sitepaige-mcp-server 1.0.0 → 1.0.3

package/defaultapp/api/Auth/resend-verification/route.ts

@@ -0,0 +1,130 @@
+/*
+ * Resend verification email endpoint
+ * Allows users to request a new verification email
+ */
+
+import { NextResponse } from 'next/server';
+import { regenerateVerificationToken } from '../../../db-password-auth';
+import { send_email } from '../../../storage/email';
+
+// Email validation regex
+const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+export async function POST(request: Request) {
+  try {
+    const { email } = await request.json();
+
+    // Validate email format
+    if (!email || !emailRegex.test(email)) {
+      return NextResponse.json(
+        { error: 'Invalid email address' },
+        { status: 400 }
+      );
+    }
+
+    // Regenerate verification token
+    const result = await regenerateVerificationToken(email);
+
+    if (!result) {
+      // Don't reveal whether the email exists or not
+      return NextResponse.json({
+        success: true,
+        message: 'If an unverified account exists with this email, a verification email has been sent.'
+      });
+    }
+
+    const { verificationToken } = result;
+
+    // Get site domain from environment or default
+    const siteDomain = process.env.SITE_DOMAIN || 'https://sitepaige.com';
+    const verificationUrl = `${siteDomain}/api/Auth/verify-email?token=${verificationToken}`;
+
+    // Send verification email
+    try {
+      const emailHtml = `
+        <!DOCTYPE html>
+        <html>
+          <head>
+            <style>
+              body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; }
+              .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+              .button { 
+                display: inline-block; 
+                padding: 12px 24px; 
+                background-color: #f0f0f0; 
+                color: #000000; 
+                text-decoration: none; 
+                border: 1px solid #cccccc;
+                border-radius: 4px;
+              }
+              .footer { margin-top: 30px; font-size: 12px; color: #666; }
+            </style>
+          </head>
+          <body>
+            <div class="container">
+              <h2>Verify Your Email Address</h2>
+              <p>You requested a new verification email for your account at ${siteDomain}. Please verify your email address by clicking the button below:</p>
+              <p style="margin: 30px 0;">
+                <a href="${verificationUrl}" class="button">Verify Email Address</a>
+              </p>
+              <p>Or copy and paste this link into your browser:</p>
+              <p style="word-break: break-all; color: #0066cc;">${verificationUrl}</p>
+              <p>This link will expire in 24 hours.</p>
+              <div class="footer">
+                <p>If you didn't request this email, you can safely ignore it.</p>
+              </div>
+            </div>
+          </body>
+        </html>
+      `;
+
+      const emailText = `
+Verify Your Email Address
+
+You requested a new verification email for your account at ${siteDomain}. Please verify your email address by clicking the link below:
+
+${verificationUrl}
+
+This link will expire in 24 hours.
+
+If you didn't request this email, you can safely ignore it.
+      `;
+
+      await send_email({
+        to: email,
+        from: process.env.EMAIL_FROM || 'noreply@sitepaige.com',
+        subject: 'Verify your email address',
+        html: emailHtml,
+        text: emailText
+      });
+
+      return NextResponse.json({
+        success: true,
+        message: 'Verification email sent successfully! Please check your email.'
+      });
+
+    } catch (emailError) {
+      console.error('Failed to send verification email:', emailError);
+      return NextResponse.json({
+        success: false,
+        error: 'Failed to send verification email. Please try again later.'
+      }, { status: 500 });
+    }
+
+  } catch (error: any) {
+    console.error('Resend verification error:', error);
+
+    if (error.message === 'Email is already verified') {
+      return NextResponse.json(
+        { error: 'This email is already verified. Please sign in.' },
+        { status: 400 }
+      );
+    }
+
+    // Generic response to avoid revealing whether email exists
+    return NextResponse.json({
+      success: true,
+      message: 'If an unverified account exists with this email, a verification email has been sent.'
+    });
+  }
+}

package/defaultapp/api/Auth/route.ts

@@ -10,7 +10,6 @@ import * as crypto from 'node:crypto';
 
 import { db_init, db_query } from '../../db';
 import { upsertUser, storeOAuthToken, validateSession, rotateSession } from '../../db-users';
-import { validateCsrfToken } from '../../csrf';
 
 type OAuthProvider = 'google' | 'facebook' | 'apple'  | 'github';
 
@@ -32,11 +31,113 @@ export async function POST(request: Request) {
   const db = await db_init();
   
   try {
-    const { code, provider } = await request.json();
+    const { code, provider, email, password } = await request.json();
     
-    if (!code || !provider) {
+    if (!provider) {
       return NextResponse.json(
-        { error: 'No authorization code or provider specified' },
+        { error: 'No provider specified' },
+        { status: 400 }
+      );
+    }
+
+    // Handle username/password authentication
+    if (provider === 'username') {
+      if (!email || !password) {
+        return NextResponse.json(
+          { error: 'Email and password are required' },
+          { status: 400 }
+        );
+      }
+
+      const { authenticateUser, createPasswordAuthTable } = await import('../../db-password-auth');
+      const { upsertUser } = await import('../../db-users');
+      
+      // Ensure password auth table exists
+      await createPasswordAuthTable();
+
+      try {
+        // Authenticate the user
+        const authRecord = await authenticateUser(email, password);
+        
+        if (!authRecord) {
+          return NextResponse.json(
+            { error: 'Invalid email or password' },
+            { status: 401 }
+          );
+        }
+
+        // Create or update user in the main Users table
+        const user = await upsertUser(
+          `password_${authRecord.id}`, // Unique OAuth ID for password users
+          'username' as any, // Source type
+          email.split('@')[0], // Username from email
+          email,
+          undefined // No avatar for password auth
+        );
+
+        // Delete existing sessions for this user
+        const existingSessions = await db_query(db, 
+          "SELECT ID FROM usersession WHERE userid = ?", 
+          [user.userid]
+        );
+        
+        if (existingSessions && existingSessions.length > 0) {
+          const sessionIds = existingSessions.map(session => session.ID);
+          const placeholders = sessionIds.map(() => '?').join(',');
+          await db_query(db, `DELETE FROM usersession WHERE ID IN (${placeholders})`, sessionIds);
+        }
+
+        // Generate secure session token and ID
+        const sessionId = crypto.randomUUID();
+        const sessionToken = crypto.randomBytes(32).toString('base64url');
+
+        // Create new session with secure token
+        await db_query(db, 
+          "INSERT INTO usersession (ID, SessionToken, userid, ExpirationDate) VALUES (?, ?, ?, ?)",
+          [sessionId, sessionToken, user.userid, new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString()]
+        );
+
+        // Set session cookie with secure token
+        const sessionCookie = await cookies();
+        sessionCookie.set({
+          name: 'session_id', 
+          value: sessionToken,
+          httpOnly: true,
+          secure: process.env.NODE_ENV === 'production',
+          sameSite: process.env.NODE_ENV === 'production' ? 'strict' : 'lax',
+          maxAge: 30 * 24 * 60 * 60, // 30 days
+          path: '/',
+        });
+
+        // Create a completely clean object to avoid any database result object issues
+        const cleanUserData = {
+          userid: String(user.userid),
+          userName: String(user.UserName),
+          avatarURL: String(user.AvatarURL || ''),
+          userLevel: Number(user.UserLevel),
+          isAdmin: Number(user.UserLevel) === 2
+        };
+        
+        return NextResponse.json({ 
+          success: true,
+          user: cleanUserData
+        });
+
+      } catch (error: any) {
+        if (error.message === 'Email not verified') {
+          return NextResponse.json(
+            { error: 'Please verify your email before logging in' },
+            { status: 403 }
+          );
+        }
+        throw error;
+      }
+    }
+
+    // Handle OAuth authentication
+    if (!code) {
+      return NextResponse.json(
+        { error: 'No authorization code specified' },
         { status: 400 }
       );
     }
@@ -293,15 +394,6 @@ export async function GET() {
 }
 
 export async function DELETE(request: Request) {
-  // Validate CSRF token for logout
-  const isValidCsrf = await validateCsrfToken(request);
-  if (!isValidCsrf) {
-    return NextResponse.json(
-      { error: 'Invalid CSRF token' },
-      { status: 403 }
-    );
-  }
-  
   const db = await db_init();
   
   try {

package/defaultapp/api/Auth/signup/route.ts

@@ -0,0 +1,133 @@
+/*
+ * Signup endpoint for username/password authentication
+ * Handles user registration with email verification
+ */
+
+import { NextResponse } from 'next/server';
+import { createPasswordAuth } from '../../../db-password-auth';
+import { send_email } from '../../../storage/email';
+
+// Email validation regex
+const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+// Password validation - at least 8 characters, one uppercase, one lowercase, one number
+const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/;
+
+export async function POST(request: Request) {
+  try {
+    const { email, password } = await request.json();
+
+    // Validate email format
+    if (!email || !emailRegex.test(email)) {
+      return NextResponse.json(
+        { error: 'Invalid email address' },
+        { status: 400 }
+      );
+    }
+
+    // Validate password strength
+    if (!password || !passwordRegex.test(password)) {
+      return NextResponse.json(
+        { error: 'Password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one number' },
+        { status: 400 }
+      );
+    }
+
+    // Create password auth record
+    const { passwordAuth, verificationToken } = await createPasswordAuth(email, password);
+
+    // Get site domain from environment or default
+    const siteDomain = process.env.SITE_DOMAIN || 'https://sitepaige.com';
+    const verificationUrl = `${siteDomain}/api/Auth/verify-email?token=${verificationToken}`;
+
+    // Send verification email
+    try {
+      const emailHtml = `
+        <!DOCTYPE html>
+        <html>
+          <head>
+            <style>
+              body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; }
+              .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+              .button { 
+                display: inline-block; 
+                padding: 12px 24px; 
+                background-color: #f0f0f0; 
+                color: #000000; 
+                text-decoration: none; 
+                border: 1px solid #cccccc;
+                border-radius: 4px;
+              }
+              .footer { margin-top: 30px; font-size: 12px; color: #666; }
+            </style>
+          </head>
+          <body>
+            <div class="container">
+              <h2>Welcome to ${siteDomain}!</h2>
+              <p>Thank you for signing up. Please verify your email address by clicking the button below:</p>
+              <p style="margin: 30px 0;">
+                <a href="${verificationUrl}" class="button">Verify Email Address</a>
+              </p>
+              <p>Or copy and paste this link into your browser:</p>
+              <p style="word-break: break-all; color: #0066cc;">${verificationUrl}</p>
+              <p>This link will expire in 24 hours.</p>
+              <div class="footer">
+                <p>If you didn't create an account, you can safely ignore this email.</p>
+              </div>
+            </div>
+          </body>
+        </html>
+      `;
+
+      const emailText = `
+Welcome to ${siteDomain}!
+
+Thank you for signing up. Please verify your email address by clicking the link below:
+
+${verificationUrl}
+
+This link will expire in 24 hours.
+
+If you didn't create an account, you can safely ignore this email.
+      `;
+
+      await send_email({
+        to: email,
+        from: process.env.EMAIL_FROM || 'noreply@sitepaige.com',
+        subject: 'Verify your email address',
+        html: emailHtml,
+        text: emailText
+      });
+
+      return NextResponse.json({
+        success: true,
+        message: 'Registration successful! Please check your email to verify your account.'
+      });
+
+    } catch (emailError) {
+      console.error('Failed to send verification email:', emailError);
+      // Still return success but with a warning
+      return NextResponse.json({
+        success: true,
+        message: 'Registration successful! However, we could not send the verification email. Please contact support.',
+        warning: 'Email sending failed'
+      });
+    }
+
+  } catch (error: any) {
+    console.error('Signup error:', error);
+
+    // Handle specific errors
+    if (error.message === 'Email already registered') {
+      return NextResponse.json(
+        { error: 'This email is already registered. Please sign in instead.' },
+        { status: 409 }
+      );
+    }
+
+    return NextResponse.json(
+      { error: error.message || 'Signup failed' },
+      { status: 500 }
+    );
+  }
+}

package/defaultapp/api/Auth/verify-email/route.ts

@@ -0,0 +1,105 @@
+/*
+ * Email verification endpoint
+ * Handles email verification tokens from signup emails
+ */
+
+import { NextResponse } from 'next/server';
+import { verifyEmailWithToken } from '../../../db-password-auth';
+import { upsertUser } from '../../../db-users';
+import { db_init, db_query } from '../../../db';
+import { cookies } from 'next/headers';
+import * as crypto from 'node:crypto';
+
+export async function GET(request: Request) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const token = searchParams.get('token');
+
+    if (!token) {
+      return NextResponse.json(
+        { error: 'Verification token is required' },
+        { status: 400 }
+      );
+    }
+
+    // Verify the email with token
+    const authRecord = await verifyEmailWithToken(token);
+
+    if (!authRecord) {
+      return NextResponse.json(
+        { error: 'Invalid or expired verification token' },
+        { status: 400 }
+      );
+    }
+
+    // Create or update user in the main Users table
+    const user = await upsertUser(
+      `password_${authRecord.id}`, // Unique OAuth ID for password users
+      'userpass' as any, // Source type
+      authRecord.email.split('@')[0], // Username from email
+      authRecord.email,
+      undefined // No avatar for password auth
+    );
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Failed to create user account' },
+        { status: 500 }
+      );
+    }
+
+    // Auto-login the user after verification
+    const db = await db_init();
+    
+    // Delete existing sessions for this user
+    const existingSessions = await db_query(db, 
+      "SELECT ID FROM usersession WHERE userid = ?", 
+      [user.userid]
+    );
+    
+    if (existingSessions && existingSessions.length > 0) {
+      const sessionIds = existingSessions.map(session => session.ID);
+      const placeholders = sessionIds.map(() => '?').join(',');
+      await db_query(db, `DELETE FROM usersession WHERE ID IN (${placeholders})`, sessionIds);
+    }
+
+    // Generate secure session token and ID
+    const sessionId = crypto.randomUUID();
+    const sessionToken = crypto.randomBytes(32).toString('base64url');
+
+    // Create new session with secure token
+    await db_query(db, 
+      "INSERT INTO usersession (ID, SessionToken, userid, ExpirationDate) VALUES (?, ?, ?, ?)",
+      [sessionId, sessionToken, user.userid, new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString()]
+    );
+
+    // Set session cookie with secure token
+    const sessionCookie = await cookies();
+    sessionCookie.set({
+      name: 'session_id', 
+      value: sessionToken,
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: process.env.NODE_ENV === 'production' ? 'strict' : 'lax',
+      maxAge: 30 * 24 * 60 * 60, // 30 days
+      path: '/',
+    });
+
+    // Redirect to home page or dashboard with success message
+    const siteDomain = process.env.SITE_DOMAIN || 'https://sitepaige.com';
+    const redirectUrl = new URL('/', siteDomain);
+    redirectUrl.searchParams.set('verified', 'true');
+    
+    return NextResponse.redirect(redirectUrl);
+
+  } catch (error: any) {
+    console.error('Email verification error:', error);
+    
+    // Redirect to home with error
+    const siteDomain = process.env.SITE_DOMAIN || 'https://sitepaige.com';
+    const redirectUrl = new URL('/', siteDomain);
+    redirectUrl.searchParams.set('error', 'verification_failed');
+    
+    return NextResponse.redirect(redirectUrl);
+  }
+}