Merge branch 'worktree-agent-a9901af2' into Develop
# Conflicts: # .planning/REQUIREMENTS.md # .planning/ROADMAP.md # .planning/STATE.md # bun.lock # package.json # src/server/middleware/auth.ts # src/server/routes/auth.ts # src/server/routes/oauth.ts # src/server/services/auth.service.ts
This commit is contained in:
@@ -1,166 +1,39 @@
|
||||
import { zValidator } from "@hono/zod-validator";
|
||||
import { eq } from "drizzle-orm";
|
||||
import { getAuth } from "@hono/oidc-auth";
|
||||
import { Hono } from "hono";
|
||||
import { deleteCookie, getCookie, setCookie } from "hono/cookie";
|
||||
import { z } from "zod";
|
||||
import { users } from "../../db/schema.ts";
|
||||
import { parseId } from "../lib/params.ts";
|
||||
import { requireAuth } from "../middleware/auth.ts";
|
||||
import { rateLimit } from "../middleware/rateLimit.ts";
|
||||
import {
|
||||
changePassword,
|
||||
createApiKey,
|
||||
createSession,
|
||||
createUser,
|
||||
deleteApiKey,
|
||||
deleteSession,
|
||||
getSession,
|
||||
getUserCount,
|
||||
listApiKeys,
|
||||
verifyPassword,
|
||||
} from "../services/auth.service.ts";
|
||||
|
||||
type Env = { Variables: { db?: any } };
|
||||
|
||||
const loginSchema = z.object({
|
||||
username: z.string().min(1),
|
||||
password: z.string().min(1),
|
||||
});
|
||||
const setupSchema = z.object({
|
||||
username: z.string().min(1),
|
||||
password: z.string().min(6),
|
||||
});
|
||||
const changePasswordSchema = z.object({
|
||||
currentPassword: z.string().min(1),
|
||||
newPassword: z.string().min(6),
|
||||
});
|
||||
const createKeySchema = z.object({ name: z.string().min(1) });
|
||||
|
||||
const COOKIE_NAME = "gearbox_session";
|
||||
const COOKIE_MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
|
||||
|
||||
const app = new Hono<Env>();
|
||||
|
||||
// ── Public routes ───────────────────────────────────────────────────
|
||||
// ── Auth Status ──────────────────────────────────────────────────────
|
||||
|
||||
app.get("/me", async (c) => {
|
||||
const db = c.get("db");
|
||||
const sessionId = getCookie(c, COOKIE_NAME);
|
||||
|
||||
if (sessionId) {
|
||||
const session = await getSession(db, sessionId);
|
||||
if (session) {
|
||||
return c.json({
|
||||
user: { id: session.userId },
|
||||
setupRequired: false,
|
||||
});
|
||||
}
|
||||
const auth = await getAuth(c);
|
||||
if (auth) {
|
||||
return c.json({
|
||||
user: { id: auth.sub, email: auth.email },
|
||||
authenticated: true,
|
||||
});
|
||||
}
|
||||
|
||||
const setupRequired = (await getUserCount(db)) === 0;
|
||||
return c.json({ user: null, setupRequired });
|
||||
return c.json({ user: null, authenticated: false });
|
||||
});
|
||||
|
||||
app.post("/setup", rateLimit, zValidator("json", setupSchema), async (c) => {
|
||||
const db = c.get("db");
|
||||
|
||||
if ((await getUserCount(db)) > 0) {
|
||||
return c.json({ error: "Setup already completed" }, 403);
|
||||
}
|
||||
|
||||
const { username, password } = c.req.valid("json");
|
||||
const user = await createUser(db, username, password);
|
||||
const session = await createSession(db, user.id);
|
||||
|
||||
setCookie(c, COOKIE_NAME, session.id, {
|
||||
httpOnly: true,
|
||||
sameSite: "Lax",
|
||||
path: "/",
|
||||
maxAge: COOKIE_MAX_AGE,
|
||||
});
|
||||
|
||||
return c.json({ username: user.username }, 201);
|
||||
});
|
||||
|
||||
app.post("/login", rateLimit, zValidator("json", loginSchema), async (c) => {
|
||||
const db = c.get("db");
|
||||
const { username, password } = c.req.valid("json");
|
||||
|
||||
const user = await verifyPassword(db, username, password);
|
||||
if (!user) {
|
||||
return c.json({ error: "Invalid credentials" }, 401);
|
||||
}
|
||||
|
||||
const session = await createSession(db, user.id);
|
||||
|
||||
setCookie(c, COOKIE_NAME, session.id, {
|
||||
httpOnly: true,
|
||||
sameSite: "Lax",
|
||||
path: "/",
|
||||
maxAge: COOKIE_MAX_AGE,
|
||||
});
|
||||
|
||||
return c.json({ username: user.username });
|
||||
});
|
||||
|
||||
app.post("/logout", async (c) => {
|
||||
const db = c.get("db");
|
||||
const sessionId = getCookie(c, COOKIE_NAME);
|
||||
|
||||
if (sessionId) {
|
||||
await deleteSession(db, sessionId);
|
||||
}
|
||||
|
||||
deleteCookie(c, COOKIE_NAME, { path: "/" });
|
||||
return c.json({ ok: true });
|
||||
});
|
||||
|
||||
// ── Protected routes ────────────────────────────────────────────────
|
||||
|
||||
app.put(
|
||||
"/password",
|
||||
requireAuth,
|
||||
zValidator("json", changePasswordSchema),
|
||||
async (c) => {
|
||||
const db = c.get("db");
|
||||
const sessionId = getCookie(c, COOKIE_NAME);
|
||||
if (!sessionId) {
|
||||
return c.json({ error: "Session required for password change" }, 401);
|
||||
}
|
||||
const session = await getSession(db, sessionId);
|
||||
|
||||
if (!session) {
|
||||
return c.json({ error: "Session required for password change" }, 401);
|
||||
}
|
||||
|
||||
const [userRecord] = await db
|
||||
.select()
|
||||
.from(users)
|
||||
.where(eq(users.id, session.userId));
|
||||
|
||||
if (!userRecord) {
|
||||
return c.json({ error: "User not found" }, 404);
|
||||
}
|
||||
|
||||
const { currentPassword, newPassword } = c.req.valid("json");
|
||||
const changed = await changePassword(
|
||||
db,
|
||||
userRecord.username,
|
||||
currentPassword,
|
||||
newPassword,
|
||||
);
|
||||
|
||||
if (!changed) {
|
||||
return c.json({ error: "Invalid current password" }, 401);
|
||||
}
|
||||
|
||||
return c.json({ ok: true });
|
||||
},
|
||||
);
|
||||
// ── API Key Management (protected) ───────────────────────────────────
|
||||
|
||||
app.get("/keys", requireAuth, async (c) => {
|
||||
const db = c.get("db");
|
||||
const keys = await listApiKeys(db);
|
||||
const keys = listApiKeys(db);
|
||||
return c.json(keys);
|
||||
});
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { getAuth } from "@hono/oidc-auth";
|
||||
import { Hono } from "hono";
|
||||
import { db as prodDb } from "../../db/index.ts";
|
||||
import { verifyPassword } from "../services/auth.service.ts";
|
||||
import {
|
||||
cleanExpiredOAuthData,
|
||||
createAuthorizationCode,
|
||||
@@ -27,19 +27,14 @@ function getBaseUrl(c: any): string {
|
||||
return new URL(c.req.url).origin;
|
||||
}
|
||||
|
||||
function renderLoginForm(params: {
|
||||
function renderConsentForm(params: {
|
||||
clientName: string;
|
||||
clientId: string;
|
||||
redirectUri: string;
|
||||
codeChallenge: string;
|
||||
codeChallengeMethod: string;
|
||||
state: string;
|
||||
error?: string;
|
||||
}): string {
|
||||
const errorHtml = params.error
|
||||
? `<div style="background:#fef2f2;border:1px solid #fca5a5;color:#dc2626;padding:12px;border-radius:8px;margin-bottom:16px;font-size:14px;">${escapeHtml(params.error)}</div>`
|
||||
: "";
|
||||
|
||||
return `<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
@@ -52,8 +47,6 @@ function renderLoginForm(params: {
|
||||
.card { background: #fff; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 32px; width: 100%; max-width: 400px; }
|
||||
h1 { font-size: 24px; font-weight: 700; text-align: center; margin-bottom: 8px; }
|
||||
.subtitle { text-align: center; color: #6b7280; margin-bottom: 24px; font-size: 14px; }
|
||||
label { display: block; font-size: 14px; font-weight: 500; margin-bottom: 4px; color: #374151; }
|
||||
input[type="text"], input[type="password"] { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 16px; }
|
||||
button { width: 100%; padding: 10px; background: #2563eb; color: #fff; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
|
||||
button:hover { background: #1d4ed8; }
|
||||
</style>
|
||||
@@ -62,12 +55,7 @@ function renderLoginForm(params: {
|
||||
<div class="card">
|
||||
<h1>GearBox</h1>
|
||||
<p class="subtitle">Authorize ${escapeHtml(params.clientName)} to access your data</p>
|
||||
${errorHtml}
|
||||
<form method="POST" action="/oauth/authorize">
|
||||
<label for="username">Username</label>
|
||||
<input type="text" id="username" name="username" required>
|
||||
<label for="password">Password</label>
|
||||
<input type="password" id="password" name="password" required>
|
||||
<input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
|
||||
<input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
|
||||
<input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
|
||||
@@ -129,7 +117,7 @@ oauthRoutes.post("/register", async (c) => {
|
||||
}
|
||||
|
||||
const clientName = body.client_name || "Unknown Client";
|
||||
const { clientId } = await registerClient(db, clientName, body.redirect_uris);
|
||||
const { clientId } = registerClient(db, clientName, body.redirect_uris);
|
||||
|
||||
return c.json(
|
||||
{
|
||||
@@ -141,10 +129,15 @@ oauthRoutes.post("/register", async (c) => {
|
||||
);
|
||||
});
|
||||
|
||||
// GET /authorize — Show HTML login form
|
||||
// GET /authorize — Show consent form (requires OIDC session)
|
||||
oauthRoutes.get("/authorize", async (c) => {
|
||||
const db = c.get("db") ?? prodDb;
|
||||
|
||||
const auth = await getAuth(c);
|
||||
if (!auth) {
|
||||
return c.redirect(`/login?redirect=${encodeURIComponent(c.req.url)}`);
|
||||
}
|
||||
|
||||
const responseType = c.req.query("response_type");
|
||||
const clientId = c.req.query("client_id");
|
||||
const redirectUri = c.req.query("redirect_uri");
|
||||
@@ -159,7 +152,7 @@ oauthRoutes.get("/authorize", async (c) => {
|
||||
return c.json({ error: "Missing required parameters" }, 400);
|
||||
}
|
||||
|
||||
const client = await getClient(db, clientId);
|
||||
const client = getClient(db, clientId);
|
||||
if (!client) {
|
||||
return c.json({ error: "Unknown client_id" }, 400);
|
||||
}
|
||||
@@ -170,7 +163,7 @@ oauthRoutes.get("/authorize", async (c) => {
|
||||
}
|
||||
|
||||
return c.html(
|
||||
renderLoginForm({
|
||||
renderConsentForm({
|
||||
clientName: client.clientName,
|
||||
clientId,
|
||||
redirectUri,
|
||||
@@ -181,36 +174,35 @@ oauthRoutes.get("/authorize", async (c) => {
|
||||
);
|
||||
});
|
||||
|
||||
// POST /authorize — Process login form
|
||||
// POST /authorize — Process consent (requires OIDC session)
|
||||
oauthRoutes.post("/authorize", async (c) => {
|
||||
const db = c.get("db") ?? prodDb;
|
||||
const body = await c.req.parseBody();
|
||||
|
||||
const username = body.username as string;
|
||||
const password = body.password as string;
|
||||
// Check for OIDC session instead of username/password
|
||||
const auth = await getAuth(c);
|
||||
if (!auth) {
|
||||
const currentUrl = c.req.url;
|
||||
return c.redirect(`/login?redirect=${encodeURIComponent(currentUrl)}`);
|
||||
}
|
||||
|
||||
const body = await c.req.parseBody();
|
||||
const clientId = body.client_id as string;
|
||||
const redirectUri = body.redirect_uri as string;
|
||||
const codeChallenge = body.code_challenge as string;
|
||||
const codeChallengeMethod = body.code_challenge_method as string;
|
||||
const state = (body.state as string) ?? "";
|
||||
|
||||
const user = await verifyPassword(db, username, password);
|
||||
if (!user) {
|
||||
const client = await getClient(db, clientId);
|
||||
return c.html(
|
||||
renderLoginForm({
|
||||
clientName: client?.clientName ?? "Unknown",
|
||||
clientId,
|
||||
redirectUri,
|
||||
codeChallenge,
|
||||
codeChallengeMethod,
|
||||
state,
|
||||
error: "Invalid username or password",
|
||||
}),
|
||||
);
|
||||
const client = getClient(db, clientId);
|
||||
if (!client) {
|
||||
return c.json({ error: "Unknown client_id" }, 400);
|
||||
}
|
||||
|
||||
const { code } = await createAuthorizationCode(
|
||||
const allowedUris: string[] = JSON.parse(client.redirectUris);
|
||||
if (!allowedUris.includes(redirectUri)) {
|
||||
return c.json({ error: "redirect_uri not allowed" }, 400);
|
||||
}
|
||||
|
||||
const { code } = createAuthorizationCode(
|
||||
db,
|
||||
clientId,
|
||||
codeChallenge,
|
||||
@@ -233,7 +225,7 @@ oauthRoutes.post("/token", async (c) => {
|
||||
const grantType = body.grant_type as string;
|
||||
|
||||
// Opportunistic cleanup
|
||||
await cleanExpiredOAuthData(db);
|
||||
cleanExpiredOAuthData(db);
|
||||
|
||||
if (grantType === "authorization_code") {
|
||||
const code = body.code as string;
|
||||
|
||||
Reference in New Issue
Block a user