igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve API token format and enhance auth status command

Browse Source 
- Change token format to reviq_<base58> prefix instead of raw hex
- Add me.authStatus API endpoint for detailed auth information
- Enhance CLI `reviq auth status` to show token details from API
- Add comprehensive tests for token generation (18 tests)
- Extract bootstrap logic to @reviq/db for reusability and testing
- Remove default db export; callers must use createDb() directly

Token changes:
- New format: reviq_<base58-encoded-32-bytes>
- Added parseToken() for validation
- Added isValidTokenFormat() helper

Auth status endpoint returns:
- User profile information
- Auth method (api_token or session)
- Token/session details (name, expiration, last used)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
2026-01-09 17:59:02 +08:00
parent df9b8808d0
commit 6b9b04d1d0
20 changed files with 764 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/db/package.json
View File

@@ -12,7 +12,9 @@
"lint": "eslint . --cache"
},
"dependencies": {
"@noble/hashes": "^2.0.1",
"@reviq/db-schema": "workspace:*",
"@scure/base": "^2.0.0",
"kysely": "^0.28.9",
"pg": "^8.13.1"
},

168
packages/db/src/helpers/execute-bootstrap.ts Normal file
View File

@@ -0,0 +1,168 @@
/**
* Core bootstrap logic for creating a superuser and initial organization
*
* This is extracted from the CLI bootstrap command to make it reusable
* and testable. It operates on a database transaction.
*/
import type { Database } from "@reviq/db-schema";
import type { Kysely, Transaction } from "kysely";
import { hashPassword } from "./password.js";
import { generateToken, hashToken } from "./token.js";
/**
* Input for the bootstrap operation
*/
export interface BootstrapInput {
/** Email address for the superuser */
email: string;
/** Password for the superuser */
password: string;
/** Optional organization slug (defaults to "reviq") */
orgSlug?: string;
/** Optional organization display name (defaults to "RevIQ") */
orgDisplayName?: string;
/** Optional token name (defaults to "CLI bootstrap token") */
tokenName?: string;
/** Optional token expiration in days (defaults to 365) */
tokenExpirationDays?: number;
}
/**
* Result of the bootstrap operation
*/
export interface BootstrapResult {
/** The created user */
user: {
id: number;
email: string;
};
/** The created organization */
org: {
id: number;
slug: string;
};
/** The created API token (raw token, not hashed) */
token: string;
}
/**
* Execute the bootstrap operation within a transaction
*
* Creates:
* - A superuser with the given email and password
* - An organization with the superuser as owner
* - An API token for the superuser
*
* @param trx - Database transaction (use db.transaction() or pass a Transaction)
* @param input - Bootstrap configuration
* @returns The created user, org, and API token
* @throws Error if user already exists or validation fails
*/
export const executeBootstrap = async (
trx: Kysely<Database> | Transaction<Database>,
input: BootstrapInput,
): Promise<BootstrapResult> => {
const {
email,
password,
orgSlug = "reviq",
orgDisplayName = "RevIQ",
tokenName = "CLI bootstrap token",
tokenExpirationDays = 365,
} = input;
// Validate password length
if (password.length < 8) {
throw new Error("Password must be at least 8 characters");
}
// Validate email format (basic check)
if (!email.includes("@")) {
throw new Error("Invalid email address");
}
const normalizedEmail = email.toLowerCase();
// Check if user already exists
const existing = await trx
.selectFrom("users")
.where("email", "=", normalizedEmail)
.select("id")
.executeTakeFirst();
if (existing) {
throw new Error(`User with email ${email} already exists`);
}
// Hash the password
const passwordHash = hashPassword(password);
// Create superuser
const [user] = await trx
.insertInto("users")
.values({
email: normalizedEmail,
password_hash: passwordHash,
is_superuser: true,
email_verified_at: new Date(),
})
.returning(["id", "email"])
.execute();
if (!user) {
throw new Error("Failed to create user");
}
// Create organization
const [org] = await trx
.insertInto("orgs")
.values({
slug: orgSlug,
display_name: orgDisplayName,
})
.returning(["id", "slug"])
.execute();
if (!org) {
throw new Error("Failed to create organization");
}
// Add user as owner of the org
await trx
.insertInto("org_members")
.values({
org_id: org.id,
user_id: user.id,
role: "owner",
})
.execute();
// Generate API token
const token = generateToken();
const tokenHashValue = hashToken(token);
await trx
.insertInto("api_tokens")
.values({
user_id: user.id,
token_hash: tokenHashValue,
name: tokenName,
expires_at: new Date(
Date.now() + tokenExpirationDays * 24 * 60 * 60 * 1000,
),
})
.execute();
return {
user: {
id: user.id,
email: user.email,
},
org: {
id: org.id,
slug: org.slug,
},
token,
};
};

22
packages/db/src/helpers/password.ts Normal file
View File

@@ -0,0 +1,22 @@
/**
* Password hashing utilities using scrypt from @noble/hashes
*/
import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
import { randomBytes } from "@noble/hashes/utils.js";
// scrypt parameters: N=2^17, r=8, p=1, dkLen=32
const N = 131072;
const r = 8;
const p = 1;
const dkLen = 32;
/**
* Hash a password using scrypt
* Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
*/
export const hashPassword = (password: string): string => {
const salt = randomBytes(16);
const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
};

51
packages/db/src/helpers/token.ts Normal file
View File

@@ -0,0 +1,51 @@
/**
* Token generation and hashing utilities
*/
import { sha256 } from "@noble/hashes/sha2.js";
import { randomBytes } from "@noble/hashes/utils.js";
import { base58 } from "@scure/base";
/**
* Token prefix for all RevIQ API tokens
*/
export const TOKEN_PREFIX = "reviq_";
/**
* Generate a cryptographically secure random token
* Format: reviq_<base58-encoded-32-bytes>
* Example: reviq_5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ
*/
export const generateToken = (): string => {
const bytes = randomBytes(32);
return TOKEN_PREFIX + base58.encode(bytes);
};
/**
* Validate that a token has the correct format
* Returns the raw bytes if valid, null if invalid
*/
export const parseToken = (token: string): Uint8Array | null => {
if (!token.startsWith(TOKEN_PREFIX)) {
return null;
}
const encoded = token.slice(TOKEN_PREFIX.length);
try {
const bytes = base58.decode(encoded);
// Expect 32 bytes of entropy
if (bytes.length !== 32) {
return null;
}
return bytes;
} catch {
return null;
}
};
/**
* Hash a token using SHA-256
* Returns a hex string
*/
export const hashToken = (token: string): string => {
return Buffer.from(sha256(Buffer.from(token))).toString("hex");
};

33
packages/db/src/index.ts
View File

@@ -2,24 +2,35 @@
* Database client for RevIQ Publisher Dashboard
*
* @module @reviq/db
*/
import type { Database } from "@reviq/db-schema";
import type { Kysely } from "kysely";
import { createDb } from "./client.js";
/**
* Default database instance
*
* Uses DATABASE_URL environment variable for connection
* Usage:
* import { createDb } from "@reviq/db";
* const db = createDb(); // Uses DATABASE_URL env var
* // ... use db ...
* await db.destroy();
*/
export const db: Kysely<Database> = createDb();
/**
* Re-export database types from db-schema
*/
export type { Database } from "@reviq/db-schema";
/**
* Export createDb for creating custom database instances
* Export createDb for creating database instances
* Callers should create their own database instance and pass it to functions
*/
export { createDb } from "./client.js";
/**
* Export helper functions
*/
export {
type BootstrapInput,
type BootstrapResult,
executeBootstrap,
} from "./helpers/execute-bootstrap.js";
export { hashPassword } from "./helpers/password.js";
export {
generateToken,
hashToken,
parseToken,
TOKEN_PREFIX,
} from "./helpers/token.js";