webspresso 0.0.35 → 0.0.37

package/bin/commands/admin-password.js

@@ -0,0 +1,251 @@
+/**
+ * Admin Password Command
+ * Reset admin user password via CLI
+ */
+
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+
+function registerCommand(program) {
+  program
+    .command('admin:password')
+    .description('Reset admin user password')
+    .option('-e, --email <email>', 'Admin user email')
+    .option('-p, --password <password>', 'New password (not recommended, use interactive mode)')
+    .option('-c, --config <path>', 'Path to database config file')
+    .action(async (options) => {
+      try {
+        // Find project root and load database
+        const cwd = process.cwd();
+        
+        // Try to find and load the database config
+        let dbConfig = null;
+        const configPaths = [
+          options.config,
+          path.join(cwd, 'webspresso.config.js'),
+          path.join(cwd, 'database.config.js'),
+          path.join(cwd, 'db.config.js'),
+        ].filter(Boolean);
+        
+        for (const configPath of configPaths) {
+          if (fs.existsSync(configPath)) {
+            const config = require(configPath);
+            dbConfig = config.database || config;
+            break;
+          }
+        }
+        
+        if (!dbConfig) {
+          console.error('❌ Error: Could not find database configuration.');
+          console.error('   Please run this command from your project root.');
+          process.exit(1);
+        }
+        
+        // Lazy load dependencies
+        const bcrypt = require('bcrypt');
+        const knex = require('knex');
+        
+        // Initialize database connection
+        const db = knex(dbConfig);
+        
+        // Check if admin_users table exists
+        const hasTable = await db.schema.hasTable('admin_users');
+        if (!hasTable) {
+          console.error('❌ Error: admin_users table does not exist.');
+          console.error('   Run "webspresso admin:setup" and "webspresso db:migrate" first.');
+          await db.destroy();
+          process.exit(1);
+        }
+        
+        // Get email (interactive if not provided)
+        let email = options.email;
+        if (!email) {
+          const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+          });
+          
+          email = await new Promise((resolve) => {
+            rl.question('Enter admin email: ', (answer) => {
+              rl.close();
+              resolve(answer.trim());
+            });
+          });
+        }
+        
+        if (!email) {
+          console.error('❌ Error: Email is required.');
+          await db.destroy();
+          process.exit(1);
+        }
+        
+        // Check if user exists
+        const user = await db('admin_users').where({ email }).first();
+        if (!user) {
+          console.error(`❌ Error: Admin user with email "${email}" not found.`);
+          
+          // Show available users
+          const users = await db('admin_users').select('id', 'email', 'name');
+          if (users.length > 0) {
+            console.log('\nAvailable admin users:');
+            users.forEach(u => console.log(`   - ${u.email} (${u.name || 'No name'})`));
+          }
+          
+          await db.destroy();
+          process.exit(1);
+        }
+        
+        // Get new password (interactive if not provided)
+        let password = options.password;
+        if (!password) {
+          const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+          });
+          
+          // Disable echo for password input
+          if (process.stdin.isTTY) {
+            process.stdout.write('Enter new password: ');
+            password = await new Promise((resolve) => {
+              let pwd = '';
+              process.stdin.setRawMode(true);
+              process.stdin.resume();
+              process.stdin.on('data', (char) => {
+                char = char.toString();
+                if (char === '\n' || char === '\r') {
+                  process.stdin.setRawMode(false);
+                  process.stdin.pause();
+                  console.log(); // New line after password
+                  resolve(pwd);
+                } else if (char === '\u0003') {
+                  // Ctrl+C
+                  process.exit();
+                } else if (char === '\u007F') {
+                  // Backspace
+                  if (pwd.length > 0) {
+                    pwd = pwd.slice(0, -1);
+                    process.stdout.write('\b \b');
+                  }
+                } else {
+                  pwd += char;
+                  process.stdout.write('*');
+                }
+              });
+            });
+            rl.close();
+          } else {
+            password = await new Promise((resolve) => {
+              rl.question('Enter new password: ', (answer) => {
+                rl.close();
+                resolve(answer);
+              });
+            });
+          }
+        }
+        
+        if (!password || password.length < 6) {
+          console.error('❌ Error: Password must be at least 6 characters.');
+          await db.destroy();
+          process.exit(1);
+        }
+        
+        // Hash the password
+        const hashedPassword = await bcrypt.hash(password, 10);
+        
+        // Update the password
+        await db('admin_users')
+          .where({ email })
+          .update({
+            password: hashedPassword,
+            updated_at: new Date(),
+          });
+        
+        console.log(`\n✅ Password updated successfully for: ${email}\n`);
+        
+        await db.destroy();
+      } catch (err) {
+        console.error('❌ Error:', err.message);
+        process.exit(1);
+      }
+    });
+    
+  // Also add a command to list admin users
+  program
+    .command('admin:list')
+    .description('List all admin users')
+    .option('-c, --config <path>', 'Path to database config file')
+    .action(async (options) => {
+      try {
+        const cwd = process.cwd();
+        
+        // Try to find and load the database config
+        let dbConfig = null;
+        const configPaths = [
+          options.config,
+          path.join(cwd, 'webspresso.config.js'),
+          path.join(cwd, 'database.config.js'),
+          path.join(cwd, 'db.config.js'),
+        ].filter(Boolean);
+        
+        for (const configPath of configPaths) {
+          if (fs.existsSync(configPath)) {
+            const config = require(configPath);
+            dbConfig = config.database || config;
+            break;
+          }
+        }
+        
+        if (!dbConfig) {
+          console.error('❌ Error: Could not find database configuration.');
+          process.exit(1);
+        }
+        
+        const knex = require('knex');
+        const db = knex(dbConfig);
+        
+        // Check if admin_users table exists
+        const hasTable = await db.schema.hasTable('admin_users');
+        if (!hasTable) {
+          console.log('ℹ️  admin_users table does not exist yet.');
+          console.log('   Run "webspresso admin:setup" and "webspresso db:migrate" first.');
+          await db.destroy();
+          return;
+        }
+        
+        // Get all admin users
+        const users = await db('admin_users')
+          .select('id', 'email', 'name', 'role', 'active', 'created_at')
+          .orderBy('id');
+        
+        if (users.length === 0) {
+          console.log('\nNo admin users found.\n');
+          console.log('Create the first admin user via the admin panel setup page.');
+        } else {
+          console.log(`\n📋 Admin Users (${users.length}):\n`);
+          console.log('  ID  | Email                          | Name           | Role    | Active | Created');
+          console.log('  ' + '-'.repeat(90));
+          
+          users.forEach(user => {
+            const email = (user.email || '').padEnd(30).slice(0, 30);
+            const name = (user.name || '-').padEnd(14).slice(0, 14);
+            const role = (user.role || 'admin').padEnd(7).slice(0, 7);
+            const active = user.active ? '  ✓   ' : '  ✗   ';
+            const created = user.created_at 
+              ? new Date(user.created_at).toLocaleDateString()
+              : '-';
+            
+            console.log(`  ${String(user.id).padStart(3)} | ${email} | ${name} | ${role} | ${active} | ${created}`);
+          });
+          console.log();
+        }
+        
+        await db.destroy();
+      } catch (err) {
+        console.error('❌ Error:', err.message);
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = { registerCommand };

package/bin/webspresso.js

@@ -25,6 +25,7 @@ const { registerCommand: registerDbStatus } = require('./commands/db-status');
 const { registerCommand: registerDbMake } = require('./commands/db-make');
 const { registerCommand: registerSeed } = require('./commands/seed');
 const { registerCommand: registerAdminSetup } = require('./commands/admin-setup');
+const { registerCommand: registerAdminPassword } = require('./commands/admin-password');
 
 registerNew(program);
 registerPage(program);
@@ -38,6 +39,7 @@ registerDbStatus(program);
 registerDbMake(program);
 registerSeed(program);
 registerAdminSetup(program);
+registerAdminPassword(program);
 
 // Parse arguments
 program.parse();

package/core/auth/hash.js

@@ -0,0 +1,112 @@
+/**
+ * Webspresso Auth - Password Hashing
+ * Bcrypt wrapper for secure password hashing
+ * @module core/auth/hash
+ */
+
+let bcrypt;
+try {
+  bcrypt = require('bcrypt');
+} catch {
+  // bcrypt is optional, will throw if used without installation
+  bcrypt = null;
+}
+
+/**
+ * Default bcrypt cost factor
+ * Higher = more secure but slower
+ */
+const DEFAULT_ROUNDS = 12;
+
+/**
+ * Hash a password using bcrypt
+ * @param {string} password - Plain text password
+ * @param {number} [rounds=12] - Cost factor (rounds)
+ * @returns {Promise<string>} Hashed password
+ */
+async function hash(password, rounds = DEFAULT_ROUNDS) {
+  if (!bcrypt) {
+    throw new Error('bcrypt is required for password hashing. Install it with: npm install bcrypt');
+  }
+  
+  if (!password || typeof password !== 'string') {
+    throw new Error('Password must be a non-empty string');
+  }
+  
+  return bcrypt.hash(password, rounds);
+}
+
+/**
+ * Verify a password against a hash
+ * @param {string} password - Plain text password to verify
+ * @param {string} hashedPassword - Hashed password to compare against
+ * @returns {Promise<boolean>} True if password matches
+ */
+async function verify(password, hashedPassword) {
+  if (!bcrypt) {
+    throw new Error('bcrypt is required for password verification. Install it with: npm install bcrypt');
+  }
+  
+  if (!password || !hashedPassword) {
+    return false;
+  }
+  
+  try {
+    return await bcrypt.compare(password, hashedPassword);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if a hash needs rehashing (e.g., cost factor changed)
+ * @param {string} hashedPassword - Hashed password to check
+ * @param {number} [rounds=12] - Desired cost factor
+ * @returns {boolean} True if rehash is needed
+ */
+function needsRehash(hashedPassword, rounds = DEFAULT_ROUNDS) {
+  if (!bcrypt) {
+    throw new Error('bcrypt is required. Install it with: npm install bcrypt');
+  }
+  
+  if (!hashedPassword) {
+    return true;
+  }
+  
+  try {
+    const hashRounds = bcrypt.getRounds(hashedPassword);
+    return hashRounds < rounds;
+  } catch {
+    return true;
+  }
+}
+
+/**
+ * Generate a secure random token
+ * @param {number} [length=32] - Token length in bytes
+ * @returns {string} Hex-encoded random token
+ */
+function generateToken(length = 32) {
+  const crypto = require('crypto');
+  return crypto.randomBytes(length).toString('hex');
+}
+
+/**
+ * Hash a token for storage (SHA-256)
+ * Used for remember me tokens - stored hashed, compared hashed
+ * @param {string} token - Plain token
+ * @returns {string} Hashed token
+ */
+function hashToken(token) {
+  const crypto = require('crypto');
+  return crypto.createHash('sha256').update(token).digest('hex');
+}
+
+module.exports = {
+  hash,
+  verify,
+  needsRehash,
+  generateToken,
+  hashToken,
+  DEFAULT_ROUNDS,
+};

package/core/auth/index.js

@@ -0,0 +1,202 @@
+/**
+ * Webspresso Auth
+ * Django/Rails-inspired authentication system with adapter pattern
+ * @module core/auth
+ */
+
+const { AuthManager, AuthenticationError, DEFAULT_CONFIG } = require('./manager');
+const { PolicyManager, AuthorizationError } = require('./policy');
+const { createAuthMiddleware, setupAuthMiddleware } = require('./middleware');
+const { hash, verify, needsRehash, generateToken, hashToken } = require('./hash');
+
+/**
+ * Create authentication instance
+ * @param {Object} config - Configuration
+ * @param {Function} config.findUserById - (id) => Promise<User|null>
+ * @param {Function} config.findUserByCredentials - (identifier, password) => Promise<User|null>
+ * @param {Object} [config.rememberTokens] - Remember token adapter
+ * @param {Object} [config.session] - Session configuration
+ * @param {Object} [config.rememberMe] - Remember me configuration
+ * @param {Object} [config.routes] - Route configuration
+ * @returns {AuthManager}
+ * 
+ * @example
+ * const auth = createAuth({
+ *   findUserById: async (id) => {
+ *     return await UserRepo.findById(id);
+ *   },
+ *   
+ *   findUserByCredentials: async (email, password) => {
+ *     const user = await UserRepo.findOne({ email });
+ *     if (user && await verify(password, user.password)) {
+ *       return user;
+ *     }
+ *     return null;
+ *   },
+ *   
+ *   // Optional: Remember me tokens
+ *   rememberTokens: {
+ *     create: async (userId, token, expiresAt) => {
+ *       await db.knex('remember_tokens').insert({
+ *         user_id: userId,
+ *         token,
+ *         expires_at: expiresAt,
+ *       });
+ *     },
+ *     find: async (token) => {
+ *       return await db.knex('remember_tokens').where({ token }).first();
+ *     },
+ *     delete: async (token) => {
+ *       await db.knex('remember_tokens').where({ token }).delete();
+ *     },
+ *     deleteAllForUser: async (userId) => {
+ *       await db.knex('remember_tokens').where({ user_id: userId }).delete();
+ *     },
+ *   },
+ *   
+ *   session: {
+ *     secret: process.env.SESSION_SECRET,
+ *     cookie: {
+ *       maxAge: 24 * 60 * 60 * 1000, // 1 day
+ *     },
+ *   },
+ * });
+ */
+function createAuth(config) {
+  return new AuthManager(config);
+}
+
+/**
+ * Quick auth setup helper for common patterns
+ * @param {Object} options - Options
+ * @param {Object} options.db - Database instance (with getRepository)
+ * @param {string} [options.userModel='User'] - User model name
+ * @param {string} [options.identifierField='email'] - Login identifier field
+ * @param {string} [options.passwordField='password'] - Password field
+ * @param {Object} [options.session] - Session config
+ * @param {boolean} [options.rememberMe=true] - Enable remember me
+ * @returns {AuthManager}
+ */
+function quickAuth(options) {
+  const {
+    db,
+    userModel = 'User',
+    identifierField = 'email',
+    passwordField = 'password',
+    session = {},
+    rememberMe = true,
+  } = options;
+
+  if (!db || typeof db.getRepository !== 'function') {
+    throw new Error('db with getRepository is required');
+  }
+
+  const UserRepo = db.getRepository(userModel);
+
+  const config = {
+    findUserById: async (id) => {
+      return await UserRepo.findById(id);
+    },
+
+    findUserByCredentials: async (identifier, password) => {
+      const user = await UserRepo.findOne({ [identifierField]: identifier });
+      if (user && await verify(password, user[passwordField])) {
+        return user;
+      }
+      return null;
+    },
+
+    session: {
+      secret: process.env.SESSION_SECRET || session.secret,
+      ...session,
+    },
+  };
+
+  // Add remember tokens if enabled
+  if (rememberMe) {
+    config.rememberTokens = {
+      create: async (userId, token, expiresAt) => {
+        await db.knex('remember_tokens').insert({
+          user_id: userId,
+          token,
+          expires_at: expiresAt,
+          created_at: new Date(),
+        });
+      },
+      find: async (token) => {
+        return await db.knex('remember_tokens').where({ token }).first();
+      },
+      delete: async (token) => {
+        await db.knex('remember_tokens').where({ token }).delete();
+      },
+      deleteAllForUser: async (userId) => {
+        await db.knex('remember_tokens').where({ user_id: userId }).delete();
+      },
+    };
+  }
+
+  return createAuth(config);
+}
+
+/**
+ * Migration helper for remember_tokens table
+ * @param {Object} knex - Knex instance
+ * @returns {Promise<void>}
+ */
+async function createRememberTokensTable(knex) {
+  const exists = await knex.schema.hasTable('remember_tokens');
+  
+  if (!exists) {
+    await knex.schema.createTable('remember_tokens', (table) => {
+      table.bigIncrements('id').primary();
+      table.bigInteger('user_id').unsigned().notNullable();
+      table.string('token', 64).notNullable().unique();
+      table.timestamp('expires_at').notNullable();
+      table.timestamp('created_at').defaultTo(knex.fn.now());
+      
+      table.index('user_id');
+      table.index('token');
+    });
+  }
+}
+
+/**
+ * Drop remember_tokens table
+ * @param {Object} knex - Knex instance
+ * @returns {Promise<void>}
+ */
+async function dropRememberTokensTable(knex) {
+  await knex.schema.dropTableIfExists('remember_tokens');
+}
+
+module.exports = {
+  // Factory functions
+  createAuth,
+  quickAuth,
+  
+  // Classes
+  AuthManager,
+  PolicyManager,
+  
+  // Errors
+  AuthenticationError,
+  AuthorizationError,
+  
+  // Middleware
+  createAuthMiddleware,
+  setupAuthMiddleware,
+  
+  // Hash utilities
+  hash,
+  verify,
+  needsRehash,
+  generateToken,
+  hashToken,
+  
+  // Migration helpers
+  createRememberTokensTable,
+  dropRememberTokensTable,
+  
+  // Config
+  DEFAULT_CONFIG,
+};