Merge branch 'worktree-agent-a9901af2' into Develop

# Conflicts:
#	.planning/REQUIREMENTS.md
#	.planning/ROADMAP.md
#	.planning/STATE.md
#	bun.lock
#	package.json
#	src/server/middleware/auth.ts
#	src/server/routes/auth.ts
#	src/server/routes/oauth.ts
#	src/server/services/auth.service.ts
This commit is contained in:
2026-04-04 20:48:38 +02:00
12 changed files with 257 additions and 369 deletions

View File

@@ -1,166 +1,39 @@
import { zValidator } from "@hono/zod-validator";
import { eq } from "drizzle-orm";
import { getAuth } from "@hono/oidc-auth";
import { Hono } from "hono";
import { deleteCookie, getCookie, setCookie } from "hono/cookie";
import { z } from "zod";
import { users } from "../../db/schema.ts";
import { parseId } from "../lib/params.ts";
import { requireAuth } from "../middleware/auth.ts";
import { rateLimit } from "../middleware/rateLimit.ts";
import {
changePassword,
createApiKey,
createSession,
createUser,
deleteApiKey,
deleteSession,
getSession,
getUserCount,
listApiKeys,
verifyPassword,
} from "../services/auth.service.ts";
type Env = { Variables: { db?: any } };
const loginSchema = z.object({
username: z.string().min(1),
password: z.string().min(1),
});
const setupSchema = z.object({
username: z.string().min(1),
password: z.string().min(6),
});
const changePasswordSchema = z.object({
currentPassword: z.string().min(1),
newPassword: z.string().min(6),
});
const createKeySchema = z.object({ name: z.string().min(1) });
const COOKIE_NAME = "gearbox_session";
const COOKIE_MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
const app = new Hono<Env>();
// ── Public routes ───────────────────────────────────────────────────
// ── Auth Status ──────────────────────────────────────────────────────
app.get("/me", async (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (sessionId) {
const session = await getSession(db, sessionId);
if (session) {
return c.json({
user: { id: session.userId },
setupRequired: false,
});
}
const auth = await getAuth(c);
if (auth) {
return c.json({
user: { id: auth.sub, email: auth.email },
authenticated: true,
});
}
const setupRequired = (await getUserCount(db)) === 0;
return c.json({ user: null, setupRequired });
return c.json({ user: null, authenticated: false });
});
app.post("/setup", rateLimit, zValidator("json", setupSchema), async (c) => {
const db = c.get("db");
if ((await getUserCount(db)) > 0) {
return c.json({ error: "Setup already completed" }, 403);
}
const { username, password } = c.req.valid("json");
const user = await createUser(db, username, password);
const session = await createSession(db, user.id);
setCookie(c, COOKIE_NAME, session.id, {
httpOnly: true,
sameSite: "Lax",
path: "/",
maxAge: COOKIE_MAX_AGE,
});
return c.json({ username: user.username }, 201);
});
app.post("/login", rateLimit, zValidator("json", loginSchema), async (c) => {
const db = c.get("db");
const { username, password } = c.req.valid("json");
const user = await verifyPassword(db, username, password);
if (!user) {
return c.json({ error: "Invalid credentials" }, 401);
}
const session = await createSession(db, user.id);
setCookie(c, COOKIE_NAME, session.id, {
httpOnly: true,
sameSite: "Lax",
path: "/",
maxAge: COOKIE_MAX_AGE,
});
return c.json({ username: user.username });
});
app.post("/logout", async (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (sessionId) {
await deleteSession(db, sessionId);
}
deleteCookie(c, COOKIE_NAME, { path: "/" });
return c.json({ ok: true });
});
// ── Protected routes ────────────────────────────────────────────────
app.put(
"/password",
requireAuth,
zValidator("json", changePasswordSchema),
async (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (!sessionId) {
return c.json({ error: "Session required for password change" }, 401);
}
const session = await getSession(db, sessionId);
if (!session) {
return c.json({ error: "Session required for password change" }, 401);
}
const [userRecord] = await db
.select()
.from(users)
.where(eq(users.id, session.userId));
if (!userRecord) {
return c.json({ error: "User not found" }, 404);
}
const { currentPassword, newPassword } = c.req.valid("json");
const changed = await changePassword(
db,
userRecord.username,
currentPassword,
newPassword,
);
if (!changed) {
return c.json({ error: "Invalid current password" }, 401);
}
return c.json({ ok: true });
},
);
// ── API Key Management (protected) ───────────────────────────────────
app.get("/keys", requireAuth, async (c) => {
const db = c.get("db");
const keys = await listApiKeys(db);
const keys = listApiKeys(db);
return c.json(keys);
});

View File

@@ -1,6 +1,6 @@
import { getAuth } from "@hono/oidc-auth";
import { Hono } from "hono";
import { db as prodDb } from "../../db/index.ts";
import { verifyPassword } from "../services/auth.service.ts";
import {
cleanExpiredOAuthData,
createAuthorizationCode,
@@ -27,19 +27,14 @@ function getBaseUrl(c: any): string {
return new URL(c.req.url).origin;
}
function renderLoginForm(params: {
function renderConsentForm(params: {
clientName: string;
clientId: string;
redirectUri: string;
codeChallenge: string;
codeChallengeMethod: string;
state: string;
error?: string;
}): string {
const errorHtml = params.error
? `<div style="background:#fef2f2;border:1px solid #fca5a5;color:#dc2626;padding:12px;border-radius:8px;margin-bottom:16px;font-size:14px;">${escapeHtml(params.error)}</div>`
: "";
return `<!DOCTYPE html>
<html lang="en">
<head>
@@ -52,8 +47,6 @@ function renderLoginForm(params: {
.card { background: #fff; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 32px; width: 100%; max-width: 400px; }
h1 { font-size: 24px; font-weight: 700; text-align: center; margin-bottom: 8px; }
.subtitle { text-align: center; color: #6b7280; margin-bottom: 24px; font-size: 14px; }
label { display: block; font-size: 14px; font-weight: 500; margin-bottom: 4px; color: #374151; }
input[type="text"], input[type="password"] { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 16px; }
button { width: 100%; padding: 10px; background: #2563eb; color: #fff; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
button:hover { background: #1d4ed8; }
</style>
@@ -62,12 +55,7 @@ function renderLoginForm(params: {
<div class="card">
<h1>GearBox</h1>
<p class="subtitle">Authorize ${escapeHtml(params.clientName)} to access your data</p>
${errorHtml}
<form method="POST" action="/oauth/authorize">
<label for="username">Username</label>
<input type="text" id="username" name="username" required>
<label for="password">Password</label>
<input type="password" id="password" name="password" required>
<input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
<input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
<input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
@@ -129,7 +117,7 @@ oauthRoutes.post("/register", async (c) => {
}
const clientName = body.client_name || "Unknown Client";
const { clientId } = await registerClient(db, clientName, body.redirect_uris);
const { clientId } = registerClient(db, clientName, body.redirect_uris);
return c.json(
{
@@ -141,10 +129,15 @@ oauthRoutes.post("/register", async (c) => {
);
});
// GET /authorize — Show HTML login form
// GET /authorize — Show consent form (requires OIDC session)
oauthRoutes.get("/authorize", async (c) => {
const db = c.get("db") ?? prodDb;
const auth = await getAuth(c);
if (!auth) {
return c.redirect(`/login?redirect=${encodeURIComponent(c.req.url)}`);
}
const responseType = c.req.query("response_type");
const clientId = c.req.query("client_id");
const redirectUri = c.req.query("redirect_uri");
@@ -159,7 +152,7 @@ oauthRoutes.get("/authorize", async (c) => {
return c.json({ error: "Missing required parameters" }, 400);
}
const client = await getClient(db, clientId);
const client = getClient(db, clientId);
if (!client) {
return c.json({ error: "Unknown client_id" }, 400);
}
@@ -170,7 +163,7 @@ oauthRoutes.get("/authorize", async (c) => {
}
return c.html(
renderLoginForm({
renderConsentForm({
clientName: client.clientName,
clientId,
redirectUri,
@@ -181,36 +174,35 @@ oauthRoutes.get("/authorize", async (c) => {
);
});
// POST /authorize — Process login form
// POST /authorize — Process consent (requires OIDC session)
oauthRoutes.post("/authorize", async (c) => {
const db = c.get("db") ?? prodDb;
const body = await c.req.parseBody();
const username = body.username as string;
const password = body.password as string;
// Check for OIDC session instead of username/password
const auth = await getAuth(c);
if (!auth) {
const currentUrl = c.req.url;
return c.redirect(`/login?redirect=${encodeURIComponent(currentUrl)}`);
}
const body = await c.req.parseBody();
const clientId = body.client_id as string;
const redirectUri = body.redirect_uri as string;
const codeChallenge = body.code_challenge as string;
const codeChallengeMethod = body.code_challenge_method as string;
const state = (body.state as string) ?? "";
const user = await verifyPassword(db, username, password);
if (!user) {
const client = await getClient(db, clientId);
return c.html(
renderLoginForm({
clientName: client?.clientName ?? "Unknown",
clientId,
redirectUri,
codeChallenge,
codeChallengeMethod,
state,
error: "Invalid username or password",
}),
);
const client = getClient(db, clientId);
if (!client) {
return c.json({ error: "Unknown client_id" }, 400);
}
const { code } = await createAuthorizationCode(
const allowedUris: string[] = JSON.parse(client.redirectUris);
if (!allowedUris.includes(redirectUri)) {
return c.json({ error: "redirect_uri not allowed" }, 400);
}
const { code } = createAuthorizationCode(
db,
clientId,
codeChallenge,
@@ -233,7 +225,7 @@ oauthRoutes.post("/token", async (c) => {
const grantType = body.grant_type as string;
// Opportunistic cleanup
await cleanExpiredOAuthData(db);
cleanExpiredOAuthData(db);
if (grantType === "authorization_code") {
const code = body.code as string;