chore(18-03): apply 18-01 schema foundation as dependency baseline

This commit is contained in:
2026-04-05 13:04:09 +02:00
parent f7c9f3dc94
commit 89b0496845
20 changed files with 3022 additions and 473 deletions

View File

@@ -1,167 +1,40 @@
import { zValidator } from "@hono/zod-validator";
import { eq } from "drizzle-orm";
import { getAuth } from "@hono/oidc-auth";
import { Hono } from "hono";
import { deleteCookie, getCookie, setCookie } from "hono/cookie";
import { z } from "zod";
import { users } from "../../db/schema.ts";
import { parseId } from "../lib/params.ts";
import { requireAuth } from "../middleware/auth.ts";
import { rateLimit } from "../middleware/rateLimit.ts";
import {
changePassword,
createApiKey,
createSession,
createUser,
deleteApiKey,
deleteSession,
getSession,
getUserCount,
listApiKeys,
verifyPassword,
} from "../services/auth.service.ts";
type Env = { Variables: { db?: any } };
type Env = { Variables: { db?: any; userId?: number } };
const loginSchema = z.object({
username: z.string().min(1),
password: z.string().min(1),
});
const setupSchema = z.object({
username: z.string().min(1),
password: z.string().min(6),
});
const changePasswordSchema = z.object({
currentPassword: z.string().min(1),
newPassword: z.string().min(6),
});
const createKeySchema = z.object({ name: z.string().min(1) });
const COOKIE_NAME = "gearbox_session";
const COOKIE_MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
const app = new Hono<Env>();
// ── Public routes ───────────────────────────────────────────────────
// ── Auth Status ──────────────────────────────────────────────────────
app.get("/me", (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (sessionId) {
const session = getSession(db, sessionId);
if (session) {
return c.json({
user: { id: session.userId },
setupRequired: false,
});
}
app.get("/me", async (c) => {
const auth = await getAuth(c);
if (auth) {
return c.json({
user: { id: auth.sub, email: auth.email },
authenticated: true,
});
}
const setupRequired = getUserCount(db) === 0;
return c.json({ user: null, setupRequired });
return c.json({ user: null, authenticated: false });
});
app.post("/setup", rateLimit, zValidator("json", setupSchema), async (c) => {
// ── API Key Management (protected) ───────────────────────────────────
app.get("/keys", requireAuth, async (c) => {
const db = c.get("db");
if (getUserCount(db) > 0) {
return c.json({ error: "Setup already completed" }, 403);
}
const { username, password } = c.req.valid("json");
const user = await createUser(db, username, password);
const session = createSession(db, user.id);
setCookie(c, COOKIE_NAME, session.id, {
httpOnly: true,
sameSite: "Lax",
path: "/",
maxAge: COOKIE_MAX_AGE,
});
return c.json({ username: user.username }, 201);
});
app.post("/login", rateLimit, zValidator("json", loginSchema), async (c) => {
const db = c.get("db");
const { username, password } = c.req.valid("json");
const user = await verifyPassword(db, username, password);
if (!user) {
return c.json({ error: "Invalid credentials" }, 401);
}
const session = createSession(db, user.id);
setCookie(c, COOKIE_NAME, session.id, {
httpOnly: true,
sameSite: "Lax",
path: "/",
maxAge: COOKIE_MAX_AGE,
});
return c.json({ username: user.username });
});
app.post("/logout", (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (sessionId) {
deleteSession(db, sessionId);
}
deleteCookie(c, COOKIE_NAME, { path: "/" });
return c.json({ ok: true });
});
// ── Protected routes ────────────────────────────────────────────────
app.put(
"/password",
requireAuth,
zValidator("json", changePasswordSchema),
async (c) => {
const db = c.get("db");
const sessionId = getCookie(c, COOKIE_NAME);
if (!sessionId) {
return c.json({ error: "Session required for password change" }, 401);
}
const session = getSession(db, sessionId);
if (!session) {
return c.json({ error: "Session required for password change" }, 401);
}
const userRecord = db
.select()
.from(users)
.where(eq(users.id, session.userId))
.get();
if (!userRecord) {
return c.json({ error: "User not found" }, 404);
}
const { currentPassword, newPassword } = c.req.valid("json");
const changed = await changePassword(
db,
userRecord.username,
currentPassword,
newPassword,
);
if (!changed) {
return c.json({ error: "Invalid current password" }, 401);
}
return c.json({ ok: true });
},
);
app.get("/keys", requireAuth, (c) => {
const db = c.get("db");
const keys = listApiKeys(db);
const userId = c.get("userId")!;
const keys = await listApiKeys(db, userId);
return c.json(keys);
});
@@ -171,8 +44,9 @@ app.post(
zValidator("json", createKeySchema),
async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const { name } = c.req.valid("json");
const result = await createApiKey(db, name);
const result = await createApiKey(db, userId, name);
return c.json(
{
@@ -186,11 +60,12 @@ app.post(
},
);
app.delete("/keys/:id", requireAuth, (c) => {
app.delete("/keys/:id", requireAuth, async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const id = parseId(c.req.param("id"));
if (!id) return c.json({ error: "Invalid key ID" }, 400);
deleteApiKey(db, id);
await deleteApiKey(db, userId, id);
return c.json({ ok: true });
});

View File

@@ -7,6 +7,7 @@ import {
updateSetupSchema,
} from "../../shared/schemas.ts";
import { parseId } from "../lib/params.ts";
import { withImageUrls } from "../services/storage.service.ts";
import {
createSetup,
deleteSetup,
@@ -18,88 +19,97 @@ import {
updateSetup,
} from "../services/setup.service.ts";
type Env = { Variables: { db?: any } };
type Env = { Variables: { db?: any; userId?: number } };
const app = new Hono<Env>();
// Setup CRUD
app.get("/", (c) => {
app.get("/", async (c) => {
const db = c.get("db");
const setups = getAllSetups(db);
const userId = c.get("userId")!;
const setups = await getAllSetups(db, userId);
return c.json(setups);
});
app.post("/", zValidator("json", createSetupSchema), (c) => {
app.post("/", zValidator("json", createSetupSchema), async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const data = c.req.valid("json");
const setup = createSetup(db, data);
const setup = await createSetup(db, userId, data);
return c.json(setup, 201);
});
app.get("/:id", (c) => {
app.get("/:id", async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const id = parseId(c.req.param("id"));
if (!id) return c.json({ error: "Invalid setup ID" }, 400);
const setup = getSetupWithItems(db, id);
const setup = await getSetupWithItems(db, userId, id);
if (!setup) return c.json({ error: "Setup not found" }, 404);
return c.json(setup);
const enrichedItems = await withImageUrls(setup.items);
return c.json({ ...setup, items: enrichedItems });
});
app.put("/:id", zValidator("json", updateSetupSchema), (c) => {
app.put("/:id", zValidator("json", updateSetupSchema), async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const id = parseId(c.req.param("id"));
if (!id) return c.json({ error: "Invalid setup ID" }, 400);
const data = c.req.valid("json");
const setup = updateSetup(db, id, data);
const setup = await updateSetup(db, userId, id, data);
if (!setup) return c.json({ error: "Setup not found" }, 404);
return c.json(setup);
});
app.delete("/:id", (c) => {
app.delete("/:id", async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const id = parseId(c.req.param("id"));
if (!id) return c.json({ error: "Invalid setup ID" }, 400);
const deleted = deleteSetup(db, id);
const deleted = await deleteSetup(db, userId, id);
if (!deleted) return c.json({ error: "Setup not found" }, 404);
return c.json({ success: true });
});
// Setup Items
app.put("/:id/items", zValidator("json", syncSetupItemsSchema), (c) => {
app.put("/:id/items", zValidator("json", syncSetupItemsSchema), async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const id = parseId(c.req.param("id"));
if (!id) return c.json({ error: "Invalid setup ID" }, 400);
const { itemIds } = c.req.valid("json");
const setup = getSetupWithItems(db, id);
const setup = await getSetupWithItems(db, userId, id);
if (!setup) return c.json({ error: "Setup not found" }, 404);
syncSetupItems(db, id, itemIds);
await syncSetupItems(db, userId, id, itemIds);
return c.json({ success: true });
});
app.patch(
"/:id/items/:itemId/classification",
zValidator("json", updateClassificationSchema),
(c) => {
async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const setupId = parseId(c.req.param("id"));
const itemId = parseId(c.req.param("itemId"));
if (!setupId || !itemId) return c.json({ error: "Invalid ID" }, 400);
const { classification } = c.req.valid("json");
updateItemClassification(db, setupId, itemId, classification);
await updateItemClassification(db, userId, setupId, itemId, classification);
return c.json({ success: true });
},
);
app.delete("/:id/items/:itemId", (c) => {
app.delete("/:id/items/:itemId", async (c) => {
const db = c.get("db");
const userId = c.get("userId")!;
const setupId = parseId(c.req.param("id"));
const itemId = parseId(c.req.param("itemId"));
if (!setupId || !itemId) return c.json({ error: "Invalid ID" }, 400);
removeSetupItem(db, setupId, itemId);
await removeSetupItem(db, userId, setupId, itemId);
return c.json({ success: true });
});