path from "path";
+
+export default defineConfig({
+  test: {
+    globals: true,
+  },
+  resolve: {
+    alias: {
+      "@": path.resolve(__dirname, "./src"),
+    },
+  },
+});

package/bundle/toolchain/VERSION

@@ -0,0 +1 @@
+1.1.0 (requires app >= 0.2.0)

package/bundle/toolchain/bin/check-slug.ts

@@ -0,0 +1,59 @@
+import { PrismaClient } from "@/lib/prisma-client";
+
+const SLUG_PATTERN = /^[a-z0-9][a-z0-9-]{0,48}[a-z0-9]$/;
+const RESERVED = new Set([
+  "api", "client", "s", "admin", "static", "_next", "health", "example",
+]);
+
+function fail(reason: string, message: string): never {
+  console.error(JSON.stringify({ valid: false, reason, message }));
+  process.exit(1);
+}
+
+function success(): never {
+  console.log(JSON.stringify({ valid: true }));
+  process.exit(0);
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+
+  if (args.includes("--help")) {
+    console.log("Usage: check-slug --slug <slug> --org-id <orgId>");
+    console.log("Validates a portal slug for format, reserved names, and uniqueness.");
+    process.exit(0);
+  }
+
+  const getArg = (flag: string) => { const i = args.indexOf(flag); return i !== -1 ? args[i + 1] : undefined; };
+  const slug = getArg("--slug");
+  const orgId = getArg("--org-id");
+
+  if (!slug || !orgId) fail("args", "Missing --slug or --org-id");
+
+  // Format check: lowercase alphanumeric + hyphens, 2-50 chars
+  if (slug.length < 2 || slug.length > 50 || !SLUG_PATTERN.test(slug)) {
+    fail("format", "Slug must be 2-50 chars, lowercase alphanumeric and hyphens, cannot start/end with hyphen");
+  }
+
+  // Reserved names
+  if (RESERVED.has(slug)) {
+    fail("reserved", `"${slug}" is a reserved name`);
+  }
+
+  // DB uniqueness
+  const prisma = new PrismaClient();
+  try {
+    const existing = await prisma.clientPortal.findUnique({
+      where: { organizationId_slug: { organizationId: orgId, slug } },
+    });
+    if (existing) fail("taken", `Slug "${slug}" is already in use`);
+    success();
+  } finally {
+    await prisma.$disconnect();
+  }
+}
+
+main().catch((e) => {
+  console.error(JSON.stringify({ valid: false, reason: "error", message: String(e) }));
+  process.exit(1);
+});

package/bundle/toolchain/bin/create-deploy-bundle.ts

@@ -0,0 +1,93 @@
+import AdmZip from "adm-zip";
+import { readFileSync, readdirSync, statSync } from "node:fs";
+import path from "node:path";
+
+function fail(message: string): never {
+  console.error(JSON.stringify({ ok: false, error: message }));
+  process.exit(1);
+}
+
+function walkFiles(dir: string, root: string, out: Set<string>) {
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      walkFiles(fullPath, root, out);
+      continue;
+    }
+    out.add(path.relative(root, fullPath));
+  }
+}
+
+function collectTracedFiles(appPath: string): Set<string> {
+  const files = new Set<string>();
+  const outputRoot = path.join(appPath, ".vercel", "output");
+  const functionsRoot = path.join(outputRoot, "functions");
+
+  walkFiles(outputRoot, appPath, files);
+
+  const queue = [functionsRoot];
+  while (queue.length > 0) {
+    const current = queue.pop();
+    if (!current) continue;
+    for (const entry of readdirSync(current, { withFileTypes: true })) {
+      const fullPath = path.join(current, entry.name);
+      if (entry.isDirectory()) {
+        queue.push(fullPath);
+        continue;
+      }
+      if (entry.name !== ".vc-config.json") continue;
+
+      const config = JSON.parse(readFileSync(fullPath, "utf8")) as {
+        filePathMap?: Record<string, string>;
+      };
+      for (const relativePath of Object.values(config.filePathMap ?? {})) {
+        files.add(relativePath);
+      }
+    }
+  }
+
+  return files;
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+  const outputIndex = args.indexOf("--output");
+  const outputPath = outputIndex !== -1 ? args[outputIndex + 1] : undefined;
+
+  if (!outputPath) {
+    fail("Missing --output");
+  }
+
+  const appPath = process.cwd();
+  const outputRoot = path.join(appPath, ".vercel", "output");
+  if (!statSync(outputRoot, { throwIfNoEntry: false })?.isDirectory()) {
+    fail("Missing .vercel/output. Run a prebuilt Vercel build first.");
+  }
+
+  const zip = new AdmZip();
+  const tracedFiles = collectTracedFiles(appPath);
+
+  for (const relativePath of tracedFiles) {
+    const normalized = relativePath.replace(/\\/g, "/");
+
+    if (normalized === ".env" || normalized.startsWith(".env.")) {
+      zip.addFile(normalized, Buffer.from("NODE_ENV=production\n"));
+      continue;
+    }
+
+    const fullPath = path.join(appPath, relativePath);
+    const stat = statSync(fullPath, { throwIfNoEntry: false });
+    if (!stat?.isFile()) {
+      continue;
+    }
+
+    zip.addLocalFile(fullPath, path.dirname(normalized), path.basename(normalized));
+  }
+
+  zip.writeZip(outputPath);
+  console.log(JSON.stringify({ ok: true, outputPath, fileCount: tracedFiles.size }));
+}
+
+main().catch((error) => {
+  fail(String(error));
+});

package/bundle/toolchain/bin/create-portal.ts

@@ -0,0 +1,71 @@
+import { PrismaClient } from "@/lib/prisma-client";
+import bcrypt from "bcryptjs";
+import crypto from "node:crypto";
+
+const SLUG_PATTERN = /^[a-z0-9][a-z0-9-]{0,48}[a-z0-9]$/;
+const RESERVED = new Set([
+  "api", "client", "s", "admin", "static", "_next", "health", "example",
+]);
+
+function fail(message: string): never {
+  console.error(JSON.stringify({ ok: false, error: message }));
+  process.exit(1);
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+
+  if (args.includes("--help")) {
+    console.log("Usage: create-portal --slug <slug> --company <name> --org-id <orgId>");
+    console.log("Creates a new client portal with auto-generated credentials.");
+    process.exit(0);
+  }
+
+  const getArg = (flag: string) => { const i = args.indexOf(flag); return i !== -1 ? args[i + 1] : undefined; };
+  const slug = getArg("--slug");
+  const company = getArg("--company");
+  const orgId = getArg("--org-id");
+
+  if (!slug || !company || !orgId) fail("Missing --slug, --company, or --org-id");
+
+  // Validate slug
+  if (slug.length < 2 || slug.length > 50 || !SLUG_PATTERN.test(slug)) {
+    fail("Invalid slug format: 2-50 chars, lowercase alphanumeric and hyphens");
+  }
+  if (RESERVED.has(slug)) fail(`"${slug}" is a reserved name`);
+
+  const username = slug;
+  const password = crypto.randomBytes(16).toString("base64url");
+  const passwordHash = await bcrypt.hash(password, 10);
+
+  const prisma = new PrismaClient();
+  try {
+    // Check uniqueness
+    const existing = await prisma.clientPortal.findUnique({
+      where: { organizationId_slug: { organizationId: orgId, slug } },
+    });
+    if (existing) fail(`Slug "${slug}" already exists`);
+
+    const portal = await prisma.clientPortal.create({
+      data: {
+        organizationId: orgId,
+        slug,
+        companyName: company,
+        username,
+        passwordHash,
+      },
+    });
+
+    console.log(JSON.stringify({
+      ok: true,
+      portal: { id: portal.id, slug: portal.slug, username, password },
+    }));
+  } finally {
+    await prisma.$disconnect();
+  }
+}
+
+main().catch((e) => {
+  console.error(JSON.stringify({ ok: false, error: String(e) }));
+  process.exit(1);
+});

package/bundle/toolchain/bin/delete-portal.ts

@@ -0,0 +1,48 @@
+import { PrismaClient } from "@/lib/prisma-client";
+
+function fail(message: string): never {
+  console.error(JSON.stringify({ ok: false, error: message }));
+  process.exit(1);
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+
+  if (args.includes("--help")) {
+    console.log("Usage: delete-portal --slug <slug> --org-id <orgId>");
+    console.log("Soft-deletes a portal by setting isActive=false. Idempotent.");
+    process.exit(0);
+  }
+
+  const getArg = (flag: string) => { const i = args.indexOf(flag); return i !== -1 ? args[i + 1] : undefined; };
+  const slug = getArg("--slug");
+  const orgId = getArg("--org-id");
+
+  if (!slug || !orgId) fail("Missing --slug or --org-id");
+
+  const prisma = new PrismaClient();
+  try {
+    const portal = await prisma.clientPortal.findUnique({
+      where: { organizationId_slug: { organizationId: orgId, slug } },
+    });
+    if (!portal) fail(`Portal "${slug}" not found`);
+
+    const wasActive = portal.isActive;
+
+    if (wasActive) {
+      await prisma.clientPortal.update({
+        where: { id: portal.id },
+        data: { isActive: false },
+      });
+    }
+
+    console.log(JSON.stringify({ ok: true, slug, wasActive }));
+  } finally {
+    await prisma.$disconnect();
+  }
+}
+
+main().catch((e) => {
+  console.error(JSON.stringify({ ok: false, error: String(e) }));
+  process.exit(1);
+});

package/bundle/toolchain/bin/export-file-manifest.ts

@@ -0,0 +1,84 @@
+import { PrismaClient } from "@/lib/prisma-client";
+import { createHash } from "node:crypto";
+import { readFile_ } from "@/lib/storage";
+
+function fail(message: string): never {
+  console.error(JSON.stringify({ error: message }));
+  process.exit(1);
+}
+
+function parseArgs(argv: string[]) {
+  const getArg = (flag: string) => {
+    const index = argv.indexOf(flag);
+    return index !== -1 ? argv[index + 1] : undefined;
+  };
+
+  return {
+    orgId: getArg("--org-id"),
+    orgSlug: getArg("--org-slug"),
+  };
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+
+  if (args.includes("--help")) {
+    console.log("Usage: export-file-manifest [--org-id <orgId>] [--org-slug <slug>]");
+    console.log("Exports uploaded file metadata and checksums for cloud file sync.");
+    process.exit(0);
+  }
+
+  const { orgId, orgSlug } = parseArgs(args);
+  const prisma = new PrismaClient();
+
+  try {
+    const organization = orgId
+      ? await prisma.organization.findUnique({ where: { id: orgId }, select: { id: true } })
+      : orgSlug
+        ? await prisma.organization.findUnique({ where: { slug: orgSlug }, select: { id: true } })
+        : await prisma.organization.findFirst({ orderBy: { createdAt: "asc" }, select: { id: true } });
+
+    if (!organization) {
+      fail("No organization found");
+    }
+
+    const files = await prisma.portalFile.findMany({
+      where: { portal: { organizationId: organization.id } },
+      include: {
+        portal: {
+          select: {
+            slug: true,
+          },
+        },
+      },
+      orderBy: { uploadedAt: "asc" },
+    });
+
+    const manifest = [];
+    for (const file of files) {
+      const data = await readFile_(file.storagePath);
+      if (!data) {
+        fail(`File missing from storage: ${file.storagePath}`);
+      }
+
+      manifest.push({
+        portalSlug: file.portal.slug,
+        storagePath: file.storagePath,
+        filename: file.filename,
+        mimeType: file.mimeType,
+        size: file.size,
+        uploadedBy: file.uploadedBy,
+        uploadedAt: file.uploadedAt.toISOString(),
+        checksum: file.checksum ?? createHash("sha256").update(data).digest("hex"),
+      });
+    }
+
+    console.log(JSON.stringify({ files: manifest }));
+  } finally {
+    await prisma.$disconnect();
+  }
+}
+
+main().catch((error) => {
+  fail(String(error));
+});