igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
181 Commits 2 Branches 0 Tags
25c8bab7414d68bbbcd933378e3787ac491e66e2
Commit Graph

8 Commits

Author SHA1 Message Date
igm
25c8bab741 Add orgMemberMiddleware for org-scoped procedures 
- Add OrgInfo, OrgMembership, OrgMemberContext types to context.ts
- Create org-member.ts middleware that:
  - Chains with authMiddleware
  - Takes input with org slug
  - Looks up org and verifies membership
  - Adds org and membership info to context
- Export from middlewares/index.ts and procedures/base.ts

Also simplify superuserMiddleware to use authMiddleware.concat()

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:49:03 +08:00
igm
c2b815dd6a Extract emails into separate package with clean interface 
- Create packages/emails/ with EmailClient interface abstraction
- Wrap Postmark ServerClient in adapter for clean typing
- Add createLoggingEmailClient for dev mode (logs to console)
- Split email templates into individual files with full test coverage
- Update api-server to use new package via context injection
- Remove EMAIL_DEV_MODE - now uses POSTMARK_API_KEY presence
- Delete apps/api-server/src/utils/email.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:51:12 +08:00
RevIQ
319edf70db Fix IP address not being set on sessions from localhost 
The extractClientIP() function only checked proxy headers (X-Forwarded-For,
CF-Connecting-IP, etc.) which don't exist when running locally without a proxy.

Changes:
- Add clientIP field to APIContext
- Use Bun's server.requestIP() to get client IP from direct socket connection
- Update getGeoInfo() to accept fallback IP parameter
- Pass context.clientIP to getGeoInfo() in auth procedures

Now sessions will have IP address set even for local development (::1 or 127.0.0.1).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-10 18:08:21 +08:00
RevIQ
6b9b04d1d0 Improve API token format and enhance auth status command 
- Change token format to reviq_<base58> prefix instead of raw hex
- Add me.authStatus API endpoint for detailed auth information
- Enhance CLI `reviq auth status` to show token details from API
- Add comprehensive tests for token generation (18 tests)
- Extract bootstrap logic to @reviq/db for reusability and testing
- Remove default db export; callers must use createDb() directly

Token changes:
- New format: reviq_<base58-encoded-32-bytes>
- Added parseToken() for validation
- Added isValidTokenFormat() helper

Auth status endpoint returns:
- User profile information
- Auth method (api_token or session)
- Token/session details (name, expiration, last used)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-09 17:59:02 +08:00
RevIQ
3f94a9e067 Merge branch 'wt2': Add auth procedures and password utilities 
Integrates extracted auth handlers and Bun-based password hashing:
- Auth procedures moved to individual handler files
- Password hashing using Bun's argon2id (replaces scrypt)
- Password validation with zxcvbn
- Session, cookie, crypto, email, and geo utilities

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-09 15:36:32 +08:00
RevIQ
410b937f9f Implement CLI commands and admin API endpoints 
- Add bootstrap command with direct DB access for initial setup
- Implement auth login/logout/status CLI commands
- Implement user create/confirm-email CLI commands
- Implement org create/list/add-site CLI commands
- Add admin.orgs.* and admin.users.* API endpoints
- Add password hashing utility with scrypt
- Add token hashing and authentication utility
- Add superuser runtime checks for admin endpoints
- Wrap multi-step operations in transactions
- Fix config file permissions (0o600) for security
- Remove token display from status command
- Add return statements to void handlers
- Add reviq CLI command to devenv

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-09 15:30:10 +08:00
RevIQ
829d365e80 Implement auth procedures with code review fixes 
Add complete auth backend (Workstream D):
- Auth middleware for session/API key authentication
- Signup with password or passkey (WebAuthn)
- Login flow with device trust and email confirmation
- Password reset and email verification
- Session management and logout

Utilities created:
- cookies.ts: Cookie helpers and configuration
- crypto.ts: Token generation and hashing
- password.ts: zxcvbn validation, argon2id hashing
- geo.ts: IP/location extraction from headers
- email.ts: Stubbed email sending
- session.ts: Session creation and device trust

Code review improvements applied:
- Use ORPCError instead of Error in procedures
- Add ast-grep rule to enforce ORPCError usage
- Remove error info leakage (generic messages)
- Optimize N+1 query with JOIN in login-password
- Extract signupWithPassword/signupWithPasskey for testability
- Add 15-minute WebAuthn challenge expiry check
- Strengthen CookieOptions type definitions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-09 15:19:15 +08:00
RevIQ
b46146faa5 Implement WebAuthn passkey authentication 
Add complete WebAuthn support for passkey registration and authentication:
- Install @simplewebauthn/server for WebAuthn utilities
- Create passkey-helpers.ts with base64url/Uint8Array conversion utilities
- Create webauthn.ts with registration/authentication option generation and verification
- Create context.ts with API context types
- Implement all WebAuthn router handlers (createRegistrationOptions, verifyRegistration, createAuthenticationOptions, verifyAuthentication)
- Implement passkey management handlers (listPasskeys, createPasskey, renamePasskey, deletePasskey)
- Add WebAuthn configuration constants and environment variables

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-09 12:34:26 +08:00