igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement CLI commands and admin API endpoints

Browse Source 
- Add bootstrap command with direct DB access for initial setup
- Implement auth login/logout/status CLI commands
- Implement user create/confirm-email CLI commands
- Implement org create/list/add-site CLI commands
- Add admin.orgs.* and admin.users.* API endpoints
- Add password hashing utility with scrypt
- Add token hashing and authentication utility
- Add superuser runtime checks for admin endpoints
- Wrap multi-step operations in transactions
- Fix config file permissions (0o600) for security
- Remove token display from status command
- Add return statements to void handlers
- Add reviq CLI command to devenv

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
2026-01-09 15:30:10 +08:00
parent 30ee35b25c
commit 410b937f9f
20 changed files with 1267 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/api-server/package.json
View File

@@ -11,6 +11,7 @@
"clean": "rm -rf dist .eslintcache"
},
"dependencies": {
"@noble/hashes": "^2.0.1",
"@orpc/server": "^1.13.2",
"@reviq/api-contract": "workspace:*",
"@reviq/db": "workspace:*",

12
apps/api-server/src/context.ts
View File

@@ -34,7 +34,8 @@ export interface SessionUser {
* Session information
*/
export interface Session {
id: number;
/** Session ID (stored as bigint in DB, returned as string) */
id: string;
trustedMode: boolean;
createdAt: Date;
}
@@ -58,3 +59,12 @@ export interface LoginRequestContext extends APIContext {
/** User associated with the login request */
user: SessionUser;
}
/**
* Superuser context for admin procedures
* Requires user to have is_superuser = true
*/
export interface SuperuserContext extends AuthenticatedContext {
/** User with superuser privileges */
user: SessionUser & { isSuperuser: true };
}

440
apps/api-server/src/router.ts
View File

@@ -2,6 +2,7 @@ import type {
APIContext,
AuthenticatedContext,
LoginRequestContext,
SuperuserContext,
} from "./context.js";
import { implement } from "@orpc/server";
import { contract } from "@reviq/api-contract";
@@ -16,6 +17,18 @@ import {
const os = implement(contract);
/**
* Helper to require superuser context with runtime validation
*/
const requireSuperuser = (context: unknown): SuperuserContext => {
// Cast to partial type first to allow runtime checks
const ctx = context as Partial<SuperuserContext>;
if (!ctx.user?.isSuperuser) {
throw new Error("Unauthorized: Superuser access required");
}
return context as SuperuserContext;
};
// Auth procedures
const signup = os.auth.signup.handler(async () => {
throw new Error("Not implemented");
@@ -31,9 +44,59 @@ const resendVerificationEmail = os.auth.resendVerificationEmail.handler(
},
);
const createLoginRequest = os.auth.createLoginRequest.handler(async () => {
throw new Error("Not implemented");
});
const createLoginRequest = os.auth.createLoginRequest.handler(
async ({ input, context }) => {
const ctx = context as APIContext;
const email = input.email.toLowerCase();
const user = await ctx.db
.selectFrom("users")
.where("email", "=", email)
.select(["id", "password_hash"])
.executeTakeFirst();
// Check for passkeys
const hasPasskey = user
? (await ctx.db
.selectFrom("passkeys")
.where("user_id", "=", user.id)
.select("id")
.executeTakeFirst()) !== undefined
: false;
const hasPassword = user?.password_hash !== null && user !== undefined;
if (!user) {
// Anti-enumeration: return fake response for non-existent users
return {
hasPasskey: false,
hasPassword: false,
isTrustedDevice: false,
email,
};
}
// Create login request
await ctx.db
.insertInto("login_requests")
.values({
user_id: user.id,
email,
expires_at: new Date(Date.now() + 15 * 60 * 1000), // 15 min
})
.execute();
// TODO: Set login_request cookie
// TODO: Check device fingerprint for trusted device
return {
hasPasskey,
hasPassword,
isTrustedDevice: false,
email,
};
},
);
const loginPassword = os.auth.loginPassword.handler(async () => {
throw new Error("Not implemented");
@@ -57,8 +120,17 @@ const resetPassword = os.auth.resetPassword.handler(async () => {
throw new Error("Not implemented");
});
const logout = os.auth.logout.handler(async () => {
throw new Error("Not implemented");
const logout = os.auth.logout.handler(async ({ context }) => {
const ctx = context as AuthenticatedContext;
// Revoke the current session by setting revoked_at
await ctx.db
.updateTable("sessions")
.set({ revoked_at: new Date() })
.where("id", "=", ctx.session.id)
.execute();
return undefined;
});
// WebAuthn procedures
@@ -84,6 +156,8 @@ const verifyRegistration = os.auth.webauthn.verifyRegistration.handler(
const rpInfo = getRPInfo(ctx.origin, ctx.allowedOrigins, ctx.rpName);
await verifyReg(ctx.db, rpInfo, ctx.user.id, challengeId, response);
return undefined;
},
);
@@ -113,6 +187,8 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication.handler(
if (!verified) {
throw new Error("Authentication failed");
}
return undefined;
},
);
@@ -161,6 +237,8 @@ const passkeysRename = os.me.passkeys.rename.handler(
.where("id", "=", String(passkeyId))
.where("user_id", "=", ctx.user.id)
.execute();
return undefined;
},
);
@@ -193,6 +271,8 @@ const passkeysDelete = os.me.passkeys.delete.handler(
.where("id", "=", String(passkeyId))
.where("user_id", "=", ctx.user.id)
.execute();
return undefined;
},
);
@@ -291,63 +371,341 @@ const sitesList = os.orgs.sites.list.handler(async () => {
});
// Admin orgs procedures
const adminOrgsList = os.admin.orgs.list.handler(async () => {
throw new Error("Not implemented");
const adminOrgsList = os.admin.orgs.list.handler(async ({ context }) => {
const ctx = requireSuperuser(context);
const orgs = await ctx.db.selectFrom("orgs").selectAll().execute();
return orgs.map((org) => ({
id: org.id,
slug: org.slug,
displayName: org.display_name,
logoUrl: org.logo_url,
createdAt: org.created_at,
}));
});
const adminOrgsGet = os.admin.orgs.get.handler(async () => {
throw new Error("Not implemented");
const adminOrgsGet = os.admin.orgs.get.handler(async ({ input, context }) => {
const ctx = requireSuperuser(context);
const org = await ctx.db
.selectFrom("orgs")
.where("slug", "=", input.slug)
.selectAll()
.executeTakeFirst();
if (!org) {
throw new Error("Org not found");
}
return {
id: org.id,
slug: org.slug,
displayName: org.display_name,
logoUrl: org.logo_url,
createdAt: org.created_at,
};
});
const adminOrgsCreate = os.admin.orgs.create.handler(async () => {
throw new Error("Not implemented");
const adminOrgsCreate = os.admin.orgs.create.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
const { slug, displayName, ownerEmail } = input;
// Use transaction to ensure atomicity
const orgSlug = await ctx.db.transaction().execute(async (trx) => {
// Find or create owner user
let owner = await trx
.selectFrom("users")
.where("email", "=", ownerEmail.toLowerCase())
.select("id")
.executeTakeFirst();
if (!owner) {
const result = await trx
.insertInto("users")
.values({ email: ownerEmail.toLowerCase() })
.returning("id")
.executeTakeFirst();
owner = result;
}
if (!owner) {
throw new Error("Failed to create owner user");
}
// Create org
const org = await trx
.insertInto("orgs")
.values({ slug, display_name: displayName })
.returning(["id", "slug"])
.executeTakeFirst();
if (!org) {
throw new Error("Failed to create org");
}
// Add owner membership
await trx
.insertInto("org_members")
.values({ org_id: org.id, user_id: owner.id, role: "owner" })
.execute();
return org.slug;
});
const adminOrgsUpdate = os.admin.orgs.update.handler(async () => {
throw new Error("Not implemented");
});
return { slug: orgSlug };
},
);
const adminOrgsDelete = os.admin.orgs.delete.handler(async () => {
throw new Error("Not implemented");
});
const adminOrgsUpdate = os.admin.orgs.update.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
const { slug, displayName, logoUrl } = input;
const adminOrgsListSites = os.admin.orgs.listSites.handler(async () => {
throw new Error("Not implemented");
});
const updates: Record<string, string | undefined> = {};
if (displayName !== undefined) {
updates.display_name = displayName;
}
if (logoUrl !== undefined) {
updates.logo_url = logoUrl;
}
const adminOrgsAddSite = os.admin.orgs.addSite.handler(async () => {
throw new Error("Not implemented");
});
if (Object.keys(updates).length > 0) {
await ctx.db
.updateTable("orgs")
.set(updates)
.where("slug", "=", slug)
.execute();
}
const adminOrgsRemoveSite = os.admin.orgs.removeSite.handler(async () => {
throw new Error("Not implemented");
});
return undefined;
},
);
const adminOrgsDelete = os.admin.orgs.delete.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
await ctx.db.deleteFrom("orgs").where("slug", "=", input.slug).execute();
return undefined;
},
);
const adminOrgsListSites = os.admin.orgs.listSites.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
const org = await ctx.db
.selectFrom("orgs")
.where("slug", "=", input.slug)
.select("id")
.executeTakeFirst();
if (!org) {
throw new Error("Org not found");
}
const sites = await ctx.db
.selectFrom("org_sites")
.where("org_id", "=", org.id)
.selectAll()
.execute();
return sites.map((site) => ({
id: site.id,
domain: site.domain,
createdAt: site.created_at,
}));
},
);
const adminOrgsAddSite = os.admin.orgs.addSite.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
const { slug, domain } = input;
const org = await ctx.db
.selectFrom("orgs")
.where("slug", "=", slug)
.select("id")
.executeTakeFirst();
if (!org) {
throw new Error("Org not found");
}
await ctx.db
.insertInto("org_sites")
.values({ org_id: org.id, domain })
.execute();
return undefined;
},
);
const adminOrgsRemoveSite = os.admin.orgs.removeSite.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
const { slug, domain } = input;
const org = await ctx.db
.selectFrom("orgs")
.where("slug", "=", slug)
.select("id")
.executeTakeFirst();
if (!org) {
throw new Error("Org not found");
}
await ctx.db
.deleteFrom("org_sites")
.where("org_id", "=", org.id)
.where("domain", "=", domain)
.execute();
return undefined;
},
);
// Admin users procedures
const adminUsersList = os.admin.users.list.handler(async () => {
throw new Error("Not implemented");
const adminUsersList = os.admin.users.list.handler(async ({ context }) => {
const ctx = requireSuperuser(context);
const users = await ctx.db.selectFrom("users").selectAll().execute();
return users.map((user) => ({
id: user.id,
email: user.email,
displayName: user.display_name,
fullName: user.full_name,
phoneNumber: user.phone_number,
avatarUrl: user.avatar_url,
emailVerified: user.email_verified_at !== null,
needsSetup: user.display_name === null,
isSuperuser: user.is_superuser,
}));
});
const adminUsersGet = os.admin.users.get.handler(async () => {
throw new Error("Not implemented");
const adminUsersGet = os.admin.users.get.handler(async ({ input, context }) => {
const ctx = requireSuperuser(context);
const user = await ctx.db
.selectFrom("users")
.where("email", "=", input.email.toLowerCase())
.selectAll()
.executeTakeFirst();
if (!user) {
throw new Error("User not found");
}
return {
id: user.id,
email: user.email,
displayName: user.display_name,
fullName: user.full_name,
phoneNumber: user.phone_number,
avatarUrl: user.avatar_url,
emailVerified: user.email_verified_at !== null,
needsSetup: user.display_name === null,
isSuperuser: user.is_superuser,
};
});
const adminUsersCreate = os.admin.users.create.handler(async () => {
throw new Error("Not implemented");
const adminUsersCreate = os.admin.users.create.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
const { email, name, orgSlug, orgRole } = input;
// Use transaction to ensure atomicity when adding to org
await ctx.db.transaction().execute(async (trx) => {
const result = await trx
.insertInto("users")
.values({
email: email.toLowerCase(),
display_name: name ?? null,
})
.returning("id")
.executeTakeFirst();
if (!result) {
throw new Error("Failed to create user");
}
// Add to org if specified
if (orgSlug) {
const org = await trx
.selectFrom("orgs")
.where("slug", "=", orgSlug)
.select("id")
.executeTakeFirst();
if (org) {
await trx
.insertInto("org_members")
.values({
org_id: org.id,
user_id: result.id,
role: orgRole ?? "member",
})
.execute();
}
}
});
const adminUsersUpdate = os.admin.users.update.handler(async () => {
throw new Error("Not implemented");
});
return undefined;
},
);
const adminUsersConfirmEmail = os.admin.users.confirmEmail.handler(async () => {
throw new Error("Not implemented");
});
const adminUsersUpdate = os.admin.users.update.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
const { email, isSuperuser } = input;
if (isSuperuser !== undefined) {
await ctx.db
.updateTable("users")
.set({ is_superuser: isSuperuser })
.where("email", "=", email.toLowerCase())
.execute();
}
return undefined;
},
);
const adminUsersConfirmEmail = os.admin.users.confirmEmail.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
await ctx.db
.updateTable("users")
.set({ email_verified_at: new Date() })
.where("email", "=", input.email.toLowerCase())
.execute();
return undefined;
},
);
// Admin auth procedures
const adminAuthCompleteLogin = os.admin.auth.completeLogin.handler(async () => {
throw new Error("Not implemented");
});
const adminAuthCompleteLogin = os.admin.auth.completeLogin.handler(
async ({ input, context }) => {
const ctx = requireSuperuser(context);
// Find user by email
const user = await ctx.db
.selectFrom("users")
.where("email", "=", input.email.toLowerCase())
.select("id")
.executeTakeFirst();
if (!user) {
throw new Error("User not found");
}
// Complete the most recent pending login request for this user
await ctx.db
.updateTable("login_requests")
.set({ completed_at: new Date() })
.where("user_id", "=", user.id)
.where("completed_at", "is", null)
.where("expires_at", ">", new Date())
.execute();
return undefined;
},
);
// Build the router
export const router = os.router({

82
apps/api-server/src/utils/auth.ts Normal file
View File

@@ -0,0 +1,82 @@
/**
* Authentication utilities for token handling
*/
import type { Database } from "@reviq/db-schema";
import type { Kysely } from "kysely";
import { sha256 } from "@noble/hashes/sha2.js";
export interface AuthenticatedUser {
id: number;
email: string;
isSuperuser: boolean;
}
/**
* Hash a token using SHA-256
*/
export const hashToken = (token: string): string => {
return Buffer.from(sha256(Buffer.from(token))).toString("hex");
};
/**
* Authenticate a request using session token or API key
* Returns the authenticated user or null if not authenticated
*/
export const authenticateRequest = async (
db: Kysely<Database>,
sessionToken?: string,
apiKey?: string,
): Promise<AuthenticatedUser | null> => {
// Try session cookie first, then API key
const token = sessionToken ?? apiKey;
if (!token) {
return null;
}
const tokenHash = hashToken(token);
// Check sessions table
const session = await db
.selectFrom("sessions")
.innerJoin("users", "users.id", "sessions.user_id")
.where("sessions.token_hash", "=", tokenHash)
.where("sessions.expires_at", ">", new Date())
.where("sessions.revoked_at", "is", null)
.select(["users.id", "users.email", "users.is_superuser"])
.executeTakeFirst();
if (session) {
return {
id: session.id,
email: session.email,
isSuperuser: session.is_superuser,
};
}
// Check API tokens table
const apiToken = await db
.selectFrom("api_tokens")
.innerJoin("users", "users.id", "api_tokens.user_id")
.where("api_tokens.token_hash", "=", tokenHash)
.where("api_tokens.expires_at", ">", new Date())
.select(["users.id", "users.email", "users.is_superuser"])
.executeTakeFirst();
if (apiToken) {
// Update last_used_at
await db
.updateTable("api_tokens")
.set({ last_used_at: new Date() })
.where("token_hash", "=", tokenHash)
.execute();
return {
id: apiToken.id,
email: apiToken.email,
isSuperuser: apiToken.is_superuser,
};
}
return null;
};

58
apps/api-server/src/utils/password.ts Normal file
View File

@@ -0,0 +1,58 @@
/**
* Password hashing utilities using scrypt from @noble/hashes
*/
import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
import { randomBytes } from "@noble/hashes/utils.js";
// scrypt parameters: N=2^17, r=8, p=1, dkLen=32
const N = 131072;
const r = 8;
const p = 1;
const dkLen = 32;
/**
* Hash a password using scrypt
* Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
*/
export const hashPassword = (password: string): string => {
const salt = randomBytes(16);
const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
};
/**
* Verify a password against a stored hash
* Uses constant-time comparison to prevent timing attacks
*/
export const verifyPassword = (password: string, stored: string): boolean => {
const parts = stored.split("$");
if (parts.length !== 5 || parts[0] !== "scrypt") {
return false;
}
const saltStr = parts[3];
const hashStr = parts[4];
if (!(saltStr && hashStr)) {
return false;
}
const salt = Buffer.from(saltStr, "base64");
const storedHash = Buffer.from(hashStr, "base64");
const computedHash = nobleScrypt(password, salt, { N, r, p, dkLen });
// Constant-time comparison
if (storedHash.length !== computedHash.length) {
return false;
}
let diff = 0;
for (let i = 0; i < storedHash.length; i++) {
const storedByte = storedHash[i];
const computedByte = computedHash[i];
if (storedByte === undefined || computedByte === undefined) {
return false;
}
diff |= storedByte ^ computedByte;
}
return diff === 0;
};

156
apps/cli/src/routes/auth/login.ts
View File

@@ -1,15 +1,163 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { readConfig } from "../../utils/config.js";
import { generateToken, hashToken } from "../../utils/token.js";
function login(this: LocalContext): void {
console.log("Auth login command - Not implemented");
console.log("This command will authenticate a user and store credentials");
interface LoginFlags {
email: string;
"api-url"?: string;
}
interface LoginStatusOutput {
status: "pending" | "completed" | "expired";
}
async function login(this: LocalContext, flags: LoginFlags): Promise<void> {
const apiUrl = flags["api-url"] ?? "http://localhost:9861";
// Check if already logged in
const existingConfig = await readConfig();
if (existingConfig) {
console.log(`Already logged in as ${existingConfig.email}`);
console.log(`Use 'reviq auth logout' to logout first.`);
return;
}
console.log("Starting login flow...\n");
// Generate a unique callback token for this login request
const callbackToken = generateToken();
const callbackTokenHash = hashToken(callbackToken);
try {
// Create login request
const createResponse = await fetch(
`${apiUrl}/api/v1/rpc/auth.createLoginRequest`,
{
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({ email: flags.email }),
},
);
if (!createResponse.ok) {
const text = await createResponse.text();
console.error(`Error creating login request: ${text}`);
this.process.exit(1);
}
// Construct the login URL
const loginUrl = new URL(`${apiUrl}/login`);
loginUrl.searchParams.set("email", flags.email);
loginUrl.searchParams.set("cli_callback", callbackTokenHash);
console.log("Opening browser for authentication...");
console.log(`\nIf the browser doesn't open, visit:`);
console.log(` ${loginUrl.toString()}\n`);
// Try to open the browser
const openCommand =
process.platform === "darwin"
? "open"
: process.platform === "win32"
? "start"
: "xdg-open";
try {
const proc = Bun.spawn([openCommand, loginUrl.toString()], {
stdout: "ignore",
stderr: "ignore",
});
await proc.exited;
} catch {
// Ignore errors opening browser - user can use the URL
}
console.log("Waiting for login to complete...");
console.log("(Press Ctrl+C to cancel)\n");
// Poll for completion
const maxAttempts = 120; // 2 minutes at 1 second intervals
let attempts = 0;
while (attempts < maxAttempts) {
await new Promise((resolve) => setTimeout(resolve, 1000));
attempts++;
try {
const statusResponse = await fetch(
`${apiUrl}/api/v1/rpc/auth.loginIfRequestIsCompleted`,
{
method: "POST",
headers: {
"Content-Type": "application/json",
"X-CLI-Callback-Token": callbackToken,
},
},
);
if (statusResponse.ok) {
const status = (await statusResponse.json()) as LoginStatusOutput;
if (status.status === "completed") {
// Login completed - we should have received a token
// For now, we'll need the API to return the token
console.log("Login completed successfully!");
// TODO: The API needs to return the session token when login completes
// For now, this is a placeholder
console.log(
"\nNote: Browser-based login flow requires API integration.",
);
console.log("Use 'reviq bootstrap' to create initial credentials.");
return;
}
if (status.status === "expired") {
console.error("Login request expired. Please try again.");
this.process.exit(1);
}
}
} catch {
// Ignore polling errors and continue
}
// Show progress indicator
process.stdout.write(".");
}
console.log("\n\nLogin timed out. Please try again.");
this.process.exit(1);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
this.process.exit(1);
}
}
export const loginCommand = buildCommand({
func: login,
parameters: {},
parameters: {
flags: {
email: {
kind: "parsed",
parse: String,
brief: "Email address to login with",
},
"api-url": {
kind: "parsed",
parse: String,
brief: "API URL (default: http://localhost:9861)",
optional: true,
},
},
},
docs: {
brief: "Login to RevIQ",
fullDescription:
"Opens a browser to complete authentication and stores the credentials locally.",
},
});

19
apps/cli/src/routes/auth/logout.ts
View File

@@ -1,9 +1,20 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { deleteConfig, getConfigPath, readConfig } from "../../utils/config.js";
function logout(this: LocalContext): void {
console.log("Auth logout command - Not implemented");
console.log("This command will clear stored authentication credentials");
async function logout(this: LocalContext): Promise<void> {
const config = await readConfig();
if (!config) {
console.log("Not logged in");
return;
}
// Delete the config file
await deleteConfig();
console.log("Logged out successfully");
console.log(`Removed credentials from ${getConfigPath()}`);
}
export const logoutCommand = buildCommand({
@@ -11,5 +22,7 @@ export const logoutCommand = buildCommand({
parameters: {},
docs: {
brief: "Logout from RevIQ",
fullDescription:
"Removes stored authentication credentials from the local config file.",
},
});

24
apps/cli/src/routes/auth/status.ts
View File

@@ -1,9 +1,25 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { getConfigPath, readConfig } from "../../utils/config.js";
function status(this: LocalContext): void {
console.log("Auth status command - Not implemented");
console.log("This command will show current authentication status");
async function status(this: LocalContext): Promise<void> {
const config = await readConfig();
if (!config) {
console.log("Not logged in");
console.log(`\nConfig file: ${getConfigPath()} (not found)`);
console.log(
"\nRun 'reviq bootstrap' to create a superuser or 'reviq auth login' to authenticate.",
);
return;
}
console.log("Authentication Status");
console.log("=====================\n");
console.log(`Email: ${config.email}`);
console.log(`API URL: ${config.apiUrl}`);
console.log(`Config file: ${getConfigPath()}`);
console.log("Token: [configured]");
}
export const statusCommand = buildCommand({
@@ -11,5 +27,7 @@ export const statusCommand = buildCommand({
parameters: {},
docs: {
brief: "Check authentication status",
fullDescription:
"Shows the current authentication status and config file location.",
},
});

149
apps/cli/src/routes/bootstrap.ts
View File

@@ -1,25 +1,150 @@
import type { LocalContext } from "../context.js";
import { createDb } from "@reviq/db";
import { buildCommand } from "@stricli/core";
import { writeConfig } from "../utils/config.js";
import { hashPassword } from "../utils/password.js";
import { generateToken, hashToken } from "../utils/token.js";
function bootstrap(this: LocalContext): void {
interface BootstrapFlags {
email: string;
password: string;
}
async function bootstrap(
this: LocalContext,
flags: BootstrapFlags,
): Promise<void> {
console.log("RevIQ Bootstrap - Create Superuser");
console.log("===================================\n");
console.log("TODO: Implement bootstrap command");
console.log("\nThis command will:");
console.log(" 1. Prompt for email address");
console.log(" 2. Prompt for password (with confirmation)");
console.log(" 3. Hash password using scrypt (@noble/hashes)");
console.log(" 4. Create user in database with is_superuser=true");
console.log("\nRequirements:");
console.log(" - Database must be migrated (run 'dbmate up' first)");
console.log(" - DATABASE_URL environment variable must be set");
// Validate password length
if (flags.password.length < 8) {
console.error("Error: Password must be at least 8 characters");
this.process.exit(1);
}
const db = createDb();
try {
// Check if user already exists
const existing = await db
.selectFrom("users")
.where("email", "=", flags.email.toLowerCase())
.select("id")
.executeTakeFirst();
if (existing) {
console.error(`Error: User with email ${flags.email} already exists`);
await db.destroy();
this.process.exit(1);
}
// Hash the password
const passwordHash = hashPassword(flags.password);
// Create superuser
const [user] = await db
.insertInto("users")
.values({
email: flags.email.toLowerCase(),
password_hash: passwordHash,
is_superuser: true,
email_verified_at: new Date(),
})
.returning(["id", "email"])
.execute();
if (!user) {
console.error("Error: Failed to create user");
await db.destroy();
this.process.exit(1);
}
console.log(`Created superuser: ${user.email}`);
// Create "reviq" org
const [org] = await db
.insertInto("orgs")
.values({
slug: "reviq",
display_name: "RevIQ",
})
.returning(["id", "slug"])
.execute();
if (!org) {
console.error("Error: Failed to create org");
await db.destroy();
this.process.exit(1);
}
// Add user as owner of the org
await db
.insertInto("org_members")
.values({
org_id: org.id,
user_id: user.id,
role: "owner",
})
.execute();
console.log(`Created org: ${org.slug}`);
// Generate API token
const token = generateToken();
const tokenHashValue = hashToken(token);
await db
.insertInto("api_tokens")
.values({
user_id: user.id,
token_hash: tokenHashValue,
name: "CLI bootstrap token",
expires_at: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
})
.execute();
// Save to config
await writeConfig({
apiUrl: Bun.env.API_URL ?? "http://localhost:9861",
token,
email: user.email,
});
console.log("Saved credentials to ~/.config/reviq/credentials.json");
console.log("\nBootstrap complete! You can now use the CLI.");
await db.destroy();
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
await db.destroy();
this.process.exit(1);
}
}
export const bootstrapCommand = buildCommand({
func: bootstrap,
parameters: {},
parameters: {
flags: {
email: {
kind: "parsed",
parse: String,
brief: "Email address for the superuser",
},
password: {
kind: "parsed",
parse: String,
brief: "Password for the superuser",
},
},
},
docs: {
brief: "Create a superuser account",
brief: "Create a superuser account and initial organization",
fullDescription:
"Creates a superuser with the 'reviq' organization. " +
"Requires DATABASE_URL environment variable to be set.",
},
});

42
apps/cli/src/routes/org/add-site.ts
View File

@@ -1,15 +1,49 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
function addSite(this: LocalContext): void {
console.log("Org add-site command - Not implemented");
console.log("This command will add a site to an organization");
interface AddSiteFlags {
org: string;
domain: string;
}
async function addSite(this: LocalContext, flags: AddSiteFlags): Promise<void> {
try {
const client = await createApiClient();
await client.call("admin.orgs.addSite", {
slug: flags.org,
domain: flags.domain,
});
console.log(`Added site ${flags.domain} to org ${flags.org}`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
this.process.exit(1);
}
}
export const addSiteCommand = buildCommand({
func: addSite,
parameters: {},
parameters: {
flags: {
org: {
kind: "parsed",
parse: String,
brief: "Org slug to add the site to",
},
domain: {
kind: "parsed",
parse: String,
brief: "Domain to add (e.g. example.com)",
},
},
},
docs: {
brief: "Add a site to an organization",
fullDescription: "Adds a site domain to an organization via the admin API.",
},
});

54
apps/cli/src/routes/org/create.ts
View File

@@ -1,15 +1,61 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
function create(this: LocalContext): void {
console.log("Org create command - Not implemented");
console.log("This command will create a new organization");
interface CreateOrgFlags {
slug: string;
name: string;
owner: string;
}
async function create(
this: LocalContext,
flags: CreateOrgFlags,
): Promise<void> {
try {
const client = await createApiClient();
const result = await client.call<{ slug: string }>("admin.orgs.create", {
slug: flags.slug,
displayName: flags.name,
ownerEmail: flags.owner,
});
console.log(`Created org: ${result.slug}`);
console.log(`Owner: ${flags.owner}`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
this.process.exit(1);
}
}
export const createCommand = buildCommand({
func: create,
parameters: {},
parameters: {
flags: {
slug: {
kind: "parsed",
parse: String,
brief: "URL-friendly slug for the org",
},
name: {
kind: "parsed",
parse: String,
brief: "Display name for the org",
},
owner: {
kind: "parsed",
parse: String,
brief: "Email of the org owner",
},
},
},
docs: {
brief: "Create an organization",
fullDescription:
"Creates a new organization with the specified owner via the admin API.",
},
});

42
apps/cli/src/routes/org/list.ts
View File

@@ -1,9 +1,44 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
function list(this: LocalContext): void {
console.log("Org list command - Not implemented");
console.log("This command will list all organizations");
interface OrgOutput {
id: number;
slug: string;
displayName: string;
logoUrl: string | null;
createdAt: string;
}
async function list(this: LocalContext): Promise<void> {
try {
const client = await createApiClient();
const orgs = await client.call<OrgOutput[]>("admin.orgs.list", {});
if (orgs.length === 0) {
console.log("No organizations found");
return;
}
console.log("Organizations:");
console.log("==============\n");
for (const org of orgs) {
console.log(org.slug);
console.log(` Name: ${org.displayName}`);
console.log(` Created: ${new Date(org.createdAt).toLocaleDateString()}`);
console.log();
}
console.log(`Total: ${String(orgs.length)} organization(s)`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
this.process.exit(1);
}
}
export const listCommand = buildCommand({
@@ -11,5 +46,6 @@ export const listCommand = buildCommand({
parameters: {},
docs: {
brief: "List organizations",
fullDescription: "Lists all organizations via the admin API.",
},
});

39
apps/cli/src/routes/user/confirm-email.ts
View File

@@ -1,15 +1,46 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
function confirmEmail(this: LocalContext): void {
console.log("User confirm-email command - Not implemented");
console.log("This command will confirm a user's email address");
interface ConfirmEmailFlags {
email: string;
}
async function confirmEmail(
this: LocalContext,
flags: ConfirmEmailFlags,
): Promise<void> {
try {
const client = await createApiClient();
await client.call("admin.users.confirmEmail", {
email: flags.email,
});
console.log(`Confirmed email for: ${flags.email}`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
this.process.exit(1);
}
}
export const confirmEmailCommand = buildCommand({
func: confirmEmail,
parameters: {},
parameters: {
flags: {
email: {
kind: "parsed",
parse: String,
brief: "Email address to confirm",
},
},
},
docs: {
brief: "Confirm user email",
fullDescription:
"Confirms a user's email address via the admin API. This is useful for development when email sending is not configured.",
},
});

65
apps/cli/src/routes/user/create.ts
View File

@@ -1,15 +1,72 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
function create(this: LocalContext): void {
console.log("User create command - Not implemented");
console.log("This command will create a new user account");
interface CreateUserFlags {
email: string;
name?: string;
org?: string;
role?: string;
}
async function create(
this: LocalContext,
flags: CreateUserFlags,
): Promise<void> {
try {
const client = await createApiClient();
await client.call("admin.users.create", {
email: flags.email,
name: flags.name,
orgSlug: flags.org,
orgRole: flags.role,
});
console.log(`Created user: ${flags.email}`);
if (flags.org) {
console.log(`Added to org: ${flags.org} as ${flags.role ?? "member"}`);
}
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
this.process.exit(1);
}
}
export const createCommand = buildCommand({
func: create,
parameters: {},
parameters: {
flags: {
email: {
kind: "parsed",
parse: String,
brief: "Email address for the new user",
},
name: {
kind: "parsed",
parse: String,
brief: "Display name for the user",
optional: true,
},
org: {
kind: "parsed",
parse: String,
brief: "Org slug to add the user to",
optional: true,
},
role: {
kind: "parsed",
parse: String,
brief: "Role in the org (owner, admin, member)",
optional: true,
},
},
},
docs: {
brief: "Create a new user",
fullDescription: "Creates a new user account via the admin API.",
},
});

61
apps/cli/src/utils/api-client.ts Normal file
View File

@@ -0,0 +1,61 @@
/**
* API client utilities for CLI commands
*/
import { readConfig } from "./config.js";
export interface ApiClientError {
code: string;
message: string;
}
/**
* Create an API client with the stored credentials
* Throws an error if not logged in
*/
export const createApiClient = async () => {
const config = await readConfig();
if (!config) {
throw new Error(
"Not logged in. Run 'reviq bootstrap' or 'reviq auth login' first.",
);
}
return {
/**
* Call an oRPC procedure
*/
call: async <T>(path: string, input?: unknown): Promise<T> => {
const url = `${config.apiUrl}/api/v1/rpc/${path}`;
const response = await fetch(url, {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-API-Key": config.token,
},
body: input !== undefined ? JSON.stringify(input) : undefined,
});
if (!response.ok) {
const text = await response.text();
let errorMessage = `API error: ${String(response.status)} ${response.statusText}`;
try {
const error = JSON.parse(text) as ApiClientError;
if (error.message) {
errorMessage = error.message;
}
} catch {
if (text) {
errorMessage = text;
}
}
throw new Error(errorMessage);
}
return response.json() as Promise<T>;
},
config,
};
};
export type ApiClient = Awaited<ReturnType<typeof createApiClient>>;

58
apps/cli/src/utils/config.ts Normal file
View File

@@ -0,0 +1,58 @@
/**
* CLI configuration utilities
* Stores credentials at ~/.config/reviq/credentials.json
*/
import { mkdir, readFile, unlink, writeFile } from "node:fs/promises";
import { homedir } from "node:os";
import { join } from "node:path";
export interface Config {
apiUrl: string;
token: string;
email: string;
}
const CONFIG_DIR = join(homedir(), ".config", "reviq");
const CONFIG_FILE = join(CONFIG_DIR, "credentials.json");
/**
* Get the path to the config file
*/
export const getConfigPath = (): string => CONFIG_FILE;
/**
* Read the config file
* Returns null if the file doesn't exist or is invalid
*/
export const readConfig = async (): Promise<Config | null> => {
try {
const data = await readFile(CONFIG_FILE, "utf-8");
return JSON.parse(data) as Config;
} catch {
return null;
}
};
/**
* Write the config file
* Creates the config directory if it doesn't exist
*/
export const writeConfig = async (config: Config): Promise<void> => {
await mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), {
mode: 0o600,
});
};
/**
* Delete the config file
* Ignores errors if the file doesn't exist
*/
export const deleteConfig = async (): Promise<void> => {
try {
await unlink(CONFIG_FILE);
} catch {
// Ignore if doesn't exist
}
};

22
apps/cli/src/utils/password.ts Normal file
View File

@@ -0,0 +1,22 @@
/**
* Password hashing utilities using scrypt from @noble/hashes
*/
import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
import { randomBytes } from "@noble/hashes/utils.js";
// scrypt parameters: N=2^17, r=8, p=1, dkLen=32
const N = 131072;
const r = 8;
const p = 1;
const dkLen = 32;
/**
* Hash a password using scrypt
* Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
*/
export const hashPassword = (password: string): string => {
const salt = randomBytes(16);
const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
};

22
apps/cli/src/utils/token.ts Normal file
View File

@@ -0,0 +1,22 @@
/**
* Token generation and hashing utilities
*/
import { sha256 } from "@noble/hashes/sha2.js";
import { randomBytes } from "@noble/hashes/utils.js";
/**
* Generate a cryptographically secure random token
* Returns a 32-byte hex string (64 characters)
*/
export const generateToken = (): string => {
return Buffer.from(randomBytes(32)).toString("hex");
};
/**
* Hash a token using SHA-256
* Returns a hex string
*/
export const hashToken = (token: string): string => {
return Buffer.from(sha256(Buffer.from(token))).toString("hex");
};

1
bun.lock
View File

@@ -15,6 +15,7 @@
"name": "api-server",
"version": "0.0.0",
"dependencies": {
"@noble/hashes": "^2.0.1",
"@orpc/server": "^1.13.2",
"@reviq/api-contract": "workspace:*",
"@reviq/db": "workspace:*",

1
devenv.nix
View File

@@ -37,5 +37,6 @@
"db-new".exec = "dbmate new \"$1\"";
"db-status".exec = "dbmate status";
"db-gen".exec = "bun run --cwd packages/db-schema generate";
"reviq".exec = "bun run --cwd apps/cli cli \"$@\"";
};
}