makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

Merge branch 'worktree-agent-a9901af2' into Develop

Browse Source 
# Conflicts:
#	.planning/REQUIREMENTS.md
#	.planning/ROADMAP.md
#	.planning/STATE.md
#	bun.lock
#	package.json
#	src/server/middleware/auth.ts
#	src/server/routes/auth.ts
#	src/server/routes/oauth.ts
#	src/server/services/auth.service.ts
This commit is contained in:
Jean-Luc Makiola
2026-04-04 20:48:38 +02:00
parent e3659a23f1 82eb9e7286
commit 3158274c6a
12 changed files with 257 additions and 369 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/server/index.ts
View File

@@ -1,6 +1,11 @@
import { Hono } from "hono";
import { serveStatic } from "hono/bun";
import { cors } from "hono/cors";
import {
oidcAuthMiddleware,
processOAuthCallback,
revokeSession,
} from "@hono/oidc-auth";
import { db as prodDb } from "../db/index.ts";
import { seedDefaults } from "../db/seed.ts";
import { mcpRoutes } from "./mcp/index.ts";
@@ -35,6 +40,14 @@ app.get("/api/health", (c) => {
return c.json({ status: "ok" });
});
// ── OIDC Browser Auth (top-level, before /api/* middleware) ───────────
app.get("/login", oidcAuthMiddleware(), async (c) => c.redirect("/"));
app.get("/callback", async (c) => processOAuthCallback(c));
app.get("/logout", async (c) => {
await revokeSession(c);
return c.redirect("/login");
});
// CORS for OAuth and MCP endpoints (required for claude.ai browser-based flows)
app.use("/.well-known/*", cors());
app.use("/oauth/*", cors());

9
src/server/mcp/index.ts
View File

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
import { Hono } from "hono";
import { db as prodDb } from "../../db/index.ts";
import { getUserCount, verifyApiKey } from "../services/auth.service.ts";
import { verifyApiKey } from "../services/auth.service.ts";
import { verifyAccessToken } from "../services/oauth.service.ts";
import { getCollectionSummary } from "./resources/collection.ts";
import {
@@ -90,11 +90,6 @@ export const mcpRoutes = new Hono();
mcpRoutes.use("/*", async (c, next) => {
const db = c.get("db") ?? prodDb;
// Skip auth if no users exist
if (getUserCount(db) <= 0) {
return next();
}
// Try Bearer token first (OAuth)
const authHeader = c.req.header("Authorization");
if (authHeader?.startsWith("Bearer ")) {
@@ -105,7 +100,7 @@ mcpRoutes.use("/*", async (c, next) => {
return c.json({ error: "invalid_token" }, 401);
}
// Try API key (existing flow)
// Try API key
const apiKey = c.req.header("X-API-Key");
if (apiKey) {
const valid = await verifyApiKey(db, apiKey);

36
src/server/middleware/auth.ts
View File

@@ -1,21 +1,12 @@
import type { Context, Next } from "hono";
import { getCookie } from "hono/cookie";
import {
getSession,
getUserCount,
refreshSession,
verifyApiKey,
} from "../services/auth.service";
import { getAuth } from "@hono/oidc-auth";
import { verifyApiKey } from "../services/auth.service";
import { verifyAccessToken } from "../services/oauth.service";
export async function requireAuth(c: Context, next: Next) {
const db = c.get("db");
// Check if any users exist at all
if ((await getUserCount(db)) === 0) {
return c.json({ error: "setup_required" }, 403);
}
// Check API key first
// 1. Check API key (programmatic access)
const apiKey = c.req.header("X-API-Key");
if (apiKey) {
const valid = await verifyApiKey(db, apiKey);
@@ -23,16 +14,17 @@ export async function requireAuth(c: Context, next: Next) {
return c.json({ error: "Invalid API key" }, 401);
}
// Check session cookie
const sessionId = getCookie(c, "gearbox_session");
if (sessionId) {
const session = await getSession(db, sessionId);
if (session) {
// Refresh session expiry on use
await refreshSession(db, sessionId);
return next();
}
// 2. Check MCP OAuth Bearer token
const authHeader = c.req.header("Authorization");
if (authHeader?.startsWith("Bearer ")) {
const token = authHeader.slice(7);
if (await verifyAccessToken(db, token)) return next();
return c.json({ error: "invalid_token" }, 401);
}
// 3. Check OIDC session (browser users)
const auth = await getAuth(c);
if (auth) return next();
return c.json({ error: "Authentication required" }, 401);
}

149
src/server/routes/auth.ts
View File

@@ -1,166 +1,39 @@
import { zValidator } from "@hono/zod-validator";
import { eq } from "drizzle-orm";
import { getAuth } from "@hono/oidc-auth";
import { Hono } from "hono";
import { deleteCookie, getCookie, setCookie } from "hono/cookie";
import { z } from "zod";
import { users } from "../../db/schema.ts";
import { parseId } from "../lib/params.ts";
import { requireAuth } from "../middleware/auth.ts";
import { rateLimit } from "../middleware/rateLimit.ts";
import {
changePassword,
createApiKey,
createSession,
createUser,
deleteApiKey,
deleteSession,
getSession,
getUserCount,
listApiKeys,
verifyPassword,
} from "../services/auth.service.ts";
type Env = { Variables: { db?: any } };
const loginSchema = z.object({
username: z.string().min(1),
password: z.string().min(1),
});
const setupSchema = z.object({
username: z.string().min(1),
password: z.string().min(6),
});
const changePasswordSchema = z.object({
currentPassword: z.string().min(1),
newPassword: z.string().min(6),
});
const createKeySchema = z.object({ name: z.string().min(1) });
const COOKIE_NAME = "gearbox_session";
const COOKIE_MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
const app = new Hono<Env>();
// ── Public routes ───────────────────────────────────────────────────
// ── Auth Status ──────────────────────────────────────────────────────
app.get("/me", async (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (sessionId) {
const session = await getSession(db, sessionId);
if (session) {
return c.json({
user: { id: session.userId },
setupRequired: false,
});
}
const auth = await getAuth(c);
if (auth) {
return c.json({
user: { id: auth.sub, email: auth.email },
authenticated: true,
});
}
const setupRequired = (await getUserCount(db)) === 0;
return c.json({ user: null, setupRequired });
return c.json({ user: null, authenticated: false });
});
app.post("/setup", rateLimit, zValidator("json", setupSchema), async (c) => {
const db = c.get("db");
if ((await getUserCount(db)) > 0) {
return c.json({ error: "Setup already completed" }, 403);
}
const { username, password } = c.req.valid("json");
const user = await createUser(db, username, password);
const session = await createSession(db, user.id);
setCookie(c, COOKIE_NAME, session.id, {
httpOnly: true,
sameSite: "Lax",
path: "/",
maxAge: COOKIE_MAX_AGE,
});
return c.json({ username: user.username }, 201);
});
app.post("/login", rateLimit, zValidator("json", loginSchema), async (c) => {
const db = c.get("db");
const { username, password } = c.req.valid("json");
const user = await verifyPassword(db, username, password);
if (!user) {
return c.json({ error: "Invalid credentials" }, 401);
}
const session = await createSession(db, user.id);
setCookie(c, COOKIE_NAME, session.id, {
httpOnly: true,
sameSite: "Lax",
path: "/",
maxAge: COOKIE_MAX_AGE,
});
return c.json({ username: user.username });
});
app.post("/logout", async (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (sessionId) {
await deleteSession(db, sessionId);
}
deleteCookie(c, COOKIE_NAME, { path: "/" });
return c.json({ ok: true });
});
// ── Protected routes ────────────────────────────────────────────────
app.put(
"/password",
requireAuth,
zValidator("json", changePasswordSchema),
async (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (!sessionId) {
return c.json({ error: "Session required for password change" }, 401);
}
const session = await getSession(db, sessionId);
if (!session) {
return c.json({ error: "Session required for password change" }, 401);
}
const [userRecord] = await db
.select()
.from(users)
.where(eq(users.id, session.userId));
if (!userRecord) {
return c.json({ error: "User not found" }, 404);
}
const { currentPassword, newPassword } = c.req.valid("json");
const changed = await changePassword(
db,
userRecord.username,
currentPassword,
newPassword,
);
if (!changed) {
return c.json({ error: "Invalid current password" }, 401);
}
return c.json({ ok: true });
},
);
// ── API Key Management (protected) ───────────────────────────────────
app.get("/keys", requireAuth, async (c) => {
const db = c.get("db");
const keys = await listApiKeys(db);
const keys = listApiKeys(db);
return c.json(keys);
});

68
src/server/routes/oauth.ts
View File

@@ -1,6 +1,6 @@
import { getAuth } from "@hono/oidc-auth";
import { Hono } from "hono";
import { db as prodDb } from "../../db/index.ts";
import { verifyPassword } from "../services/auth.service.ts";
import {
cleanExpiredOAuthData,
createAuthorizationCode,
@@ -27,19 +27,14 @@ function getBaseUrl(c: any): string {
return new URL(c.req.url).origin;
}
function renderLoginForm(params: {
function renderConsentForm(params: {
clientName: string;
clientId: string;
redirectUri: string;
codeChallenge: string;
codeChallengeMethod: string;
state: string;
error?: string;
}): string {
const errorHtml = params.error
? `<div style="background:#fef2f2;border:1px solid #fca5a5;color:#dc2626;padding:12px;border-radius:8px;margin-bottom:16px;font-size:14px;">${escapeHtml(params.error)}</div>`
: "";
return `<!DOCTYPE html>
<html lang="en">
<head>
@@ -52,8 +47,6 @@ function renderLoginForm(params: {
.card { background: #fff; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 32px; width: 100%; max-width: 400px; }
h1 { font-size: 24px; font-weight: 700; text-align: center; margin-bottom: 8px; }
.subtitle { text-align: center; color: #6b7280; margin-bottom: 24px; font-size: 14px; }
label { display: block; font-size: 14px; font-weight: 500; margin-bottom: 4px; color: #374151; }
input[type="text"], input[type="password"] { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 16px; }
button { width: 100%; padding: 10px; background: #2563eb; color: #fff; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
button:hover { background: #1d4ed8; }
</style>
@@ -62,12 +55,7 @@ function renderLoginForm(params: {
<div class="card">
<h1>GearBox</h1>
<p class="subtitle">Authorize ${escapeHtml(params.clientName)} to access your data</p>
${errorHtml}
<form method="POST" action="/oauth/authorize">
<label for="username">Username</label>
<input type="text" id="username" name="username" required>
<label for="password">Password</label>
<input type="password" id="password" name="password" required>
<input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
<input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
<input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
@@ -129,7 +117,7 @@ oauthRoutes.post("/register", async (c) => {
}
const clientName = body.client_name || "Unknown Client";
const { clientId } = await registerClient(db, clientName, body.redirect_uris);
const { clientId } = registerClient(db, clientName, body.redirect_uris);
return c.json(
{
@@ -141,10 +129,15 @@ oauthRoutes.post("/register", async (c) => {
);
});
// GET /authorize — Show HTML login form
// GET /authorize — Show consent form (requires OIDC session)
oauthRoutes.get("/authorize", async (c) => {
const db = c.get("db") ?? prodDb;
const auth = await getAuth(c);
if (!auth) {
return c.redirect(`/login?redirect=${encodeURIComponent(c.req.url)}`);
}
const responseType = c.req.query("response_type");
const clientId = c.req.query("client_id");
const redirectUri = c.req.query("redirect_uri");
@@ -159,7 +152,7 @@ oauthRoutes.get("/authorize", async (c) => {
return c.json({ error: "Missing required parameters" }, 400);
}
const client = await getClient(db, clientId);
const client = getClient(db, clientId);
if (!client) {
return c.json({ error: "Unknown client_id" }, 400);
}
@@ -170,7 +163,7 @@ oauthRoutes.get("/authorize", async (c) => {
}
return c.html(
renderLoginForm({
renderConsentForm({
clientName: client.clientName,
clientId,
redirectUri,
@@ -181,36 +174,35 @@ oauthRoutes.get("/authorize", async (c) => {
);
});
// POST /authorize — Process login form
// POST /authorize — Process consent (requires OIDC session)
oauthRoutes.post("/authorize", async (c) => {
const db = c.get("db") ?? prodDb;
const body = await c.req.parseBody();
const username = body.username as string;
const password = body.password as string;
// Check for OIDC session instead of username/password
const auth = await getAuth(c);
if (!auth) {
const currentUrl = c.req.url;
return c.redirect(`/login?redirect=${encodeURIComponent(currentUrl)}`);
}
const body = await c.req.parseBody();
const clientId = body.client_id as string;
const redirectUri = body.redirect_uri as string;
const codeChallenge = body.code_challenge as string;
const codeChallengeMethod = body.code_challenge_method as string;
const state = (body.state as string) ?? "";
const user = await verifyPassword(db, username, password);
if (!user) {
const client = await getClient(db, clientId);
return c.html(
renderLoginForm({
clientName: client?.clientName ?? "Unknown",
clientId,
redirectUri,
codeChallenge,
codeChallengeMethod,
state,
error: "Invalid username or password",
}),
);
const client = getClient(db, clientId);
if (!client) {
return c.json({ error: "Unknown client_id" }, 400);
}
const { code } = await createAuthorizationCode(
const allowedUris: string[] = JSON.parse(client.redirectUris);
if (!allowedUris.includes(redirectUri)) {
return c.json({ error: "redirect_uri not allowed" }, 400);
}
const { code } = createAuthorizationCode(
db,
clientId,
codeChallenge,
@@ -233,7 +225,7 @@ oauthRoutes.post("/token", async (c) => {
const grantType = body.grant_type as string;
// Opportunistic cleanup
await cleanExpiredOAuthData(db);
cleanExpiredOAuthData(db);
if (grantType === "authorization_code") {
const code = body.code as string;

127
src/server/services/auth.service.ts
View File

@@ -1,114 +1,10 @@
import { randomBytes } from "node:crypto";
import { count, eq } from "drizzle-orm";
import { eq } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import { apiKeys, sessions, users } from "../../db/schema.ts";
import { apiKeys } from "../../db/schema.ts";
type Db = typeof prodDb;
// ── User Management ──────────────────────────────────────────────────
export async function createUser(
db: Db = prodDb,
username: string,
password: string,
) {
const passwordHash = await Bun.password.hash(password);
const [row] = await db
.insert(users)
.values({ username, passwordHash })
.returning();
return row;
}
export async function verifyPassword(
db: Db = prodDb,
username: string,
password: string,
) {
const [user] = await db
.select()
.from(users)
.where(eq(users.username, username));
if (!user) return null;
const valid = await Bun.password.verify(password, user.passwordHash);
return valid ? user : null;
}
export async function getUserCount(db: Db = prodDb): Promise<number> {
const [result] = await db.select({ value: count() }).from(users);
return result?.value ?? 0;
}
export async function changePassword(
db: Db = prodDb,
username: string,
currentPassword: string,
newPassword: string,
): Promise<boolean> {
const user = await verifyPassword(db, username, currentPassword);
if (!user) return false;
const newHash = await Bun.password.hash(newPassword);
await db
.update(users)
.set({ passwordHash: newHash })
.where(eq(users.id, user.id));
return true;
}
// ── Session Management ───────────────────────────────────────────────
export async function createSession(
db: Db = prodDb,
userId: number,
expiryDays = 30,
) {
const id = randomBytes(32).toString("hex");
const expiresAt = new Date(Date.now() + expiryDays * 24 * 60 * 60 * 1000);
const [row] = await db
.insert(sessions)
.values({ id, userId, expiresAt })
.returning();
return row;
}
export async function getSession(db: Db = prodDb, sessionId: string) {
const [session] = await db
.select()
.from(sessions)
.where(eq(sessions.id, sessionId));
if (!session) return null;
if (session.expiresAt < new Date()) {
await db.delete(sessions).where(eq(sessions.id, sessionId));
return null;
}
return session;
}
export async function deleteSession(db: Db = prodDb, sessionId: string) {
await db.delete(sessions).where(eq(sessions.id, sessionId));
}
export async function refreshSession(
db: Db = prodDb,
sessionId: string,
expiryDays = 30,
) {
const expiresAt = new Date(Date.now() + expiryDays * 24 * 60 * 60 * 1000);
await db
.update(sessions)
.set({ expiresAt })
.where(eq(sessions.id, sessionId));
}
// ── API Key Management ───────────────────────────────────────────────
export async function createApiKey(db: Db = prodDb, name: string) {
@@ -116,10 +12,11 @@ export async function createApiKey(db: Db = prodDb, name: string) {
const keyHash = await Bun.password.hash(rawKey);
const keyPrefix = rawKey.slice(0, 8);
const [record] = await db
const record = db
.insert(apiKeys)
.values({ name, keyHash, keyPrefix })
.returning();
.returning()
.get();
return { ...record, rawKey };
}
@@ -129,10 +26,11 @@ export async function verifyApiKey(
rawKey: string,
): Promise<boolean> {
const prefix = rawKey.slice(0, 8);
const candidates = await db
const candidates = db
.select()
.from(apiKeys)
.where(eq(apiKeys.keyPrefix, prefix));
.where(eq(apiKeys.keyPrefix, prefix))
.all();
for (const candidate of candidates) {
const valid = await Bun.password.verify(rawKey, candidate.keyHash);
@@ -142,7 +40,7 @@ export async function verifyApiKey(
return false;
}
export async function listApiKeys(db: Db = prodDb) {
export function listApiKeys(db: Db = prodDb) {
return db
.select({
id: apiKeys.id,
@@ -150,9 +48,10 @@ export async function listApiKeys(db: Db = prodDb) {
keyPrefix: apiKeys.keyPrefix,
createdAt: apiKeys.createdAt,
})
.from(apiKeys);
.from(apiKeys)
.all();
}
export async function deleteApiKey(db: Db = prodDb, id: number) {
await db.delete(apiKeys).where(eq(apiKeys.id, id));
export function deleteApiKey(db: Db = prodDb, id: number) {
db.delete(apiKeys).where(eq(apiKeys.id, id)).run();
}