Implement CLI commands and admin API endpoints
- Add bootstrap command with direct DB access for initial setup - Implement auth login/logout/status CLI commands - Implement user create/confirm-email CLI commands - Implement org create/list/add-site CLI commands - Add admin.orgs.* and admin.users.* API endpoints - Add password hashing utility with scrypt - Add token hashing and authentication utility - Add superuser runtime checks for admin endpoints - Wrap multi-step operations in transactions - Fix config file permissions (0o600) for security - Remove token display from status command - Add return statements to void handlers - Add reviq CLI command to devenv Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
82
apps/api-server/src/utils/auth.ts
Normal file
82
apps/api-server/src/utils/auth.ts
Normal file
@@ -0,0 +1,82 @@
|
||||
/**
|
||||
* Authentication utilities for token handling
|
||||
*/
|
||||
|
||||
import type { Database } from "@reviq/db-schema";
|
||||
import type { Kysely } from "kysely";
|
||||
import { sha256 } from "@noble/hashes/sha2.js";
|
||||
|
||||
export interface AuthenticatedUser {
|
||||
id: number;
|
||||
email: string;
|
||||
isSuperuser: boolean;
|
||||
}
|
||||
|
||||
/**
|
||||
* Hash a token using SHA-256
|
||||
*/
|
||||
export const hashToken = (token: string): string => {
|
||||
return Buffer.from(sha256(Buffer.from(token))).toString("hex");
|
||||
};
|
||||
|
||||
/**
|
||||
* Authenticate a request using session token or API key
|
||||
* Returns the authenticated user or null if not authenticated
|
||||
*/
|
||||
export const authenticateRequest = async (
|
||||
db: Kysely<Database>,
|
||||
sessionToken?: string,
|
||||
apiKey?: string,
|
||||
): Promise<AuthenticatedUser | null> => {
|
||||
// Try session cookie first, then API key
|
||||
const token = sessionToken ?? apiKey;
|
||||
if (!token) {
|
||||
return null;
|
||||
}
|
||||
|
||||
const tokenHash = hashToken(token);
|
||||
|
||||
// Check sessions table
|
||||
const session = await db
|
||||
.selectFrom("sessions")
|
||||
.innerJoin("users", "users.id", "sessions.user_id")
|
||||
.where("sessions.token_hash", "=", tokenHash)
|
||||
.where("sessions.expires_at", ">", new Date())
|
||||
.where("sessions.revoked_at", "is", null)
|
||||
.select(["users.id", "users.email", "users.is_superuser"])
|
||||
.executeTakeFirst();
|
||||
|
||||
if (session) {
|
||||
return {
|
||||
id: session.id,
|
||||
email: session.email,
|
||||
isSuperuser: session.is_superuser,
|
||||
};
|
||||
}
|
||||
|
||||
// Check API tokens table
|
||||
const apiToken = await db
|
||||
.selectFrom("api_tokens")
|
||||
.innerJoin("users", "users.id", "api_tokens.user_id")
|
||||
.where("api_tokens.token_hash", "=", tokenHash)
|
||||
.where("api_tokens.expires_at", ">", new Date())
|
||||
.select(["users.id", "users.email", "users.is_superuser"])
|
||||
.executeTakeFirst();
|
||||
|
||||
if (apiToken) {
|
||||
// Update last_used_at
|
||||
await db
|
||||
.updateTable("api_tokens")
|
||||
.set({ last_used_at: new Date() })
|
||||
.where("token_hash", "=", tokenHash)
|
||||
.execute();
|
||||
|
||||
return {
|
||||
id: apiToken.id,
|
||||
email: apiToken.email,
|
||||
isSuperuser: apiToken.is_superuser,
|
||||
};
|
||||
}
|
||||
|
||||
return null;
|
||||
};
|
||||
58
apps/api-server/src/utils/password.ts
Normal file
58
apps/api-server/src/utils/password.ts
Normal file
@@ -0,0 +1,58 @@
|
||||
/**
|
||||
* Password hashing utilities using scrypt from @noble/hashes
|
||||
*/
|
||||
|
||||
import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
|
||||
import { randomBytes } from "@noble/hashes/utils.js";
|
||||
|
||||
// scrypt parameters: N=2^17, r=8, p=1, dkLen=32
|
||||
const N = 131072;
|
||||
const r = 8;
|
||||
const p = 1;
|
||||
const dkLen = 32;
|
||||
|
||||
/**
|
||||
* Hash a password using scrypt
|
||||
* Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
|
||||
*/
|
||||
export const hashPassword = (password: string): string => {
|
||||
const salt = randomBytes(16);
|
||||
const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
|
||||
return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
|
||||
};
|
||||
|
||||
/**
|
||||
* Verify a password against a stored hash
|
||||
* Uses constant-time comparison to prevent timing attacks
|
||||
*/
|
||||
export const verifyPassword = (password: string, stored: string): boolean => {
|
||||
const parts = stored.split("$");
|
||||
if (parts.length !== 5 || parts[0] !== "scrypt") {
|
||||
return false;
|
||||
}
|
||||
|
||||
const saltStr = parts[3];
|
||||
const hashStr = parts[4];
|
||||
if (!(saltStr && hashStr)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const salt = Buffer.from(saltStr, "base64");
|
||||
const storedHash = Buffer.from(hashStr, "base64");
|
||||
const computedHash = nobleScrypt(password, salt, { N, r, p, dkLen });
|
||||
|
||||
// Constant-time comparison
|
||||
if (storedHash.length !== computedHash.length) {
|
||||
return false;
|
||||
}
|
||||
let diff = 0;
|
||||
for (let i = 0; i < storedHash.length; i++) {
|
||||
const storedByte = storedHash[i];
|
||||
const computedByte = computedHash[i];
|
||||
if (storedByte === undefined || computedByte === undefined) {
|
||||
return false;
|
||||
}
|
||||
diff |= storedByte ^ computedByte;
|
||||
}
|
||||
return diff === 0;
|
||||
};
|
||||
Reference in New Issue
Block a user