igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'cli-improvements-1' with @reviq/utils password hashing

Browse Source 
- Use executeBootstrap helper from @reviq/db for CLI bootstrap
- Update @reviq/db to use @reviq/utils for PBKDF2-SHA256 password hashing
  (Cloudflare Workers compatible)
- Keep @scure/base for base58 token encoding
- Remove redundant password.ts from @reviq/db (import directly from @reviq/utils)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
2026-01-09 18:17:45 +08:00
parent cfe26c8820 77e6754427
commit d4e20d41b5
19 changed files with 785 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/cli/package.json
View File

@@ -12,14 +12,15 @@
"cli": "bun run src/bin/reviq.ts",
"typecheck": "tsc --noEmit",
"lint": "eslint . --cache",
"clean": "rm -rf dist .eslintcache"
"clean": "rm -rf dist .eslintcache",
"test": "bun test"
},
"dependencies": {
"@stricli/core": "^1.2.5",
"@stricli/auto-complete": "^1.0.0",
"@noble/hashes": "^2.0.1",
"@reviq/db": "workspace:*",
"@reviq/utils": "workspace:*",
"@noble/hashes": "^2.0.1"
"@scure/base": "^2.0.0",
"@stricli/auto-complete": "^1.0.0",
"@stricli/core": "^1.2.5"
},
"devDependencies": {
"@macalinao/eslint-config": "catalog:",

119
apps/cli/src/routes/auth/status.ts
View File

@@ -1,6 +1,61 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { getConfigPath, readConfig } from "../../utils/config.js";
import { TOKEN_PREFIX } from "../../utils/token.js";
interface AuthStatusResponse {
user: {
id: number;
email: string;
displayName: string | null;
fullName: string | null;
isSuperuser: boolean;
emailVerified: boolean;
};
auth:
| {
method: "api_token";
tokenId: string;
tokenName: string;
expiresAt: string;
lastUsedAt: string | null;
createdAt: string;
}
| {
method: "session";
sessionId: string;
expiresAt: string;
createdAt: string;
};
}
function formatDate(dateStr: string): string {
const date = new Date(dateStr);
return date.toLocaleString();
}
function formatRelativeTime(dateStr: string): string {
const date = new Date(dateStr);
const now = new Date();
const diffMs = date.getTime() - now.getTime();
const diffDays = Math.floor(diffMs / (1000 * 60 * 60 * 24));
if (diffDays < 0) {
return `${String(Math.abs(diffDays))} days ago`;
}
if (diffDays === 0) {
const diffHours = Math.floor(diffMs / (1000 * 60 * 60));
if (diffHours <= 0) {
return "expired";
}
return `in ${String(diffHours)} hours`;
}
if (diffDays === 1) {
return "tomorrow";
}
return `in ${String(diffDays)} days`;
}
async function status(this: LocalContext): Promise<void> {
const config = await readConfig();
@@ -16,10 +71,66 @@ async function status(this: LocalContext): Promise<void> {
console.log("Authentication Status");
console.log("=====================\n");
console.log(`Email: ${config.email}`);
console.log(`API URL: ${config.apiUrl}`);
console.log(`Config file: ${getConfigPath()}`);
console.log("Token: [configured]");
// Show local config info
console.log("Local Configuration:");
console.log(` Config file: ${getConfigPath()}`);
console.log(` API URL: ${config.apiUrl}`);
// Show token format info
const hasNewFormat = config.token.startsWith(TOKEN_PREFIX);
console.log(
` Token format: ${hasNewFormat ? "reviq_<base58>" : "legacy (hex)"}`,
);
// Try to fetch status from API
console.log("\nAPI Status:");
try {
const client = await createApiClient();
const response = await client.call<AuthStatusResponse>("me.authStatus");
// User info
console.log("\n User:");
console.log(` Email: ${response.user.email}`);
if (response.user.displayName) {
console.log(` Display name: ${response.user.displayName}`);
}
if (response.user.fullName) {
console.log(` Full name: ${response.user.fullName}`);
}
console.log(
` Email verified: ${response.user.emailVerified ? "yes" : "no"}`,
);
console.log(` Superuser: ${response.user.isSuperuser ? "yes" : "no"}`);
// Auth method info
if (response.auth.method === "api_token") {
console.log("\n API Token:");
console.log(` Name: ${response.auth.tokenName}`);
console.log(` Token ID: ${response.auth.tokenId}`);
console.log(` Created: ${formatDate(response.auth.createdAt)}`);
console.log(
` Expires: ${formatDate(response.auth.expiresAt)} (${formatRelativeTime(response.auth.expiresAt)})`,
);
if (response.auth.lastUsedAt) {
console.log(` Last used: ${formatDate(response.auth.lastUsedAt)}`);
}
} else {
console.log("\n Session:");
console.log(` Session ID: ${response.auth.sessionId}`);
console.log(` Created: ${formatDate(response.auth.createdAt)}`);
console.log(
` Expires: ${formatDate(response.auth.expiresAt)} (${formatRelativeTime(response.auth.expiresAt)})`,
);
}
} catch (error) {
console.log(
` Error: ${error instanceof Error ? error.message : String(error)}`,
);
console.log(
"\n Unable to connect to API. Local credentials may be invalid.",
);
}
}
export const statusCommand = buildCommand({

97
apps/cli/src/routes/bootstrap.ts
View File

@@ -1,9 +1,7 @@
import type { LocalContext } from "../context.js";
import { createDb } from "@reviq/db";
import { hashPassword } from "@reviq/utils";
import { createDb, executeBootstrap } from "@reviq/db";
import { buildCommand } from "@stricli/core";
import { writeConfig } from "../utils/config.js";
import { generateToken, hashToken } from "../utils/token.js";
interface BootstrapFlags {
email: string;
@@ -17,98 +15,23 @@ async function bootstrap(
console.log("RevIQ Bootstrap - Create Superuser");
console.log("===================================\n");
// Validate password length
if (flags.password.length < 8) {
console.error("Error: Password must be at least 8 characters");
this.process.exit(1);
}
const db = createDb();
try {
// Check if user already exists
const existing = await db
.selectFrom("users")
.where("email", "=", flags.email.toLowerCase())
.select("id")
.executeTakeFirst();
// Execute the bootstrap operation
const result = await executeBootstrap(db, {
email: flags.email,
password: flags.password,
});
if (existing) {
console.error(`Error: User with email ${flags.email} already exists`);
await db.destroy();
this.process.exit(1);
}
// Hash the password
const passwordHash = await hashPassword(flags.password);
// Create superuser
const [user] = await db
.insertInto("users")
.values({
email: flags.email.toLowerCase(),
password_hash: passwordHash,
is_superuser: true,
email_verified_at: new Date(),
})
.returning(["id", "email"])
.execute();
if (!user) {
console.error("Error: Failed to create user");
await db.destroy();
this.process.exit(1);
}
console.log(`Created superuser: ${user.email}`);
// Create "reviq" org
const [org] = await db
.insertInto("orgs")
.values({
slug: "reviq",
display_name: "RevIQ",
})
.returning(["id", "slug"])
.execute();
if (!org) {
console.error("Error: Failed to create org");
await db.destroy();
this.process.exit(1);
}
// Add user as owner of the org
await db
.insertInto("org_members")
.values({
org_id: org.id,
user_id: user.id,
role: "owner",
})
.execute();
console.log(`Created org: ${org.slug}`);
// Generate API token
const token = generateToken();
const tokenHashValue = hashToken(token);
await db
.insertInto("api_tokens")
.values({
user_id: user.id,
token_hash: tokenHashValue,
name: "CLI bootstrap token",
expires_at: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
})
.execute();
console.log(`Created superuser: ${result.user.email}`);
console.log(`Created org: ${result.org.slug}`);
// Save to config
await writeConfig({
apiUrl: Bun.env.API_URL ?? "http://localhost:9861",
token,
email: user.email,
token: result.token,
email: result.user.email,
});
console.log("Saved credentials to ~/.config/reviq/credentials.json");

170
apps/cli/src/utils/token.test.ts Normal file
View File

@@ -0,0 +1,170 @@
/**
* Tests for token generation and parsing utilities
*/
import { describe, expect, test } from "bun:test";
import { generateToken, hashToken, parseToken, TOKEN_PREFIX } from "./token.js";
describe("TOKEN_PREFIX", () => {
test("should be 'reviq_'", () => {
expect(TOKEN_PREFIX).toBe("reviq_");
});
});
describe("generateToken", () => {
test("should generate a token with the reviq_ prefix", () => {
const token = generateToken();
expect(token.startsWith(TOKEN_PREFIX)).toBe(true);
});
test("should generate tokens of consistent length", () => {
const token1 = generateToken();
const token2 = generateToken();
const token3 = generateToken();
// Base58 encoding of 32 bytes produces 43-44 characters
// Plus 6 chars for "reviq_" prefix = 49-50 total
expect(token1.length).toBeGreaterThanOrEqual(49);
expect(token1.length).toBeLessThanOrEqual(50);
expect(token2.length).toBeGreaterThanOrEqual(49);
expect(token2.length).toBeLessThanOrEqual(50);
expect(token3.length).toBeGreaterThanOrEqual(49);
expect(token3.length).toBeLessThanOrEqual(50);
});
test("should generate unique tokens", () => {
const tokens = new Set<string>();
for (let i = 0; i < 100; i++) {
tokens.add(generateToken());
}
expect(tokens.size).toBe(100);
});
test("should only contain valid base58 characters after prefix", () => {
const token = generateToken();
const base58Part = token.slice(TOKEN_PREFIX.length);
// Base58 alphabet: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
// (excludes 0, O, I, l)
const base58Regex =
/^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]+$/;
expect(base58Regex.test(base58Part)).toBe(true);
});
});
describe("parseToken", () => {
test("should parse a valid token and return 32 bytes", () => {
const token = generateToken();
const bytes = parseToken(token);
expect(bytes).not.toBeNull();
expect(bytes?.length).toBe(32);
});
test("should return null for tokens without the prefix", () => {
const bytes = parseToken("invalid_token");
expect(bytes).toBeNull();
});
test("should return null for tokens with wrong prefix", () => {
const bytes = parseToken(
"wrong_5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ",
);
expect(bytes).toBeNull();
});
test("should return null for tokens with invalid base58 characters", () => {
// 'O', '0', 'I', 'l' are not valid base58 characters
const bytes = parseToken("reviq_0InvalidBase58");
expect(bytes).toBeNull();
});
test("should return null for tokens with incorrect byte length", () => {
// A shorter base58 string (less than 32 bytes)
const bytes = parseToken("reviq_abc123");
expect(bytes).toBeNull();
});
test("should round-trip correctly", () => {
const originalToken = generateToken();
const bytes = parseToken(originalToken);
expect(bytes).not.toBeNull();
// Verify the bytes are the same entropy
expect(bytes?.length).toBe(32);
});
});
describe("hashToken", () => {
test("should produce a 64-character hex string", () => {
const token = generateToken();
const hash = hashToken(token);
expect(hash.length).toBe(64);
});
test("should produce consistent hashes for the same token", () => {
const token = generateToken();
const hash1 = hashToken(token);
const hash2 = hashToken(token);
expect(hash1).toBe(hash2);
});
test("should produce different hashes for different tokens", () => {
const token1 = generateToken();
const token2 = generateToken();
const hash1 = hashToken(token1);
const hash2 = hashToken(token2);
expect(hash1).not.toBe(hash2);
});
test("should only contain hex characters", () => {
const token = generateToken();
const hash = hashToken(token);
const hexRegex = /^[0-9a-f]+$/;
expect(hexRegex.test(hash)).toBe(true);
});
test("should hash legacy tokens correctly", () => {
// Test with a legacy hex token (pre-reviq_ format)
const legacyToken = "a".repeat(64);
const hash = hashToken(legacyToken);
expect(hash.length).toBe(64);
expect(hash).not.toBe(legacyToken);
});
});
describe("token security properties", () => {
test("should have sufficient entropy (32 bytes = 256 bits)", () => {
const token = generateToken();
const bytes = parseToken(token);
expect(bytes).not.toBeNull();
expect(bytes?.length).toBe(32);
// 32 bytes * 8 bits = 256 bits of entropy
});
test("should be cryptographically random (statistical test)", () => {
// Generate many tokens and check that byte distribution is roughly uniform
const byteCounts: number[] = new Array<number>(256).fill(0);
const numTokens = 1000;
for (let i = 0; i < numTokens; i++) {
const token = generateToken();
const bytes = parseToken(token);
if (bytes) {
for (const byte of bytes) {
// byte is always 0-255, and byteCounts has 256 elements initialized to 0
byteCounts[byte] = (byteCounts[byte] ?? 0) + 1;
}
}
}
// Each byte value should appear roughly (numTokens * 32) / 256 times
const expectedCount = (numTokens * 32) / 256;
const tolerance = expectedCount * 0.5; // Allow 50% variance
// Check that no byte value is extremely over- or under-represented
for (let i = 0; i < 256; i++) {
const count: number = byteCounts[i] ?? 0;
expect(count).toBeGreaterThan(expectedCount - tolerance);
expect(count).toBeLessThan(expectedCount + tolerance);
}
});
});

26
apps/cli/src/utils/token.ts
View File

@@ -1,22 +1,12 @@
/**
* Token generation and hashing utilities
*
* Re-exports from @reviq/db for convenience
*/
import { sha256 } from "@noble/hashes/sha2.js";
import { randomBytes } from "@noble/hashes/utils.js";
/**
* Generate a cryptographically secure random token
* Returns a 32-byte hex string (64 characters)
*/
export const generateToken = (): string => {
return Buffer.from(randomBytes(32)).toString("hex");
};
/**
* Hash a token using SHA-256
* Returns a hex string
*/
export const hashToken = (token: string): string => {
return Buffer.from(sha256(Buffer.from(token))).toString("hex");
};
export {
generateToken,
hashToken,
parseToken,
TOKEN_PREFIX,
} from "@reviq/db";