sitepaige-mcp-server 0.7.14 → 1.0.2

package/dist/defaultapp/api/Auth/route.ts

@@ -32,11 +32,113 @@ export async function POST(request: Request) {
   const db = await db_init();
   
   try {
-    const { code, provider } = await request.json();
+    const { code, provider, email, password } = await request.json();
     
-    if (!code || !provider) {
+    if (!provider) {
       return NextResponse.json(
-        { error: 'No authorization code or provider specified' },
+        { error: 'No provider specified' },
+        { status: 400 }
+      );
+    }
+
+    // Handle username/password authentication
+    if (provider === 'username') {
+      if (!email || !password) {
+        return NextResponse.json(
+          { error: 'Email and password are required' },
+          { status: 400 }
+        );
+      }
+
+      const { authenticateUser, createPasswordAuthTable } = await import('../../db-password-auth');
+      const { upsertUser } = await import('../../db-users');
+      
+      // Ensure password auth table exists
+      await createPasswordAuthTable();
+
+      try {
+        // Authenticate the user
+        const authRecord = await authenticateUser(email, password);
+        
+        if (!authRecord) {
+          return NextResponse.json(
+            { error: 'Invalid email or password' },
+            { status: 401 }
+          );
+        }
+
+        // Create or update user in the main Users table
+        const user = await upsertUser(
+          `password_${authRecord.id}`, // Unique OAuth ID for password users
+          'username' as any, // Source type
+          email.split('@')[0], // Username from email
+          email,
+          undefined // No avatar for password auth
+        );
+
+        // Delete existing sessions for this user
+        const existingSessions = await db_query(db, 
+          "SELECT ID FROM usersession WHERE userid = ?", 
+          [user.userid]
+        );
+        
+        if (existingSessions && existingSessions.length > 0) {
+          const sessionIds = existingSessions.map(session => session.ID);
+          const placeholders = sessionIds.map(() => '?').join(',');
+          await db_query(db, `DELETE FROM usersession WHERE ID IN (${placeholders})`, sessionIds);
+        }
+
+        // Generate secure session token and ID
+        const sessionId = crypto.randomUUID();
+        const sessionToken = crypto.randomBytes(32).toString('base64url');
+
+        // Create new session with secure token
+        await db_query(db, 
+          "INSERT INTO usersession (ID, SessionToken, userid, ExpirationDate) VALUES (?, ?, ?, ?)",
+          [sessionId, sessionToken, user.userid, new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString()]
+        );
+
+        // Set session cookie with secure token
+        const sessionCookie = await cookies();
+        sessionCookie.set({
+          name: 'session_id', 
+          value: sessionToken,
+          httpOnly: true,
+          secure: process.env.NODE_ENV === 'production',
+          sameSite: process.env.NODE_ENV === 'production' ? 'strict' : 'lax',
+          maxAge: 30 * 24 * 60 * 60, // 30 days
+          path: '/',
+        });
+
+        // Create a completely clean object to avoid any database result object issues
+        const cleanUserData = {
+          userid: String(user.userid),
+          userName: String(user.UserName),
+          avatarURL: String(user.AvatarURL || ''),
+          userLevel: Number(user.UserLevel),
+          isAdmin: Number(user.UserLevel) === 2
+        };
+        
+        return NextResponse.json({ 
+          success: true,
+          user: cleanUserData
+        });
+
+      } catch (error: any) {
+        if (error.message === 'Email not verified') {
+          return NextResponse.json(
+            { error: 'Please verify your email before logging in' },
+            { status: 403 }
+          );
+        }
+        throw error;
+      }
+    }
+
+    // Handle OAuth authentication
+    if (!code) {
+      return NextResponse.json(
+        { error: 'No authorization code specified' },
         { status: 400 }
       );
     }

package/dist/defaultapp/api/Auth/signup/route.ts

@@ -0,0 +1,143 @@
+/*
+ * Signup endpoint for username/password authentication
+ * Handles user registration with email verification
+ */
+
+import { NextResponse } from 'next/server';
+import { validateCsrfToken } from '../../../csrf';
+import { createPasswordAuth } from '../../../db-password-auth';
+import { send_email } from '../../../storage/email';
+
+// Email validation regex
+const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+// Password validation - at least 8 characters, one uppercase, one lowercase, one number
+const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/;
+
+export async function POST(request: Request) {
+  // Validate CSRF token
+  const isValidCsrf = await validateCsrfToken(request);
+  if (!isValidCsrf) {
+    return NextResponse.json(
+      { error: 'Invalid CSRF token' },
+      { status: 403 }
+    );
+  }
+
+  try {
+    const { email, password } = await request.json();
+
+    // Validate email format
+    if (!email || !emailRegex.test(email)) {
+      return NextResponse.json(
+        { error: 'Invalid email address' },
+        { status: 400 }
+      );
+    }
+
+    // Validate password strength
+    if (!password || !passwordRegex.test(password)) {
+      return NextResponse.json(
+        { error: 'Password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one number' },
+        { status: 400 }
+      );
+    }
+
+    // Create password auth record
+    const { passwordAuth, verificationToken } = await createPasswordAuth(email, password);
+
+    // Get site domain from environment or default
+    const siteDomain = process.env.SITE_DOMAIN || 'https://sitepaige.com';
+    const verificationUrl = `${siteDomain}/api/Auth/verify-email?token=${verificationToken}`;
+
+    // Send verification email
+    try {
+      const emailHtml = `
+        <!DOCTYPE html>
+        <html>
+          <head>
+            <style>
+              body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; }
+              .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+              .button { 
+                display: inline-block; 
+                padding: 12px 24px; 
+                background-color: #4F46E5; 
+                color: white; 
+                text-decoration: none; 
+                border-radius: 6px;
+                font-weight: bold;
+              }
+              .footer { margin-top: 30px; font-size: 12px; color: #666; }
+            </style>
+          </head>
+          <body>
+            <div class="container">
+              <h2>Welcome to ${siteDomain}!</h2>
+              <p>Thank you for signing up. Please verify your email address by clicking the button below:</p>
+              <p style="margin: 30px 0;">
+                <a href="${verificationUrl}" class="button">Verify Email Address</a>
+              </p>
+              <p>Or copy and paste this link into your browser:</p>
+              <p style="word-break: break-all; color: #4F46E5;">${verificationUrl}</p>
+              <p>This link will expire in 24 hours.</p>
+              <div class="footer">
+                <p>If you didn't create an account, you can safely ignore this email.</p>
+              </div>
+            </div>
+          </body>
+        </html>
+      `;
+
+      const emailText = `
+Welcome to ${siteDomain}!
+
+Thank you for signing up. Please verify your email address by clicking the link below:
+
+${verificationUrl}
+
+This link will expire in 24 hours.
+
+If you didn't create an account, you can safely ignore this email.
+      `;
+
+      await send_email({
+        to: email,
+        from: process.env.EMAIL_FROM || 'noreply@sitepaige.com',
+        subject: 'Verify your email address',
+        html: emailHtml,
+        text: emailText
+      });
+
+      return NextResponse.json({
+        success: true,
+        message: 'Registration successful! Please check your email to verify your account.'
+      });
+
+    } catch (emailError) {
+      console.error('Failed to send verification email:', emailError);
+      // Still return success but with a warning
+      return NextResponse.json({
+        success: true,
+        message: 'Registration successful! However, we could not send the verification email. Please contact support.',
+        warning: 'Email sending failed'
+      });
+    }
+
+  } catch (error: any) {
+    console.error('Signup error:', error);
+
+    // Handle specific errors
+    if (error.message === 'Email already registered') {
+      return NextResponse.json(
+        { error: 'This email is already registered. Please sign in instead.' },
+        { status: 409 }
+      );
+    }
+
+    return NextResponse.json(
+      { error: error.message || 'Signup failed' },
+      { status: 500 }
+    );
+  }
+}

package/dist/defaultapp/api/Auth/verify-email/route.ts

@@ -0,0 +1,98 @@
+/*
+ * Email verification endpoint
+ * Handles email verification tokens from signup emails
+ */
+
+import { NextResponse } from 'next/server';
+import { verifyEmailWithToken } from '../../../db-password-auth';
+import { upsertUser } from '../../../db-users';
+import { db_init, db_query } from '../../../db';
+import { cookies } from 'next/headers';
+import * as crypto from 'node:crypto';
+
+export async function GET(request: Request) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const token = searchParams.get('token');
+
+    if (!token) {
+      return NextResponse.json(
+        { error: 'Verification token is required' },
+        { status: 400 }
+      );
+    }
+
+    // Verify the email with token
+    const authRecord = await verifyEmailWithToken(token);
+
+    if (!authRecord) {
+      return NextResponse.json(
+        { error: 'Invalid or expired verification token' },
+        { status: 400 }
+      );
+    }
+
+    // Create or update user in the main Users table
+    const user = await upsertUser(
+      `password_${authRecord.id}`, // Unique OAuth ID for password users
+      'username' as any, // Source type
+      authRecord.email.split('@')[0], // Username from email
+      authRecord.email,
+      undefined // No avatar for password auth
+    );
+
+    // Auto-login the user after verification
+    const db = await db_init();
+    
+    // Delete existing sessions for this user
+    const existingSessions = await db_query(db, 
+      "SELECT ID FROM usersession WHERE userid = ?", 
+      [user.userid]
+    );
+    
+    if (existingSessions && existingSessions.length > 0) {
+      const sessionIds = existingSessions.map(session => session.ID);
+      const placeholders = sessionIds.map(() => '?').join(',');
+      await db_query(db, `DELETE FROM usersession WHERE ID IN (${placeholders})`, sessionIds);
+    }
+
+    // Generate secure session token and ID
+    const sessionId = crypto.randomUUID();
+    const sessionToken = crypto.randomBytes(32).toString('base64url');
+
+    // Create new session with secure token
+    await db_query(db, 
+      "INSERT INTO usersession (ID, SessionToken, userid, ExpirationDate) VALUES (?, ?, ?, ?)",
+      [sessionId, sessionToken, user.userid, new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString()]
+    );
+
+    // Set session cookie with secure token
+    const sessionCookie = await cookies();
+    sessionCookie.set({
+      name: 'session_id', 
+      value: sessionToken,
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: process.env.NODE_ENV === 'production' ? 'strict' : 'lax',
+      maxAge: 30 * 24 * 60 * 60, // 30 days
+      path: '/',
+    });
+
+    // Redirect to home page or dashboard with success message
+    const siteDomain = process.env.SITE_DOMAIN || 'https://sitepaige.com';
+    const redirectUrl = new URL('/', siteDomain);
+    redirectUrl.searchParams.set('verified', 'true');
+    
+    return NextResponse.redirect(redirectUrl);
+
+  } catch (error: any) {
+    console.error('Email verification error:', error);
+    
+    // Redirect to home with error
+    const siteDomain = process.env.SITE_DOMAIN || 'https://sitepaige.com';
+    const redirectUrl = new URL('/', siteDomain);
+    redirectUrl.searchParams.set('error', 'verification_failed');
+    
+    return NextResponse.redirect(redirectUrl);
+  }
+}

package/dist/defaultapp/db-password-auth.ts

@@ -0,0 +1,325 @@
+/*
+ * Username/Password Authentication Database Utilities
+ * Handles all database operations related to username/password authentication
+ */
+
+import { db_init, db_query } from './db';
+import type { DatabaseClient } from './db';
+import * as crypto from 'node:crypto';
+import { scrypt, randomBytes } from 'node:crypto';
+import { promisify } from 'node:util';
+
+const scryptAsync = promisify(scrypt);
+
+export interface PasswordAuth {
+  id: string;
+  email: string; // Email serves as username
+  passwordhash: string;
+  salt: string;
+  verificationtoken?: string;
+  verificationtokenexpires?: string;
+  emailverified: boolean;
+  resettoken?: string;
+  resettokenexpires?: string;
+  createdat: string;
+  updatedat: string;
+}
+
+/**
+ * Hash a password using scrypt
+ */
+export async function hashPassword(password: string): Promise<{ hash: string; salt: string }> {
+  const salt = randomBytes(32).toString('base64');
+  const hash = (await scryptAsync(password, salt, 64)) as Buffer;
+  return {
+    hash: hash.toString('base64'),
+    salt
+  };
+}
+
+/**
+ * Verify a password against its hash
+ */
+export async function verifyPassword(password: string, hash: string, salt: string): Promise<boolean> {
+  const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
+  return derivedKey.toString('base64') === hash;
+}
+
+/**
+ * Create the password authentication table
+ */
+export async function createPasswordAuthTable(): Promise<void> {
+  const client = await db_init();
+  
+  const createTableQuery = `
+    CREATE TABLE IF NOT EXISTS passwordauth (
+      id TEXT PRIMARY KEY,
+      email TEXT NOT NULL UNIQUE,
+      passwordhash TEXT NOT NULL,
+      salt TEXT NOT NULL,
+      verificationtoken TEXT,
+      verificationtokenexpires TIMESTAMP,
+      emailverified BOOLEAN DEFAULT FALSE,
+      resettoken TEXT,
+      resettokenexpires TIMESTAMP,
+      createdat TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+      updatedat TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+    )
+  `;
+
+  await db_query(client, createTableQuery);
+  
+  // Create index on email for faster lookups
+  await db_query(client, 'CREATE INDEX IF NOT EXISTS idx_passwordauth_email ON passwordauth(email)');
+  await db_query(client, 'CREATE INDEX IF NOT EXISTS idx_passwordauth_verification_token ON passwordauth(verificationtoken)');
+  await db_query(client, 'CREATE INDEX IF NOT EXISTS idx_passwordauth_reset_token ON passwordauth(resettoken)');
+}
+
+/**
+ * Get password auth record by email
+ */
+export async function getPasswordAuthByEmail(email: string): Promise<PasswordAuth | null> {
+  const client = await db_init();
+  
+  const results = await db_query(client, 
+    "SELECT * FROM passwordauth WHERE email = ?",
+    [email.toLowerCase()]
+  );
+  
+  return results.length > 0 ? results[0] as PasswordAuth : null;
+}
+
+/**
+ * Create a new password auth record (for signup)
+ */
+export async function createPasswordAuth(
+  email: string,
+  password: string
+): Promise<{ passwordAuth: PasswordAuth; verificationToken: string }> {
+  const client = await db_init();
+  
+  // Check if email already exists
+  const existing = await getPasswordAuthByEmail(email);
+  if (existing) {
+    throw new Error('Email already registered');
+  }
+  
+  // Hash the password
+  const { hash, salt } = await hashPassword(password);
+  
+  // Generate verification token
+  const verificationToken = randomBytes(32).toString('base64url');
+  const verificationTokenExpires = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours
+  
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+  
+  await db_query(client,
+    `INSERT INTO passwordauth 
+     (id, email, passwordhash, salt, verificationtoken, verificationtokenexpires, emailverified, createdat, updatedat)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    [id, email.toLowerCase(), hash, salt, verificationToken, verificationTokenExpires.toISOString(), false, now, now]
+  );
+  
+  const passwordAuth = await getPasswordAuthByEmail(email);
+  if (!passwordAuth) {
+    throw new Error('Failed to create password auth record');
+  }
+  
+  return { passwordAuth, verificationToken };
+}
+
+/**
+ * Verify email with token
+ */
+export async function verifyEmailWithToken(token: string): Promise<PasswordAuth | null> {
+  const client = await db_init();
+  
+  // Find the auth record with this token
+  const results = await db_query(client,
+    `SELECT * FROM passwordauth 
+     WHERE verificationtoken = ? 
+     AND verificationtokenexpires > CURRENT_TIMESTAMP 
+     AND emailverified = false`,
+    [token]
+  );
+  
+  if (results.length === 0) {
+    return null;
+  }
+  
+  const authRecord = results[0];
+  
+  // Mark email as verified and clear token
+  await db_query(client,
+    `UPDATE passwordauth 
+     SET emailverified = true, 
+         verificationtoken = NULL, 
+         verificationtokenexpires = NULL,
+         updatedat = CURRENT_TIMESTAMP
+     WHERE id = ?`,
+    [authRecord.id]
+  );
+  
+  return await getPasswordAuthByEmail(authRecord.email);
+}
+
+/**
+ * Authenticate user with email and password
+ */
+export async function authenticateUser(email: string, password: string): Promise<PasswordAuth | null> {
+  const authRecord = await getPasswordAuthByEmail(email);
+  
+  if (!authRecord) {
+    return null;
+  }
+  
+  // Check if email is verified
+  if (!authRecord.emailverified) {
+    throw new Error('Email not verified');
+  }
+  
+  // Verify password
+  const isValid = await verifyPassword(password, authRecord.passwordhash, authRecord.salt);
+  
+  if (!isValid) {
+    return null;
+  }
+  
+  return authRecord;
+}
+
+/**
+ * Generate password reset token
+ */
+export async function generatePasswordResetToken(email: string): Promise<string | null> {
+  const client = await db_init();
+  
+  const authRecord = await getPasswordAuthByEmail(email);
+  if (!authRecord) {
+    return null;
+  }
+  
+  const resetToken = randomBytes(32).toString('base64url');
+  const resetTokenExpires = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+  
+  await db_query(client,
+    `UPDATE passwordauth 
+     SET resettoken = ?, 
+         resettokenexpires = ?,
+         updatedat = CURRENT_TIMESTAMP
+     WHERE id = ?`,
+    [resetToken, resetTokenExpires.toISOString(), authRecord.id]
+  );
+  
+  return resetToken;
+}
+
+/**
+ * Reset password with token
+ */
+export async function resetPasswordWithToken(token: string, newPassword: string): Promise<boolean> {
+  const client = await db_init();
+  
+  // Find the auth record with this token
+  const results = await db_query(client,
+    `SELECT * FROM passwordauth 
+     WHERE resettoken = ? 
+     AND resettokenexpires > CURRENT_TIMESTAMP`,
+    [token]
+  );
+  
+  if (results.length === 0) {
+    return false;
+  }
+  
+  const authRecord = results[0];
+  
+  // Hash the new password
+  const { hash, salt } = await hashPassword(newPassword);
+  
+  // Update password and clear reset token
+  await db_query(client,
+    `UPDATE passwordauth 
+     SET passwordhash = ?, 
+         salt = ?, 
+         resettoken = NULL, 
+         resettokenexpires = NULL,
+         updatedat = CURRENT_TIMESTAMP
+     WHERE id = ?`,
+    [hash, salt, authRecord.id]
+  );
+  
+  return true;
+}
+
+/**
+ * Delete unverified accounts older than 7 days
+ */
+export async function cleanupUnverifiedAccounts(): Promise<number> {
+  const client = await db_init();
+  
+  const result = await db_query(client,
+    `DELETE FROM passwordauth 
+     WHERE emailverified = false 
+     AND createdat < datetime('now', '-7 days')`
+  );
+  
+  return result[0]?.changes || 0;
+}
+
+/**
+ * Update password for authenticated user
+ */
+export async function updatePassword(email: string, currentPassword: string, newPassword: string): Promise<boolean> {
+  // First verify the current password
+  const authRecord = await authenticateUser(email, currentPassword);
+  if (!authRecord) {
+    return false;
+  }
+  
+  // Hash the new password
+  const { hash, salt } = await hashPassword(newPassword);
+  const client = await db_init();
+  
+  // Update password
+  await db_query(client,
+    `UPDATE passwordauth 
+     SET passwordhash = ?, 
+         salt = ?,
+         updatedat = CURRENT_TIMESTAMP
+     WHERE id = ?`,
+    [hash, salt, authRecord.id]
+  );
+  
+  return true;
+}
+
+/**
+ * Check if an email is already registered
+ */
+export async function isEmailRegistered(email: string): Promise<boolean> {
+  const authRecord = await getPasswordAuthByEmail(email);
+  return authRecord !== null;
+}
+
+/**
+ * Get statistics about password auth users
+ */
+export async function getPasswordAuthStats(): Promise<{
+  totalUsers: number;
+  verifiedUsers: number;
+  unverifiedUsers: number;
+}> {
+  const client = await db_init();
+  
+  const stats = await db_query(client, `
+    SELECT 
+      COUNT(*) as totalUsers,
+      SUM(CASE WHEN emailverified = true THEN 1 ELSE 0 END) as verifiedUsers,
+      SUM(CASE WHEN emailverified = false THEN 1 ELSE 0 END) as unverifiedUsers
+    FROM passwordauth
+  `);
+  
+  return stats[0];
+}