Implement CLI commands and admin API endpoints
- Add bootstrap command with direct DB access for initial setup - Implement auth login/logout/status CLI commands - Implement user create/confirm-email CLI commands - Implement org create/list/add-site CLI commands - Add admin.orgs.* and admin.users.* API endpoints - Add password hashing utility with scrypt - Add token hashing and authentication utility - Add superuser runtime checks for admin endpoints - Wrap multi-step operations in transactions - Fix config file permissions (0o600) for security - Remove token display from status command - Add return statements to void handlers - Add reviq CLI command to devenv Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
82
apps/api-server/src/utils/auth.ts
Normal file
82
apps/api-server/src/utils/auth.ts
Normal file
@@ -0,0 +1,82 @@
|
||||
/**
|
||||
* Authentication utilities for token handling
|
||||
*/
|
||||
|
||||
import type { Database } from "@reviq/db-schema";
|
||||
import type { Kysely } from "kysely";
|
||||
import { sha256 } from "@noble/hashes/sha2.js";
|
||||
|
||||
export interface AuthenticatedUser {
|
||||
id: number;
|
||||
email: string;
|
||||
isSuperuser: boolean;
|
||||
}
|
||||
|
||||
/**
|
||||
* Hash a token using SHA-256
|
||||
*/
|
||||
export const hashToken = (token: string): string => {
|
||||
return Buffer.from(sha256(Buffer.from(token))).toString("hex");
|
||||
};
|
||||
|
||||
/**
|
||||
* Authenticate a request using session token or API key
|
||||
* Returns the authenticated user or null if not authenticated
|
||||
*/
|
||||
export const authenticateRequest = async (
|
||||
db: Kysely<Database>,
|
||||
sessionToken?: string,
|
||||
apiKey?: string,
|
||||
): Promise<AuthenticatedUser | null> => {
|
||||
// Try session cookie first, then API key
|
||||
const token = sessionToken ?? apiKey;
|
||||
if (!token) {
|
||||
return null;
|
||||
}
|
||||
|
||||
const tokenHash = hashToken(token);
|
||||
|
||||
// Check sessions table
|
||||
const session = await db
|
||||
.selectFrom("sessions")
|
||||
.innerJoin("users", "users.id", "sessions.user_id")
|
||||
.where("sessions.token_hash", "=", tokenHash)
|
||||
.where("sessions.expires_at", ">", new Date())
|
||||
.where("sessions.revoked_at", "is", null)
|
||||
.select(["users.id", "users.email", "users.is_superuser"])
|
||||
.executeTakeFirst();
|
||||
|
||||
if (session) {
|
||||
return {
|
||||
id: session.id,
|
||||
email: session.email,
|
||||
isSuperuser: session.is_superuser,
|
||||
};
|
||||
}
|
||||
|
||||
// Check API tokens table
|
||||
const apiToken = await db
|
||||
.selectFrom("api_tokens")
|
||||
.innerJoin("users", "users.id", "api_tokens.user_id")
|
||||
.where("api_tokens.token_hash", "=", tokenHash)
|
||||
.where("api_tokens.expires_at", ">", new Date())
|
||||
.select(["users.id", "users.email", "users.is_superuser"])
|
||||
.executeTakeFirst();
|
||||
|
||||
if (apiToken) {
|
||||
// Update last_used_at
|
||||
await db
|
||||
.updateTable("api_tokens")
|
||||
.set({ last_used_at: new Date() })
|
||||
.where("token_hash", "=", tokenHash)
|
||||
.execute();
|
||||
|
||||
return {
|
||||
id: apiToken.id,
|
||||
email: apiToken.email,
|
||||
isSuperuser: apiToken.is_superuser,
|
||||
};
|
||||
}
|
||||
|
||||
return null;
|
||||
};
|
||||
Reference in New Issue
Block a user