npm - third-audience-mdx - Versions diffs - 1.0.0 - Mend

third-audience-mdx 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (108) hide show

package/CLAUDE.md +41 -0
package/INSTALLATION.md +367 -0
package/README.md +303 -0
package/WORKLOG.md +162 -0
package/dist/cli/index.d.mts +1 -0
package/dist/cli/index.d.ts +1 -0
package/dist/cli/index.js +208 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/index.mjs +185 -0
package/dist/cli/index.mjs.map +1 -0
package/dist/dashboard/auth.d.mts +16 -0
package/dist/dashboard/auth.d.ts +16 -0
package/dist/dashboard/auth.js +123 -0
package/dist/dashboard/auth.js.map +1 -0
package/dist/dashboard/auth.mjs +87 -0
package/dist/dashboard/auth.mjs.map +1 -0
package/dist/dashboard/routes/analytics-api-route.d.mts +6 -0
package/dist/dashboard/routes/analytics-api-route.d.ts +6 -0
package/dist/dashboard/routes/analytics-api-route.js +180 -0
package/dist/dashboard/routes/analytics-api-route.js.map +1 -0
package/dist/dashboard/routes/analytics-api-route.mjs +145 -0
package/dist/dashboard/routes/analytics-api-route.mjs.map +1 -0
package/dist/dashboard/routes/api-key-route.d.mts +8 -0
package/dist/dashboard/routes/api-key-route.d.ts +8 -0
package/dist/dashboard/routes/api-key-route.js +173 -0
package/dist/dashboard/routes/api-key-route.js.map +1 -0
package/dist/dashboard/routes/api-key-route.mjs +137 -0
package/dist/dashboard/routes/api-key-route.mjs.map +1 -0
package/dist/dashboard/routes/citation-route.d.mts +14 -0
package/dist/dashboard/routes/citation-route.d.ts +14 -0
package/dist/dashboard/routes/citation-route.js +202 -0
package/dist/dashboard/routes/citation-route.js.map +1 -0
package/dist/dashboard/routes/citation-route.mjs +166 -0
package/dist/dashboard/routes/citation-route.mjs.map +1 -0
package/dist/dashboard/routes/llms-txt-route.d.mts +6 -0
package/dist/dashboard/routes/llms-txt-route.d.ts +6 -0
package/dist/dashboard/routes/llms-txt-route.js +119 -0
package/dist/dashboard/routes/llms-txt-route.js.map +1 -0
package/dist/dashboard/routes/llms-txt-route.mjs +84 -0
package/dist/dashboard/routes/llms-txt-route.mjs.map +1 -0
package/dist/dashboard/routes/login-route.d.mts +6 -0
package/dist/dashboard/routes/login-route.d.ts +6 -0
package/dist/dashboard/routes/login-route.js +313 -0
package/dist/dashboard/routes/login-route.js.map +1 -0
package/dist/dashboard/routes/login-route.mjs +284 -0
package/dist/dashboard/routes/login-route.mjs.map +1 -0
package/dist/dashboard/routes/markdown-route.d.mts +15 -0
package/dist/dashboard/routes/markdown-route.d.ts +15 -0
package/dist/dashboard/routes/markdown-route.js +239 -0
package/dist/dashboard/routes/markdown-route.js.map +1 -0
package/dist/dashboard/routes/markdown-route.mjs +204 -0
package/dist/dashboard/routes/markdown-route.mjs.map +1 -0
package/dist/dashboard/routes/okf-route.d.mts +13 -0
package/dist/dashboard/routes/okf-route.d.ts +13 -0
package/dist/dashboard/routes/okf-route.js +184 -0
package/dist/dashboard/routes/okf-route.js.map +1 -0
package/dist/dashboard/routes/okf-route.mjs +149 -0
package/dist/dashboard/routes/okf-route.mjs.map +1 -0
package/dist/dashboard/routes/sitemap-ai-route.d.mts +6 -0
package/dist/dashboard/routes/sitemap-ai-route.d.ts +6 -0
package/dist/dashboard/routes/sitemap-ai-route.js +134 -0
package/dist/dashboard/routes/sitemap-ai-route.js.map +1 -0
package/dist/dashboard/routes/sitemap-ai-route.mjs +99 -0
package/dist/dashboard/routes/sitemap-ai-route.mjs.map +1 -0
package/dist/dashboard/ui/components/Sidebar.d.mts +5 -0
package/dist/dashboard/ui/components/Sidebar.d.ts +5 -0
package/dist/dashboard/ui/components/Sidebar.js +102 -0
package/dist/dashboard/ui/components/Sidebar.js.map +1 -0
package/dist/dashboard/ui/components/Sidebar.mjs +68 -0
package/dist/dashboard/ui/components/Sidebar.mjs.map +1 -0
package/dist/dashboard/ui/globals.css +175 -0
package/dist/dashboard/ui/pages/BotAnalyticsPage.d.mts +5 -0
package/dist/dashboard/ui/pages/BotAnalyticsPage.d.ts +5 -0
package/dist/dashboard/ui/pages/BotAnalyticsPage.js +269 -0
package/dist/dashboard/ui/pages/BotAnalyticsPage.js.map +1 -0
package/dist/dashboard/ui/pages/BotAnalyticsPage.mjs +232 -0
package/dist/dashboard/ui/pages/BotAnalyticsPage.mjs.map +1 -0
package/dist/dashboard/ui/pages/BotManagementPage.d.mts +13 -0
package/dist/dashboard/ui/pages/BotManagementPage.d.ts +13 -0
package/dist/dashboard/ui/pages/BotManagementPage.js +177 -0
package/dist/dashboard/ui/pages/BotManagementPage.js.map +1 -0
package/dist/dashboard/ui/pages/BotManagementPage.mjs +153 -0
package/dist/dashboard/ui/pages/BotManagementPage.mjs.map +1 -0
package/dist/dashboard/ui/pages/LlmTrafficPage.d.mts +5 -0
package/dist/dashboard/ui/pages/LlmTrafficPage.d.ts +5 -0
package/dist/dashboard/ui/pages/LlmTrafficPage.js +203 -0
package/dist/dashboard/ui/pages/LlmTrafficPage.js.map +1 -0
package/dist/dashboard/ui/pages/LlmTrafficPage.mjs +168 -0
package/dist/dashboard/ui/pages/LlmTrafficPage.mjs.map +1 -0
package/dist/dashboard/ui/pages/SettingsPage.d.mts +8 -0
package/dist/dashboard/ui/pages/SettingsPage.d.ts +8 -0
package/dist/dashboard/ui/pages/SettingsPage.js +181 -0
package/dist/dashboard/ui/pages/SettingsPage.js.map +1 -0
package/dist/dashboard/ui/pages/SettingsPage.mjs +157 -0
package/dist/dashboard/ui/pages/SettingsPage.mjs.map +1 -0
package/dist/dashboard/ui/pages/SystemHealthPage.d.mts +5 -0
package/dist/dashboard/ui/pages/SystemHealthPage.d.ts +5 -0
package/dist/dashboard/ui/pages/SystemHealthPage.js +183 -0
package/dist/dashboard/ui/pages/SystemHealthPage.js.map +1 -0
package/dist/dashboard/ui/pages/SystemHealthPage.mjs +148 -0
package/dist/dashboard/ui/pages/SystemHealthPage.mjs.map +1 -0
package/dist/index.d.mts +84 -0
package/dist/index.d.ts +84 -0
package/dist/index.js +372 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +346 -0
package/dist/index.mjs.map +1 -0
package/package.json +125 -0

package/dist/dashboard/routes/analytics-api-route.js ADDED Viewed

@@ -0,0 +1,180 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/dashboard/routes/analytics-api-route.ts
+var analytics_api_route_exports = {};
+__export(analytics_api_route_exports, {
+  GET: () => GET
+});
+module.exports = __toCommonJS(analytics_api_route_exports);
+var import_server2 = require("next/server");
+// src/analytics/performance-stats.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var PerformanceStats = class {
+  constructor(dataDir = process.env.TA_DATA_DIR ?? "data") {
+    this.dataDir = dataDir;
+  }
+  compute(days = 30) {
+    const records = this.loadRecords(days);
+    const totalVisits = records.length;
+    const uniqueBots = [...new Set(records.map((r) => r.bot_name).filter(Boolean))];
+    const withResponseMs = records.filter((r) => r.response_ms !== null);
+    const avgResponseMs = withResponseMs.length > 0 ? withResponseMs.reduce((s, r) => s + r.response_ms, 0) / withResponseMs.length : null;
+    const cacheHitRate = records.length > 0 ? records.filter((r) => r.cache_hit).length / records.length : null;
+    const pageCounts = /* @__PURE__ */ new Map();
+    const botCounts = /* @__PURE__ */ new Map();
+    const dayCounts = /* @__PURE__ */ new Map();
+    for (const r of records) {
+      pageCounts.set(r.url, (pageCounts.get(r.url) ?? 0) + 1);
+      const name = r.bot_name ?? "unknown";
+      botCounts.set(name, (botCounts.get(name) ?? 0) + 1);
+      const day = r.timestamp.slice(0, 10);
+      dayCounts.set(day, (dayCounts.get(day) ?? 0) + 1);
+    }
+    const topPages = [...pageCounts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10).map(([url, visits]) => ({ url, visits }));
+    const topBots = [...botCounts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10).map(([name, visits]) => ({ name, visits }));
+    const visitsByDay = [...dayCounts.entries()].sort((a, b) => a[0].localeCompare(b[0])).map(([date, visits]) => ({ date, visits }));
+    return { totalVisits, uniqueBots, avgResponseMs, cacheHitRate, topPages, topBots, visitsByDay };
+  }
+  loadRecords(days) {
+    const filePath = import_path.default.join(this.dataDir, "ta-visits.jsonl");
+    if (!import_fs.default.existsSync(filePath)) return [];
+    const cutoff = /* @__PURE__ */ new Date();
+    cutoff.setDate(cutoff.getDate() - days);
+    const cutoffStr = cutoff.toISOString();
+    return import_fs.default.readFileSync(filePath, "utf-8").split("\n").filter(Boolean).map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    }).filter((r) => r !== null && r.timestamp >= cutoffStr);
+  }
+};
+// src/dashboard/auth.ts
+var import_server = require("next/server");
+// src/dashboard/admin-store.ts
+var import_fs2 = __toESM(require("fs"));
+var import_path2 = __toESM(require("path"));
+var import_crypto = __toESM(require("crypto"));
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return import_path2.default.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!import_fs2.default.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return import_crypto.default.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = import_crypto.default.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = import_crypto.default.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return import_server.NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+// src/dashboard/routes/analytics-api-route.ts
+var stats = new PerformanceStats();
+async function GET(req) {
+  if (!checkApiAuth(req)) {
+    return unauthorizedResponse();
+  }
+  const days = parseInt(req.nextUrl.searchParams.get("days") ?? "30", 10);
+  const summary = stats.compute(days);
+  return import_server2.NextResponse.json(summary);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GET
+});
+//# sourceMappingURL=analytics-api-route.js.map

package/dist/dashboard/routes/analytics-api-route.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/dashboard/routes/analytics-api-route.ts","../../../src/analytics/performance-stats.ts","../../../src/dashboard/auth.ts","../../../src/dashboard/admin-store.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from 'next/server'\nimport { PerformanceStats } from '../../analytics/performance-stats.js'\nimport { checkApiAuth, unauthorizedResponse } from '../auth.js'\n\nconst stats = new PerformanceStats()\n\n/** GET /api/third-audience/analytics?days=30 */\nexport async function GET(req: NextRequest) {\n if (!checkApiAuth(req)) {\n return unauthorizedResponse()\n }\n\n const days = parseInt(req.nextUrl.searchParams.get('days') ?? '30', 10)\n const summary = stats.compute(days)\n\n return NextResponse.json(summary)\n}\n","import fs from 'fs'\nimport path from 'path'\nimport type { VisitRecord } from './visit-tracker.js'\n\nexport interface PerformanceSummary {\n totalVisits: number\n uniqueBots: string[]\n avgResponseMs: number | null\n cacheHitRate: number | null\n topPages: Array<{ url: string; visits: number }>\n topBots: Array<{ name: string; visits: number }>\n visitsByDay: Array<{ date: string; visits: number }>\n}\n\nexport class PerformanceStats {\n private dataDir: string\n\n constructor(dataDir = process.env.TA_DATA_DIR ?? 'data') {\n this.dataDir = dataDir\n }\n\n compute(days = 30): PerformanceSummary {\n const records = this.loadRecords(days)\n\n const totalVisits = records.length\n const uniqueBots = [...new Set(records.map(r => r.bot_name).filter(Boolean))] as string[]\n\n const withResponseMs = records.filter(r => r.response_ms !== null)\n const avgResponseMs = withResponseMs.length > 0\n ? withResponseMs.reduce((s, r) => s + r.response_ms!, 0) / withResponseMs.length\n : null\n\n const cacheHitRate = records.length > 0\n ? records.filter(r => r.cache_hit).length / records.length\n : null\n\n const pageCounts = new Map<string, number>()\n const botCounts = new Map<string, number>()\n const dayCounts = new Map<string, number>()\n\n for (const r of records) {\n pageCounts.set(r.url, (pageCounts.get(r.url) ?? 0) + 1)\n const name = r.bot_name ?? 'unknown'\n botCounts.set(name, (botCounts.get(name) ?? 0) + 1)\n const day = r.timestamp.slice(0, 10)\n dayCounts.set(day, (dayCounts.get(day) ?? 0) + 1)\n }\n\n const topPages = [...pageCounts.entries()]\n .sort((a, b) => b[1] - a[1])\n .slice(0, 10)\n .map(([url, visits]) => ({ url, visits }))\n\n const topBots = [...botCounts.entries()]\n .sort((a, b) => b[1] - a[1])\n .slice(0, 10)\n .map(([name, visits]) => ({ name, visits }))\n\n const visitsByDay = [...dayCounts.entries()]\n .sort((a, b) => a[0].localeCompare(b[0]))\n .map(([date, visits]) => ({ date, visits }))\n\n return { totalVisits, uniqueBots, avgResponseMs, cacheHitRate, topPages, topBots, visitsByDay }\n }\n\n private loadRecords(days: number): VisitRecord[] {\n const filePath = path.join(this.dataDir, 'ta-visits.jsonl')\n if (!fs.existsSync(filePath)) return []\n\n const cutoff = new Date()\n cutoff.setDate(cutoff.getDate() - days)\n const cutoffStr = cutoff.toISOString()\n\n return fs.readFileSync(filePath, 'utf-8')\n .split('\\n')\n .filter(Boolean)\n .map(line => { try { return JSON.parse(line) as VisitRecord } catch { return null } })\n .filter((r): r is VisitRecord => r !== null && r.timestamp >= cutoffStr)\n }\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n // 1. X-TA-Api-Key header (WP-style headless key)\n const apiKeyHeader = req.headers.get('x-ta-api-key')\n if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n // 2. Bearer token (treat as api key)\n const auth = req.headers.get('authorization') ?? ''\n if (auth.startsWith('Bearer ')) {\n const token = auth.slice(7)\n return verifyApiKey(token)\n }\n\n // 3. Browser session cookie\n const session = req.cookies.get(SESSION_COOKIE)?.value\n if (session) return verifySession(session)\n\n return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n return NextResponse.json(\n { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n {\n status: 401,\n headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n }\n )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n passwordHash: string // sha256(secret + password)\n isDefaultPassword: boolean\n createdAt: string\n lastLoginAt: string | null\n apiKey?: string // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n const dataDir = process.env.TA_DATA_DIR ?? 'data'\n return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n const filePath = adminFilePath()\n if (!fs.existsSync(filePath)) return null\n try {\n return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n } catch {\n return null\n }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n const filePath = adminFilePath()\n const dir = path.dirname(filePath)\n if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n const existing = loadAdmin()\n if (existing) return { password: '', apiKey: '', isNew: false }\n\n const apiKey = generateApiKey()\n saveAdmin({\n passwordHash: hashPassword(DEFAULT_PASSWORD),\n isDefaultPassword: true,\n createdAt: new Date().toISOString(),\n lastLoginAt: null,\n apiKey: encryptApiKey(apiKey),\n })\n return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n const record = loadAdmin()\n if (!record) return false\n return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n const record = loadAdmin()\n if (!record) return\n saveAdmin({\n ...record,\n passwordHash: hashPassword(newPassword),\n isDefaultPassword: false,\n })\n}\n\nexport function recordLogin(): void {\n const record = loadAdmin()\n if (!record) return\n saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n // Derive a 32-byte key from the secret using SHA-256\n return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n const iv = crypto.randomBytes(12)\n const key = getEncryptionKey()\n const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n const tag = cipher.getAuthTag()\n // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n try {\n const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n const encrypted = Buffer.from(encoded.slice(56), 'hex')\n const key = getEncryptionKey()\n const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n decipher.setAuthTag(tag)\n return decipher.update(encrypted) + decipher.final('utf8')\n } catch {\n return null\n }\n}\n\nexport function generateApiKey(): string {\n return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n const record = loadAdmin()\n if (!record?.apiKey) return null\n return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n const record = loadAdmin()\n if (!record) throw new Error('Admin store not initialised')\n const newKey = generateApiKey()\n saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n const stored = getApiKey()\n if (!stored) return false\n if (key.length !== stored.length) return false\n return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n const lastDot = token.lastIndexOf('.')\n if (lastDot === -1) return false\n const payload = token.slice(0, lastDot)\n const sig = token.slice(lastDot + 1)\n const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n .update(payload).digest('hex')\n // Constant-time comparison\n if (sig.length !== expected.length) return false\n return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,iBAA+C;;;ACA/C,gBAAe;AACf,kBAAiB;AAaV,IAAM,mBAAN,MAAuB;AAAA,EAG5B,YAAY,UAAU,QAAQ,IAAI,eAAe,QAAQ;AACvD,SAAK,UAAU;AAAA,EACjB;AAAA,EAEA,QAAQ,OAAO,IAAwB;AACrC,UAAM,UAAU,KAAK,YAAY,IAAI;AAErC,UAAM,cAAc,QAAQ;AAC5B,UAAM,aAAa,CAAC,GAAG,IAAI,IAAI,QAAQ,IAAI,OAAK,EAAE,QAAQ,EAAE,OAAO,OAAO,CAAC,CAAC;AAE5E,UAAM,iBAAiB,QAAQ,OAAO,OAAK,EAAE,gBAAgB,IAAI;AACjE,UAAM,gBAAgB,eAAe,SAAS,IAC1C,eAAe,OAAO,CAAC,GAAG,MAAM,IAAI,EAAE,aAAc,CAAC,IAAI,eAAe,SACxE;AAEJ,UAAM,eAAe,QAAQ,SAAS,IAClC,QAAQ,OAAO,OAAK,EAAE,SAAS,EAAE,SAAS,QAAQ,SAClD;AAEJ,UAAM,aAAa,oBAAI,IAAoB;AAC3C,UAAM,YAAY,oBAAI,IAAoB;AAC1C,UAAM,YAAY,oBAAI,IAAoB;AAE1C,eAAW,KAAK,SAAS;AACvB,iBAAW,IAAI,EAAE,MAAM,WAAW,IAAI,EAAE,GAAG,KAAK,KAAK,CAAC;AACtD,YAAM,OAAO,EAAE,YAAY;AAC3B,gBAAU,IAAI,OAAO,UAAU,IAAI,IAAI,KAAK,KAAK,CAAC;AAClD,YAAM,MAAM,EAAE,UAAU,MAAM,GAAG,EAAE;AACnC,gBAAU,IAAI,MAAM,UAAU,IAAI,GAAG,KAAK,KAAK,CAAC;AAAA,IAClD;AAEA,UAAM,WAAW,CAAC,GAAG,WAAW,QAAQ,CAAC,EACtC,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,EAC1B,MAAM,GAAG,EAAE,EACX,IAAI,CAAC,CAAC,KAAK,MAAM,OAAO,EAAE,KAAK,OAAO,EAAE;AAE3C,UAAM,UAAU,CAAC,GAAG,UAAU,QAAQ,CAAC,EACpC,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,EAC1B,MAAM,GAAG,EAAE,EACX,IAAI,CAAC,CAAC,MAAM,MAAM,OAAO,EAAE,MAAM,OAAO,EAAE;AAE7C,UAAM,cAAc,CAAC,GAAG,UAAU,QAAQ,CAAC,EACxC,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EACvC,IAAI,CAAC,CAAC,MAAM,MAAM,OAAO,EAAE,MAAM,OAAO,EAAE;AAE7C,WAAO,EAAE,aAAa,YAAY,eAAe,cAAc,UAAU,SAAS,YAAY;AAAA,EAChG;AAAA,EAEQ,YAAY,MAA6B;AAC/C,UAAM,WAAW,YAAAC,QAAK,KAAK,KAAK,SAAS,iBAAiB;AAC1D,QAAI,CAAC,UAAAC,QAAG,WAAW,QAAQ,EAAG,QAAO,CAAC;AAEtC,UAAM,SAAS,oBAAI,KAAK;AACxB,WAAO,QAAQ,OAAO,QAAQ,IAAI,IAAI;AACtC,UAAM,YAAY,OAAO,YAAY;AAErC,WAAO,UAAAA,QAAG,aAAa,UAAU,OAAO,EACrC,MAAM,IAAI,EACV,OAAO,OAAO,EACd,IAAI,UAAQ;AAAE,UAAI;AAAE,eAAO,KAAK,MAAM,IAAI;AAAA,MAAiB,QAAQ;AAAE,eAAO;AAAA,MAAK;AAAA,IAAE,CAAC,EACpF,OAAO,CAAC,MAAwB,MAAM,QAAQ,EAAE,aAAa,SAAS;AAAA,EAC3E;AACF;;;AC9EA,oBAA6B;;;ACD7B,IAAAC,aAAe;AACf,IAAAC,eAAiB;AACjB,oBAAmB;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAO,aAAAC,QAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAAC,WAAAC,QAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAM,WAAAA,QAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,cAAAC,QAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,cAAAC,QAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,cAAAC,QAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,cAAAC,QAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,cAAAA,QAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,2BAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;;;AFvCA,IAAM,QAAQ,IAAI,iBAAiB;AAGnC,eAAsB,IAAI,KAAkB;AAC1C,MAAI,CAAC,aAAa,GAAG,GAAG;AACtB,WAAO,qBAAqB;AAAA,EAC9B;AAEA,QAAM,OAAO,SAAS,IAAI,QAAQ,aAAa,IAAI,MAAM,KAAK,MAAM,EAAE;AACtE,QAAM,UAAU,MAAM,QAAQ,IAAI;AAElC,SAAO,4BAAa,KAAK,OAAO;AAClC;","names":["import_server","path","fs","import_fs","import_path","path","fs","crypto","crypto","crypto","crypto"]}

package/dist/dashboard/routes/analytics-api-route.mjs ADDED Viewed

@@ -0,0 +1,145 @@
+// src/dashboard/routes/analytics-api-route.ts
+import { NextResponse as NextResponse2 } from "next/server";
+// src/analytics/performance-stats.ts
+import fs from "fs";
+import path from "path";
+var PerformanceStats = class {
+  constructor(dataDir = process.env.TA_DATA_DIR ?? "data") {
+    this.dataDir = dataDir;
+  }
+  compute(days = 30) {
+    const records = this.loadRecords(days);
+    const totalVisits = records.length;
+    const uniqueBots = [...new Set(records.map((r) => r.bot_name).filter(Boolean))];
+    const withResponseMs = records.filter((r) => r.response_ms !== null);
+    const avgResponseMs = withResponseMs.length > 0 ? withResponseMs.reduce((s, r) => s + r.response_ms, 0) / withResponseMs.length : null;
+    const cacheHitRate = records.length > 0 ? records.filter((r) => r.cache_hit).length / records.length : null;
+    const pageCounts = /* @__PURE__ */ new Map();
+    const botCounts = /* @__PURE__ */ new Map();
+    const dayCounts = /* @__PURE__ */ new Map();
+    for (const r of records) {
+      pageCounts.set(r.url, (pageCounts.get(r.url) ?? 0) + 1);
+      const name = r.bot_name ?? "unknown";
+      botCounts.set(name, (botCounts.get(name) ?? 0) + 1);
+      const day = r.timestamp.slice(0, 10);
+      dayCounts.set(day, (dayCounts.get(day) ?? 0) + 1);
+    }
+    const topPages = [...pageCounts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10).map(([url, visits]) => ({ url, visits }));
+    const topBots = [...botCounts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10).map(([name, visits]) => ({ name, visits }));
+    const visitsByDay = [...dayCounts.entries()].sort((a, b) => a[0].localeCompare(b[0])).map(([date, visits]) => ({ date, visits }));
+    return { totalVisits, uniqueBots, avgResponseMs, cacheHitRate, topPages, topBots, visitsByDay };
+  }
+  loadRecords(days) {
+    const filePath = path.join(this.dataDir, "ta-visits.jsonl");
+    if (!fs.existsSync(filePath)) return [];
+    const cutoff = /* @__PURE__ */ new Date();
+    cutoff.setDate(cutoff.getDate() - days);
+    const cutoffStr = cutoff.toISOString();
+    return fs.readFileSync(filePath, "utf-8").split("\n").filter(Boolean).map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    }).filter((r) => r !== null && r.timestamp >= cutoffStr);
+  }
+};
+// src/dashboard/auth.ts
+import { NextResponse } from "next/server";
+// src/dashboard/admin-store.ts
+import fs2 from "fs";
+import path2 from "path";
+import crypto from "crypto";
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return path2.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!fs2.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(fs2.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return crypto.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = crypto.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = crypto.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+// src/dashboard/routes/analytics-api-route.ts
+var stats = new PerformanceStats();
+async function GET(req) {
+  if (!checkApiAuth(req)) {
+    return unauthorizedResponse();
+  }
+  const days = parseInt(req.nextUrl.searchParams.get("days") ?? "30", 10);
+  const summary = stats.compute(days);
+  return NextResponse2.json(summary);
+}
+export {
+  GET
+};
+//# sourceMappingURL=analytics-api-route.mjs.map

package/dist/dashboard/routes/analytics-api-route.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/dashboard/routes/analytics-api-route.ts","../../../src/analytics/performance-stats.ts","../../../src/dashboard/auth.ts","../../../src/dashboard/admin-store.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from 'next/server'\nimport { PerformanceStats } from '../../analytics/performance-stats.js'\nimport { checkApiAuth, unauthorizedResponse } from '../auth.js'\n\nconst stats = new PerformanceStats()\n\n/** GET /api/third-audience/analytics?days=30 */\nexport async function GET(req: NextRequest) {\n if (!checkApiAuth(req)) {\n return unauthorizedResponse()\n }\n\n const days = parseInt(req.nextUrl.searchParams.get('days') ?? '30', 10)\n const summary = stats.compute(days)\n\n return NextResponse.json(summary)\n}\n","import fs from 'fs'\nimport path from 'path'\nimport type { VisitRecord } from './visit-tracker.js'\n\nexport interface PerformanceSummary {\n totalVisits: number\n uniqueBots: string[]\n avgResponseMs: number | null\n cacheHitRate: number | null\n topPages: Array<{ url: string; visits: number }>\n topBots: Array<{ name: string; visits: number }>\n visitsByDay: Array<{ date: string; visits: number }>\n}\n\nexport class PerformanceStats {\n private dataDir: string\n\n constructor(dataDir = process.env.TA_DATA_DIR ?? 'data') {\n this.dataDir = dataDir\n }\n\n compute(days = 30): PerformanceSummary {\n const records = this.loadRecords(days)\n\n const totalVisits = records.length\n const uniqueBots = [...new Set(records.map(r => r.bot_name).filter(Boolean))] as string[]\n\n const withResponseMs = records.filter(r => r.response_ms !== null)\n const avgResponseMs = withResponseMs.length > 0\n ? withResponseMs.reduce((s, r) => s + r.response_ms!, 0) / withResponseMs.length\n : null\n\n const cacheHitRate = records.length > 0\n ? records.filter(r => r.cache_hit).length / records.length\n : null\n\n const pageCounts = new Map<string, number>()\n const botCounts = new Map<string, number>()\n const dayCounts = new Map<string, number>()\n\n for (const r of records) {\n pageCounts.set(r.url, (pageCounts.get(r.url) ?? 0) + 1)\n const name = r.bot_name ?? 'unknown'\n botCounts.set(name, (botCounts.get(name) ?? 0) + 1)\n const day = r.timestamp.slice(0, 10)\n dayCounts.set(day, (dayCounts.get(day) ?? 0) + 1)\n }\n\n const topPages = [...pageCounts.entries()]\n .sort((a, b) => b[1] - a[1])\n .slice(0, 10)\n .map(([url, visits]) => ({ url, visits }))\n\n const topBots = [...botCounts.entries()]\n .sort((a, b) => b[1] - a[1])\n .slice(0, 10)\n .map(([name, visits]) => ({ name, visits }))\n\n const visitsByDay = [...dayCounts.entries()]\n .sort((a, b) => a[0].localeCompare(b[0]))\n .map(([date, visits]) => ({ date, visits }))\n\n return { totalVisits, uniqueBots, avgResponseMs, cacheHitRate, topPages, topBots, visitsByDay }\n }\n\n private loadRecords(days: number): VisitRecord[] {\n const filePath = path.join(this.dataDir, 'ta-visits.jsonl')\n if (!fs.existsSync(filePath)) return []\n\n const cutoff = new Date()\n cutoff.setDate(cutoff.getDate() - days)\n const cutoffStr = cutoff.toISOString()\n\n return fs.readFileSync(filePath, 'utf-8')\n .split('\\n')\n .filter(Boolean)\n .map(line => { try { return JSON.parse(line) as VisitRecord } catch { return null } })\n .filter((r): r is VisitRecord => r !== null && r.timestamp >= cutoffStr)\n }\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n // 1. X-TA-Api-Key header (WP-style headless key)\n const apiKeyHeader = req.headers.get('x-ta-api-key')\n if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n // 2. Bearer token (treat as api key)\n const auth = req.headers.get('authorization') ?? ''\n if (auth.startsWith('Bearer ')) {\n const token = auth.slice(7)\n return verifyApiKey(token)\n }\n\n // 3. Browser session cookie\n const session = req.cookies.get(SESSION_COOKIE)?.value\n if (session) return verifySession(session)\n\n return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n return NextResponse.json(\n { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n {\n status: 401,\n headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n }\n )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n passwordHash: string // sha256(secret + password)\n isDefaultPassword: boolean\n createdAt: string\n lastLoginAt: string | null\n apiKey?: string // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n const dataDir = process.env.TA_DATA_DIR ?? 'data'\n return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n const filePath = adminFilePath()\n if (!fs.existsSync(filePath)) return null\n try {\n return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n } catch {\n return null\n }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n const filePath = adminFilePath()\n const dir = path.dirname(filePath)\n if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n const existing = loadAdmin()\n if (existing) return { password: '', apiKey: '', isNew: false }\n\n const apiKey = generateApiKey()\n saveAdmin({\n passwordHash: hashPassword(DEFAULT_PASSWORD),\n isDefaultPassword: true,\n createdAt: new Date().toISOString(),\n lastLoginAt: null,\n apiKey: encryptApiKey(apiKey),\n })\n return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n const record = loadAdmin()\n if (!record) return false\n return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n const record = loadAdmin()\n if (!record) return\n saveAdmin({\n ...record,\n passwordHash: hashPassword(newPassword),\n isDefaultPassword: false,\n })\n}\n\nexport function recordLogin(): void {\n const record = loadAdmin()\n if (!record) return\n saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n // Derive a 32-byte key from the secret using SHA-256\n return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n const iv = crypto.randomBytes(12)\n const key = getEncryptionKey()\n const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n const tag = cipher.getAuthTag()\n // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n try {\n const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n const encrypted = Buffer.from(encoded.slice(56), 'hex')\n const key = getEncryptionKey()\n const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n decipher.setAuthTag(tag)\n return decipher.update(encrypted) + decipher.final('utf8')\n } catch {\n return null\n }\n}\n\nexport function generateApiKey(): string {\n return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n const record = loadAdmin()\n if (!record?.apiKey) return null\n return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n const record = loadAdmin()\n if (!record) throw new Error('Admin store not initialised')\n const newKey = generateApiKey()\n saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n const stored = getApiKey()\n if (!stored) return false\n if (key.length !== stored.length) return false\n return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n const lastDot = token.lastIndexOf('.')\n if (lastDot === -1) return false\n const payload = token.slice(0, lastDot)\n const sig = token.slice(lastDot + 1)\n const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n .update(payload).digest('hex')\n // Constant-time comparison\n if (sig.length !== expected.length) return false\n return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";AAAA,SAAS,gBAAAA,qBAAsC;;;ACA/C,OAAO,QAAQ;AACf,OAAO,UAAU;AAaV,IAAM,mBAAN,MAAuB;AAAA,EAG5B,YAAY,UAAU,QAAQ,IAAI,eAAe,QAAQ;AACvD,SAAK,UAAU;AAAA,EACjB;AAAA,EAEA,QAAQ,OAAO,IAAwB;AACrC,UAAM,UAAU,KAAK,YAAY,IAAI;AAErC,UAAM,cAAc,QAAQ;AAC5B,UAAM,aAAa,CAAC,GAAG,IAAI,IAAI,QAAQ,IAAI,OAAK,EAAE,QAAQ,EAAE,OAAO,OAAO,CAAC,CAAC;AAE5E,UAAM,iBAAiB,QAAQ,OAAO,OAAK,EAAE,gBAAgB,IAAI;AACjE,UAAM,gBAAgB,eAAe,SAAS,IAC1C,eAAe,OAAO,CAAC,GAAG,MAAM,IAAI,EAAE,aAAc,CAAC,IAAI,eAAe,SACxE;AAEJ,UAAM,eAAe,QAAQ,SAAS,IAClC,QAAQ,OAAO,OAAK,EAAE,SAAS,EAAE,SAAS,QAAQ,SAClD;AAEJ,UAAM,aAAa,oBAAI,IAAoB;AAC3C,UAAM,YAAY,oBAAI,IAAoB;AAC1C,UAAM,YAAY,oBAAI,IAAoB;AAE1C,eAAW,KAAK,SAAS;AACvB,iBAAW,IAAI,EAAE,MAAM,WAAW,IAAI,EAAE,GAAG,KAAK,KAAK,CAAC;AACtD,YAAM,OAAO,EAAE,YAAY;AAC3B,gBAAU,IAAI,OAAO,UAAU,IAAI,IAAI,KAAK,KAAK,CAAC;AAClD,YAAM,MAAM,EAAE,UAAU,MAAM,GAAG,EAAE;AACnC,gBAAU,IAAI,MAAM,UAAU,IAAI,GAAG,KAAK,KAAK,CAAC;AAAA,IAClD;AAEA,UAAM,WAAW,CAAC,GAAG,WAAW,QAAQ,CAAC,EACtC,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,EAC1B,MAAM,GAAG,EAAE,EACX,IAAI,CAAC,CAAC,KAAK,MAAM,OAAO,EAAE,KAAK,OAAO,EAAE;AAE3C,UAAM,UAAU,CAAC,GAAG,UAAU,QAAQ,CAAC,EACpC,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,EAC1B,MAAM,GAAG,EAAE,EACX,IAAI,CAAC,CAAC,MAAM,MAAM,OAAO,EAAE,MAAM,OAAO,EAAE;AAE7C,UAAM,cAAc,CAAC,GAAG,UAAU,QAAQ,CAAC,EACxC,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EACvC,IAAI,CAAC,CAAC,MAAM,MAAM,OAAO,EAAE,MAAM,OAAO,EAAE;AAE7C,WAAO,EAAE,aAAa,YAAY,eAAe,cAAc,UAAU,SAAS,YAAY;AAAA,EAChG;AAAA,EAEQ,YAAY,MAA6B;AAC/C,UAAM,WAAW,KAAK,KAAK,KAAK,SAAS,iBAAiB;AAC1D,QAAI,CAAC,GAAG,WAAW,QAAQ,EAAG,QAAO,CAAC;AAEtC,UAAM,SAAS,oBAAI,KAAK;AACxB,WAAO,QAAQ,OAAO,QAAQ,IAAI,IAAI;AACtC,UAAM,YAAY,OAAO,YAAY;AAErC,WAAO,GAAG,aAAa,UAAU,OAAO,EACrC,MAAM,IAAI,EACV,OAAO,OAAO,EACd,IAAI,UAAQ;AAAE,UAAI;AAAE,eAAO,KAAK,MAAM,IAAI;AAAA,MAAiB,QAAQ;AAAE,eAAO;AAAA,MAAK;AAAA,IAAE,CAAC,EACpF,OAAO,CAAC,MAAwB,MAAM,QAAQ,EAAE,aAAa,SAAS;AAAA,EAC3E;AACF;;;AC9EA,SAAS,oBAAoB;;;ACD7B,OAAOC,SAAQ;AACf,OAAOC,WAAU;AACjB,OAAO,YAAY;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAOA,MAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAACC,IAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAMA,IAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,OAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,OAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,OAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,OAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,aAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;;;AFvCA,IAAM,QAAQ,IAAI,iBAAiB;AAGnC,eAAsB,IAAI,KAAkB;AAC1C,MAAI,CAAC,aAAa,GAAG,GAAG;AACtB,WAAO,qBAAqB;AAAA,EAC9B;AAEA,QAAM,OAAO,SAAS,IAAI,QAAQ,aAAa,IAAI,MAAM,KAAK,MAAM,EAAE;AACtE,QAAM,UAAU,MAAM,QAAQ,IAAI;AAElC,SAAOC,cAAa,KAAK,OAAO;AAClC;","names":["NextResponse","fs","path","fs","NextResponse"]}

package/dist/dashboard/routes/api-key-route.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from 'next/server';
+/** GET /api/third-audience/api-key — returns masked key for display */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+/** POST /api/third-audience/api-key — rotate (regenerate) the API key */
+declare function POST(req: NextRequest): Promise<NextResponse>;
+export { GET, POST };

package/dist/dashboard/routes/api-key-route.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from 'next/server';
+/** GET /api/third-audience/api-key — returns masked key for display */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+/** POST /api/third-audience/api-key — rotate (regenerate) the API key */
+declare function POST(req: NextRequest): Promise<NextResponse>;
+export { GET, POST };

package/dist/dashboard/routes/api-key-route.js ADDED Viewed

@@ -0,0 +1,173 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/dashboard/routes/api-key-route.ts
+var api_key_route_exports = {};
+__export(api_key_route_exports, {
+  GET: () => GET,
+  POST: () => POST
+});
+module.exports = __toCommonJS(api_key_route_exports);
+var import_server2 = require("next/server");
+// src/dashboard/auth.ts
+var import_server = require("next/server");
+// src/dashboard/admin-store.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_crypto = __toESM(require("crypto"));
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return import_path.default.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!import_fs.default.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(import_fs.default.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function saveAdmin(record) {
+  const filePath = adminFilePath();
+  const dir = import_path.default.dirname(filePath);
+  if (!import_fs.default.existsSync(dir)) import_fs.default.mkdirSync(dir, { recursive: true });
+  import_fs.default.writeFileSync(filePath, JSON.stringify(record, null, 2), "utf-8");
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return import_crypto.default.createHash("sha256").update(secret).digest();
+}
+function encryptApiKey(plaintext) {
+  const iv = import_crypto.default.randomBytes(12);
+  const key = getEncryptionKey();
+  const cipher = import_crypto.default.createCipheriv(CIPHER, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return iv.toString("hex") + tag.toString("hex") + encrypted.toString("hex");
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = import_crypto.default.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function generateApiKey() {
+  return "ta_" + import_crypto.default.randomBytes(24).toString("hex");
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function rotateApiKey() {
+  const record = loadAdmin();
+  if (!record) throw new Error("Admin store not initialised");
+  const newKey = generateApiKey();
+  saveAdmin({ ...record, apiKey: encryptApiKey(newKey) });
+  return newKey;
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = import_crypto.default.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return import_server.NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+// src/dashboard/routes/api-key-route.ts
+async function GET(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const key = getApiKey();
+  if (!key) {
+    return import_server2.NextResponse.json({ key: null, masked: null });
+  }
+  const masked = key.slice(0, 8) + "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" + key.slice(-4);
+  return import_server2.NextResponse.json({ masked, prefix: key.slice(0, 3) });
+}
+async function POST(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const body = await req.json().catch(() => ({}));
+  if (body.action !== "rotate") {
+    return import_server2.NextResponse.json({ error: 'Send { action: "rotate" }' }, { status: 400 });
+  }
+  const newKey = rotateApiKey();
+  return import_server2.NextResponse.json({
+    key: newKey,
+    message: "API key rotated. Copy it now \u2014 it will not be shown again."
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GET,
+  POST
+});
+//# sourceMappingURL=api-key-route.js.map

package/dist/dashboard/routes/api-key-route.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/dashboard/routes/api-key-route.ts","../../../src/dashboard/auth.ts","../../../src/dashboard/admin-store.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from 'next/server'\nimport { checkApiAuth, unauthorizedResponse } from '../auth.js'\nimport { getApiKey, rotateApiKey } from '../admin-store.js'\n\n/** GET /api/third-audience/api-key — returns masked key for display */\nexport async function GET(req: NextRequest): Promise<NextResponse> {\n if (!checkApiAuth(req)) return unauthorizedResponse()\n\n const key = getApiKey()\n if (!key) {\n return NextResponse.json({ key: null, masked: null })\n }\n\n // Show first 8 + last 4 chars, mask the middle — same pattern as WP settings page\n const masked = key.slice(0, 8) + '••••••••••••••••••••••••••••••••••••••' + key.slice(-4)\n return NextResponse.json({ masked, prefix: key.slice(0, 3) })\n}\n\n/** POST /api/third-audience/api-key — rotate (regenerate) the API key */\nexport async function POST(req: NextRequest): Promise<NextResponse> {\n if (!checkApiAuth(req)) return unauthorizedResponse()\n\n const body = await req.json().catch(() => ({})) as Record<string, unknown>\n if (body.action !== 'rotate') {\n return NextResponse.json({ error: 'Send { action: \"rotate\" }' }, { status: 400 })\n }\n\n const newKey = rotateApiKey()\n return NextResponse.json({\n key: newKey,\n message: 'API key rotated. Copy it now — it will not be shown again.',\n })\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n // 1. X-TA-Api-Key header (WP-style headless key)\n const apiKeyHeader = req.headers.get('x-ta-api-key')\n if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n // 2. Bearer token (treat as api key)\n const auth = req.headers.get('authorization') ?? ''\n if (auth.startsWith('Bearer ')) {\n const token = auth.slice(7)\n return verifyApiKey(token)\n }\n\n // 3. Browser session cookie\n const session = req.cookies.get(SESSION_COOKIE)?.value\n if (session) return verifySession(session)\n\n return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n return NextResponse.json(\n { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n {\n status: 401,\n headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n }\n )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n passwordHash: string // sha256(secret + password)\n isDefaultPassword: boolean\n createdAt: string\n lastLoginAt: string | null\n apiKey?: string // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n const dataDir = process.env.TA_DATA_DIR ?? 'data'\n return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n const filePath = adminFilePath()\n if (!fs.existsSync(filePath)) return null\n try {\n return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n } catch {\n return null\n }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n const filePath = adminFilePath()\n const dir = path.dirname(filePath)\n if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n const existing = loadAdmin()\n if (existing) return { password: '', apiKey: '', isNew: false }\n\n const apiKey = generateApiKey()\n saveAdmin({\n passwordHash: hashPassword(DEFAULT_PASSWORD),\n isDefaultPassword: true,\n createdAt: new Date().toISOString(),\n lastLoginAt: null,\n apiKey: encryptApiKey(apiKey),\n })\n return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n const record = loadAdmin()\n if (!record) return false\n return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n const record = loadAdmin()\n if (!record) return\n saveAdmin({\n ...record,\n passwordHash: hashPassword(newPassword),\n isDefaultPassword: false,\n })\n}\n\nexport function recordLogin(): void {\n const record = loadAdmin()\n if (!record) return\n saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n // Derive a 32-byte key from the secret using SHA-256\n return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n const iv = crypto.randomBytes(12)\n const key = getEncryptionKey()\n const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n const tag = cipher.getAuthTag()\n // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n try {\n const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n const encrypted = Buffer.from(encoded.slice(56), 'hex')\n const key = getEncryptionKey()\n const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n decipher.setAuthTag(tag)\n return decipher.update(encrypted) + decipher.final('utf8')\n } catch {\n return null\n }\n}\n\nexport function generateApiKey(): string {\n return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n const record = loadAdmin()\n if (!record?.apiKey) return null\n return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n const record = loadAdmin()\n if (!record) throw new Error('Admin store not initialised')\n const newKey = generateApiKey()\n saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n const stored = getApiKey()\n if (!stored) return false\n if (key.length !== stored.length) return false\n return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n const lastDot = token.lastIndexOf('.')\n if (lastDot === -1) return false\n const payload = token.slice(0, lastDot)\n const sig = token.slice(lastDot + 1)\n const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n .update(payload).digest('hex')\n // Constant-time comparison\n if (sig.length !== expected.length) return false\n return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,iBAA+C;;;ACC/C,oBAA6B;;;ACD7B,gBAAe;AACf,kBAAiB;AACjB,oBAAmB;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAO,YAAAC,QAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAAC,UAAAC,QAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAM,UAAAA,QAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,UAAU,QAA2B;AACnD,QAAM,WAAW,cAAc;AAC/B,QAAM,MAAM,YAAAC,QAAK,QAAQ,QAAQ;AACjC,MAAI,CAAC,UAAAD,QAAG,WAAW,GAAG,EAAG,WAAAA,QAAG,UAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAC9D,YAAAA,QAAG,cAAc,UAAU,KAAK,UAAU,QAAQ,MAAM,CAAC,GAAG,OAAO;AACrE;AA6CA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,cAAAE,QAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAEA,SAAS,cAAc,WAA2B;AAChD,QAAM,KAAK,cAAAA,QAAO,YAAY,EAAE;AAChC,QAAM,MAAM,iBAAiB;AAC7B,QAAM,SAAS,cAAAA,QAAO,eAAe,QAAQ,KAAK,EAAE;AACpD,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,WAAW,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAClF,QAAM,MAAM,OAAO,WAAW;AAE9B,SAAO,GAAG,SAAS,KAAK,IAAI,IAAI,SAAS,KAAK,IAAI,UAAU,SAAS,KAAK;AAC5E;AAEA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,cAAAA,QAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAyB;AACvC,SAAO,QAAQ,cAAAA,QAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AACtD;AAEO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAEO,SAAS,eAAuB;AACrC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,6BAA6B;AAC1D,QAAM,SAAS,eAAe;AAC9B,YAAU,EAAE,GAAG,QAAQ,QAAQ,cAAc,MAAM,EAAE,CAAC;AACtD,SAAO;AACT;AAEO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,cAAAA,QAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,cAAAC,QAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,cAAAA,QAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,2BAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;;;ADtCA,eAAsB,IAAI,KAAyC;AACjE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,MAAM,UAAU;AACtB,MAAI,CAAC,KAAK;AACR,WAAO,4BAAa,KAAK,EAAE,KAAK,MAAM,QAAQ,KAAK,CAAC;AAAA,EACtD;AAGA,QAAM,SAAS,IAAI,MAAM,GAAG,CAAC,IAAI,yOAA2C,IAAI,MAAM,EAAE;AACxF,SAAO,4BAAa,KAAK,EAAE,QAAQ,QAAQ,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;AAC9D;AAGA,eAAsB,KAAK,KAAyC;AAClE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,MAAI,KAAK,WAAW,UAAU;AAC5B,WAAO,4BAAa,KAAK,EAAE,OAAO,4BAA4B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,SAAS,aAAa;AAC5B,SAAO,4BAAa,KAAK;AAAA,IACvB,KAAK;AAAA,IACL,SAAS;AAAA,EACX,CAAC;AACH;","names":["import_server","path","fs","path","crypto","crypto"]}