Implement CLI commands and admin API endpoints

- Add bootstrap command with direct DB access for initial setup - Implement auth login/logout/status CLI commands - Implement user create/confirm-email CLI commands - Implement org create/list/add-site CLI commands - Add admin.orgs.* and admin.users.* API endpoints - Add password hashing utility with scrypt - Add token hashing and authentication utility - Add superuser runtime checks for admin endpoints - Wrap multi-step operations in transactions - Fix config file permissions (0o600) for security - Remove token display from status command - Add return statements to void handlers - Add reviq CLI command to devenv Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:30:10 +08:00
parent 30ee35b25c
commit 410b937f9f
20 changed files with 1267 additions and 85 deletions
--- a/apps/cli/src/utils/api-client.ts
+++ b/apps/cli/src/utils/api-client.ts
@@ -0,0 +1,61 @@
+/**
+ * API client utilities for CLI commands
+ */
+
+import { readConfig } from "./config.js";
+
+export interface ApiClientError {
+  code: string;
+  message: string;
+}
+
+/**
+ * Create an API client with the stored credentials
+ * Throws an error if not logged in
+ */
+export const createApiClient = async () => {
+  const config = await readConfig();
+  if (!config) {
+    throw new Error(
+      "Not logged in. Run 'reviq bootstrap' or 'reviq auth login' first.",
+    );
+  }
+
+  return {
+    /**
+     * Call an oRPC procedure
+     */
+    call: async <T>(path: string, input?: unknown): Promise<T> => {
+      const url = `${config.apiUrl}/api/v1/rpc/${path}`;
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": config.token,
+        },
+        body: input !== undefined ? JSON.stringify(input) : undefined,
+      });
+
+      if (!response.ok) {
+        const text = await response.text();
+        let errorMessage = `API error: ${String(response.status)} ${response.statusText}`;
+        try {
+          const error = JSON.parse(text) as ApiClientError;
+          if (error.message) {
+            errorMessage = error.message;
+          }
+        } catch {
+          if (text) {
+            errorMessage = text;
+          }
+        }
+        throw new Error(errorMessage);
+      }
+
+      return response.json() as Promise<T>;
+    },
+    config,
+  };
+};
+
+export type ApiClient = Awaited<ReturnType<typeof createApiClient>>;
--- a/apps/cli/src/utils/config.ts
+++ b/apps/cli/src/utils/config.ts
@@ -0,0 +1,58 @@
+/**
+ * CLI configuration utilities
+ * Stores credentials at ~/.config/reviq/credentials.json
+ */
+
+import { mkdir, readFile, unlink, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+export interface Config {
+  apiUrl: string;
+  token: string;
+  email: string;
+}
+
+const CONFIG_DIR = join(homedir(), ".config", "reviq");
+const CONFIG_FILE = join(CONFIG_DIR, "credentials.json");
+
+/**
+ * Get the path to the config file
+ */
+export const getConfigPath = (): string => CONFIG_FILE;
+
+/**
+ * Read the config file
+ * Returns null if the file doesn't exist or is invalid
+ */
+export const readConfig = async (): Promise<Config | null> => {
+  try {
+    const data = await readFile(CONFIG_FILE, "utf-8");
+    return JSON.parse(data) as Config;
+  } catch {
+    return null;
+  }
+};
+
+/**
+ * Write the config file
+ * Creates the config directory if it doesn't exist
+ */
+export const writeConfig = async (config: Config): Promise<void> => {
+  await mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), {
+    mode: 0o600,
+  });
+};
+
+/**
+ * Delete the config file
+ * Ignores errors if the file doesn't exist
+ */
+export const deleteConfig = async (): Promise<void> => {
+  try {
+    await unlink(CONFIG_FILE);
+  } catch {
+    // Ignore if doesn't exist
+  }
+};
--- a/apps/cli/src/utils/password.ts
+++ b/apps/cli/src/utils/password.ts
@@ -0,0 +1,22 @@
+/**
+ * Password hashing utilities using scrypt from @noble/hashes
+ */
+
+import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+
+// scrypt parameters: N=2^17, r=8, p=1, dkLen=32
+const N = 131072;
+const r = 8;
+const p = 1;
+const dkLen = 32;
+
+/**
+ * Hash a password using scrypt
+ * Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
+ */
+export const hashPassword = (password: string): string => {
+  const salt = randomBytes(16);
+  const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
+  return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
+};
--- a/apps/cli/src/utils/token.ts
+++ b/apps/cli/src/utils/token.ts
@@ -0,0 +1,22 @@
+/**
+ * Token generation and hashing utilities
+ */
+
+import { sha256 } from "@noble/hashes/sha2.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+
+/**
+ * Generate a cryptographically secure random token
+ * Returns a 32-byte hex string (64 characters)
+ */
+export const generateToken = (): string => {
+  return Buffer.from(randomBytes(32)).toString("hex");
+};
+
+/**
+ * Hash a token using SHA-256
+ * Returns a hex string
+ */
+export const hashToken = (token: string): string => {
+  return Buffer.from(sha256(Buffer.from(token))).toString("hex");
+};