RevIQ
6b9b04d1d0
Improve API token format and enhance auth status command
- Change token format to reviq_<base58> prefix instead of raw hex
- Add me.authStatus API endpoint for detailed auth information
- Enhance CLI `reviq auth status` to show token details from API
- Add comprehensive tests for token generation (18 tests)
- Extract bootstrap logic to @reviq/db for reusability and testing
- Remove default db export; callers must use createDb() directly
Token changes:
- New format: reviq_<base58-encoded-32-bytes>
- Added parseToken() for validation
- Added isValidTokenFormat() helper
Auth status endpoint returns:
- User profile information
- Auth method (api_token or session)
- Token/session details (name, expiration, last used)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 17:59:02 +08:00
RevIQ
3f94a9e067
Merge branch 'wt2': Add auth procedures and password utilities
Integrates extracted auth handlers and Bun-based password hashing:
- Auth procedures moved to individual handler files
- Password hashing using Bun's argon2id (replaces scrypt)
- Password validation with zxcvbn
- Session, cookie, crypto, email, and geo utilities
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:36:32 +08:00
RevIQ
410b937f9f
Implement CLI commands and admin API endpoints
- Add bootstrap command with direct DB access for initial setup
- Implement auth login/logout/status CLI commands
- Implement user create/confirm-email CLI commands
- Implement org create/list/add-site CLI commands
- Add admin.orgs.* and admin.users.* API endpoints
- Add password hashing utility with scrypt
- Add token hashing and authentication utility
- Add superuser runtime checks for admin endpoints
- Wrap multi-step operations in transactions
- Fix config file permissions (0o600) for security
- Remove token display from status command
- Add return statements to void handlers
- Add reviq CLI command to devenv
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:30:10 +08:00
RevIQ
829d365e80
Implement auth procedures with code review fixes
Add complete auth backend (Workstream D):
- Auth middleware for session/API key authentication
- Signup with password or passkey (WebAuthn)
- Login flow with device trust and email confirmation
- Password reset and email verification
- Session management and logout
Utilities created:
- cookies.ts: Cookie helpers and configuration
- crypto.ts: Token generation and hashing
- password.ts: zxcvbn validation, argon2id hashing
- geo.ts: IP/location extraction from headers
- email.ts: Stubbed email sending
- session.ts: Session creation and device trust
Code review improvements applied:
- Use ORPCError instead of Error in procedures
- Add ast-grep rule to enforce ORPCError usage
- Remove error info leakage (generic messages)
- Optimize N+1 query with JOIN in login-password
- Extract signupWithPassword/signupWithPasskey for testability
- Add 15-minute WebAuthn challenge expiry check
- Strengthen CookieOptions type definitions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:19:15 +08:00
RevIQ
b46146faa5
Implement WebAuthn passkey authentication
Add complete WebAuthn support for passkey registration and authentication:
- Install @simplewebauthn/server for WebAuthn utilities
- Create passkey-helpers.ts with base64url/Uint8Array conversion utilities
- Create webauthn.ts with registration/authentication option generation and verification
- Create context.ts with API context types
- Implement all WebAuthn router handlers (createRegistrationOptions, verifyRegistration, createAuthenticationOptions, verifyAuthentication)
- Implement passkey management handlers (listPasskeys, createPasskey, renamePasskey, deletePasskey)
- Add WebAuthn configuration constants and environment variables
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 12:34:26 +08:00