webspresso 0.0.72 → 0.0.74

package/README.md

@@ -764,10 +764,12 @@ const { app } = createApp({
 Options:
 - `db` (required) - Database instance
 - `path` - Admin panel path (default: `/_admin`)
-- `auth` - Auth manager for user management
-- `userManagement` - User management config (`enabled`, `model`, `fields`)
+- `auth` - Same **`AuthManager`** instance as **`createApp({ auth })`** when you use **`userManagement`** — enables **Active Sessions** / revoke APIs if **`rememberTokens`** (remember-me) is configured; optional for user CRUD-only
+- `userManagement` - Site-user admin UI (`enabled`, `model` matching ORM user table, optional `fields` map). SPA routes: `/_admin/users`, `/_admin/users/new`, …; APIs: `/_admin/api/users*`. Admin staff still use **`admin_users`** / `/_admin` login; this is separate from **`req.user`** on the public site
 - `configure` - Callback `(registry) => void` for manual setup
 
+See **`doc/index.html#admin-user-management`** and **Session authentication** in **`.cursor/skills/webspresso-usage/SKILL.md`** for the split between **`adminUser`** and **`createApp({ auth })`**.
+
 **Custom Admin Pages (registerModule):**
 
 Plugins can add custom admin pages using `registerModule` in `onRoutesReady`:

package/bin/commands/upgrade.js

@@ -0,0 +1,146 @@
+/**
+ * Upgrade Command — bump the webspresso dependency in the current project
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+const PKG_NAME = 'webspresso';
+
+/**
+ * @param {string} cwd
+ * @returns {'npm'|'pnpm'|'yarn'}
+ */
+function detectPackageManager(cwd) {
+  if (fs.existsSync(path.join(cwd, 'pnpm-lock.yaml'))) return 'pnpm';
+  if (fs.existsSync(path.join(cwd, 'yarn.lock'))) return 'yarn';
+  return 'npm';
+}
+
+/**
+ * @param {object} pkg
+ * @returns {{ specifier: string, saveDev: boolean } | null}
+ */
+function findWebspressoDep(pkg) {
+  if (!pkg || typeof pkg !== 'object') return null;
+  const prod = pkg.dependencies && pkg.dependencies[PKG_NAME];
+  const dev = pkg.devDependencies && pkg.devDependencies[PKG_NAME];
+  if (prod) return { specifier: String(prod), saveDev: false };
+  if (dev) return { specifier: String(dev), saveDev: true };
+  return null;
+}
+
+function isNonRegistrySpecifier(spec) {
+  return /^(file:|link:|workspace:|git\+|github:|http:|https:)/i.test(spec.trim());
+}
+
+/**
+ * @param {'npm'|'pnpm'|'yarn'} pm
+ * @param {string} tag
+ * @param {boolean} saveDev
+ * @returns {string[]}
+ */
+function buildInstallArgs(pm, tag, saveDev) {
+  const spec = `${PKG_NAME}@${tag}`;
+  if (pm === 'npm') {
+    return saveDev
+      ? ['install', spec, '--save-dev']
+      : ['install', spec, '--save'];
+  }
+  if (pm === 'pnpm') {
+    return saveDev ? ['add', '-D', spec] : ['add', spec];
+  }
+  /* yarn */
+  return saveDev ? ['add', '-D', spec] : ['add', spec];
+}
+
+function registerCommand(program) {
+  program
+    .command('upgrade')
+    .description(
+      'Upgrade the webspresso package in the current project (npm/pnpm/yarn)'
+    )
+    .option(
+      '-t, --tag <dist-tag>',
+      'npm dist-tag (e.g. latest, next)',
+      'latest'
+    )
+    .option('--pm <manager>', 'Force package manager: npm, pnpm, or yarn')
+    .option('--dry-run', 'Print the install command without running it')
+    .action((options) => {
+      const cwd = process.cwd();
+      const pkgPath = path.join(cwd, 'package.json');
+
+      if (!fs.existsSync(pkgPath)) {
+        console.error('❌ package.json not found. Run this from your project root.');
+        process.exit(1);
+      }
+
+      let pkg;
+      try {
+        pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      } catch (e) {
+        console.error(`❌ Could not read package.json: ${e.message}`);
+        process.exit(1);
+      }
+
+      const found = findWebspressoDep(pkg);
+      if (!found) {
+        console.error(
+          `❌ No "${PKG_NAME}" entry in dependencies or devDependencies.`
+        );
+        console.error('   Add it first, e.g. npm install webspresso');
+        process.exit(1);
+      }
+
+      if (isNonRegistrySpecifier(found.specifier)) {
+        console.error(
+          `❌ "${PKG_NAME}" is not a registry semver range (current: ${found.specifier}).`
+        );
+        console.error(
+          '   For file:/link:/workspace: installs, change package.json manually or point to a published version.'
+        );
+        process.exit(1);
+      }
+
+      let pm = options.pm;
+      if (pm) {
+        pm = String(pm).toLowerCase();
+        if (!['npm', 'pnpm', 'yarn'].includes(pm)) {
+          console.error('❌ --pm must be npm, pnpm, or yarn');
+          process.exit(1);
+        }
+      } else {
+        pm = detectPackageManager(cwd);
+      }
+
+      const args = buildInstallArgs(pm, options.tag, found.saveDev);
+      const cmd = `${pm} ${args.join(' ')}`;
+
+      console.log('\nWebspresso upgrade');
+      console.log('==================\n');
+      console.log(`  Package manager: ${pm}`);
+      console.log(`  Target:          ${PKG_NAME}@${options.tag}`);
+      console.log(`  Save as:         ${found.saveDev ? 'devDependency' : 'dependency'}`);
+      console.log(`  Current range:   ${found.specifier}\n`);
+
+      if (options.dryRun) {
+        console.log(`Dry run — would run:\n  ${cmd}\n`);
+        return;
+      }
+
+      try {
+        execSync(cmd, { stdio: 'inherit', cwd, shell: true });
+        console.log(
+          '\n✅ Upgrade finished. If you use native addons (better-sqlite3, bcrypt, sharp), run:\n' +
+            '   npm run rebuild:native\n' +
+            '   (or: npm rebuild better-sqlite3 bcrypt sharp)\n'
+        );
+      } catch {
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = { registerCommand, detectPackageManager, findWebspressoDep };

package/bin/webspresso.js

@@ -30,6 +30,7 @@ const { registerCommand: registerFaviconGenerate } = require('./commands/favicon
 const { registerCommand: registerAuditPrune } = require('./commands/audit-prune');
 const { registerCommand: registerDoctor } = require('./commands/doctor');
 const { registerCommand: registerSkill } = require('./commands/skill');
+const { registerCommand: registerUpgrade } = require('./commands/upgrade');
 
 registerNew(program);
 registerPage(program);
@@ -48,6 +49,7 @@ registerFaviconGenerate(program);
 registerAuditPrune(program);
 registerDoctor(program);
 registerSkill(program);
+registerUpgrade(program);
 
 // Parse arguments
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "webspresso",
-  "version": "0.0.72",
+  "version": "0.0.74",
   "description": "Minimal, production-ready SSR framework for Node.js with file-based routing, Nunjucks templating, built-in i18n, and CLI tooling",
   "main": "index.js",
   "types": "index.d.ts",

package/plugins/admin-panel/app.js

@@ -35,6 +35,87 @@ async function checkSetupNeeded() {
   }
 }
 
+// Site user management: menu uses /models/{userModel}*; /users* kept as aliases (redirect) + /users/sessions
+function getUserManagementModel() {
+  var um = window.__ADMIN_CONFIG__ && window.__ADMIN_CONFIG__.userManagement;
+  if (!um || !um.enabled) return null;
+  return um.model || 'User';
+}
+
+async function guardUserManagementRoutes() {
+  var isAuth = await checkAuth();
+  if (!isAuth) {
+    m.route.set('/login');
+    return false;
+  }
+  if (!getUserManagementModel()) {
+    m.route.set('/');
+    return false;
+  }
+  return true;
+}
+
+const UserSessionsPage = {
+  oninit: async function (vnode) {
+    vnode.state.loading = true;
+    vnode.state.rows = [];
+    vnode.state.message = null;
+    vnode.state.error = null;
+    try {
+      var res = await api.get('/users/sessions');
+      vnode.state.rows = res.data || [];
+      vnode.state.message = res.message || null;
+    } catch (e) {
+      vnode.state.error = e.message || String(e);
+    }
+    vnode.state.loading = false;
+    m.redraw();
+  },
+  view: function (vnode) {
+    var rows = vnode.state.rows || [];
+    var umModel = getUserManagementModel();
+    var usersCrudHref = umModel ? '/models/' + encodeURIComponent(umModel) : '/';
+    return m(Layout, { breadcrumbs: [{ label: 'Users', href: usersCrudHref }, { label: 'Active Sessions', href: '/users/sessions' }] }, [
+      m('h2.text-2xl.font-bold.mb-4.text-gray-900.dark:text-slate-100', 'Active Sessions'),
+      vnode.state.loading ? m('p.text-gray-600.dark:text-slate-400', 'Loading…') : null,
+      vnode.state.error ? m('p.text-red-600.dark:text-red-400.mb-2', vnode.state.error) : null,
+      vnode.state.message ? m('p.text-sm.text-gray-600.dark:text-slate-400.mb-2', vnode.state.message) : null,
+      !vnode.state.loading && rows.length === 0 && !vnode.state.error
+        ? m('p.text-gray-600.dark:text-slate-400', 'No remember-me sessions (or tracking not enabled).')
+        : m('.overflow-x-auto.rounded-lg.border.border-gray-200.dark:border-slate-700.bg-white.dark:bg-slate-800/50', [
+            m('table.min-w-full.text-sm.text-left', [
+              m('thead.bg-gray-50.dark:bg-slate-900', m('tr', [
+                m('th.px-3.py-2.text-xs.font-medium.text-gray-500.dark:text-slate-400.uppercase.tracking-wider', 'User'),
+                m('th.px-3.py-2.text-xs.font-medium.text-gray-500.dark:text-slate-400.uppercase.tracking-wider', 'Token (prefix)'),
+                m('th.px-3.py-2.text-xs.font-medium.text-gray-500.dark:text-slate-400.uppercase.tracking-wider', 'Created'),
+                m('th.px-3.py-2', ''),
+              ])),
+              m('tbody.divide-y.divide-gray-100.dark:divide-slate-700', rows.map(function (r) {
+                var tok = (r.token || '').slice(0, 12) + '…';
+                return m('tr.bg-white.dark:bg-slate-800/30', [
+                  m('td.px-3.py-2.text-gray-900.dark:text-slate-200', (r.user_email || r.user_id || '') + ''),
+                  m('td.px-3.py-2.font-mono.text-xs.text-gray-800.dark:text-slate-300', tok),
+                  m('td.px-3.py-2.text-gray-700.dark:text-slate-300', r.created_at ? new Date(r.created_at).toLocaleString() : ''),
+                  m('td.px-3.py-2', m('button.text-red-600.dark:text-red-400.text-xs', {
+                    onclick: async function () {
+                      if (!confirm('Revoke this session?')) return;
+                      try {
+                        await api.delete('/users/sessions/' + encodeURIComponent(r.token));
+                        vnode.state.rows = vnode.state.rows.filter(function (x) { return x.token !== r.token; });
+                        m.redraw();
+                      } catch (err) {
+                        alert(err.message || err);
+                      }
+                    },
+                  }, 'Revoke')),
+                ]);
+              })),
+            ]),
+          ]),
+    ]);
+  },
+};
+
 // Build routes
 var routes = {
   '/': {
@@ -80,6 +161,34 @@ var routes = {
       return SettingsPage;
     }
   },
+  '/users/sessions': {
+    onmatch: async () => {
+      if (!(await guardUserManagementRoutes())) return;
+      return UserSessionsPage;
+    }
+  },
+  '/users/new': {
+    onmatch: async () => {
+      if (!(await guardUserManagementRoutes())) return;
+      var model = getUserManagementModel();
+      m.route.set('/models/' + encodeURIComponent(model) + '/new');
+    }
+  },
+  '/users/:id/edit': {
+    onmatch: async () => {
+      if (!(await guardUserManagementRoutes())) return;
+      var model = getUserManagementModel();
+      var id = m.route.param('id');
+      m.route.set('/models/' + encodeURIComponent(model) + '/edit/' + encodeURIComponent(id));
+    }
+  },
+  '/users': {
+    onmatch: async () => {
+      if (!(await guardUserManagementRoutes())) return;
+      var model = getUserManagementModel();
+      m.route.set('/models/' + encodeURIComponent(model));
+    }
+  },
   '/models/:model': {
     onmatch: async () => {
       const isAuth = await checkAuth();