igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge origin/master into reviq-auth-login-command

Browse Source 
Resolved conflicts:
- apps/api-server/src/router.ts: Use meRoutes from master
- packages/api-contract/src/contract.ts: Keep master's nested sessions/devices/invites structure, add apiTokens

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
igm
2026-01-10 19:03:37 +08:00
parent a7d6beaf5a 48ffba6c5f
commit 8f3a1f2962
67 changed files with 5091 additions and 713 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1985
apps/api-server/src/__tests__/e2e/auth.test.ts Normal file
View File

File diff suppressed because it is too large Load Diff

707
apps/api-server/src/__tests__/e2e/me.test.ts
View File

@@ -8,6 +8,14 @@
* - me.updateProfile - update profile fields
* - me.setPassword - set/change password
* - me.delete - delete account
* - me.sessions.list - list all sessions
* - me.sessions.revoke - revoke a session
* - me.sessions.revokeAll - revoke all sessions except current
* - me.devices.getInfo - get current device info
* - me.devices.trust - trust current device
* - me.devices.listTrusted - list trusted devices
* - me.devices.untrust - untrust a device
* - me.devices.revokeAll - revoke all trusted devices
*/
import type { Database } from "@reviq/db-schema";
@@ -59,14 +67,22 @@ function getDb(): Kysely<Database> {
function createAPIContext(options?: {
sessionToken?: string;
apiKey?: string;
deviceFingerprint?: string;
}): APIContext {
const reqHeaders = new Headers();
const cookies: string[] = [];
if (options?.sessionToken) {
reqHeaders.set(
"cookie",
`${COOKIE_NAMES.SESSION_TOKEN}=${options.sessionToken}`,
cookies.push(`${COOKIE_NAMES.SESSION_TOKEN}=${options.sessionToken}`);
}
if (options?.deviceFingerprint) {
cookies.push(
`${COOKIE_NAMES.DEVICE_FINGERPRINT}=${options.deviceFingerprint}`,
);
}
if (cookies.length > 0) {
reqHeaders.set("cookie", cookies.join("; "));
}
if (options?.apiKey) {
reqHeaders.set("x-api-key", options.apiKey);
}
@@ -82,26 +98,81 @@ function createAPIContext(options?: {
}
/**
* Create a real session in the database and return the token
* Create a real session in the database and return the token and session ID
*/
async function createSession(userId: number): Promise<string> {
async function createSession(
userId: number,
options?: { ipAddress?: string; userAgent?: string },
): Promise<{ token: string; sessionId: number }> {
const token = `test-session-${String(Date.now())}${String(Math.random())}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
await getDb()
const result = await getDb()
.insertInto("sessions")
.values({
user_id: userId,
token_hash: tokenHashValue,
ip_address: "127.0.0.1",
user_agent: "test-agent",
ip_address: options?.ipAddress ?? "127.0.0.1",
user_agent: options?.userAgent ?? "test-agent",
expires_at: expiresAt,
trusted_mode: false,
})
.execute();
.returning("id")
.executeTakeFirstOrThrow();
return token;
return { token, sessionId: Number(result.id) };
}
/**
* Create an authenticated API context for a user (creates session + context)
*/
async function createUserAPIContext(
userId: number,
options?: { deviceFingerprint?: string },
): Promise<{ context: APIContext; token: string }> {
const { token } = await createSession(userId);
const context = createAPIContext({
sessionToken: token,
deviceFingerprint: options?.deviceFingerprint,
});
return { context, token };
}
// Export to suppress unused warning - helper available for future tests
void createUserAPIContext;
/**
* Create a device in the database and return the fingerprint
*/
async function createDevice(
userId: number,
options?: {
fingerprint?: string;
isTrusted?: boolean;
name?: string;
userAgent?: string;
},
): Promise<{ fingerprint: string; deviceId: number }> {
const fingerprint =
options?.fingerprint ??
`test-fp-${String(Date.now())}${String(Math.random())}`;
const result = await getDb()
.insertInto("user_devices")
.values({
user_id: userId,
device_fingerprint: fingerprint,
is_trusted: options?.isTrusted ?? false,
name: options?.name ?? null,
user_agent: options?.userAgent ?? "Mozilla/5.0 Test Browser",
ip_address: "127.0.0.1",
last_used_at: new Date(),
})
.returning("id")
.executeTakeFirstOrThrow();
return { fingerprint, deviceId: Number(result.id) };
}
/**
@@ -158,7 +229,7 @@ describe("me.get", () => {
.where("id", "=", user.id)
.execute();
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const result = await call(router.me.get, undefined, { context });
@@ -187,7 +258,7 @@ describe("me.get", () => {
.where("id", "=", user.id)
.execute();
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const result = await call(router.me.get, undefined, { context });
@@ -203,7 +274,7 @@ describe("me.get", () => {
passwordHash,
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const result = await call(router.me.get, undefined, { context });
@@ -217,7 +288,7 @@ describe("me.get", () => {
isSuperuser: true,
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const result = await call(router.me.get, undefined, { context });
@@ -233,7 +304,7 @@ describe("me.authStatus", () => {
displayName: "Session User",
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const result = await call(router.me.authStatus, undefined, { context });
@@ -279,7 +350,7 @@ describe("me.setupProfile", () => {
.where("id", "=", user.id)
.execute();
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(
@@ -315,7 +386,7 @@ describe("me.setupProfile", () => {
.where("id", "=", user.id)
.execute();
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(
@@ -345,7 +416,7 @@ describe("me.updateProfile", () => {
displayName: "Original Name",
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(
@@ -371,7 +442,7 @@ describe("me.updateProfile", () => {
displayName: "Original",
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(
@@ -410,7 +481,7 @@ describe("me.updateProfile", () => {
.where("id", "=", user.id)
.execute();
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(
@@ -441,7 +512,7 @@ describe("me.updateProfile", () => {
displayName: "Stay Same",
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(router.me.updateProfile, {}, { context });
@@ -462,7 +533,7 @@ describe("me.setPassword", () => {
email: "nopass@example.com",
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// Use a strong password
@@ -491,7 +562,7 @@ describe("me.setPassword", () => {
passwordHash: oldHash,
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(
@@ -519,10 +590,9 @@ describe("me.setPassword", () => {
passwordHash: oldHash,
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// eslint-disable-next-line @typescript-eslint/await-thenable, @typescript-eslint/no-confusing-void-expression
await expect(
call(
router.me.setPassword,
@@ -541,10 +611,9 @@ describe("me.setPassword", () => {
passwordHash: oldHash,
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// eslint-disable-next-line @typescript-eslint/await-thenable, @typescript-eslint/no-confusing-void-expression
await expect(
call(
router.me.setPassword,
@@ -562,13 +631,13 @@ describe("me.setPassword", () => {
email: "weak@example.com",
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// Password must be at least 8 chars to pass schema validation
// "password" passes length check but fails zxcvbn strength check
// zxcvbn provides feedback like "This is a top-10 common password"
// eslint-disable-next-line @typescript-eslint/await-thenable, @typescript-eslint/no-confusing-void-expression
await expect(
call(
router.me.setPassword,
@@ -590,7 +659,7 @@ describe("me.delete", () => {
passwordHash,
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(router.me.delete, { password }, { context });
@@ -610,10 +679,9 @@ describe("me.delete", () => {
email: "nopassdelete@example.com",
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// eslint-disable-next-line @typescript-eslint/await-thenable, @typescript-eslint/no-confusing-void-expression
await expect(
call(router.me.delete, { password: "anything" }, { context }),
).rejects.toThrow("Cannot delete account without a password");
@@ -626,10 +694,9 @@ describe("me.delete", () => {
passwordHash,
});
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// eslint-disable-next-line @typescript-eslint/await-thenable, @typescript-eslint/no-confusing-void-expression
await expect(
call(router.me.delete, { password: "WrongPassword123!" }, { context }),
).rejects.toThrow("Incorrect password");
@@ -654,7 +721,7 @@ describe("me.delete", () => {
})
.execute();
const sessionToken = await createSession(user.id);
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(router.me.delete, { password }, { context });
@@ -669,3 +736,573 @@ describe("me.delete", () => {
expect(tokens).toHaveLength(0);
});
});
// ===== Session Management Tests =====
describe("me.sessions.list", () => {
test("returns all sessions for user", async () => {
const user = await createTestUser(getDb(), {
email: "sessions@example.com",
});
// Create multiple sessions
const { token: sessionToken1 } = await createSession(user.id, {
ipAddress: "192.168.1.1",
userAgent: "Chrome/1.0",
});
await createSession(user.id, {
ipAddress: "192.168.1.2",
userAgent: "Firefox/1.0",
});
await createSession(user.id, {
ipAddress: "192.168.1.3",
userAgent: "Safari/1.0",
});
const context = createAPIContext({ sessionToken: sessionToken1 });
const sessions = await call(router.me.sessions.list, undefined, {
context,
});
expect(sessions).toHaveLength(3);
// Sessions should be ordered by created_at desc
expect(sessions[0]?.userAgent).toBe("Safari/1.0");
expect(sessions[1]?.userAgent).toBe("Firefox/1.0");
expect(sessions[2]?.userAgent).toBe("Chrome/1.0");
});
test("marks current session with isCurrent flag", async () => {
const user = await createTestUser(getDb(), {
email: "current@example.com",
});
const { token: sessionToken1, sessionId: id1 } = await createSession(
user.id,
);
const { sessionId: id2 } = await createSession(user.id);
const context = createAPIContext({ sessionToken: sessionToken1 });
const sessions = await call(router.me.sessions.list, undefined, {
context,
});
expect(sessions).toHaveLength(2);
const current = sessions.find((s) => s.id === id1);
const other = sessions.find((s) => s.id === id2);
expect(current?.isCurrent).toBe(true);
expect(other?.isCurrent).toBe(false);
});
test("returns session metadata correctly", async () => {
const user = await createTestUser(getDb(), {
email: "metadata@example.com",
});
// Create session and update with location data
const { token: sessionToken, sessionId } = await createSession(user.id, {
ipAddress: "8.8.8.8",
userAgent: "TestAgent/1.0",
});
await getDb()
.updateTable("sessions")
.set({
city: "San Francisco",
region: "CA",
country: "US",
trusted_mode: true,
})
.where("id", "=", String(sessionId))
.execute();
const context = createAPIContext({ sessionToken });
const sessions = await call(router.me.sessions.list, undefined, {
context,
});
expect(sessions).toHaveLength(1);
const session = sessions[0];
expect(session?.ip).toBe("8.8.8.8");
expect(session?.userAgent).toBe("TestAgent/1.0");
expect(session?.city).toBe("San Francisco");
expect(session?.region).toBe("CA");
expect(session?.country).toBe("US");
expect(session?.trustedMode).toBe(true);
expect(session?.createdAt).toBeInstanceOf(Date);
expect(session?.revokedAt).toBeNull();
});
});
describe("me.sessions.revoke", () => {
test("revokes another session successfully", async () => {
const user = await createTestUser(getDb(), {
email: "revoke@example.com",
});
const { token: sessionToken1 } = await createSession(user.id);
const { sessionId: sessionId2 } = await createSession(user.id);
const context = createAPIContext({ sessionToken: sessionToken1 });
await call(
router.me.sessions.revoke,
{ sessionId: sessionId2 },
{ context },
);
// Verify session is revoked
const session = await getDb()
.selectFrom("sessions")
.select(["revoked_at"])
.where("id", "=", String(sessionId2))
.executeTakeFirstOrThrow();
expect(session.revoked_at).not.toBeNull();
});
test("fails to revoke current session", async () => {
const user = await createTestUser(getDb(), {
email: "revokecurrent@example.com",
});
const { token: sessionToken, sessionId } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await expect(
call(router.me.sessions.revoke, { sessionId }, { context }),
).rejects.toThrow("Cannot revoke current session");
});
test("fails to revoke non-existent session", async () => {
const user = await createTestUser(getDb(), {
email: "revokenotfound@example.com",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await expect(
call(router.me.sessions.revoke, { sessionId: 999999 }, { context }),
).rejects.toThrow("Session not found");
});
test("fails to revoke already revoked session", async () => {
const user = await createTestUser(getDb(), {
email: "revokeagain@example.com",
});
const { token: sessionToken1 } = await createSession(user.id);
const { sessionId: sessionId2 } = await createSession(user.id);
// Revoke the session directly
await getDb()
.updateTable("sessions")
.set({ revoked_at: new Date() })
.where("id", "=", String(sessionId2))
.execute();
const context = createAPIContext({ sessionToken: sessionToken1 });
await expect(
call(router.me.sessions.revoke, { sessionId: sessionId2 }, { context }),
).rejects.toThrow("Session not found");
});
test("fails to revoke another user's session", async () => {
const user1 = await createTestUser(getDb(), {
email: "user1@example.com",
});
const user2 = await createTestUser(getDb(), {
email: "user2@example.com",
});
const { token: sessionToken1 } = await createSession(user1.id);
const { sessionId: sessionId2 } = await createSession(user2.id);
const context = createAPIContext({ sessionToken: sessionToken1 });
await expect(
call(router.me.sessions.revoke, { sessionId: sessionId2 }, { context }),
).rejects.toThrow("Session not found");
});
});
describe("me.sessions.revokeAll", () => {
test("revokes all sessions except current", async () => {
const user = await createTestUser(getDb(), {
email: "revokeall@example.com",
});
const { token: sessionToken1, sessionId: id1 } = await createSession(
user.id,
);
const { sessionId: id2 } = await createSession(user.id);
const { sessionId: id3 } = await createSession(user.id);
const context = createAPIContext({ sessionToken: sessionToken1 });
await call(router.me.sessions.revokeAll, undefined, { context });
// Verify current session is NOT revoked
const currentSession = await getDb()
.selectFrom("sessions")
.select(["revoked_at"])
.where("id", "=", String(id1))
.executeTakeFirstOrThrow();
expect(currentSession.revoked_at).toBeNull();
// Verify other sessions ARE revoked
const otherSessions = await getDb()
.selectFrom("sessions")
.select(["id", "revoked_at"])
.where("id", "in", [String(id2), String(id3)])
.execute();
for (const session of otherSessions) {
expect(session.revoked_at).not.toBeNull();
}
});
test("does nothing when only current session exists", async () => {
const user = await createTestUser(getDb(), {
email: "onlyone@example.com",
});
const { token: sessionToken, sessionId } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// Should not throw
await call(router.me.sessions.revokeAll, undefined, { context });
// Current session should still be valid
const session = await getDb()
.selectFrom("sessions")
.select(["revoked_at"])
.where("id", "=", String(sessionId))
.executeTakeFirstOrThrow();
expect(session.revoked_at).toBeNull();
});
});
// ===== Device Management Tests =====
describe("me.devices.getInfo", () => {
test("returns device info for current device", async () => {
const user = await createTestUser(getDb(), {
email: "deviceinfo@example.com",
});
const { fingerprint, deviceId } = await createDevice(user.id, {
name: "My MacBook",
isTrusted: true,
userAgent: "Safari/17.0",
});
// Update with location data
await getDb()
.updateTable("user_devices")
.set({
ip_address: "1.2.3.4",
city: "New York",
region: "NY",
country: "US",
})
.where("id", "=", String(deviceId))
.execute();
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({
sessionToken,
deviceFingerprint: fingerprint,
});
const info = await call(router.me.devices.getInfo, undefined, { context });
expect(info.id).toBe(deviceId);
expect(info.name).toBe("My MacBook");
expect(info.ip).toBe("1.2.3.4");
expect(info.city).toBe("New York");
expect(info.region).toBe("NY");
expect(info.country).toBe("US");
expect(info.isTrusted).toBe(true);
expect(info.lastUsedAt).toBeInstanceOf(Date);
});
test("returns default name from user agent when name is null", async () => {
const user = await createTestUser(getDb(), {
email: "defaultname@example.com",
});
const { fingerprint } = await createDevice(user.id, {
userAgent: "Mozilla/5.0 (Macintosh)",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({
sessionToken,
deviceFingerprint: fingerprint,
});
const info = await call(router.me.devices.getInfo, undefined, { context });
expect(info.name).toBe("Mozilla device");
});
test("fails without device fingerprint", async () => {
const user = await createTestUser(getDb(), {
email: "nofingerprint@example.com",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await expect(
call(router.me.devices.getInfo, undefined, { context }),
).rejects.toThrow("No device fingerprint found");
});
test("fails when device does not exist", async () => {
const user = await createTestUser(getDb(), {
email: "nodevice@example.com",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({
sessionToken,
deviceFingerprint: "nonexistent-fingerprint",
});
await expect(
call(router.me.devices.getInfo, undefined, { context }),
).rejects.toThrow("Device not found");
});
});
describe("me.devices.trust", () => {
test("trusts current device with name", async () => {
const user = await createTestUser(getDb(), {
email: "trustdevice@example.com",
});
const { fingerprint, deviceId } = await createDevice(user.id, {
isTrusted: false,
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({
sessionToken,
deviceFingerprint: fingerprint,
});
await call(
router.me.devices.trust,
{ name: "My Work Laptop" },
{ context },
);
// Verify device is trusted with the new name
const device = await getDb()
.selectFrom("user_devices")
.select(["is_trusted", "name"])
.where("id", "=", String(deviceId))
.executeTakeFirstOrThrow();
expect(device.is_trusted).toBe(true);
expect(device.name).toBe("My Work Laptop");
});
test("fails without device fingerprint", async () => {
const user = await createTestUser(getDb(), {
email: "trustnofp@example.com",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await expect(
call(router.me.devices.trust, { name: "Test" }, { context }),
).rejects.toThrow("No device fingerprint found");
});
test("fails when device does not exist", async () => {
const user = await createTestUser(getDb(), {
email: "trustnodevice@example.com",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({
sessionToken,
deviceFingerprint: "nonexistent",
});
await expect(
call(router.me.devices.trust, { name: "Test" }, { context }),
).rejects.toThrow("Device not found");
});
});
describe("me.devices.listTrusted", () => {
test("returns only trusted devices", async () => {
const user = await createTestUser(getDb(), {
email: "listtrusted@example.com",
});
// Create trusted and untrusted devices
await createDevice(user.id, { isTrusted: true, name: "Trusted 1" });
await createDevice(user.id, { isTrusted: true, name: "Trusted 2" });
await createDevice(user.id, { isTrusted: false, name: "Untrusted" });
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const devices = await call(router.me.devices.listTrusted, undefined, {
context,
});
expect(devices).toHaveLength(2);
expect(devices.map((d) => d.name).sort()).toEqual([
"Trusted 1",
"Trusted 2",
]);
expect(devices.every((d) => d.isTrusted)).toBe(true);
});
test("returns empty list when no trusted devices", async () => {
const user = await createTestUser(getDb(), {
email: "notrusted@example.com",
});
await createDevice(user.id, { isTrusted: false });
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const devices = await call(router.me.devices.listTrusted, undefined, {
context,
});
expect(devices).toHaveLength(0);
});
test("returns default name when device name is null", async () => {
const user = await createTestUser(getDb(), {
email: "defaulttrusted@example.com",
});
await createDevice(user.id, {
isTrusted: true,
name: undefined,
userAgent: "Chrome/120",
});
// Set name to null explicitly
await getDb()
.updateTable("user_devices")
.set({ name: null })
.where("user_id", "=", user.id)
.execute();
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
const devices = await call(router.me.devices.listTrusted, undefined, {
context,
});
expect(devices).toHaveLength(1);
expect(devices[0]?.name).toBe("Unknown device");
});
});
describe("me.devices.untrust", () => {
test("untrusts device by ID", async () => {
const user = await createTestUser(getDb(), {
email: "untrust@example.com",
});
const { deviceId } = await createDevice(user.id, {
isTrusted: true,
name: "Trusted Device",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(router.me.devices.untrust, { deviceId }, { context });
// Verify device is untrusted
const device = await getDb()
.selectFrom("user_devices")
.select(["is_trusted"])
.where("id", "=", String(deviceId))
.executeTakeFirstOrThrow();
expect(device.is_trusted).toBe(false);
});
test("fails to untrust non-existent device", async () => {
const user = await createTestUser(getDb(), {
email: "untrustnotfound@example.com",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await expect(
call(router.me.devices.untrust, { deviceId: 999999 }, { context }),
).rejects.toThrow("Device not found");
});
test("fails to untrust another user's device", async () => {
const user1 = await createTestUser(getDb(), {
email: "untrustuser1@example.com",
});
const user2 = await createTestUser(getDb(), {
email: "untrustuser2@example.com",
});
const { deviceId } = await createDevice(user2.id, { isTrusted: true });
const { token: sessionToken } = await createSession(user1.id);
const context = createAPIContext({ sessionToken });
await expect(
call(router.me.devices.untrust, { deviceId }, { context }),
).rejects.toThrow("Device not found");
});
});
describe("me.devices.revokeAll", () => {
test("untrusts all devices", async () => {
const user = await createTestUser(getDb(), {
email: "revokealldevices@example.com",
});
await createDevice(user.id, { isTrusted: true });
await createDevice(user.id, { isTrusted: true });
await createDevice(user.id, { isTrusted: false });
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
await call(router.me.devices.revokeAll, undefined, { context });
// All devices should be untrusted
const devices = await getDb()
.selectFrom("user_devices")
.select(["id", "is_trusted"])
.where("user_id", "=", user.id)
.execute();
expect(devices).toHaveLength(3);
expect(devices.every((d) => !d.is_trusted)).toBe(true);
});
test("works when no devices exist", async () => {
const user = await createTestUser(getDb(), {
email: "revokenodevices@example.com",
});
const { token: sessionToken } = await createSession(user.id);
const context = createAPIContext({ sessionToken });
// Should not throw
await call(router.me.devices.revokeAll, undefined, { context });
});
});

213
apps/api-server/src/__tests__/e2e/webauthn.test.ts
View File

@@ -9,15 +9,13 @@
import type { Database } from "@reviq/db-schema";
import type { Kysely } from "kysely";
import type {
APIContext,
AuthenticatedContext,
LoginRequestContext,
} from "../../context.js";
import type { APIContext } from "../../context.js";
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { call } from "@orpc/server";
import { VirtualAuthenticator } from "@reviq/virtual-authenticator";
import { router } from "../../router.js";
import { COOKIE_NAMES } from "../../utils/cookies.js";
import { hashToken } from "../../utils/crypto.js";
import { getUserPasskeys } from "../../utils/webauthn.js";
import { KNOWN_AAGUIDS, TEST_RP } from "../helpers/test-constants.js";
import {
@@ -28,6 +26,9 @@ import {
truncateAllTables,
} from "../helpers/test-db.js";
/** Session expiry duration: 24 hours in milliseconds */
const SESSION_EXPIRY_MS = 24 * 60 * 60 * 1000;
let db: Kysely<Database> | undefined;
/**
@@ -41,67 +42,93 @@ function getDb(): Kysely<Database> {
}
/**
* Create an API context (for public endpoints)
* Create an API context with optional session token
*/
function createAPIContext(): APIContext {
function createAPIContext(sessionToken?: string): APIContext {
const reqHeaders = new Headers();
if (sessionToken) {
reqHeaders.set("cookie", `${COOKIE_NAMES.SESSION_TOKEN}=${sessionToken}`);
}
return {
db: getDb(),
origin: TEST_RP.origin,
allowedOrigins: [...TEST_RP.allowedOrigins],
rpName: TEST_RP.rpName,
reqHeaders: new Headers(),
reqHeaders,
resHeaders: new Headers(),
};
}
/**
* Create an authenticated context (for protected endpoints)
* Create a real session in the database and return the token
*/
function createAuthenticatedContext(
userId: number,
email: string,
): AuthenticatedContext {
const now = new Date();
return {
...createAPIContext(),
user: {
id: userId,
email,
displayName: null,
emailVerifiedAt: null,
isSuperuser: false,
},
session: {
id: "1",
trustedMode: false,
createdAt: now,
},
auth: {
method: "session",
sessionId: "1",
expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),
createdAt: now,
},
};
async function createSession(userId: number): Promise<string> {
const token = `test-session-${String(Date.now())}${String(Math.random())}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
await getDb()
.insertInto("sessions")
.values({
user_id: userId,
token_hash: tokenHashValue,
ip_address: "127.0.0.1",
user_agent: "test-agent",
expires_at: expiresAt,
trusted_mode: false,
})
.execute();
return token;
}
/**
* Create a login request context (for login flow endpoints)
* Create a login request in the database and return ID and token
*/
function createLoginRequestContext(
async function createLoginRequest(
userId: number,
email: string,
): LoginRequestContext {
return {
...createAPIContext(),
loginRequestId: 1,
user: {
id: userId,
): Promise<{ id: number; token: string }> {
const token = `test-login-${String(Date.now())}${String(Math.random())}`;
const expiresAt = new Date(Date.now() + 10 * 60 * 1000); // 10 minutes
const result = await getDb()
.insertInto("login_requests")
.values({
user_id: userId,
email,
displayName: null,
emailVerifiedAt: null,
isSuperuser: false,
},
token,
expires_at: expiresAt,
})
.returning("id")
.executeTakeFirstOrThrow();
return { id: Number(result.id), token };
}
/**
* Create an authenticated API context for a user (creates session + context)
*/
async function createUserAPIContext(userId: number): Promise<APIContext> {
const sessionToken = await createSession(userId);
return createAPIContext(sessionToken);
}
/**
* Create an API context with login request cookie
*/
function createLoginRequestContext(loginToken: string): APIContext {
const reqHeaders = new Headers();
reqHeaders.set("cookie", `${COOKIE_NAMES.LOGIN_REQUEST_TOKEN}=${loginToken}`);
return {
db: getDb(),
origin: TEST_RP.origin,
allowedOrigins: [...TEST_RP.allowedOrigins],
rpName: TEST_RP.rpName,
reqHeaders,
resHeaders: new Headers(),
};
}
@@ -127,7 +154,7 @@ async function registerPasskey(
authenticator: VirtualAuthenticator,
) {
const apiCtx = createAPIContext();
const authCtx = createAuthenticatedContext(userId, email);
const authCtx = await createUserAPIContext(userId);
const { options, challengeId } = await call(
router.auth.webauthn.createRegistrationOptions,
@@ -152,7 +179,8 @@ async function authenticate(
email: string,
authenticator: VirtualAuthenticator,
) {
const loginCtx = createLoginRequestContext(userId, email);
const { token: loginToken } = await createLoginRequest(userId, email);
const loginCtx = createLoginRequestContext(loginToken);
const { options, challengeId } = await call(
router.auth.webauthn.createAuthenticationOptions,
@@ -234,8 +262,8 @@ describe("registration flow", () => {
// Create credential with virtual authenticator
const response = authenticator.createCredential(options);
// Verify registration via router
const authCtx = createAuthenticatedContext(user.id, user.email);
// Verify registration via router (requires authenticated session)
const authCtx = await createUserAPIContext(user.id);
await call(
router.auth.webauthn.verifyRegistration,
{ challengeId, response },
@@ -256,7 +284,7 @@ describe("registration flow", () => {
});
const authenticator = new VirtualAuthenticator({ origin: TEST_RP.origin });
const apiCtx = createAPIContext();
const authCtx = createAuthenticatedContext(user.id, user.email);
const authCtx = await createUserAPIContext(user.id);
// Register first passkey via router
const { options: options1, challengeId: challengeId1 } = await call(
@@ -299,7 +327,7 @@ describe("registration flow", () => {
});
const apiCtx = createAPIContext();
const authCtx = createAuthenticatedContext(user.id, user.email);
const authCtx = await createUserAPIContext(user.id);
const { options, challengeId } = await call(
router.auth.webauthn.createRegistrationOptions,
@@ -325,7 +353,7 @@ describe("registration flow", () => {
});
const authenticator = new VirtualAuthenticator({ origin: TEST_RP.origin });
const apiCtx = createAPIContext();
const authCtx = createAuthenticatedContext(user.id, user.email);
const authCtx = await createUserAPIContext(user.id);
const { options, challengeId } = await call(
router.auth.webauthn.createRegistrationOptions,
@@ -355,7 +383,7 @@ describe("registration flow", () => {
});
const authenticator = new VirtualAuthenticator({ origin: TEST_RP.origin });
const apiCtx = createAPIContext();
const authCtx = createAuthenticatedContext(user.id, user.email);
const authCtx = await createUserAPIContext(user.id);
// Create options via router
const { options } = await call(
@@ -399,7 +427,8 @@ describe("authentication flow", () => {
);
// Create authentication options via router
const loginCtx = createLoginRequestContext(user.id, user.email);
const { token: loginToken } = await createLoginRequest(user.id, user.email);
const loginCtx = createLoginRequestContext(loginToken);
const { options, challengeId } = await call(
router.auth.webauthn.createAuthenticationOptions,
undefined,
@@ -427,7 +456,8 @@ describe("authentication flow", () => {
await registerPasskey(user.id, user.email, authenticator);
// Authenticate via router
const loginCtx = createLoginRequestContext(user.id, user.email);
const { token: loginToken } = await createLoginRequest(user.id, user.email);
const loginCtx = createLoginRequestContext(loginToken);
const { options: authOptions, challengeId: authChallengeId } = await call(
router.auth.webauthn.createAuthenticationOptions,
undefined,
@@ -460,7 +490,8 @@ describe("authentication flow", () => {
expect(firstPasskey.lastUsedAt).toBeNull();
// Authenticate via router
const loginCtx = createLoginRequestContext(user.id, user.email);
const { token: loginToken } = await createLoginRequest(user.id, user.email);
const loginCtx = createLoginRequestContext(loginToken);
const { options: authOptions, challengeId: authChallengeId } = await call(
router.auth.webauthn.createAuthenticationOptions,
undefined,
@@ -489,7 +520,8 @@ describe("authentication flow", () => {
await registerPasskey(user.id, user.email, authenticator);
// Authenticate via router
const loginCtx = createLoginRequestContext(user.id, user.email);
const { token: loginToken } = await createLoginRequest(user.id, user.email);
const loginCtx = createLoginRequestContext(loginToken);
const { options: authOptions, challengeId: authChallengeId } = await call(
router.auth.webauthn.createAuthenticationOptions,
undefined,
@@ -522,7 +554,8 @@ describe("authentication flow", () => {
await registerPasskey(user.id, user.email, authenticator);
// Create auth options via router
const loginCtx = createLoginRequestContext(user.id, user.email);
const { token: loginToken } = await createLoginRequest(user.id, user.email);
const loginCtx = createLoginRequestContext(loginToken);
const { options: authOptions } = await call(
router.auth.webauthn.createAuthenticationOptions,
undefined,
@@ -585,7 +618,8 @@ describe("security tests", () => {
authenticator.setSignCount(regResponse.id, 0);
// Create a new authentication challenge
const loginCtx = createLoginRequestContext(user.id, user.email);
const { token: loginToken } = await createLoginRequest(user.id, user.email);
const loginCtx = createLoginRequestContext(loginToken);
const { options, challengeId } = await call(
router.auth.webauthn.createAuthenticationOptions,
undefined,
@@ -624,7 +658,8 @@ describe("security tests", () => {
await registerPasskey(user.id, user.email, authenticator);
// Create authentication challenge
const loginCtx = createLoginRequestContext(user.id, user.email);
const { token: loginToken } = await createLoginRequest(user.id, user.email);
const loginCtx = createLoginRequestContext(loginToken);
const { options, challengeId } = await call(
router.auth.webauthn.createAuthenticationOptions,
undefined,
@@ -755,7 +790,7 @@ describe("passkey management", () => {
await registerPasskey(user.id, user.email, authenticator2);
// List passkeys via router handler
const ctx = createAuthenticatedContext(user.id, user.email);
const ctx = await createUserAPIContext(user.id);
const passkeys = await call(router.me.passkeys.list, undefined, {
context: ctx,
});
@@ -806,7 +841,7 @@ describe("passkey management", () => {
await registerPasskey(user.id, user.email, authenticator);
const ctx = createAuthenticatedContext(user.id, user.email);
const ctx = await createUserAPIContext(user.id);
let passkeys = await call(router.me.passkeys.list, undefined, {
context: ctx,
});
@@ -842,8 +877,8 @@ describe("passkey management", () => {
await registerPasskey(user1.id, user1.email, auth1);
await registerPasskey(user2.id, user2.email, auth2);
const ctx1 = createAuthenticatedContext(user1.id, user1.email);
const ctx2 = createAuthenticatedContext(user2.id, user2.email);
const ctx1 = await createUserAPIContext(user1.id);
const ctx2 = await createUserAPIContext(user2.id);
const user2Passkeys = await call(router.me.passkeys.list, undefined, {
context: ctx2,
@@ -853,12 +888,18 @@ describe("passkey management", () => {
throw new Error("Expected user2 passkey to exist");
}
// Try to rename user2's passkey using user1's context (should not work)
await call(
router.me.passkeys.rename,
{ passkeyId: user2FirstPasskey.id, name: "Hacked Name" },
{ context: ctx1 },
);
// Try to rename user2's passkey using user1's context (should throw NOT_FOUND)
try {
await call(
router.me.passkeys.rename,
{ passkeyId: user2FirstPasskey.id, name: "Hacked Name" },
{ context: ctx1 },
);
throw new Error("Expected rename to fail with NOT_FOUND");
} catch (error) {
expect(error).toBeInstanceOf(Error);
expect((error as Error).message).toContain("Passkey not found");
}
// User2's passkey should be unchanged
const user2PasskeysAfter = await call(router.me.passkeys.list, undefined, {
@@ -880,7 +921,7 @@ describe("passkey management", () => {
await registerPasskey(user.id, user.email, authenticator);
const ctx = createAuthenticatedContext(user.id, user.email);
const ctx = await createUserAPIContext(user.id);
let passkeys = await call(router.me.passkeys.list, undefined, {
context: ctx,
});
@@ -906,7 +947,7 @@ describe("passkey management", () => {
await registerPasskey(user.id, user.email, auth1);
await registerPasskey(user.id, user.email, auth2);
const ctx = createAuthenticatedContext(user.id, user.email);
const ctx = await createUserAPIContext(user.id);
let passkeys = await call(router.me.passkeys.list, undefined, {
context: ctx,
});
@@ -937,7 +978,7 @@ describe("passkey management", () => {
await registerPasskey(user.id, user.email, authenticator);
const ctx = createAuthenticatedContext(user.id, user.email);
const ctx = await createUserAPIContext(user.id);
const passkeys = await call(router.me.passkeys.list, undefined, {
context: ctx,
});
@@ -978,8 +1019,8 @@ describe("passkey management", () => {
await registerPasskey(user1.id, user1.email, auth1);
await registerPasskey(user2.id, user2.email, auth2);
const ctx1 = createAuthenticatedContext(user1.id, user1.email);
const ctx2 = createAuthenticatedContext(user2.id, user2.email);
const ctx1 = await createUserAPIContext(user1.id);
const ctx2 = await createUserAPIContext(user2.id);
const user2Passkeys = await call(router.me.passkeys.list, undefined, {
context: ctx2,
@@ -989,12 +1030,18 @@ describe("passkey management", () => {
throw new Error("Expected user2 passkey to exist");
}
// Try to delete user2's passkey using user1's context (should not affect user2)
await call(
router.me.passkeys.delete,
{ passkeyId: user2FirstPasskey.id },
{ context: ctx1 },
);
// Try to delete user2's passkey using user1's context (should throw NOT_FOUND)
try {
await call(
router.me.passkeys.delete,
{ passkeyId: user2FirstPasskey.id },
{ context: ctx1 },
);
throw new Error("Expected delete to fail with NOT_FOUND");
} catch (error) {
expect(error).toBeInstanceOf(Error);
expect((error as Error).message).toContain("Passkey not found");
}
// User2's passkey should still exist
const user2PasskeysAfter = await call(router.me.passkeys.list, undefined, {

7
apps/api-server/src/__tests__/helpers/test-db.ts
View File

@@ -4,6 +4,7 @@
import type { Database } from "@reviq/db-schema";
import type { Kysely } from "kysely";
import { existsSync } from "node:fs";
import { join } from "node:path";
import { createDb } from "@reviq/db";
import { sql } from "kysely";
@@ -134,13 +135,13 @@ async function ensureTestDatabaseExists(): Promise<void> {
*
* @throws Error if repo root cannot be found
*/
async function findRepoRoot(): Promise<string> {
function findRepoRoot(): string {
let current = import.meta.dir;
// Walk up to 10 levels to find the repo root
for (let i = 0; i < 10; i++) {
const migrationsPath = join(current, "db", "migrations");
if (await Bun.file(migrationsPath).exists()) {
if (existsSync(migrationsPath)) {
return current;
}
const parent = join(current, "..");
@@ -166,7 +167,7 @@ export async function runMigrations(): Promise<void> {
// Ensure the database exists first
await ensureTestDatabaseExists();
const repoRoot = await findRepoRoot();
const repoRoot = findRepoRoot();
const proc = Bun.spawn(["dbmate", "up"], {
env: { ...process.env, DATABASE_URL: testDbUrl },

2
apps/api-server/src/context.ts
View File

@@ -21,6 +21,8 @@ export interface APIContext {
reqHeaders: Headers;
/** Response headers (for setting cookies) */
resHeaders: Headers;
/** Client IP address from direct connection (fallback when no proxy headers) */
clientIP?: string | null;
}
/**

7
apps/api-server/src/index.ts
View File

@@ -39,7 +39,7 @@ const rpName = Bun.env.RP_NAME ?? DEFAULT_RP_NAME;
Bun.serve({
port,
async fetch(request) {
async fetch(request, server) {
const url = new URL(request.url);
if (url.pathname.startsWith("/api/v1/rpc")) {
@@ -50,6 +50,10 @@ Bun.serve({
// Create response headers for setting cookies
const resHeaders = new Headers();
// Get client IP from Bun's server (fallback for when no proxy headers)
const socketInfo = server.requestIP(request);
const clientIP = socketInfo?.address ?? null;
const context: APIContext = {
db,
origin,
@@ -57,6 +61,7 @@ Bun.serve({
rpName,
reqHeaders: request.headers,
resHeaders,
clientIP,
};
const { response } = await handler.handle(request, {

2
apps/api-server/src/procedures/auth/create-login-request.ts
View File

@@ -102,7 +102,7 @@ export const createLoginRequest = os.auth.createLoginRequest.handler(
const hasPassword = user.password_hash !== null;
// Get geo info and user agent
const geo = getGeoInfo(context.reqHeaders);
const geo = getGeoInfo(context.reqHeaders, context.clientIP);
const userAgent = getUserAgent(context.reqHeaders);
// Create login request with secure token

2
apps/api-server/src/procedures/auth/login-if-completed.ts
View File

@@ -86,7 +86,7 @@ export const loginIfRequestIsCompleted =
}
// Get current request info
const geo = getGeoInfo(context.reqHeaders);
const geo = getGeoInfo(context.reqHeaders, context.clientIP);
const userAgent = getUserAgent(context.reqHeaders);
// Upsert user device

2
apps/api-server/src/procedures/auth/signup.ts
View File

@@ -225,7 +225,7 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
}
// Get geo info and user agent for session creation
const geo = getGeoInfo(context.reqHeaders);
const geo = getGeoInfo(context.reqHeaders, context.clientIP);
const userAgent = getUserAgent(context.reqHeaders);
let userId: number;

63
apps/api-server/src/procedures/me/_routes.ts Normal file
View File

@@ -0,0 +1,63 @@
/**
* Me routes - consolidated exports for os.router()
*/
import { createApiToken, deleteApiToken, listApiTokens } from "./api-tokens.js";
import { meAuthStatus } from "./auth-status.js";
import { meDelete } from "./delete.js";
import {
getDeviceInfo,
listTrustedDevices,
revokeAllTrustedDevices,
trustDevice,
untrustDevice,
} from "./devices.js";
import { meGet } from "./get.js";
import {
acceptInvite,
declineInvite,
getInvite,
listInvites,
} from "./invites.js";
import { deletePasskey, listPasskeys, renamePasskey } from "./passkeys.js";
import { listSessions, revokeAllSessions, revokeSession } from "./sessions.js";
import { setPassword } from "./set-password.js";
import { setupProfile } from "./setup-profile.js";
import { updateProfile } from "./update-profile.js";
export const meRoutes = {
get: meGet,
authStatus: meAuthStatus,
setupProfile,
updateProfile,
delete: meDelete,
setPassword,
passkeys: {
list: listPasskeys,
rename: renamePasskey,
delete: deletePasskey,
},
invites: {
list: listInvites,
get: getInvite,
accept: acceptInvite,
decline: declineInvite,
},
sessions: {
list: listSessions,
revoke: revokeSession,
revokeAll: revokeAllSessions,
},
devices: {
getInfo: getDeviceInfo,
trust: trustDevice,
listTrusted: listTrustedDevices,
untrust: untrustDevice,
revokeAll: revokeAllTrustedDevices,
},
apiTokens: {
list: listApiTokens,
create: createApiToken,
delete: deleteApiToken,
},
};

41
apps/api-server/src/procedures/me/auth-status.ts Normal file
View File

@@ -0,0 +1,41 @@
/**
* Get current user auth status
*/
import { authMiddleware, os } from "../base.js";
export const meAuthStatus = os.me.authStatus
.use(authMiddleware)
.handler(async ({ context }) => {
const user = await context.db
.selectFrom("users")
.select([
"id",
"email",
"display_name",
"full_name",
"phone_number",
"avatar_url",
"email_verified_at",
"is_superuser",
"password_hash",
])
.where("id", "=", context.user.id)
.executeTakeFirstOrThrow();
return {
user: {
id: user.id,
email: user.email,
displayName: user.display_name,
fullName: user.full_name,
phoneNumber: user.phone_number,
avatarUrl: user.avatar_url,
emailVerified: user.email_verified_at !== null,
needsSetup: user.display_name === null,
isSuperuser: user.is_superuser,
hasPassword: user.password_hash !== null,
},
auth: context.auth,
};
});

10
apps/api-server/src/procedures/me/devices.ts
View File

@@ -13,7 +13,7 @@ import { defaultDeviceName, requireDeviceFingerprint } from "./helpers.js";
* @throws BAD_REQUEST if no device fingerprint found
* @throws NOT_FOUND if device doesn't exist
*/
export const getDeviceInfo = os.me.getDeviceInfo
export const getDeviceInfo = os.me.devices.getInfo
.use(authMiddleware)
.handler(async ({ context }) => {
const fingerprint = requireDeviceFingerprint(context.reqHeaders);
@@ -48,7 +48,7 @@ export const getDeviceInfo = os.me.getDeviceInfo
* @throws BAD_REQUEST if no device fingerprint found
* @throws NOT_FOUND if device doesn't exist
*/
export const trustDevice = os.me.trustDevice
export const trustDevice = os.me.devices.trust
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { name } = input;
@@ -73,7 +73,7 @@ export const trustDevice = os.me.trustDevice
* - Requires authentication
* - Returns all trusted devices for the current user
*/
export const listTrustedDevices = os.me.listTrustedDevices
export const listTrustedDevices = os.me.devices.listTrusted
.use(authMiddleware)
.handler(async ({ context }) => {
const devices = await context.db
@@ -102,7 +102,7 @@ export const listTrustedDevices = os.me.listTrustedDevices
* - Marks device as untrusted by ID
* @throws NOT_FOUND if device doesn't exist
*/
export const untrustDevice = os.me.untrustDevice
export const untrustDevice = os.me.devices.untrust
.use(authMiddleware)
.handler(async ({ input, context }) => {
const result = await context.db
@@ -124,7 +124,7 @@ export const untrustDevice = os.me.untrustDevice
* - Requires authentication
* - Marks all devices as untrusted
*/
export const revokeAllTrustedDevices = os.me.revokeAllTrustedDevices
export const revokeAllTrustedDevices = os.me.devices.revokeAll
.use(authMiddleware)
.handler(async ({ context }) => {
await context.db

38
apps/api-server/src/procedures/me/get.ts Normal file
View File

@@ -0,0 +1,38 @@
/**
* Get current user profile
*/
import { authMiddleware, os } from "../base.js";
export const meGet = os.me.get
.use(authMiddleware)
.handler(async ({ context }) => {
const user = await context.db
.selectFrom("users")
.select([
"id",
"email",
"display_name",
"full_name",
"phone_number",
"avatar_url",
"email_verified_at",
"is_superuser",
"password_hash",
])
.where("id", "=", context.user.id)
.executeTakeFirstOrThrow();
return {
id: user.id,
email: user.email,
displayName: user.display_name,
fullName: user.full_name,
phoneNumber: user.phone_number,
avatarUrl: user.avatar_url,
emailVerified: user.email_verified_at !== null,
needsSetup: user.display_name === null,
isSuperuser: user.is_superuser,
hasPassword: user.password_hash !== null,
};
});

6
apps/api-server/src/procedures/me/index.ts
View File

@@ -10,6 +10,12 @@ export {
trustDevice,
untrustDevice,
} from "./devices.js";
export {
acceptInvite,
declineInvite,
getInvite,
listInvites,
} from "./invites.js";
export { deletePasskey, listPasskeys, renamePasskey } from "./passkeys.js";
export {
listSessions,

211
apps/api-server/src/procedures/me/invites.ts Normal file
View File

@@ -0,0 +1,211 @@
/**
* User invite procedures - list, get, decline invites for the current user
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os } from "../base.js";
/**
* List pending invites for the current user
* Only returns invites where the user's email matches and email is verified
*/
export const listInvites = os.me.invites.list
.use(authMiddleware)
.handler(async ({ context }) => {
// Only show invites if email is verified
if (!context.user.emailVerifiedAt) {
return [];
}
// Get non-expired invites matching user's email
const invites = await context.db
.selectFrom("org_invites")
.innerJoin("orgs", "orgs.id", "org_invites.org_id")
.innerJoin("users", "users.id", "org_invites.invited_by")
.where("org_invites.email", "=", context.user.email.toLowerCase())
.where("org_invites.expires_at", ">", new Date())
.select([
"org_invites.id",
"org_invites.role",
"org_invites.created_at",
"org_invites.expires_at",
"orgs.id as org_id",
"orgs.slug as org_slug",
"orgs.display_name as org_display_name",
"orgs.logo_url as org_logo_url",
"users.display_name as inviter_name",
"users.email as inviter_email",
])
.orderBy("org_invites.created_at", "desc")
.execute();
return invites.map((i) => ({
id: i.id,
org: {
id: i.org_id,
slug: i.org_slug,
displayName: i.org_display_name,
logoUrl: i.org_logo_url,
},
role: i.role,
invitedBy: i.inviter_name ?? i.inviter_email,
createdAt: i.created_at,
expiresAt: i.expires_at,
}));
});
/**
* Get a specific invite by ID
* Only returns if the invite belongs to the current user's email
*/
export const getInvite = os.me.invites.get
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { inviteId } = input;
// Only show invite if email is verified
if (!context.user.emailVerifiedAt) {
throw new ORPCError("FORBIDDEN", {
message: "Please verify your email to view invitations",
});
}
// Get the invite matching user's email
const invite = await context.db
.selectFrom("org_invites")
.innerJoin("orgs", "orgs.id", "org_invites.org_id")
.innerJoin("users", "users.id", "org_invites.invited_by")
.where("org_invites.id", "=", inviteId)
.where("org_invites.email", "=", context.user.email.toLowerCase())
.where("org_invites.expires_at", ">", new Date())
.select([
"org_invites.id",
"org_invites.role",
"org_invites.created_at",
"org_invites.expires_at",
"orgs.id as org_id",
"orgs.slug as org_slug",
"orgs.display_name as org_display_name",
"orgs.logo_url as org_logo_url",
"users.display_name as inviter_name",
"users.email as inviter_email",
])
.executeTakeFirst();
if (!invite) {
throw new ORPCError("NOT_FOUND", {
message: "Invitation not found or expired",
});
}
return {
id: invite.id,
org: {
id: invite.org_id,
slug: invite.org_slug,
displayName: invite.org_display_name,
logoUrl: invite.org_logo_url,
},
role: invite.role,
invitedBy: invite.inviter_name ?? invite.inviter_email,
createdAt: invite.created_at,
expiresAt: invite.expires_at,
};
});
/**
* Accept an invite by ID
* Adds user to org and deletes the invite
*/
export const acceptInvite = os.me.invites.accept
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { inviteId } = input;
// Only allow accepting if email is verified
if (!context.user.emailVerifiedAt) {
throw new ORPCError("FORBIDDEN", {
message: "Please verify your email to accept invitations",
});
}
// Get the invite matching user's email
const invite = await context.db
.selectFrom("org_invites")
.where("id", "=", inviteId)
.where("email", "=", context.user.email.toLowerCase())
.where("expires_at", ">", new Date())
.select(["id", "org_id", "role"])
.executeTakeFirst();
if (!invite) {
throw new ORPCError("NOT_FOUND", {
message: "Invitation not found or expired",
});
}
try {
// Accept the invite in a transaction
await context.db.transaction().execute(async (trx) => {
// Add user as a member
await trx
.insertInto("org_members")
.values({
org_id: invite.org_id,
user_id: context.user.id,
role: invite.role,
})
.execute();
// Delete the invite
await trx
.deleteFrom("org_invites")
.where("id", "=", invite.id)
.execute();
});
} catch (error) {
// Handle unique constraint violation (user is already a member)
if (
error instanceof Error &&
error.message.includes("org_members_org_id_user_id_key")
) {
// Clean up the invite since user is already a member
await context.db
.deleteFrom("org_invites")
.where("id", "=", invite.id)
.execute();
throw new ORPCError("CONFLICT", {
message: "You are already a member of this organization",
});
}
throw error;
}
return { success: true };
});
/**
* Decline an invite
* Deletes the invite if it belongs to the current user's email
*/
export const declineInvite = os.me.invites.decline
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { inviteId } = input;
// Delete the invite only if it matches user's email
const result = await context.db
.deleteFrom("org_invites")
.where("id", "=", inviteId)
.where("email", "=", context.user.email.toLowerCase())
.executeTakeFirst();
if (!result.numDeletedRows || result.numDeletedRows === 0n) {
throw new ORPCError("NOT_FOUND", {
message: "Invitation not found",
});
}
return { success: true };
});

6
apps/api-server/src/procedures/me/sessions.ts
View File

@@ -11,7 +11,7 @@ import { authMiddleware, os } from "../base.js";
* - Returns all sessions for the current user
* - Includes isCurrent flag to identify active session
*/
export const listSessions = os.me.listSessions
export const listSessions = os.me.sessions.list
.use(authMiddleware)
.handler(async ({ context }) => {
const sessions = await context.db
@@ -42,7 +42,7 @@ export const listSessions = os.me.listSessions
* @throws NOT_FOUND if session doesn't exist
* @throws BAD_REQUEST if trying to revoke current session
*/
export const revokeSession = os.me.revokeSession
export const revokeSession = os.me.sessions.revoke
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { sessionId } = input;
@@ -74,7 +74,7 @@ export const revokeSession = os.me.revokeSession
* - Requires authentication
* - Revokes all sessions except current
*/
export const revokeAllSessions = os.me.revokeAllSessions
export const revokeAllSessions = os.me.sessions.revokeAll
.use(authMiddleware)
.handler(async ({ context }) => {
// Revoke all sessions except current

24
apps/api-server/src/procedures/me/setup-profile.ts Normal file
View File

@@ -0,0 +1,24 @@
/**
* Setup user profile (initial setup after signup)
*/
import { authMiddleware, os } from "../base.js";
export const setupProfile = os.me.setupProfile
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { displayName, fullName, phoneNumber } = input;
await context.db
.updateTable("users")
.set({
display_name: displayName,
full_name: fullName ?? null,
phone_number: phoneNumber ?? null,
updated_at: new Date(),
})
.where("id", "=", context.user.id)
.execute();
return { success: true };
});

152
apps/api-server/src/router.ts
View File

@@ -15,31 +15,7 @@ import {
loginRequestMiddleware,
os,
} from "./procedures/base.js";
import {
createApiToken,
deleteApiToken,
listApiTokens,
} from "./procedures/me/api-tokens.js";
import { meDelete } from "./procedures/me/delete.js";
import {
getDeviceInfo,
listTrustedDevices,
revokeAllTrustedDevices,
trustDevice,
untrustDevice,
} from "./procedures/me/devices.js";
import {
deletePasskey,
listPasskeys,
renamePasskey,
} from "./procedures/me/passkeys.js";
import {
listSessions,
revokeAllSessions,
revokeSession,
} from "./procedures/me/sessions.js";
import { setPassword } from "./procedures/me/set-password.js";
import { updateProfile } from "./procedures/me/update-profile.js";
import { meRoutes } from "./procedures/me/_routes.js";
import {
invitesAccept,
invitesCancel,
@@ -169,105 +145,6 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication
return { success: true };
});
// Me procedures
const meGet = os.me.get.use(authMiddleware).handler(async ({ context }) => {
const user = await context.db
.selectFrom("users")
.select([
"id",
"email",
"display_name",
"full_name",
"phone_number",
"avatar_url",
"email_verified_at",
"is_superuser",
"password_hash",
])
.where("id", "=", context.user.id)
.executeTakeFirstOrThrow();
return {
id: user.id,
email: user.email,
displayName: user.display_name,
fullName: user.full_name,
phoneNumber: user.phone_number,
avatarUrl: user.avatar_url,
emailVerified: user.email_verified_at !== null,
needsSetup: user.display_name === null,
isSuperuser: user.is_superuser,
hasPassword: user.password_hash !== null,
};
});
const meAuthStatus = os.me.authStatus
.use(authMiddleware)
.handler(async ({ context }) => {
const user = await context.db
.selectFrom("users")
.select([
"id",
"email",
"display_name",
"full_name",
"phone_number",
"avatar_url",
"email_verified_at",
"is_superuser",
"password_hash",
])
.where("id", "=", context.user.id)
.executeTakeFirstOrThrow();
return {
user: {
id: user.id,
email: user.email,
displayName: user.display_name,
fullName: user.full_name,
phoneNumber: user.phone_number,
avatarUrl: user.avatar_url,
emailVerified: user.email_verified_at !== null,
needsSetup: user.display_name === null,
isSuperuser: user.is_superuser,
hasPassword: user.password_hash !== null,
},
auth: context.auth,
};
});
const setupProfile = os.me.setupProfile
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { displayName, fullName, phoneNumber } = input;
await context.db
.updateTable("users")
.set({
display_name: displayName,
full_name: fullName ?? null,
phone_number: phoneNumber ?? null,
updated_at: new Date(),
})
.where("id", "=", context.user.id)
.execute();
return { success: true };
});
// Me procedures imported from ./procedures/me/*
// - updateProfile, setPassword, meDelete
// - listPasskeys, renamePasskey, deletePasskey
// - listSessions, revokeSession, revokeAllSessions
// - getDeviceInfo, trustDevice, listTrustedDevices, untrustDevice, revokeAllTrustedDevices
// Orgs procedures - imported from ./procedures/orgs/index.js
// - orgsList, orgsCreate, orgsGet, orgsUpdate, orgsDelete, orgsLeave
// - membersList, membersUpdateRole, membersRemove
// - invitesList, invitesCreate, invitesCancel, invitesAccept
// - sitesList
// Build the router
export const router = os.router({
auth: {
@@ -288,32 +165,7 @@ export const router = os.router({
verifyAuthentication,
},
},
me: {
get: meGet,
authStatus: meAuthStatus,
setupProfile,
updateProfile,
delete: meDelete,
setPassword,
passkeys: {
list: listPasskeys,
rename: renamePasskey,
delete: deletePasskey,
},
listSessions,
revokeSession,
revokeAllSessions,
getDeviceInfo,
trustDevice,
listTrustedDevices,
untrustDevice,
revokeAllTrustedDevices,
apiTokens: {
list: listApiTokens,
create: createApiToken,
delete: deleteApiToken,
},
},
me: meRoutes,
orgs: {
list: orgsList,
create: orgsCreate,

11
apps/api-server/src/utils/geo.ts
View File

@@ -126,9 +126,16 @@ export const lookupGeoFromIP = (
/**
* Extract geolocation info from request headers.
* Uses Cloudflare headers when available, falls back to GeoIP database lookup.
*
* @param headers - Request headers to extract proxy IP headers from
* @param fallbackIP - Optional fallback IP from direct socket connection (e.g., from Bun's server.requestIP)
*/
export const getGeoInfo = (headers: Headers): GeoInfo => {
const ip = extractClientIP(headers);
export const getGeoInfo = (
headers: Headers,
fallbackIP?: string | null,
): GeoInfo => {
// Try proxy headers first, then fall back to direct connection IP
const ip = extractClientIP(headers) ?? fallbackIP ?? null;
// Try Cloudflare geo headers first
const cfCountry = headers.get("CF-IPCountry");