Implement CLI commands and admin API endpoints

- Add bootstrap command with direct DB access for initial setup - Implement auth login/logout/status CLI commands - Implement user create/confirm-email CLI commands - Implement org create/list/add-site CLI commands - Add admin.orgs.* and admin.users.* API endpoints - Add password hashing utility with scrypt - Add token hashing and authentication utility - Add superuser runtime checks for admin endpoints - Wrap multi-step operations in transactions - Fix config file permissions (0o600) for security - Remove token display from status command - Add return statements to void handlers - Add reviq CLI command to devenv Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:30:10 +08:00
parent 30ee35b25c
commit 410b937f9f
20 changed files with 1267 additions and 85 deletions
--- a/apps/api-server/src/context.ts
+++ b/apps/api-server/src/context.ts
@@ -34,7 +34,8 @@ export interface SessionUser {
 * Session information
 */
 export interface Session {
-  id: number;
+  /** Session ID (stored as bigint in DB, returned as string) */
+  id: string;
  trustedMode: boolean;
  createdAt: Date;
 }
@@ -58,3 +59,12 @@ export interface LoginRequestContext extends APIContext {
  /** User associated with the login request */
  user: SessionUser;
 }
+
+/**
+ * Superuser context for admin procedures
+ * Requires user to have is_superuser = true
+ */
+export interface SuperuserContext extends AuthenticatedContext {
+  /** User with superuser privileges */
+  user: SessionUser & { isSuperuser: true };
+}
--- a/apps/api-server/src/router.ts
+++ b/apps/api-server/src/router.ts
@@ -2,6 +2,7 @@ import type {
  APIContext,
  AuthenticatedContext,
  LoginRequestContext,
+  SuperuserContext,
 } from "./context.js";
 import { implement } from "@orpc/server";
 import { contract } from "@reviq/api-contract";
@@ -16,6 +17,18 @@ import {

 const os = implement(contract);

+/**
+ * Helper to require superuser context with runtime validation
+ */
+const requireSuperuser = (context: unknown): SuperuserContext => {
+  // Cast to partial type first to allow runtime checks
+  const ctx = context as Partial<SuperuserContext>;
+  if (!ctx.user?.isSuperuser) {
+    throw new Error("Unauthorized: Superuser access required");
+  }
+  return context as SuperuserContext;
+};
+
 // Auth procedures
 const signup = os.auth.signup.handler(async () => {
  throw new Error("Not implemented");
@@ -31,9 +44,59 @@ const resendVerificationEmail = os.auth.resendVerificationEmail.handler(
  },
 );

-const createLoginRequest = os.auth.createLoginRequest.handler(async () => {
-  throw new Error("Not implemented");
-});
+const createLoginRequest = os.auth.createLoginRequest.handler(
+  async ({ input, context }) => {
+    const ctx = context as APIContext;
+    const email = input.email.toLowerCase();
+
+    const user = await ctx.db
+      .selectFrom("users")
+      .where("email", "=", email)
+      .select(["id", "password_hash"])
+      .executeTakeFirst();
+
+    // Check for passkeys
+    const hasPasskey = user
+      ? (await ctx.db
+          .selectFrom("passkeys")
+          .where("user_id", "=", user.id)
+          .select("id")
+          .executeTakeFirst()) !== undefined
+      : false;
+
+    const hasPassword = user?.password_hash !== null && user !== undefined;
+
+    if (!user) {
+      // Anti-enumeration: return fake response for non-existent users
+      return {
+        hasPasskey: false,
+        hasPassword: false,
+        isTrustedDevice: false,
+        email,
+      };
+    }
+
+    // Create login request
+    await ctx.db
+      .insertInto("login_requests")
+      .values({
+        user_id: user.id,
+        email,
+        expires_at: new Date(Date.now() + 15 * 60 * 1000), // 15 min
+      })
+      .execute();
+
+    // TODO: Set login_request cookie
+    // TODO: Check device fingerprint for trusted device
+
+    return {
+      hasPasskey,
+      hasPassword,
+      isTrustedDevice: false,
+      email,
+    };
+  },
+);

 const loginPassword = os.auth.loginPassword.handler(async () => {
  throw new Error("Not implemented");
@@ -57,8 +120,17 @@ const resetPassword = os.auth.resetPassword.handler(async () => {
  throw new Error("Not implemented");
 });

-const logout = os.auth.logout.handler(async () => {
-  throw new Error("Not implemented");
+const logout = os.auth.logout.handler(async ({ context }) => {
+  const ctx = context as AuthenticatedContext;
+
+  // Revoke the current session by setting revoked_at
+  await ctx.db
+    .updateTable("sessions")
+    .set({ revoked_at: new Date() })
+    .where("id", "=", ctx.session.id)
+    .execute();
+
+  return undefined;
 });

 // WebAuthn procedures
@@ -84,6 +156,8 @@ const verifyRegistration = os.auth.webauthn.verifyRegistration.handler(

    const rpInfo = getRPInfo(ctx.origin, ctx.allowedOrigins, ctx.rpName);
    await verifyReg(ctx.db, rpInfo, ctx.user.id, challengeId, response);
+
+    return undefined;
  },
 );

@@ -113,6 +187,8 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication.handler(
    if (!verified) {
      throw new Error("Authentication failed");
    }
+
+    return undefined;
  },
 );

@@ -161,6 +237,8 @@ const passkeysRename = os.me.passkeys.rename.handler(
      .where("id", "=", String(passkeyId))
      .where("user_id", "=", ctx.user.id)
      .execute();
+
+    return undefined;
  },
 );

@@ -193,6 +271,8 @@ const passkeysDelete = os.me.passkeys.delete.handler(
      .where("id", "=", String(passkeyId))
      .where("user_id", "=", ctx.user.id)
      .execute();
+
+    return undefined;
  },
 );

@@ -291,63 +371,341 @@ const sitesList = os.orgs.sites.list.handler(async () => {
 });

 // Admin orgs procedures
-const adminOrgsList = os.admin.orgs.list.handler(async () => {
-  throw new Error("Not implemented");
+const adminOrgsList = os.admin.orgs.list.handler(async ({ context }) => {
+  const ctx = requireSuperuser(context);
+  const orgs = await ctx.db.selectFrom("orgs").selectAll().execute();
+  return orgs.map((org) => ({
+    id: org.id,
+    slug: org.slug,
+    displayName: org.display_name,
+    logoUrl: org.logo_url,
+    createdAt: org.created_at,
+  }));
 });

-const adminOrgsGet = os.admin.orgs.get.handler(async () => {
-  throw new Error("Not implemented");
+const adminOrgsGet = os.admin.orgs.get.handler(async ({ input, context }) => {
+  const ctx = requireSuperuser(context);
+  const org = await ctx.db
+    .selectFrom("orgs")
+    .where("slug", "=", input.slug)
+    .selectAll()
+    .executeTakeFirst();
+  if (!org) {
+    throw new Error("Org not found");
+  }
+  return {
+    id: org.id,
+    slug: org.slug,
+    displayName: org.display_name,
+    logoUrl: org.logo_url,
+    createdAt: org.created_at,
+  };
 });

-const adminOrgsCreate = os.admin.orgs.create.handler(async () => {
-  throw new Error("Not implemented");
-});
+const adminOrgsCreate = os.admin.orgs.create.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    const { slug, displayName, ownerEmail } = input;

-const adminOrgsUpdate = os.admin.orgs.update.handler(async () => {
-  throw new Error("Not implemented");
-});
+    // Use transaction to ensure atomicity
+    const orgSlug = await ctx.db.transaction().execute(async (trx) => {
+      // Find or create owner user
+      let owner = await trx
+        .selectFrom("users")
+        .where("email", "=", ownerEmail.toLowerCase())
+        .select("id")
+        .executeTakeFirst();

-const adminOrgsDelete = os.admin.orgs.delete.handler(async () => {
-  throw new Error("Not implemented");
-});
+      if (!owner) {
+        const result = await trx
+          .insertInto("users")
+          .values({ email: ownerEmail.toLowerCase() })
+          .returning("id")
+          .executeTakeFirst();
+        owner = result;
+      }

-const adminOrgsListSites = os.admin.orgs.listSites.handler(async () => {
-  throw new Error("Not implemented");
-});
+      if (!owner) {
+        throw new Error("Failed to create owner user");
+      }

-const adminOrgsAddSite = os.admin.orgs.addSite.handler(async () => {
-  throw new Error("Not implemented");
-});
+      // Create org
+      const org = await trx
+        .insertInto("orgs")
+        .values({ slug, display_name: displayName })
+        .returning(["id", "slug"])
+        .executeTakeFirst();

-const adminOrgsRemoveSite = os.admin.orgs.removeSite.handler(async () => {
-  throw new Error("Not implemented");
-});
+      if (!org) {
+        throw new Error("Failed to create org");
+      }
+
+      // Add owner membership
+      await trx
+        .insertInto("org_members")
+        .values({ org_id: org.id, user_id: owner.id, role: "owner" })
+        .execute();
+
+      return org.slug;
+    });
+
+    return { slug: orgSlug };
+  },
+);
+
+const adminOrgsUpdate = os.admin.orgs.update.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    const { slug, displayName, logoUrl } = input;
+
+    const updates: Record<string, string | undefined> = {};
+    if (displayName !== undefined) {
+      updates.display_name = displayName;
+    }
+    if (logoUrl !== undefined) {
+      updates.logo_url = logoUrl;
+    }
+
+    if (Object.keys(updates).length > 0) {
+      await ctx.db
+        .updateTable("orgs")
+        .set(updates)
+        .where("slug", "=", slug)
+        .execute();
+    }
+
+    return undefined;
+  },
+);
+
+const adminOrgsDelete = os.admin.orgs.delete.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    await ctx.db.deleteFrom("orgs").where("slug", "=", input.slug).execute();
+
+    return undefined;
+  },
+);
+
+const adminOrgsListSites = os.admin.orgs.listSites.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    const org = await ctx.db
+      .selectFrom("orgs")
+      .where("slug", "=", input.slug)
+      .select("id")
+      .executeTakeFirst();
+
+    if (!org) {
+      throw new Error("Org not found");
+    }
+
+    const sites = await ctx.db
+      .selectFrom("org_sites")
+      .where("org_id", "=", org.id)
+      .selectAll()
+      .execute();
+
+    return sites.map((site) => ({
+      id: site.id,
+      domain: site.domain,
+      createdAt: site.created_at,
+    }));
+  },
+);
+
+const adminOrgsAddSite = os.admin.orgs.addSite.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    const { slug, domain } = input;
+
+    const org = await ctx.db
+      .selectFrom("orgs")
+      .where("slug", "=", slug)
+      .select("id")
+      .executeTakeFirst();
+
+    if (!org) {
+      throw new Error("Org not found");
+    }
+
+    await ctx.db
+      .insertInto("org_sites")
+      .values({ org_id: org.id, domain })
+      .execute();
+
+    return undefined;
+  },
+);
+
+const adminOrgsRemoveSite = os.admin.orgs.removeSite.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    const { slug, domain } = input;
+
+    const org = await ctx.db
+      .selectFrom("orgs")
+      .where("slug", "=", slug)
+      .select("id")
+      .executeTakeFirst();
+
+    if (!org) {
+      throw new Error("Org not found");
+    }
+
+    await ctx.db
+      .deleteFrom("org_sites")
+      .where("org_id", "=", org.id)
+      .where("domain", "=", domain)
+      .execute();
+
+    return undefined;
+  },
+);

 // Admin users procedures
-const adminUsersList = os.admin.users.list.handler(async () => {
-  throw new Error("Not implemented");
+const adminUsersList = os.admin.users.list.handler(async ({ context }) => {
+  const ctx = requireSuperuser(context);
+  const users = await ctx.db.selectFrom("users").selectAll().execute();
+  return users.map((user) => ({
+    id: user.id,
+    email: user.email,
+    displayName: user.display_name,
+    fullName: user.full_name,
+    phoneNumber: user.phone_number,
+    avatarUrl: user.avatar_url,
+    emailVerified: user.email_verified_at !== null,
+    needsSetup: user.display_name === null,
+    isSuperuser: user.is_superuser,
+  }));
 });

-const adminUsersGet = os.admin.users.get.handler(async () => {
-  throw new Error("Not implemented");
+const adminUsersGet = os.admin.users.get.handler(async ({ input, context }) => {
+  const ctx = requireSuperuser(context);
+  const user = await ctx.db
+    .selectFrom("users")
+    .where("email", "=", input.email.toLowerCase())
+    .selectAll()
+    .executeTakeFirst();
+  if (!user) {
+    throw new Error("User not found");
+  }
+  return {
+    id: user.id,
+    email: user.email,
+    displayName: user.display_name,
+    fullName: user.full_name,
+    phoneNumber: user.phone_number,
+    avatarUrl: user.avatar_url,
+    emailVerified: user.email_verified_at !== null,
+    needsSetup: user.display_name === null,
+    isSuperuser: user.is_superuser,
+  };
 });

-const adminUsersCreate = os.admin.users.create.handler(async () => {
-  throw new Error("Not implemented");
-});
+const adminUsersCreate = os.admin.users.create.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    const { email, name, orgSlug, orgRole } = input;

-const adminUsersUpdate = os.admin.users.update.handler(async () => {
-  throw new Error("Not implemented");
-});
+    // Use transaction to ensure atomicity when adding to org
+    await ctx.db.transaction().execute(async (trx) => {
+      const result = await trx
+        .insertInto("users")
+        .values({
+          email: email.toLowerCase(),
+          display_name: name ?? null,
+        })
+        .returning("id")
+        .executeTakeFirst();

-const adminUsersConfirmEmail = os.admin.users.confirmEmail.handler(async () => {
-  throw new Error("Not implemented");
-});
+      if (!result) {
+        throw new Error("Failed to create user");
+      }
+
+      // Add to org if specified
+      if (orgSlug) {
+        const org = await trx
+          .selectFrom("orgs")
+          .where("slug", "=", orgSlug)
+          .select("id")
+          .executeTakeFirst();
+
+        if (org) {
+          await trx
+            .insertInto("org_members")
+            .values({
+              org_id: org.id,
+              user_id: result.id,
+              role: orgRole ?? "member",
+            })
+            .execute();
+        }
+      }
+    });
+
+    return undefined;
+  },
+);
+
+const adminUsersUpdate = os.admin.users.update.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    const { email, isSuperuser } = input;
+
+    if (isSuperuser !== undefined) {
+      await ctx.db
+        .updateTable("users")
+        .set({ is_superuser: isSuperuser })
+        .where("email", "=", email.toLowerCase())
+        .execute();
+    }
+
+    return undefined;
+  },
+);
+
+const adminUsersConfirmEmail = os.admin.users.confirmEmail.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+    await ctx.db
+      .updateTable("users")
+      .set({ email_verified_at: new Date() })
+      .where("email", "=", input.email.toLowerCase())
+      .execute();
+
+    return undefined;
+  },
+);

 // Admin auth procedures
-const adminAuthCompleteLogin = os.admin.auth.completeLogin.handler(async () => {
-  throw new Error("Not implemented");
-});
+const adminAuthCompleteLogin = os.admin.auth.completeLogin.handler(
+  async ({ input, context }) => {
+    const ctx = requireSuperuser(context);
+
+    // Find user by email
+    const user = await ctx.db
+      .selectFrom("users")
+      .where("email", "=", input.email.toLowerCase())
+      .select("id")
+      .executeTakeFirst();
+
+    if (!user) {
+      throw new Error("User not found");
+    }
+
+    // Complete the most recent pending login request for this user
+    await ctx.db
+      .updateTable("login_requests")
+      .set({ completed_at: new Date() })
+      .where("user_id", "=", user.id)
+      .where("completed_at", "is", null)
+      .where("expires_at", ">", new Date())
+      .execute();
+
+    return undefined;
+  },
+);

 // Build the router
 export const router = os.router({
--- a/apps/api-server/src/utils/auth.ts
+++ b/apps/api-server/src/utils/auth.ts
@@ -0,0 +1,82 @@
+/**
+ * Authentication utilities for token handling
+ */
+
+import type { Database } from "@reviq/db-schema";
+import type { Kysely } from "kysely";
+import { sha256 } from "@noble/hashes/sha2.js";
+
+export interface AuthenticatedUser {
+  id: number;
+  email: string;
+  isSuperuser: boolean;
+}
+
+/**
+ * Hash a token using SHA-256
+ */
+export const hashToken = (token: string): string => {
+  return Buffer.from(sha256(Buffer.from(token))).toString("hex");
+};
+
+/**
+ * Authenticate a request using session token or API key
+ * Returns the authenticated user or null if not authenticated
+ */
+export const authenticateRequest = async (
+  db: Kysely<Database>,
+  sessionToken?: string,
+  apiKey?: string,
+): Promise<AuthenticatedUser | null> => {
+  // Try session cookie first, then API key
+  const token = sessionToken ?? apiKey;
+  if (!token) {
+    return null;
+  }
+
+  const tokenHash = hashToken(token);
+
+  // Check sessions table
+  const session = await db
+    .selectFrom("sessions")
+    .innerJoin("users", "users.id", "sessions.user_id")
+    .where("sessions.token_hash", "=", tokenHash)
+    .where("sessions.expires_at", ">", new Date())
+    .where("sessions.revoked_at", "is", null)
+    .select(["users.id", "users.email", "users.is_superuser"])
+    .executeTakeFirst();
+
+  if (session) {
+    return {
+      id: session.id,
+      email: session.email,
+      isSuperuser: session.is_superuser,
+    };
+  }
+
+  // Check API tokens table
+  const apiToken = await db
+    .selectFrom("api_tokens")
+    .innerJoin("users", "users.id", "api_tokens.user_id")
+    .where("api_tokens.token_hash", "=", tokenHash)
+    .where("api_tokens.expires_at", ">", new Date())
+    .select(["users.id", "users.email", "users.is_superuser"])
+    .executeTakeFirst();
+
+  if (apiToken) {
+    // Update last_used_at
+    await db
+      .updateTable("api_tokens")
+      .set({ last_used_at: new Date() })
+      .where("token_hash", "=", tokenHash)
+      .execute();
+
+    return {
+      id: apiToken.id,
+      email: apiToken.email,
+      isSuperuser: apiToken.is_superuser,
+    };
+  }
+
+  return null;
+};
--- a/apps/api-server/src/utils/password.ts
+++ b/apps/api-server/src/utils/password.ts
@@ -0,0 +1,58 @@
+/**
+ * Password hashing utilities using scrypt from @noble/hashes
+ */
+
+import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+
+// scrypt parameters: N=2^17, r=8, p=1, dkLen=32
+const N = 131072;
+const r = 8;
+const p = 1;
+const dkLen = 32;
+
+/**
+ * Hash a password using scrypt
+ * Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
+ */
+export const hashPassword = (password: string): string => {
+  const salt = randomBytes(16);
+  const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
+  return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
+};
+
+/**
+ * Verify a password against a stored hash
+ * Uses constant-time comparison to prevent timing attacks
+ */
+export const verifyPassword = (password: string, stored: string): boolean => {
+  const parts = stored.split("$");
+  if (parts.length !== 5 || parts[0] !== "scrypt") {
+    return false;
+  }
+
+  const saltStr = parts[3];
+  const hashStr = parts[4];
+  if (!(saltStr && hashStr)) {
+    return false;
+  }
+
+  const salt = Buffer.from(saltStr, "base64");
+  const storedHash = Buffer.from(hashStr, "base64");
+  const computedHash = nobleScrypt(password, salt, { N, r, p, dkLen });
+
+  // Constant-time comparison
+  if (storedHash.length !== computedHash.length) {
+    return false;
+  }
+  let diff = 0;
+  for (let i = 0; i < storedHash.length; i++) {
+    const storedByte = storedHash[i];
+    const computedByte = computedHash[i];
+    if (storedByte === undefined || computedByte === undefined) {
+      return false;
+    }
+    diff |= storedByte ^ computedByte;
+  }
+  return diff === 0;
+};