igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: igm:94b6de5970fa93fca9779e6e5c46aff95eab2cd0
Branches Tags
igm:master igm:fix-exports
...
compare: igm:master
Branches Tags
igm:master igm:fix-exports

36 Commits
94b6de5970 ... master

Author SHA1 Message Date
igm
8da4379583 fix readme
Some checks failed
CI / ci (push) Has been cancelled
Details
2026-01-12 18:29:02 +08:00
igm
1f6d5a4a9f linting
Some checks failed
CI / ci (push) Has been cancelled
Details
2026-01-12 18:07:31 +08:00
igm
d8397dfb38 Simplify middleware and remove unused code 
- Remove unused orgMemberMiddleware (org procedures use helper functions)
- Remove orgMemberProcedure from base.ts
- Simplify superuserMiddleware using inline concat syntax
- Import OrgInfo/OrgMembership from context.ts instead of redefining

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 18:06:25 +08:00
igm
73ef3df01f Add pre-configured procedures and use them throughout codebase 
- Add authedProcedure, superuserProcedure, loginRequestProcedure,
  orgMemberProcedure in base.ts
- Create procedures/me/_base.ts with meRoute = authedProcedure.me
- Update all me procedures to use meRoute.X.handler()
- Update auth/logout and auth/resend-verification to use authedProcedure
- Update all admin procedures to use superuserProcedure
- Update all orgs procedures to use authedProcedure

This reduces boilerplate and makes middleware usage consistent.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:57:15 +08:00
igm
25c8bab741 Add orgMemberMiddleware for org-scoped procedures 
- Add OrgInfo, OrgMembership, OrgMemberContext types to context.ts
- Create org-member.ts middleware that:
  - Chains with authMiddleware
  - Takes input with org slug
  - Looks up org and verifies membership
  - Adds org and membership info to context
- Export from middlewares/index.ts and procedures/base.ts

Also simplify superuserMiddleware to use authMiddleware.concat()

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:49:03 +08:00
igm
b48012c1f6 Move middlewares to dedicated folder with one per file 
- Create src/middlewares/ folder with separate files:
  - os.ts: base implementer
  - auth.ts: authentication middleware
  - login-request.ts: login request middleware
  - superuser.ts: chains authMiddleware then checks superuser
- Update base.ts to re-export from middlewares
- Update admin procedures to use merged superuserMiddleware
  (no longer need to chain authMiddleware.use(superuserMiddleware))

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:46:14 +08:00
igm
bd4053f952 Remove unused auth middleware and utils 
- Delete src/middleware/auth.ts (createAuthMiddleware, createSuperuserMiddleware)
- Delete src/utils/auth.ts (authenticateRequest)

These files were never imported or used anywhere in the codebase.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:39:07 +08:00
igm
ce5a27d014 Remove redundant null/undefined tests from createDb 
TypeScript already enforces the string type at compile time,
so runtime tests for invalid type inputs are unnecessary.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:34:25 +08:00
igm
665092464a Fix all linter errors 
- Remove unused biome suppression comment in completions.ts
- Remove unnecessary if condition in execute-bootstrap.test.ts
- Add eslint-disable comments for any type assertions in client.test.ts
- Add eslint-disable comments for expect().rejects patterns
- Fix template literal number expression with toString()
- Fix error handling in test-db.ts to avoid object stringify

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:30:00 +08:00
igm
b78064caeb Merge branch 'email-cleanup'
Some checks failed
CI / ci (push) Has been cancelled
Details
2026-01-12 17:23:04 +08:00
igm
c60041a1bb Replace dbmate with direct schema.sql execution in tests
Some checks failed
CI / ci (push) Has been cancelled
Details 
Instead of running dbmate migrations, tests now directly execute the
db/schema.sql file on the test database. This is faster and removes
the dbmate dependency from tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:12:10 +08:00
igm
40d743c8c2 Apply linter formatting fixes to emails package 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:12:06 +08:00
igm
e43c006bb1 Fix merge conflicts and add withTransaction helper 
- Add withTransaction helper that gracefully handles nested transactions
  (reuses existing transaction in tests, starts new one otherwise)
- Update auth procedures to use withTransaction instead of direct .transaction()
- Add email config to all e2e test contexts (required by merged code)
- Remove duplicate verification token code from signup procedure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 17:07:14 +08:00
igm
8e65c2e698 Merge branch 'transactions-in-procedure' 2026-01-12 15:53:41 +08:00
igm
b085a315be Add transactions to auth procedures and extract DB models 
- Wrap multiple DB operations in transactions for atomicity:
  - login-if-completed: device upsert + session + login_request deletion
  - forgot-password: delete old tokens + insert new token
  - signup: session + email_verification creation

- Extract reusable DB model operations to packages/db/src/models/:
  - sessions.ts: insertSession()
  - user-devices.ts: upsertUserDevice(), isDeviceTrusted()

- Update session.ts to use new model functions from @reviq/db
- Fix type narrowing in admin.test.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:52:05 +08:00
igm
1ed41e5c4c Merge branch 'db-coverage' 2026-01-12 15:51:48 +08:00
igm
84644c8bfb Merge branch 'email-cleanup' 2026-01-12 15:51:38 +08:00
igm
5ecf12a1a1 Consolidate duplicate components and create reusable MetricsTable 
- Merge two ConfirmDialog components into single shared ui/confirm-dialog
  with consistent API across account and org pages
- Create MetricsTable component to reduce duplication across dashboard
  table components (ad-unit, country, domain, source tables)
- Reduces code duplication by ~200 lines
- Consistent styling and behavior across all confirmation dialogs
- Single source of truth for metrics table structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:51:29 +08:00
igm
c2b815dd6a Extract emails into separate package with clean interface 
- Create packages/emails/ with EmailClient interface abstraction
- Wrap Postmark ServerClient in adapter for clean typing
- Add createLoggingEmailClient for dev mode (logs to console)
- Split email templates into individual files with full test coverage
- Update api-server to use new package via context injection
- Remove EMAIL_DEV_MODE - now uses POSTMARK_API_KEY presence
- Delete apps/api-server/src/utils/email.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:51:12 +08:00
igm
67930d90d5 Simplify apps/cli/ code 
- config.ts: Convert arrow functions to function declarations
- api-client.ts: Extract duplicated RPCLink logic into buildClient helper
- format-error.ts: Add centralized ORPCError handling
- complete-login.ts: Remove redundant error handling (now in formatError)
- status.ts: Simplify formatRelativeTime, improve whitespace
- create.ts: Rename validRoles to VALID_ROLES, add as const, early return
- completions.ts: Derive Shell type from SUPPORTED_SHELLS array

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:42:39 +08:00
igm
58ffa68f4c Add tests for @reviq/db package 
- token.test.ts: Unit tests for generateToken, parseToken, hashToken
- client.test.ts: Tests for createDb validation and e2e connectivity
- execute-bootstrap.test.ts: Comprehensive e2e tests for bootstrap
  operation including overwrite mode and related record cleanup

Coverage: client.ts 100%, token.ts 100%, execute-bootstrap.ts 98.69%

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:35:02 +08:00
igm
5a2e0297e5 Merge branch 'more-spec'
Some checks failed
CI / ci (push) Has been cancelled
Details
2026-01-12 15:23:25 +08:00
igm
c9de0b1ac5 Add sideEffects: false to all library packages 
Enables tree-shaking for bundlers by marking all library packages
as side-effect-free.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:22:24 +08:00
igm
0f50291490 Add @types/bun to api-contract for test file compilation 
The test file imports from bun:test which requires bun types. Added
@types/bun dependency and configured tsconfig to include bun types.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:20:21 +08:00
igm
9c6694cad4 Auto-skip e2e tests when TEST_DATABASE_URL is not configured
Some checks failed
CI / ci (push) Has been cancelled
Details 
Previously, e2e tests would fail with a confusing URL parse error when
TEST_DATABASE_URL was not set. Now SKIP_DB_TESTS automatically becomes
true when the database URL is missing, gracefully skipping these tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:15:15 +08:00
igm
f9f1dc7403 Merge branch 'test-coverage'
Some checks failed
CI / ci (push) Has been cancelled
Details
2026-01-12 15:08:49 +08:00
igm
b27a977809 Document test scripts in README and CLAUDE.md 
- Add test:unit, test:cov, test:unit:cov to README scripts table
- Add Running Tests section to CLAUDE.md recommending test:cov

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:08:35 +08:00
igm
7edc4ba8a9 gnu sed 2026-01-12 15:08:17 +08:00
igm
16f827e8f0 Merge branch 'test-coverage'
Some checks failed
CI / ci (push) Has been cancelled
Details 
Add test utilities and ast-grep rules for code quality.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:05:07 +08:00
igm
947c73dbdc Remove unnecessary exclude from tsconfig files 
TypeScript excludes node_modules by default, and dist is handled
by outDir or include patterns.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:02:55 +08:00
igm
2baf10b0cd Replace String() calls with .toString()/.toLocaleString() per ast-grep rule 
- Add formatError() helper in CLI to safely handle unknown error types
- Add uniqueTestId() helper for generating unique test identifiers
- Replace String(id) with id.toString() for database ID conversions
- Replace String(n) with n.toLocaleString() for user-facing number formatting
- Fix TypeScript errors in test files (undefined checks, unused variables)
- Update lint commands to include ast-grep scanning

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 15:02:46 +08:00
igm
8b081d5ba8 Remove unnecessary testing/README.md 
Sub-packages test-helpers and virtual-authenticator have their own READMEs.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 14:57:28 +08:00
igm
01f1e1c9e3 Add READMEs for remaining packages 
- db-schema: Database schema types from kysely-codegen
- db: Database client and helper functions
- testing: Overview of testing packages
- test-helpers: Database testing utilities
- virtual-authenticator: WebAuthn virtual authenticator

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 13:59:34 +08:00
igm
26d10d452f Rename @reviq/utils to @reviq/server-utils and add package READMEs 
- Rename packages/utils/ to packages/server-utils/
- Update all imports and package.json references
- Add READMEs for frontend-utils, server-utils, and common packages
- Update main README with new package structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 13:57:28 +08:00
igm
8b63eb3538 Add ast-grep rule to prevent String() function usage 
Prefer .toString() or .toLocaleString() over String() for
more predictable behavior and consistency.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 13:48:13 +08:00
igm
587e151fbd Fix ast-grep tests and add no-countall-number test 
- Update zod-namespace-import snapshot (semicolon fix)
- Add test cases for no-countall-number rule
- Update rule pattern to match method calls on objects

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-12 13:45:14 +08:00
170 changed files with 4346 additions and 2162 deletions
Expand all files Collapse all files

16
.ast-grep/rule-tests/__snapshots__/no-countall-number-snapshot.yml Normal file
View File

@@ -0,0 +1,16 @@
id: no-countall-number
snapshots:
countAll<number>():
fixed: countAll()
labels:
- source: countAll<number>()
style: primary
start: 0
end: 18
eb.fn.countAll<number>().as("count"):
fixed: eb.fn.countAll().as("count")
labels:
- source: eb.fn.countAll<number>()
style: primary
start: 0
end: 24

20
.ast-grep/rule-tests/__snapshots__/no-string-function-snapshot.yml Normal file
View File

@@ -0,0 +1,20 @@
id: no-string-function
snapshots:
String(123):
labels:
- source: String(123)
style: primary
start: 0
end: 11
String(Date.now()):
labels:
- source: String(Date.now())
style: primary
start: 0
end: 18
String(value):
labels:
- source: String(value)
style: primary
start: 0
end: 13

4
.ast-grep/rule-tests/__snapshots__/zod-namespace-import-snapshot.yml
View File

@@ -3,7 +3,7 @@ snapshots:
? |
import { z } from "zod";
: fixed: |
import * as z from "zod"
import * as z from "zod";
labels:
- source: import { z } from "zod";
style: primary
@@ -12,7 +12,7 @@ snapshots:
? |
import { z, ZodError } from "zod";
: fixed: |
import * as z from "zod"
import * as z from "zod";
labels:
- source: import { z, ZodError } from "zod";
style: primary

9
.ast-grep/rule-tests/no-countall-number-test.yml Normal file
View File

@@ -0,0 +1,9 @@
id: no-countall-number
valid:
# Plain countAll() is fine
- eb.fn.countAll().as("count")
# Other type arguments are fine
- eb.fn.countAll<string>().as("count")
invalid:
# countAll<number>() should be flagged
- eb.fn.countAll<number>().as("count")

13
.ast-grep/rule-tests/no-string-function-test.yml Normal file
View File

@@ -0,0 +1,13 @@
id: no-string-function
valid:
# toString() is fine
- value.toString()
- (123).toString()
- date.toLocaleString()
# Other functions named String are fine
- myString(value)
invalid:
# String() function should be flagged
- String(value)
- String(123)
- String(Date.now())

4
.ast-grep/rules/no-countall-number.yml
View File

@@ -4,5 +4,5 @@ severity: error
message: "Don't use countAll<number>() - use countAll() instead. PostgreSQL COUNT returns bigint (string), so the type annotation is misleading."
note: "Use Number() to convert the result if you need a number type."
rule:
pattern: countAll<number>()
fix: countAll()
pattern: $OBJ.countAll<number>()
fix: $OBJ.countAll()

7
.ast-grep/rules/no-string-function.yml Normal file
View File

@@ -0,0 +1,7 @@
id: no-string-function
language: typescript
severity: error
message: "Don't use String() - use .toString() or .toLocaleString() instead."
note: "String() can have unexpected behavior. Use .toString() for general conversion or .toLocaleString() for locale-aware formatting."
rule:
pattern: String($VAL)

19
CLAUDE.md
View File

@@ -1,5 +1,12 @@
# Claude Code Notes
## Running Tests
Use `bun run test:cov` to run all tests with coverage. This runs both unit tests and e2e tests that require a database connection.
- `bun run test:cov` - Run all tests with coverage (preferred)
- `bun run test:unit:cov` - Run only unit tests with coverage (no database required)
## Database Scripts
Use the wrapper scripts instead of running dbmate directly:
@@ -22,13 +29,13 @@ This repo uses Gitea (git.rev.iq) with the `tea` CLI for pull requests:
- tea 0.10.1 is pinned in `nix/tea.nix` (0.11.x has TTY bugs)
- Always specify `-r igm/publisher-dashboard` flag (SSH remote auto-detection doesn't work)
## macOS sed Syntax
## sed Syntax (GNU coreutils)
macOS uses BSD sed which differs from GNU sed:
- In-place edit requires empty string for backup: `sed -i '' 's/old/new/g' file`
- GNU sed (Linux): `sed -i 's/old/new/g' file`
- Use `|` as delimiter when patterns contain `/`: `sed -i '' 's|old/path|new/path|g' file`
- For multiple files: `for f in *.txt; do sed -i '' 's/old/new/g' "$f"; done`
This project uses GNU coreutils via devenv, so use standard GNU sed syntax:
- In-place edit: `sed -i 's/old/new/g' file`
- Use `|` as delimiter when patterns contain `/`: `sed -i 's|old/path|new/path|g' file`
- For multiple files: `for f in *.txt; do sed -i 's/old/new/g' "$f"; done`
- Do NOT use BSD sed syntax (`sed -i ''`) - we have GNU sed available
## SvelteKit resolve() Usage

17
README.md
View File

@@ -26,9 +26,11 @@ A modern publisher dashboard for managing organizations, members, and sites. Bui
### Shared Packages
- `@reviq/api-contract` - Shared API contract (oRPC)
- `@reviq/common` - Shared utilities for frontend and backend
- `@reviq/db` - Database client and queries
- `@reviq/db-schema` - Database schema and codegen
- `@reviq/utils` - Shared utilities
- `@reviq/frontend-utils` - Frontend-specific utilities
- `@reviq/server-utils` - Server/CLI utilities
## Project Structure
@@ -40,10 +42,12 @@ publisher-dashboard/
│ └── publisher-dashboard/ # SvelteKit frontend
├── packages/
│ ├── api-contract/ # Shared oRPC contract
│ ├── common/ # Shared utilities (frontend + backend)
│ ├── db/ # Database client
│ ├── db-schema/ # DB schema & codegen
│ ├── testing/ # Test utilities
── utils/ # Shared utilities
│ ├── frontend-utils/ # Frontend utilities
── server-utils/ # Server/CLI utilities
│ └── testing/ # Test utilities
└── db/ # Database migrations
```
@@ -51,7 +55,7 @@ publisher-dashboard/
### Prerequisites
- [Bun](https://bun.sh/) v1.1.42+
- [Bun](https://bun.sh/) v1.3.5+
- [devenv](https://devenv.sh/) for development environment management
### Environment Variables
@@ -109,7 +113,10 @@ bun run dev
| `bun run typecheck` | Run TypeScript type checking |
| `bun run lint` | Run Biome and ESLint |
| `bun run lint:fix` | Fix linting issues |
| `bun run test` | Run tests |
| `bun run test` | Run all tests (requires database) |
| `bun run test:unit` | Run unit tests only (no database required) |
| `bun run test:cov` | Run all tests with coverage report |
| `bun run test:unit:cov` | Run unit tests with coverage (no database) |
| `bun run db:codegen` | Generate database types |
| `./scripts/db-dump` | Dump database schema (strips `\restrict` lines) |
| `./scripts/db-migrate` | Run migrations (strips `\restrict` lines) |

4
apps/api-server/package.json
View File

@@ -12,14 +12,14 @@
"test": "bun test src/ --no-parallel"
},
"dependencies": {
"@formatjs/intl-durationformat": "^0.9.2",
"@noble/hashes": "^2.0.1",
"@orpc/experimental-pino": "^1.13.2",
"@orpc/server": "^1.13.2",
"@reviq/api-contract": "workspace:*",
"@reviq/db": "workspace:*",
"@reviq/db-schema": "workspace:*",
"@reviq/utils": "workspace:*",
"@reviq/emails": "workspace:*",
"@reviq/server-utils": "workspace:*",
"@scure/base": "^2.0.0",
"@simplewebauthn/server": "^13.2.2",
"@simplewebauthn/types": "^12.0.0",

61
apps/api-server/src/__tests__/e2e/admin.test.ts
View File

@@ -29,6 +29,7 @@ import type { Kysely } from "kysely";
import type { APIContext } from "../../context.js";
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { call } from "@orpc/server";
import { createLoggingEmailClient } from "@reviq/emails";
import {
createTestUser,
describeE2E,
@@ -36,6 +37,7 @@ import {
initTestDb,
TEST_RP,
truncateAllTables,
uniqueTestId,
withTestTransaction,
} from "@reviq/test-helpers";
import { router } from "../../router.js";
@@ -74,6 +76,11 @@ function createAPIContext(
rpName: TEST_RP.rpName,
reqHeaders,
resHeaders: new Headers(),
email: {
client: createLoggingEmailClient(),
fromAddress: "test@example.com",
baseUrl: TEST_RP.origin,
},
};
}
@@ -84,7 +91,7 @@ async function createSession(
db: Kysely<Database>,
userId: number,
): Promise<{ token: string; sessionId: number }> {
const token = `test-session-${String(Date.now())}${String(Math.random())}`;
const token = `test-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
@@ -115,9 +122,7 @@ async function createOrg(
logoUrl?: string;
},
): Promise<{ id: number; slug: string }> {
const slug =
options?.slug ??
`org-${String(Date.now())}-${String(Math.random()).slice(2, 8)}`;
const slug = options?.slug ?? `org-${uniqueTestId()}`;
const result = await db
.insertInto("orgs")
@@ -183,7 +188,7 @@ async function createLoginRequest(
expiresAt?: Date;
},
): Promise<{ id: number; token: string }> {
const token = `login-${String(Date.now())}${String(Math.random())}`;
const token = `login-${uniqueTestId()}`;
const expiresAt =
options?.expiresAt ?? new Date(Date.now() + LOGIN_REQUEST_EXPIRY_MS);
@@ -212,7 +217,7 @@ async function createOrgInvite(
email: string,
invitedBy: number,
): Promise<{ id: number }> {
const token = `invite-${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const token = `invite-${uniqueTestId()}`;
const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
const result = await db
@@ -461,7 +466,7 @@ describeE2E("admin", () => {
test("creates passwordless user", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -492,7 +497,7 @@ describeE2E("admin", () => {
test("creates user with name", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -519,7 +524,7 @@ describeE2E("admin", () => {
test("creates user and adds to organization as member", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -554,7 +559,7 @@ describeE2E("admin", () => {
test("creates user and adds to organization with custom role", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -588,7 +593,7 @@ describeE2E("admin", () => {
test("normalizes email to lowercase", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -615,7 +620,7 @@ describeE2E("admin", () => {
test("throws CONFLICT for duplicate email", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -637,7 +642,7 @@ describeE2E("admin", () => {
test("throws NOT_FOUND for non-existent org", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1060,7 +1065,7 @@ describeE2E("admin", () => {
test("creates organization with owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1096,20 +1101,22 @@ describeE2E("admin", () => {
expect(org?.display_name).toBe("New Organization");
// Verify owner membership
if (org) {
const membership = await db
.selectFrom("org_members")
.where("org_id", "=", org?.id)
.where("org_id", "=", org.id)
.where("user_id", "=", owner.id)
.selectAll()
.executeTakeFirst();
expect(membership).toBeDefined();
expect(membership?.role).toBe("owner");
}
});
test("normalizes owner email to lowercase", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1135,7 +1142,7 @@ describeE2E("admin", () => {
test("throws NOT_FOUND for non-existent owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1160,7 +1167,7 @@ describeE2E("admin", () => {
test("throws CONFLICT for duplicate slug", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1284,7 +1291,7 @@ describeE2E("admin", () => {
await createOrg(db, {
slug: "test-org",
displayName: "Old",
logoUrl: null,
logoUrl: undefined,
});
const { token: sessionToken } = await createSession(db, admin.id);
@@ -1379,7 +1386,7 @@ describeE2E("admin", () => {
test("deletes organization and related records", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1444,7 +1451,7 @@ describeE2E("admin", () => {
test("throws NOT_FOUND for non-existent organization", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1564,7 +1571,7 @@ describeE2E("admin", () => {
test("adds site to organization", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1596,7 +1603,7 @@ describeE2E("admin", () => {
test("throws NOT_FOUND for non-existent organization", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1617,7 +1624,7 @@ describeE2E("admin", () => {
test("throws CONFLICT for duplicate domain", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1640,7 +1647,7 @@ describeE2E("admin", () => {
test("throws CONFLICT for domain in another organization", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1793,7 +1800,7 @@ describeE2E("admin", () => {
// Verify login request was completed
const request = await db
.selectFrom("login_requests")
.where("id", "=", String(loginRequest.id))
.where("id", "=", loginRequest.id.toString())
.select(["completed_at"])
.executeTakeFirstOrThrow();
@@ -1825,7 +1832,7 @@ describeE2E("admin", () => {
const request = await db
.selectFrom("login_requests")
.where("id", "=", String(loginRequest.id))
.where("id", "=", loginRequest.id.toString())
.select(["completed_at"])
.executeTakeFirstOrThrow();

31
apps/api-server/src/__tests__/e2e/auth.test.ts
View File

@@ -41,12 +41,14 @@ import type { Kysely } from "kysely";
import type { APIContext } from "../../context.js";
import { beforeAll, describe, expect, test } from "bun:test";
import { call } from "@orpc/server";
import { createLoggingEmailClient } from "@reviq/emails";
import {
createTestUser,
describeE2E,
getSharedDb,
initTestDb,
TEST_RP,
uniqueTestId,
withTestTransaction,
} from "@reviq/test-helpers";
import { VirtualAuthenticator } from "@reviq/virtual-authenticator";
@@ -99,6 +101,11 @@ function createAPIContext(
rpName: TEST_RP.rpName,
reqHeaders,
resHeaders: new Headers(),
email: {
client: createLoggingEmailClient(),
fromAddress: "test@example.com",
baseUrl: TEST_RP.origin,
},
};
}
@@ -146,7 +153,7 @@ async function createSession(
userId: number,
options?: { deviceId?: bigint },
): Promise<{ token: string; sessionId: number }> {
const token = `test-session-${String(Date.now())}${String(Math.random())}`;
const token = `test-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
@@ -154,7 +161,7 @@ async function createSession(
.insertInto("sessions")
.values({
user_id: userId,
device_id: options?.deviceId ? String(options.deviceId) : null,
device_id: options?.deviceId ? options.deviceId.toString() : null,
token_hash: tokenHashValue,
trusted_mode: false,
expires_at: expiresAt,
@@ -178,7 +185,7 @@ async function createLoginRequest(
expiresAt?: Date;
},
): Promise<{ token: string; id: number }> {
const token = `login_test-${String(Date.now())}${String(Math.random())}`;
const token = `login_test-${uniqueTestId()}`;
const expiresAt =
options?.expiresAt ?? new Date(Date.now() + LOGIN_REQUEST_EXPIRY_MS);
@@ -228,7 +235,7 @@ async function createEmailVerification(
userId: number,
options?: { expiresAt?: Date },
): Promise<string> {
const token = `verify-${String(Date.now())}${String(Math.random())}`;
const token = `verify-${uniqueTestId()}`;
const expiresAt =
options?.expiresAt ?? new Date(Date.now() + 24 * 60 * 60 * 1000);
@@ -252,7 +259,7 @@ async function createPasswordReset(
userId: number,
options?: { expiresAt?: Date; usedAt?: Date | null },
): Promise<string> {
const token = `reset-${String(Date.now())}${String(Math.random())}`;
const token = `reset-${uniqueTestId()}`;
const expiresAt = options?.expiresAt ?? new Date(Date.now() + 60 * 60 * 1000);
await db
@@ -457,7 +464,7 @@ describeE2E("auth", () => {
const challenges = await db
.selectFrom("webauthn_challenges")
.selectAll()
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
expect(challenges.length).toBe(0);
});
@@ -483,7 +490,7 @@ describeE2E("auth", () => {
await db
.updateTable("webauthn_challenges")
.set({ created_at: new Date(Date.now() - 20 * 60 * 1000) }) // 20 minutes ago
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
// Step 4: Try to signup with expired challenge
@@ -540,7 +547,7 @@ describeE2E("auth", () => {
const challenges = await db
.selectFrom("webauthn_challenges")
.selectAll()
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
expect(challenges.length).toBe(0);
});
@@ -1072,7 +1079,7 @@ describeE2E("auth", () => {
const loginRequest = await db
.selectFrom("login_requests")
.selectAll()
.where("id", "=", String(loginRequestId))
.where("id", "=", loginRequestId.toString())
.executeTakeFirst();
expect(loginRequest).toBeUndefined();
@@ -1152,7 +1159,7 @@ describeE2E("auth", () => {
});
// Create login request without device fingerprint
const token = `login_test-${String(Date.now())}`;
const token = `login_test-${uniqueTestId()}`;
await db
.insertInto("login_requests")
.values({
@@ -1644,7 +1651,7 @@ describeE2E("auth", () => {
const session = await db
.selectFrom("sessions")
.select(["revoked_at"])
.where("id", "=", String(sessionId))
.where("id", "=", sessionId.toString())
.executeTakeFirst();
expect(session?.revoked_at).not.toBeNull();
@@ -1981,7 +1988,7 @@ describeE2E("auth", () => {
// Clean up registration session
await db
.deleteFrom("sessions")
.where("id", "=", String(regSessionId))
.where("id", "=", regSessionId.toString())
.execute();
// Step 1: Create login request

57
apps/api-server/src/__tests__/e2e/me.test.ts
View File

@@ -23,12 +23,14 @@ import type { Kysely } from "kysely";
import type { APIContext } from "../../context.js";
import { beforeAll, describe, expect, test } from "bun:test";
import { call } from "@orpc/server";
import { createLoggingEmailClient } from "@reviq/emails";
import {
createTestUser,
describeE2E,
getSharedDb,
initTestDb,
TEST_RP,
uniqueTestId,
withTestTransaction,
} from "@reviq/test-helpers";
import { router } from "../../router.js";
@@ -81,6 +83,11 @@ function createAPIContext(
rpName: TEST_RP.rpName,
reqHeaders,
resHeaders: new Headers(),
email: {
client: createLoggingEmailClient(),
fromAddress: "test@example.com",
baseUrl: TEST_RP.origin,
},
};
}
@@ -92,7 +99,7 @@ async function createSession(
userId: number,
options?: { ipAddress?: string; userAgent?: string },
): Promise<{ token: string; sessionId: number }> {
const token = `test-session-${String(Date.now())}${String(Math.random())}`;
const token = `test-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
@@ -125,9 +132,7 @@ async function createDevice(
userAgent?: string;
},
): Promise<{ fingerprint: string; deviceId: number }> {
const fingerprint =
options?.fingerprint ??
`test-fp-${String(Date.now())}${String(Math.random())}`;
const fingerprint = options?.fingerprint ?? `test-fp-${uniqueTestId()}`;
const result = await db
.insertInto("user_devices")
@@ -153,7 +158,7 @@ async function createApiToken(
db: Kysely<Database>,
userId: number,
): Promise<{ token: string; name: string }> {
const token = `test-api-token-${String(Date.now())}${String(Math.random())}`;
const token = `test-api-token-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + API_TOKEN_EXPIRY_MS);
@@ -224,7 +229,7 @@ describeE2E("me", () => {
const user = await createTestUser(db, { email: "expired@example.com" });
// Create an expired session
const token = `expired-session-${String(Date.now())}`;
const token = `expired-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
await db
.insertInto("sessions")
@@ -249,7 +254,7 @@ describeE2E("me", () => {
const user = await createTestUser(db, { email: "revoked@example.com" });
// Create a revoked session
const token = `revoked-session-${String(Date.now())}`;
const token = `revoked-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
await db
.insertInto("sessions")
@@ -925,7 +930,7 @@ describeE2E("me", () => {
country: "US",
trusted_mode: true,
})
.where("id", "=", String(sessionId))
.where("id", "=", sessionId.toString())
.execute();
const context = createAPIContext(db, { sessionToken });
@@ -968,7 +973,7 @@ describeE2E("me", () => {
const session = await db
.selectFrom("sessions")
.select(["revoked_at"])
.where("id", "=", String(sessionId2))
.where("id", "=", sessionId2.toString())
.executeTakeFirstOrThrow();
expect(session.revoked_at).not.toBeNull();
@@ -1021,7 +1026,7 @@ describeE2E("me", () => {
await db
.updateTable("sessions")
.set({ revoked_at: new Date() })
.where("id", "=", String(sessionId2))
.where("id", "=", sessionId2.toString())
.execute();
const context = createAPIContext(db, { sessionToken: sessionToken1 });
@@ -1080,7 +1085,7 @@ describeE2E("me", () => {
const currentSession = await db
.selectFrom("sessions")
.select(["revoked_at"])
.where("id", "=", String(id1))
.where("id", "=", id1.toString())
.executeTakeFirstOrThrow();
expect(currentSession.revoked_at).toBeNull();
@@ -1088,7 +1093,7 @@ describeE2E("me", () => {
const otherSessions = await db
.selectFrom("sessions")
.select(["id", "revoked_at"])
.where("id", "in", [String(id2), String(id3)])
.where("id", "in", [id2.toString(), id3.toString()])
.execute();
for (const session of otherSessions) {
@@ -1116,7 +1121,7 @@ describeE2E("me", () => {
const session = await db
.selectFrom("sessions")
.select(["revoked_at"])
.where("id", "=", String(sessionId))
.where("id", "=", sessionId.toString())
.executeTakeFirstOrThrow();
expect(session.revoked_at).toBeNull();
});
@@ -1147,7 +1152,7 @@ describeE2E("me", () => {
region: "NY",
country: "US",
})
.where("id", "=", String(deviceId))
.where("id", "=", deviceId.toString())
.execute();
const { token: sessionToken } = await createSession(db, user.id);
@@ -1256,7 +1261,7 @@ describeE2E("me", () => {
const device = await db
.selectFrom("user_devices")
.select(["is_trusted", "name"])
.where("id", "=", String(deviceId))
.where("id", "=", deviceId.toString())
.executeTakeFirstOrThrow();
expect(device.is_trusted).toBe(true);
@@ -1401,7 +1406,7 @@ describeE2E("me", () => {
const device = await db
.selectFrom("user_devices")
.select(["is_trusted"])
.where("id", "=", String(deviceId))
.where("id", "=", deviceId.toString())
.executeTakeFirstOrThrow();
expect(device.is_trusted).toBe(false);
@@ -1501,7 +1506,7 @@ async function createTrustedSession(
db: Kysely<Database>,
userId: number,
): Promise<{ token: string; sessionId: number }> {
const token = `test-session-${String(Date.now())}${String(Math.random())}`;
const token = `test-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
@@ -1568,7 +1573,7 @@ async function createOrgInvite(
expiresAt?: Date;
},
): Promise<{ id: number }> {
const token = `invite-token-${String(Date.now())}-${Math.random().toString(36).slice(2)}`;
const token = `invite-token-${uniqueTestId()}-${Math.random().toString(36).slice(2)}`;
const result = await db
.insertInto("org_invites")
.values({
@@ -1693,7 +1698,7 @@ describeE2E("me.apiTokens and me.invites", () => {
});
expect(tokens).toHaveLength(1);
expect(tokens[0].name).toBe("User1 Token");
expect(tokens[0]?.name).toBe("User1 Token");
});
});
});
@@ -1727,7 +1732,7 @@ describeE2E("me.apiTokens and me.invites", () => {
.execute();
expect(tokens).toHaveLength(1);
expect(tokens[0].name).toBe("My New Token");
expect(tokens[0]?.name).toBe("My New Token");
});
});
@@ -1937,10 +1942,10 @@ describeE2E("me.apiTokens and me.invites", () => {
});
expect(invites).toHaveLength(1);
expect(invites[0].org.slug).toBe("invite-org");
expect(invites[0].org.displayName).toBe("Invite Org");
expect(invites[0].role).toBe("admin");
expect(invites[0].invitedBy).toBe("Inviter Person");
expect(invites[0]?.org.slug).toBe("invite-org");
expect(invites[0]?.org.displayName).toBe("Invite Org");
expect(invites[0]?.role).toBe("admin");
expect(invites[0]?.invitedBy).toBe("Inviter Person");
});
});
@@ -2086,7 +2091,7 @@ describeE2E("me.apiTokens and me.invites", () => {
describe("me.invites.accept", () => {
test("accepts invite and adds user to org", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const inviter = await createTestUser(db, {
email: `inviter-accept-${uniqueId}@example.com`,
@@ -2188,7 +2193,7 @@ describeE2E("me.apiTokens and me.invites", () => {
test("returns error if already a member", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const inviter = await createTestUser(db, {
email: `inviter-already-${uniqueId}@example.com`,

67
apps/api-server/src/__tests__/e2e/orgs.test.ts
View File

@@ -14,12 +14,14 @@ import type { Kysely } from "kysely";
import type { APIContext } from "../../context.js";
import { beforeAll, describe, expect, test } from "bun:test";
import { call } from "@orpc/server";
import { createLoggingEmailClient } from "@reviq/emails";
import {
createTestUser,
describeE2E,
getSharedDb,
initTestDb,
TEST_RP,
uniqueTestId,
withTestTransaction,
} from "@reviq/test-helpers";
import { router } from "../../router.js";
@@ -57,6 +59,11 @@ function createAPIContext(
rpName: TEST_RP.rpName,
reqHeaders,
resHeaders: new Headers(),
email: {
client: createLoggingEmailClient(),
fromAddress: "test@example.com",
baseUrl: TEST_RP.origin,
},
};
}
@@ -68,7 +75,7 @@ async function createSession(
userId: number,
options?: { trustedMode?: boolean },
): Promise<{ token: string; sessionId: number }> {
const token = `test-session-${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const token = `test-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
@@ -166,9 +173,7 @@ async function createOrgInvite(
expiresAt?: Date;
},
): Promise<{ id: number; token: string }> {
const token =
options?.token ??
`invite-${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const token = options?.token ?? `invite-${uniqueTestId()}`;
const expiresAt =
options?.expiresAt ?? new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
@@ -319,7 +324,7 @@ describeE2E("orgs", () => {
describe("orgs.create", () => {
test("creates org and makes user owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const user = await createTestUser(db, {
email: `user-${uniqueId}@example.com`,
@@ -349,7 +354,7 @@ describeE2E("orgs", () => {
test("rejects duplicate slug", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const user = await createTestUser(db, {
email: `user-${uniqueId}@example.com`,
@@ -532,7 +537,7 @@ describeE2E("orgs", () => {
describe("orgs.delete", () => {
test("deletes org when user is owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const user = await createTestUser(db, {
email: `user-${uniqueId}@example.com`,
@@ -581,7 +586,7 @@ describeE2E("orgs", () => {
describe("orgs.leave", () => {
test("allows member to leave org", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -614,7 +619,7 @@ describeE2E("orgs", () => {
test("allows owner to leave when there are other owners", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner1 = await createTestUser(db, {
email: `owner1-${uniqueId}@example.com`,
@@ -647,7 +652,7 @@ describeE2E("orgs", () => {
test("prevents only owner from leaving", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -770,7 +775,7 @@ describeE2E("orgs", () => {
describe("orgs.members.updateRole", () => {
test("owner can promote member to admin", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -803,7 +808,7 @@ describeE2E("orgs", () => {
test("owner can promote member to owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -836,7 +841,7 @@ describeE2E("orgs", () => {
test("owner can demote owner to admin when multiple owners exist", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner1 = await createTestUser(db, {
email: `owner1-${uniqueId}@example.com`,
@@ -869,7 +874,7 @@ describeE2E("orgs", () => {
test("prevents demoting the only owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -916,7 +921,7 @@ describeE2E("orgs", () => {
test("rejects when target member not found", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -942,7 +947,7 @@ describeE2E("orgs", () => {
describe("orgs.members.remove", () => {
test("owner can remove member", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -975,7 +980,7 @@ describeE2E("orgs", () => {
test("owner can remove admin", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1008,7 +1013,7 @@ describeE2E("orgs", () => {
test("owner can remove other owner when multiple owners exist", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner1 = await createTestUser(db, {
email: `owner1-${uniqueId}@example.com`,
@@ -1041,7 +1046,7 @@ describeE2E("orgs", () => {
test("prevents removing the only owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1065,7 +1070,7 @@ describeE2E("orgs", () => {
test("admin can remove member", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1102,7 +1107,7 @@ describeE2E("orgs", () => {
test("admin cannot remove owner", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1130,7 +1135,7 @@ describeE2E("orgs", () => {
test("admin cannot remove other admin", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1162,7 +1167,7 @@ describeE2E("orgs", () => {
test("member cannot remove anyone", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1192,7 +1197,7 @@ describeE2E("orgs", () => {
test("rejects when target member not found", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1297,7 +1302,7 @@ describeE2E("orgs", () => {
describe("orgs.invites.create", () => {
test("admin can create member invite", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1331,7 +1336,7 @@ describeE2E("orgs", () => {
test("admin can create admin invite", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const admin = await createTestUser(db, {
email: `admin-${uniqueId}@example.com`,
@@ -1385,7 +1390,7 @@ describeE2E("orgs", () => {
test("owner can create owner invite", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1571,7 +1576,7 @@ describeE2E("orgs", () => {
describe("orgs.invites.accept", () => {
test("accepts invite and adds user to org", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,
@@ -1669,9 +1674,7 @@ describeE2E("orgs", () => {
test("rejects when email doesn't match", async () => {
await withTestTransaction(getSharedDb(), async (db) => {
const owner = await createTestUser(db, { email: "owner@example.com" });
const _invitee = await createTestUser(db, {
email: "invitee@example.com",
});
await createTestUser(db, { email: "invitee@example.com" });
const wrongUser = await createTestUser(db, {
email: "wrong@example.com",
});
@@ -1701,7 +1704,7 @@ describeE2E("orgs", () => {
test("handles already a member gracefully", async () => {
const db = getSharedDb();
const uniqueId = `${String(Date.now())}-${Math.random().toString(36).slice(2, 8)}`;
const uniqueId = uniqueTestId();
const owner = await createTestUser(db, {
email: `owner-${uniqueId}@example.com`,

22
apps/api-server/src/__tests__/e2e/webauthn.test.ts
View File

@@ -12,6 +12,7 @@ import type { Kysely } from "kysely";
import type { APIContext } from "../../context.js";
import { afterAll, beforeAll, describe, expect, test } from "bun:test";
import { call } from "@orpc/server";
import { createLoggingEmailClient } from "@reviq/emails";
import {
createTestUser,
describeE2E,
@@ -20,6 +21,7 @@ import {
initTestDb,
KNOWN_AAGUIDS,
TEST_RP,
uniqueTestId,
withTestTransaction,
} from "@reviq/test-helpers";
import { VirtualAuthenticator } from "@reviq/virtual-authenticator";
@@ -50,6 +52,11 @@ function createAPIContext(
rpName: TEST_RP.rpName,
reqHeaders,
resHeaders: new Headers(),
email: {
client: createLoggingEmailClient(),
fromAddress: "test@example.com",
baseUrl: TEST_RP.origin,
},
};
}
@@ -60,7 +67,7 @@ async function createSession(
db: Kysely<Database>,
userId: number,
): Promise<string> {
const token = `test-session-${String(Date.now())}${String(Math.random())}`;
const token = `test-session-${uniqueTestId()}`;
const tokenHashValue = await hashToken(token);
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
@@ -87,7 +94,7 @@ async function createLoginRequest(
userId: number,
email: string,
): Promise<{ id: number; token: string }> {
const token = `test-login-${String(Date.now())}${String(Math.random())}`;
const token = `test-login-${uniqueTestId()}`;
const expiresAt = new Date(Date.now() + 10 * 60 * 1000); // 10 minutes
const result = await db
@@ -132,6 +139,11 @@ function createLoginRequestContext(
rpName: TEST_RP.rpName,
reqHeaders,
resHeaders: new Headers(),
email: {
client: createLoggingEmailClient(),
fromAddress: "test@example.com",
baseUrl: TEST_RP.origin,
},
};
}
@@ -236,7 +248,7 @@ describeE2E("webauthn", () => {
const challengeRow = await db
.selectFrom("webauthn_challenges")
.select("id")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.executeTakeFirst();
expect(challengeRow).toBeDefined();
@@ -382,7 +394,7 @@ describeE2E("webauthn", () => {
const challengeRow = await db
.selectFrom("webauthn_challenges")
.select("id")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.executeTakeFirst();
expect(challengeRow).toBeUndefined();
@@ -585,7 +597,7 @@ describeE2E("webauthn", () => {
const challengeRow = await db
.selectFrom("webauthn_challenges")
.select("id")
.where("id", "=", String(authChallengeId))
.where("id", "=", authChallengeId.toString())
.executeTakeFirst();
expect(challengeRow).toBeUndefined();

7
apps/api-server/src/constants.ts
View File

@@ -22,7 +22,7 @@ export const getAllowedOrigins = (): string[] => {
// Default to localhost origins for development
return [
`http://localhost:${String(DEFAULT_PORT)}`,
`http://localhost:${DEFAULT_PORT.toString()}`,
"http://localhost:6827",
"http://localhost:6828",
];
@@ -36,10 +36,7 @@ export const EMAIL_FROM = Bun.env.EMAIL_FROM ?? "noreply@reviq.io";
/** Base URL for generating email links */
export const BASE_URL = Bun.env.BASE_URL ?? "http://localhost:6827";
/** Dev mode: log emails instead of sending (default: true) */
export const EMAIL_DEV_MODE = Bun.env.EMAIL_DEV_MODE !== "false";
/** Postmark API key (required when EMAIL_DEV_MODE is false) */
/** Postmark API key (optional - uses logging client if not set) */
export const POSTMARK_API_KEY = Bun.env.POSTMARK_API_KEY;
// ===== Token Expiration Times =====

43
apps/api-server/src/context.ts
View File

@@ -3,8 +3,18 @@
*/
import type { Database } from "@reviq/db-schema";
import type { EmailClient } from "@reviq/emails";
import type { Kysely } from "kysely";
/**
* Email configuration for the API
*/
export interface EmailConfig {
client: EmailClient;
fromAddress: string;
baseUrl: string;
}
/**
* Base API context available to all handlers
*/
@@ -23,6 +33,8 @@ export interface APIContext {
resHeaders: Headers;
/** Client IP address from direct connection (fallback when no proxy headers) */
clientIP?: string | null;
/** Email client and configuration */
email: EmailConfig;
}
/**
@@ -103,3 +115,34 @@ export interface SuperuserContext extends AuthenticatedContext {
/** User with superuser privileges */
user: SessionUser & { isSuperuser: true };
}
/**
* Organization info in context
*/
export interface OrgInfo {
id: number;
slug: string;
displayName: string;
logoUrl: string | null;
createdAt: Date;
}
/**
* User's membership in an org
*/
export interface OrgMembership {
id: number;
role: "owner" | "admin" | "member";
createdAt: Date;
}
/**
* Org member context for org-scoped procedures
* Requires user to be a member of the org
*/
export interface OrgMemberContext extends AuthenticatedContext {
/** The organization */
org: OrgInfo;
/** User's membership in the org */
membership: OrgMembership;
}

21
apps/api-server/src/index.ts
View File

@@ -2,11 +2,15 @@ import type { APIContext } from "./context.js";
import { LoggingHandlerPlugin } from "@orpc/experimental-pino";
import { RPCHandler } from "@orpc/server/fetch";
import { createDb } from "@reviq/db";
import { createLoggingEmailClient, createPostmarkClient } from "@reviq/emails";
import pino from "pino";
import {
BASE_URL,
DEFAULT_PORT,
DEFAULT_RP_NAME,
EMAIL_FROM,
getAllowedOrigins,
POSTMARK_API_KEY,
} from "./constants.js";
import { router } from "./router.js";
@@ -24,6 +28,16 @@ if (!databaseUrl) {
throw new Error("DATABASE_URL environment variable is required");
}
const db = createDb(databaseUrl);
// Create email client - use Postmark if API key is set, otherwise log to console
const emailClient = POSTMARK_API_KEY
? createPostmarkClient(POSTMARK_API_KEY)
: createLoggingEmailClient();
if (!POSTMARK_API_KEY) {
logger.info("POSTMARK_API_KEY not set - emails will be logged to console");
}
const handler = new RPCHandler(router, {
plugins: [
new LoggingHandlerPlugin({
@@ -45,7 +59,7 @@ Bun.serve({
if (url.pathname.startsWith("/api/v1/rpc")) {
// Build context for the request
const origin =
request.headers.get("origin") ?? `http://localhost:${String(port)}`;
request.headers.get("origin") ?? `http://localhost:${port.toString()}`;
// Create response headers for setting cookies
const resHeaders = new Headers();
@@ -62,6 +76,11 @@ Bun.serve({
reqHeaders: request.headers,
resHeaders,
clientIP,
email: {
client: emailClient,
fromAddress: EMAIL_FROM,
baseUrl: BASE_URL,
},
};
const { response } = await handler.handle(request, {

181
apps/api-server/src/middleware/auth.ts
View File

@@ -1,181 +0,0 @@
/**
* Authentication middleware for oRPC server
*
* Handles authentication via:
* - Session cookie (rev.session_token) - for browser clients
* - API key header (x-api-key) - for CLI and programmatic access
*/
import type {
APIContext,
AuthenticatedContext,
AuthInfo,
Session,
SessionUser,
} from "../context.js";
import { ORPCError } from "@orpc/server";
import { COOKIE_NAMES, getCookie } from "../utils/cookies.js";
import { hashToken } from "../utils/crypto.js";
/**
* Create the auth middleware function
* This returns a middleware handler that can be used with oRPC procedures
*/
export const createAuthMiddleware = () => {
return async ({
context,
next,
}: {
context: APIContext;
next: (opts: {
context: Omit<AuthenticatedContext, keyof APIContext>;
}) => Promise<unknown>;
}) => {
const { db, reqHeaders } = context;
// Try session cookie first
let tokenHash: string | undefined;
const sessionToken = getCookie(reqHeaders, COOKIE_NAMES.SESSION_TOKEN);
if (sessionToken) {
tokenHash = await hashToken(sessionToken);
}
// Fall back to API key header (for CLI)
const apiKey = reqHeaders.get("x-api-key");
if (!tokenHash && apiKey) {
tokenHash = await hashToken(apiKey);
}
if (!tokenHash) {
throw new ORPCError("UNAUTHORIZED", { message: "No session or API key" });
}
// Look up session (check not expired and not revoked)
const session = await db
.selectFrom("sessions")
.where("token_hash", "=", tokenHash)
.where("expires_at", ">", new Date())
.where("revoked_at", "is", null)
.selectAll()
.executeTakeFirst();
// Fall back to API token if no session found
const apiToken = !session
? await db
.selectFrom("api_tokens")
.where("token_hash", "=", tokenHash)
.where("expires_at", ">", new Date())
.selectAll()
.executeTakeFirst()
: undefined;
const userId = session?.user_id ?? apiToken?.user_id;
if (!userId) {
throw new ORPCError("UNAUTHORIZED", {
message: "Invalid or expired token",
});
}
// Update last_used_at for API tokens
if (apiToken) {
await db
.updateTable("api_tokens")
.set({ last_used_at: new Date() })
.where("id", "=", apiToken.id)
.execute();
}
// Fetch user details
const user = await db
.selectFrom("users")
.where("id", "=", userId)
.select([
"id",
"email",
"display_name",
"email_verified_at",
"is_superuser",
])
.executeTakeFirst();
if (!user) {
throw new ORPCError("UNAUTHORIZED", {
message: "User not found",
});
}
const sessionUser: SessionUser = {
id: user.id,
email: user.email,
displayName: user.display_name,
emailVerifiedAt: user.email_verified_at,
isSuperuser: user.is_superuser,
};
// Build session and auth info based on authentication method
let sessionInfo: Session;
let authInfo: AuthInfo;
if (session) {
sessionInfo = {
id: session.id,
trustedMode: session.trusted_mode,
createdAt: session.created_at,
};
authInfo = {
method: "session",
sessionId: session.id,
expiresAt: session.expires_at,
createdAt: session.created_at,
};
} else if (apiToken) {
sessionInfo = {
// For API token auth, create a synthetic session object
id: "0",
trustedMode: true,
createdAt: apiToken.created_at,
};
authInfo = {
method: "api_token",
tokenId: apiToken.id,
tokenName: apiToken.name,
expiresAt: apiToken.expires_at,
lastUsedAt: apiToken.last_used_at,
createdAt: apiToken.created_at,
};
} else {
// This should never happen since we checked userId above
throw new ORPCError("UNAUTHORIZED", {
message: "Invalid authentication state",
});
}
return next({
context: {
user: sessionUser,
session: sessionInfo,
auth: authInfo,
},
});
};
};
/**
* Middleware to require superuser access
*/
export const createSuperuserMiddleware = () => {
return async ({
context,
next,
}: {
context: AuthenticatedContext;
next: () => Promise<unknown>;
}) => {
if (!context.user.isSuperuser) {
throw new ORPCError("FORBIDDEN", {
message: "Superuser access required",
});
}
return next();
};
};

138
apps/api-server/src/middlewares/auth.ts Normal file
View File

@@ -0,0 +1,138 @@
/**
* Auth middleware - validates session/API token and adds user to context
*/
import type { AuthInfo, Session, SessionUser } from "../context.js";
import { ORPCError } from "@orpc/server";
import { COOKIE_NAMES, getCookie } from "../utils/cookies.js";
import { hashToken } from "../utils/crypto.js";
import { os } from "./os.js";
export const authMiddleware = os.middleware(async ({ context, next }) => {
const { db, reqHeaders } = context;
// Try session cookie first
let tokenHash: string | undefined;
const sessionToken = getCookie(reqHeaders, COOKIE_NAMES.SESSION_TOKEN);
if (sessionToken) {
tokenHash = await hashToken(sessionToken);
}
// Fall back to API key header (for CLI)
const apiKey = reqHeaders.get("x-api-key");
if (!tokenHash && apiKey) {
tokenHash = await hashToken(apiKey);
}
if (!tokenHash) {
throw new ORPCError("UNAUTHORIZED", { message: "No session or API key" });
}
// Look up session (check not expired and not revoked)
const session = await db
.selectFrom("sessions")
.where("token_hash", "=", tokenHash)
.where("expires_at", ">", new Date())
.where("revoked_at", "is", null)
.selectAll()
.executeTakeFirst();
// Fall back to API token if no session found
const apiToken = !session
? await db
.selectFrom("api_tokens")
.where("token_hash", "=", tokenHash)
.where("expires_at", ">", new Date())
.selectAll()
.executeTakeFirst()
: undefined;
const userId = session?.user_id ?? apiToken?.user_id;
if (!userId) {
throw new ORPCError("UNAUTHORIZED", {
message: "Invalid or expired token",
});
}
// Update last_used_at for API tokens
if (apiToken) {
await db
.updateTable("api_tokens")
.set({ last_used_at: new Date() })
.where("id", "=", apiToken.id)
.execute();
}
// Fetch user details
const user = await db
.selectFrom("users")
.where("id", "=", userId)
.select([
"id",
"email",
"display_name",
"email_verified_at",
"is_superuser",
])
.executeTakeFirst();
if (!user) {
throw new ORPCError("UNAUTHORIZED", {
message: "User not found",
});
}
const sessionUser: SessionUser = {
id: user.id,
email: user.email,
displayName: user.display_name,
emailVerifiedAt: user.email_verified_at,
isSuperuser: user.is_superuser,
};
// Build session and auth info based on authentication method
let sessionInfo: Session;
let authInfo: AuthInfo;
if (session) {
sessionInfo = {
id: session.id,
trustedMode: session.trusted_mode,
createdAt: session.created_at,
};
authInfo = {
method: "session",
sessionId: session.id,
expiresAt: session.expires_at,
createdAt: session.created_at,
};
} else if (apiToken) {
sessionInfo = {
// For API token auth, create a synthetic session object
id: "0",
trustedMode: true,
createdAt: apiToken.created_at,
};
authInfo = {
method: "api_token",
tokenId: apiToken.id,
tokenName: apiToken.name,
expiresAt: apiToken.expires_at,
lastUsedAt: apiToken.last_used_at,
createdAt: apiToken.created_at,
};
} else {
// This should never happen since we checked userId above
throw new ORPCError("UNAUTHORIZED", {
message: "Invalid authentication state",
});
}
return next({
context: {
user: sessionUser,
session: sessionInfo,
auth: authInfo,
},
});
});

8
apps/api-server/src/middlewares/index.ts Normal file
View File

@@ -0,0 +1,8 @@
/**
* Middleware exports
*/
export { authMiddleware } from "./auth.js";
export { loginRequestMiddleware } from "./login-request.js";
export { os } from "./os.js";
export { superuserMiddleware } from "./superuser.js";

64
apps/api-server/src/middlewares/login-request.ts Normal file
View File

@@ -0,0 +1,64 @@
/**
* Login request middleware - validates login request token from cookie
*/
import type { SessionUser } from "../context.js";
import { ORPCError } from "@orpc/server";
import { COOKIE_NAMES, getCookie } from "../utils/cookies.js";
import { os } from "./os.js";
export const loginRequestMiddleware = os.middleware(
async ({ context, next }) => {
const { db, reqHeaders } = context;
// Read login request token from cookie
const loginRequestToken = getCookie(
reqHeaders,
COOKIE_NAMES.LOGIN_REQUEST_TOKEN,
);
if (!loginRequestToken) {
throw new ORPCError("BAD_REQUEST", {
message: "No login request found",
});
}
// Fetch login request with user data by token
const result = await db
.selectFrom("login_requests")
.innerJoin("users", "users.id", "login_requests.user_id")
.select([
"login_requests.id",
"login_requests.user_id",
"login_requests.expires_at",
"users.email",
"users.display_name",
"users.email_verified_at",
"users.is_superuser",
])
.where("login_requests.token", "=", loginRequestToken)
.where("login_requests.expires_at", ">", new Date())
.executeTakeFirst();
if (!result) {
throw new ORPCError("BAD_REQUEST", {
message: "Login request expired or not found",
});
}
const sessionUser: SessionUser = {
id: result.user_id,
email: result.email,
displayName: result.display_name,
emailVerifiedAt: result.email_verified_at,
isSuperuser: result.is_superuser,
};
return next({
context: {
loginRequestId: Number(result.id),
user: sessionUser,
},
});
},
);

10
apps/api-server/src/middlewares/os.ts Normal file
View File

@@ -0,0 +1,10 @@
/**
* Base implementer with typed APIContext
* All procedures and middlewares should derive from this
*/
import type { APIContext } from "../context.js";
import { implement } from "@orpc/server";
import { contract } from "@reviq/api-contract";
export const os = implement(contract).$context<APIContext>();

19
apps/api-server/src/middlewares/superuser.ts Normal file
View File

@@ -0,0 +1,19 @@
/**
* Superuser middleware - authenticates and requires superuser access
*
* This middleware chains authMiddleware first, then checks for superuser.
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware } from "./auth.js";
export const superuserMiddleware = authMiddleware.concat(
async ({ context, next }) => {
if (!context.user.isSuperuser) {
throw new ORPCError("FORBIDDEN", {
message: "Superuser access required",
});
}
return next();
},
);

12
apps/api-server/src/procedures/admin/auth/complete-login.ts
View File

@@ -3,12 +3,11 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
export const adminAuthCompleteLogin = os.admin.auth.completeLogin
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminAuthCompleteLogin =
superuserProcedure.admin.auth.completeLogin.handler(
async ({ input, context }) => {
const email = input.email.toLowerCase();
// First check if any login request exists for this email
@@ -48,4 +47,5 @@ export const adminAuthCompleteLogin = os.admin.auth.completeLogin
.execute();
return { success: true };
});
},
);

11
apps/api-server/src/procedures/admin/orgs/create.ts
View File

@@ -3,12 +3,10 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
export const adminOrgsCreate = os.admin.orgs.create
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminOrgsCreate = superuserProcedure.admin.orgs.create.handler(
async ({ input, context }) => {
const { slug, displayName, ownerEmail } = input;
// Find owner user by email (outside transaction - read-only)
@@ -55,4 +53,5 @@ export const adminOrgsCreate = os.admin.orgs.create
});
return { slug };
});
},
);

11
apps/api-server/src/procedures/admin/orgs/delete.ts
View File

@@ -3,12 +3,10 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
export const adminOrgsDelete = os.admin.orgs.delete
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminOrgsDelete = superuserProcedure.admin.orgs.delete.handler(
async ({ input, context }) => {
const { slug } = input;
// Delete org and related records in transaction
@@ -35,4 +33,5 @@ export const adminOrgsDelete = os.admin.orgs.delete
});
return { success: true };
});
},
);

11
apps/api-server/src/procedures/admin/orgs/get.ts
View File

@@ -3,13 +3,11 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
import { toOrgResponse } from "../helpers.js";
export const adminOrgsGet = os.admin.orgs.get
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminOrgsGet = superuserProcedure.admin.orgs.get.handler(
async ({ input, context }) => {
const org = await context.db
.selectFrom("orgs")
.where("slug", "=", input.slug)
@@ -19,4 +17,5 @@ export const adminOrgsGet = os.admin.orgs.get
throw new ORPCError("NOT_FOUND", { message: "Organization not found" });
}
return toOrgResponse(org);
});
},
);

11
apps/api-server/src/procedures/admin/orgs/list.ts
View File

@@ -2,13 +2,12 @@
* admin.orgs.list - List all organizations
*/
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
import { toOrgResponse } from "../helpers.js";
export const adminOrgsList = os.admin.orgs.list
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ context }) => {
export const adminOrgsList = superuserProcedure.admin.orgs.list.handler(
async ({ context }) => {
const orgs = await context.db.selectFrom("orgs").selectAll().execute();
return orgs.map(toOrgResponse);
});
},
);

31
apps/api-server/src/procedures/admin/orgs/sites.ts
View File

@@ -4,13 +4,12 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
import { toSiteResponse } from "../helpers.js";
export const adminOrgsListSites = os.admin.orgs.listSites
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminOrgsListSites =
superuserProcedure.admin.orgs.listSites.handler(
async ({ input, context }) => {
const { slug } = input;
const org = await context.db
@@ -29,12 +28,11 @@ export const adminOrgsListSites = os.admin.orgs.listSites
.execute();
return sites.map(toSiteResponse);
});
},
);
export const adminOrgsAddSite = os.admin.orgs.addSite
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminOrgsAddSite = superuserProcedure.admin.orgs.addSite.handler(
async ({ input, context }) => {
const { slug, domain } = input;
// Use transaction to prevent race condition on site creation
@@ -70,12 +68,12 @@ export const adminOrgsAddSite = os.admin.orgs.addSite
});
return { success: true };
});
},
);
export const adminOrgsRemoveSite = os.admin.orgs.removeSite
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminOrgsRemoveSite =
superuserProcedure.admin.orgs.removeSite.handler(
async ({ input, context }) => {
const { slug, domain } = input;
const org = await context.db
@@ -98,4 +96,5 @@ export const adminOrgsRemoveSite = os.admin.orgs.removeSite
}
return { success: true };
});
},
);

11
apps/api-server/src/procedures/admin/orgs/update.ts
View File

@@ -3,12 +3,10 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
export const adminOrgsUpdate = os.admin.orgs.update
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminOrgsUpdate = superuserProcedure.admin.orgs.update.handler(
async ({ input, context }) => {
const { slug, displayName, logoUrl } = input;
// Check if there are actual updates to make
@@ -49,4 +47,5 @@ export const adminOrgsUpdate = os.admin.orgs.update
}
return { success: true };
});
},
);

12
apps/api-server/src/procedures/admin/users/confirm-email.ts
View File

@@ -3,12 +3,11 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
export const adminUsersConfirmEmail = os.admin.users.confirmEmail
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminUsersConfirmEmail =
superuserProcedure.admin.users.confirmEmail.handler(
async ({ input, context }) => {
const result = await context.db
.updateTable("users")
.set({
@@ -23,4 +22,5 @@ export const adminUsersConfirmEmail = os.admin.users.confirmEmail
}
return { success: true };
});
},
);

11
apps/api-server/src/procedures/admin/users/create.ts
View File

@@ -3,12 +3,10 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
export const adminUsersCreate = os.admin.users.create
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminUsersCreate = superuserProcedure.admin.users.create.handler(
async ({ input, context }) => {
const { email, name, orgSlug, orgRole } = input;
const normalizedEmail = email.toLowerCase();
@@ -62,4 +60,5 @@ export const adminUsersCreate = os.admin.users.create
});
return { success: true };
});
},
);

11
apps/api-server/src/procedures/admin/users/get.ts
View File

@@ -3,13 +3,11 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
import { toUserResponse } from "../helpers.js";
export const adminUsersGet = os.admin.users.get
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminUsersGet = superuserProcedure.admin.users.get.handler(
async ({ input, context }) => {
const user = await context.db
.selectFrom("users")
.where("email", "=", input.email.toLowerCase())
@@ -19,4 +17,5 @@ export const adminUsersGet = os.admin.users.get
throw new ORPCError("NOT_FOUND", { message: "User not found" });
}
return toUserResponse(user);
});
},
);

11
apps/api-server/src/procedures/admin/users/list.ts
View File

@@ -2,13 +2,12 @@
* admin.users.list - List all users
*/
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
import { toUserResponse } from "../helpers.js";
export const adminUsersList = os.admin.users.list
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ context }) => {
export const adminUsersList = superuserProcedure.admin.users.list.handler(
async ({ context }) => {
const users = await context.db.selectFrom("users").selectAll().execute();
return users.map(toUserResponse);
});
},
);

11
apps/api-server/src/procedures/admin/users/update.ts
View File

@@ -3,12 +3,10 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os, superuserMiddleware } from "../../base.js";
import { superuserProcedure } from "../../base.js";
export const adminUsersUpdate = os.admin.users.update
.use(authMiddleware)
.use(superuserMiddleware)
.handler(async ({ input, context }) => {
export const adminUsersUpdate = superuserProcedure.admin.users.update.handler(
async ({ input, context }) => {
const { email, isSuperuser } = input;
const normalizedEmail = email.toLowerCase();
@@ -47,4 +45,5 @@ export const adminUsersUpdate = os.admin.users.update
}
return { success: true };
});
},
);

31
apps/api-server/src/procedures/auth/forgot-password.ts
View File

@@ -6,12 +6,13 @@
* This prevents attackers from determining which emails are registered
*/
import { withTransaction } from "@reviq/db";
import { sendPasswordResetEmail } from "@reviq/emails";
import { TOKEN_DURATIONS } from "../../utils/cookies.js";
import {
generateExpiry,
generateSecureBase58Token,
} from "../../utils/crypto.js";
import { sendPasswordResetEmail } from "../../utils/email.js";
import { os } from "../base.js";
export const forgotPassword = os.auth.forgotPassword.handler(
@@ -30,19 +31,21 @@ export const forgotPassword = os.auth.forgotPassword.handler(
// If user exists, create password reset token and send email
if (user) {
// Delete any existing password reset tokens for this user (security measure)
await context.db
.deleteFrom("password_resets")
.where("user_id", "=", user.id)
.execute();
// Generate secure base58 token
const token = generateSecureBase58Token();
// Create password reset record with 1 hour expiry
const expiresAt = generateExpiry(TOKEN_DURATIONS.PASSWORD_RESET);
await context.db
// Delete old tokens and insert new one in transaction
await withTransaction(context.db, async (trx) => {
// Delete any existing password reset tokens for this user (security measure)
await trx
.deleteFrom("password_resets")
.where("user_id", "=", user.id)
.execute();
await trx
.insertInto("password_resets")
.values({
user_id: user.id,
@@ -50,9 +53,17 @@ export const forgotPassword = os.auth.forgotPassword.handler(
expires_at: expiresAt,
})
.execute();
});
// Send password reset email (stubbed)
await sendPasswordResetEmail(user.email, token);
// Send password reset email
await sendPasswordResetEmail({
client: context.email.client,
fromAddress: context.email.fromAddress,
baseUrl: context.email.baseUrl,
email: user.email,
token,
expiryHours: 1,
});
}
// Always return success (anti-enumeration)

21
apps/api-server/src/procedures/auth/login-if-completed.ts
View File

@@ -16,6 +16,7 @@
* e. Return { status: 'completed', redirectTo: '/dashboard' or '/auth/trust-device' }
*/
import { withTransaction } from "@reviq/db";
import {
COOKIE_NAMES,
COOKIE_OPTIONS,
@@ -89,9 +90,13 @@ export const loginIfRequestIsCompleted =
const geo = getGeoInfo(context.reqHeaders, context.clientIP);
const userAgent = getUserAgent(context.reqHeaders);
// Create session in transaction (atomic: device upsert + session + login_request delete)
const { session, deviceTrusted } = await withTransaction(
context.db,
async (trx) => {
// Upsert user device
const deviceId = await upsertUserDevice(
context.db,
trx,
userId,
deviceFingerprint,
geo,
@@ -99,14 +104,10 @@ export const loginIfRequestIsCompleted =
);
// Check if device is already trusted
const deviceTrusted = await isDeviceTrusted(
context.db,
userId,
deviceFingerprint,
);
const trusted = await isDeviceTrusted(trx, userId, deviceFingerprint);
// Create session with trusted mode = true (email-confirmed login)
const session = await createSession(context.db, {
const newSession = await createSession(trx, {
userId,
deviceId,
trustedMode: true,
@@ -115,11 +116,15 @@ export const loginIfRequestIsCompleted =
});
// Delete the login request (it's been consumed)
await context.db
await trx
.deleteFrom("login_requests")
.where("id", "=", loginRequest.id)
.execute();
return { session: newSession, deviceTrusted: trusted };
},
);
// Set session cookie
setCookie(
context.resHeaders,

11
apps/api-server/src/procedures/auth/login-password.ts
View File

@@ -4,8 +4,8 @@
*/
import { ORPCError } from "@orpc/server";
import { sendLoginConfirmationEmail } from "@reviq/emails";
import { COOKIE_NAMES, getCookie } from "../../utils/cookies.js";
import { sendLoginConfirmationEmail } from "../../utils/email.js";
import { verifyPassword } from "../../utils/password.js";
import { isDeviceTrusted } from "../../utils/session.js";
import { os } from "../base.js";
@@ -108,7 +108,14 @@ export const loginPassword = os.auth.loginPassword.handler(
} else {
// Device is untrusted - send confirmation email with existing token
// The same base58 token is used for both cookie lookup and email confirmation
await sendLoginConfirmationEmail(result.email, result.token);
await sendLoginConfirmationEmail({
client: context.email.client,
fromAddress: context.email.fromAddress,
baseUrl: context.email.baseUrl,
email: result.email,
token: result.token,
expiryMinutes: 15,
});
}
return { success: true };

10
apps/api-server/src/procedures/auth/logout.ts
View File

@@ -3,7 +3,7 @@
*/
import { COOKIE_NAMES, deleteCookie } from "../../utils/cookies.js";
import { authMiddleware, os } from "../base.js";
import { authedProcedure } from "../base.js";
/**
* Logout handler
@@ -11,9 +11,8 @@ import { authMiddleware, os } from "../base.js";
* - Revokes the current session by setting revoked_at to now()
* - Clears the session cookie from the response
*/
export const logout = os.auth.logout
.use(authMiddleware)
.handler(async ({ context }) => {
export const logout = authedProcedure.auth.logout.handler(
async ({ context }) => {
// Revoke the current session
await context.db
.updateTable("sessions")
@@ -25,4 +24,5 @@ export const logout = os.auth.logout
deleteCookie(context.resHeaders, COOKIE_NAMES.SESSION_TOKEN);
return { success: true };
});
},
);

20
apps/api-server/src/procedures/auth/resend-verification.ts
View File

@@ -10,17 +10,16 @@
* 5. Send verification email (stubbed)
*/
import { sendVerificationEmail } from "@reviq/emails";
import { TOKEN_DURATIONS } from "../../utils/cookies.js";
import {
generateExpiry,
generateSecureBase58Token,
} from "../../utils/crypto.js";
import { sendVerificationEmail } from "../../utils/email.js";
import { authMiddleware, os } from "../base.js";
import { authedProcedure } from "../base.js";
export const resendVerificationEmail = os.auth.resendVerificationEmail
.use(authMiddleware)
.handler(async ({ context }) => {
export const resendVerificationEmail =
authedProcedure.auth.resendVerificationEmail.handler(async ({ context }) => {
// Check if email is already verified
if (context.user.emailVerifiedAt !== null) {
// Email already verified, return early
@@ -47,8 +46,15 @@ export const resendVerificationEmail = os.auth.resendVerificationEmail
})
.execute();
// Send verification email (stubbed)
await sendVerificationEmail(context.user.email, token);
// Send verification email
await sendVerificationEmail({
client: context.email.client,
fromAddress: context.email.fromAddress,
baseUrl: context.email.baseUrl,
email: context.user.email,
token,
expiryHours: 24,
});
return { success: true };
});

59
apps/api-server/src/procedures/auth/signup.ts
View File

@@ -10,6 +10,8 @@ import type {
import type { Kysely } from "kysely";
import type { RPInfo } from "../../utils/webauthn.js";
import { ORPCError } from "@orpc/server";
import { withTransaction } from "@reviq/db";
import { sendVerificationEmail } from "@reviq/emails";
import { verifyRegistrationResponse } from "@simplewebauthn/server";
import {
COOKIE_NAMES,
@@ -21,7 +23,6 @@ import {
generateExpiry,
generateSecureBase58Token,
} from "../../utils/crypto.js";
import { sendVerificationEmail } from "../../utils/email.js";
import { getGeoInfo, getUserAgent } from "../../utils/geo.js";
import { hashPassword, validatePassword } from "../../utils/password.js";
import { createSession } from "../../utils/session.js";
@@ -108,7 +109,7 @@ export async function signupWithPasskey(
const challengeRow = await db
.selectFrom("webauthn_challenges")
.select("options")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.where("created_at", ">", fifteenMinutesAgo)
.executeTakeFirst();
@@ -134,7 +135,7 @@ export async function signupWithPasskey(
// Delete the challenge
await db
.deleteFrom("webauthn_challenges")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
// Log error for debugging but don't expose to client
@@ -149,7 +150,7 @@ export async function signupWithPasskey(
// Delete the challenge
await db
.deleteFrom("webauthn_challenges")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
throw new ORPCError("BAD_REQUEST", {
@@ -159,7 +160,7 @@ export async function signupWithPasskey(
// Create user and passkey in a transaction (handle race condition if concurrent signup)
try {
const result = await db.transaction().execute(async (trx) => {
const result = await withTransaction(db, async (trx) => {
// Create user
const user = await trx
.insertInto("users")
@@ -200,7 +201,7 @@ export async function signupWithPasskey(
// Delete the challenge
await trx
.deleteFrom("webauthn_challenges")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
return { userId: newUserId };
@@ -269,8 +270,16 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
});
}
// Generate verification token
const verificationToken = generateSecureBase58Token();
const verificationExpiresAt = generateExpiry(
TOKEN_DURATIONS.EMAIL_VERIFICATION,
);
// Create session and email verification in transaction
const session = await withTransaction(context.db, async (trx) => {
// Create session (7 days, trusted mode false initially, no device)
const session = await createSession(context.db, {
const newSession = await createSession(trx, {
userId,
deviceId: null,
trustedMode: false,
@@ -278,6 +287,19 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
userAgent,
});
// Store verification token (store raw token, not hash - it's already high-entropy)
await trx
.insertInto("email_verifications")
.values({
user_id: userId,
token: verificationToken,
expires_at: verificationExpiresAt,
})
.execute();
return newSession;
});
// Set session cookie
setCookie(
context.resHeaders,
@@ -286,22 +308,15 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
COOKIE_OPTIONS.session,
);
// Generate verification token
const verificationToken = generateSecureBase58Token();
const expiresAt = generateExpiry(TOKEN_DURATIONS.EMAIL_VERIFICATION);
// Store verification token (store raw token, not hash - it's already high-entropy)
await context.db
.insertInto("email_verifications")
.values({
user_id: userId,
// Send verification email
await sendVerificationEmail({
client: context.email.client,
fromAddress: context.email.fromAddress,
baseUrl: context.email.baseUrl,
email,
token: verificationToken,
expires_at: expiresAt,
})
.execute();
// Send verification email (stubbed)
await sendVerificationEmail(email, verificationToken);
expiryHours: 24,
});
return { success: true };
});

229
apps/api-server/src/procedures/base.ts
View File

@@ -8,227 +8,22 @@
import type {
APIContext,
AuthenticatedContext,
AuthInfo,
LoginRequestContext,
Session,
SessionUser,
} from "../context.js";
import { implement, ORPCError } from "@orpc/server";
import { contract } from "@reviq/api-contract";
import { COOKIE_NAMES, getCookie } from "../utils/cookies.js";
import { hashToken } from "../utils/crypto.js";
import {
authMiddleware,
loginRequestMiddleware,
os,
superuserMiddleware,
} from "../middlewares/index.js";
/**
* Base implementer with typed APIContext
* All procedures should be derived from this
*/
export const os = implement(contract).$context<APIContext>();
// Re-export middlewares and os
export { authMiddleware, loginRequestMiddleware, os, superuserMiddleware };
/**
* Auth middleware - validates session/API token and adds user to context
* Use with os.use(authMiddleware) to create authenticated procedures
*/
export const authMiddleware = os.middleware(async ({ context, next }) => {
const { db, reqHeaders } = context;
// Try session cookie first
let tokenHash: string | undefined;
const sessionToken = getCookie(reqHeaders, COOKIE_NAMES.SESSION_TOKEN);
if (sessionToken) {
tokenHash = await hashToken(sessionToken);
}
// Fall back to API key header (for CLI)
const apiKey = reqHeaders.get("x-api-key");
if (!tokenHash && apiKey) {
tokenHash = await hashToken(apiKey);
}
if (!tokenHash) {
throw new ORPCError("UNAUTHORIZED", { message: "No session or API key" });
}
// Look up session (check not expired and not revoked)
const session = await db
.selectFrom("sessions")
.where("token_hash", "=", tokenHash)
.where("expires_at", ">", new Date())
.where("revoked_at", "is", null)
.selectAll()
.executeTakeFirst();
// Fall back to API token if no session found
const apiToken = !session
? await db
.selectFrom("api_tokens")
.where("token_hash", "=", tokenHash)
.where("expires_at", ">", new Date())
.selectAll()
.executeTakeFirst()
: undefined;
const userId = session?.user_id ?? apiToken?.user_id;
if (!userId) {
throw new ORPCError("UNAUTHORIZED", {
message: "Invalid or expired token",
});
}
// Update last_used_at for API tokens
if (apiToken) {
await db
.updateTable("api_tokens")
.set({ last_used_at: new Date() })
.where("id", "=", apiToken.id)
.execute();
}
// Fetch user details
const user = await db
.selectFrom("users")
.where("id", "=", userId)
.select([
"id",
"email",
"display_name",
"email_verified_at",
"is_superuser",
])
.executeTakeFirst();
if (!user) {
throw new ORPCError("UNAUTHORIZED", {
message: "User not found",
});
}
const sessionUser: SessionUser = {
id: user.id,
email: user.email,
displayName: user.display_name,
emailVerifiedAt: user.email_verified_at,
isSuperuser: user.is_superuser,
};
// Build session and auth info based on authentication method
let sessionInfo: Session;
let authInfo: AuthInfo;
if (session) {
sessionInfo = {
id: session.id,
trustedMode: session.trusted_mode,
createdAt: session.created_at,
};
authInfo = {
method: "session",
sessionId: session.id,
expiresAt: session.expires_at,
createdAt: session.created_at,
};
} else if (apiToken) {
sessionInfo = {
// For API token auth, create a synthetic session object
id: "0",
trustedMode: true,
createdAt: apiToken.created_at,
};
authInfo = {
method: "api_token",
tokenId: apiToken.id,
tokenName: apiToken.name,
expiresAt: apiToken.expires_at,
lastUsedAt: apiToken.last_used_at,
createdAt: apiToken.created_at,
};
} else {
// This should never happen since we checked userId above
throw new ORPCError("UNAUTHORIZED", {
message: "Invalid authentication state",
});
}
return next({
context: {
user: sessionUser,
session: sessionInfo,
auth: authInfo,
},
});
});
/**
* Login request middleware - validates login request token from cookie
*/
export const loginRequestMiddleware = os.middleware(
async ({ context, next }) => {
const { db, reqHeaders } = context;
// Read login request token from cookie
const loginRequestToken = getCookie(
reqHeaders,
COOKIE_NAMES.LOGIN_REQUEST_TOKEN,
);
if (!loginRequestToken) {
throw new ORPCError("BAD_REQUEST", {
message: "No login request found",
});
}
// Fetch login request with user data by token
const result = await db
.selectFrom("login_requests")
.innerJoin("users", "users.id", "login_requests.user_id")
.select([
"login_requests.id",
"login_requests.user_id",
"login_requests.expires_at",
"users.email",
"users.display_name",
"users.email_verified_at",
"users.is_superuser",
])
.where("login_requests.token", "=", loginRequestToken)
.where("login_requests.expires_at", ">", new Date())
.executeTakeFirst();
if (!result) {
throw new ORPCError("BAD_REQUEST", {
message: "Login request expired or not found",
});
}
const sessionUser: SessionUser = {
id: result.user_id,
email: result.email,
displayName: result.display_name,
emailVerifiedAt: result.email_verified_at,
isSuperuser: result.is_superuser,
};
return next({
context: {
loginRequestId: Number(result.id),
user: sessionUser,
},
});
},
);
/**
* Superuser middleware - requires admin access (must be used after authMiddleware)
*/
export const superuserMiddleware = os.middleware(async ({ context, next }) => {
// This middleware should be used after authMiddleware
const ctx = context as AuthenticatedContext;
if (!ctx.user.isSuperuser) {
throw new ORPCError("FORBIDDEN", {
message: "Superuser access required",
});
}
return next();
});
// Pre-configured procedures with middleware applied
export const authedProcedure = os.use(authMiddleware);
export const superuserProcedure = os.use(superuserMiddleware);
export const loginRequestProcedure = os.use(loginRequestMiddleware);
// Type exports for use in procedure files
export type { APIContext, AuthenticatedContext, LoginRequestContext };

7
apps/api-server/src/procedures/me/_base.ts Normal file
View File

@@ -0,0 +1,7 @@
/**
* Base route for me procedures with auth middleware applied
*/
import { authedProcedure } from "../base.js";
export const meRoute = authedProcedure.me;

28
apps/api-server/src/procedures/me/api-tokens.ts
View File

@@ -9,7 +9,7 @@ import {
hashToken,
TOKEN_PREFIX,
} from "../../utils/crypto.js";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
/** Token expiration: 365 days */
const TOKEN_EXPIRATION_DAYS = 365;
@@ -18,9 +18,8 @@ const TOKEN_EXPIRATION_DAYS = 365;
* List all API tokens for the current user
* Returns token metadata (not the actual token values)
*/
export const listApiTokens = os.me.apiTokens.list
.use(authMiddleware)
.handler(async ({ context }) => {
export const listApiTokens = meRoute.apiTokens.list.handler(
async ({ context }) => {
const tokens = await context.db
.selectFrom("api_tokens")
.select(["id", "name", "last_used_at", "created_at", "expires_at"])
@@ -35,15 +34,15 @@ export const listApiTokens = os.me.apiTokens.list
createdAt: token.created_at.toISOString(),
expiresAt: token.expires_at.toISOString(),
}));
});
},
);
/**
* Create a new API token
* Requires superuser status and trusted session
*/
export const createApiToken = os.me.apiTokens.create
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const createApiToken = meRoute.apiTokens.create.handler(
async ({ input, context }) => {
// Require superuser status
if (!context.user.isSuperuser) {
throw new ORPCError("FORBIDDEN", {
@@ -85,17 +84,17 @@ export const createApiToken = os.me.apiTokens.create
token,
expiresAt: expiresAt.toISOString(),
};
});
},
);
/**
* Delete an API token
*/
export const deleteApiToken = os.me.apiTokens.delete
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const deleteApiToken = meRoute.apiTokens.delete.handler(
async ({ input, context }) => {
const result = await context.db
.deleteFrom("api_tokens")
.where("id", "=", String(input.tokenId))
.where("id", "=", input.tokenId.toString())
.where("user_id", "=", context.user.id)
.executeTakeFirst();
@@ -106,4 +105,5 @@ export const deleteApiToken = os.me.apiTokens.delete
}
return { success: true };
});
},
);

6
apps/api-server/src/procedures/me/auth-status.ts
View File

@@ -2,11 +2,9 @@
* Get current user auth status
*/
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
export const meAuthStatus = os.me.authStatus
.use(authMiddleware)
.handler(async ({ context }) => {
export const meAuthStatus = meRoute.authStatus.handler(async ({ context }) => {
const user = await context.db
.selectFrom("users")
.select([

6
apps/api-server/src/procedures/me/delete.ts
View File

@@ -5,7 +5,7 @@
import { ORPCError } from "@orpc/server";
import { COOKIE_NAMES, deleteCookie } from "../../utils/cookies.js";
import { verifyPassword } from "../../utils/password.js";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
/**
* Delete account handler
@@ -14,9 +14,7 @@ import { authMiddleware, os } from "../base.js";
* - Deletes user record (cascades to sessions, devices, passkeys, etc.)
* - Clears session cookie
*/
export const meDelete = os.me.delete
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const meDelete = meRoute.delete.handler(async ({ input, context }) => {
const { password } = input;
// Fetch user with password hash

44
apps/api-server/src/procedures/me/devices.ts
View File

@@ -3,7 +3,7 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
import { defaultDeviceName, requireDeviceFingerprint } from "./helpers.js";
/**
@@ -13,9 +13,8 @@ import { defaultDeviceName, requireDeviceFingerprint } from "./helpers.js";
* @throws BAD_REQUEST if no device fingerprint found
* @throws NOT_FOUND if device doesn't exist
*/
export const getDeviceInfo = os.me.devices.getInfo
.use(authMiddleware)
.handler(async ({ context }) => {
export const getDeviceInfo = meRoute.devices.getInfo.handler(
async ({ context }) => {
const fingerprint = requireDeviceFingerprint(context.reqHeaders);
const device = await context.db
@@ -39,7 +38,8 @@ export const getDeviceInfo = os.me.devices.getInfo
lastUsedAt: device.last_used_at,
isTrusted: device.is_trusted,
};
});
},
);
/**
* Trust device handler
@@ -48,9 +48,8 @@ export const getDeviceInfo = os.me.devices.getInfo
* @throws BAD_REQUEST if no device fingerprint found
* @throws NOT_FOUND if device doesn't exist
*/
export const trustDevice = os.me.devices.trust
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const trustDevice = meRoute.devices.trust.handler(
async ({ input, context }) => {
const { name } = input;
const fingerprint = requireDeviceFingerprint(context.reqHeaders);
@@ -66,16 +65,16 @@ export const trustDevice = os.me.devices.trust
}
return { success: true };
});
},
);
/**
* List trusted devices handler
* - Requires authentication
* - Returns all trusted devices for the current user
*/
export const listTrustedDevices = os.me.devices.listTrusted
.use(authMiddleware)
.handler(async ({ context }) => {
export const listTrustedDevices = meRoute.devices.listTrusted.handler(
async ({ context }) => {
const devices = await context.db
.selectFrom("user_devices")
.selectAll()
@@ -94,7 +93,8 @@ export const listTrustedDevices = os.me.devices.listTrusted
lastUsedAt: d.last_used_at,
isTrusted: d.is_trusted,
}));
});
},
);
/**
* Untrust device handler
@@ -102,13 +102,12 @@ export const listTrustedDevices = os.me.devices.listTrusted
* - Marks device as untrusted by ID
* @throws NOT_FOUND if device doesn't exist
*/
export const untrustDevice = os.me.devices.untrust
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const untrustDevice = meRoute.devices.untrust.handler(
async ({ input, context }) => {
const result = await context.db
.updateTable("user_devices")
.set({ is_trusted: false })
.where("id", "=", String(input.deviceId))
.where("id", "=", input.deviceId.toString())
.where("user_id", "=", context.user.id)
.executeTakeFirst();
@@ -117,16 +116,16 @@ export const untrustDevice = os.me.devices.untrust
}
return { success: true };
});
},
);
/**
* Revoke all trusted devices handler
* - Requires authentication
* - Marks all devices as untrusted
*/
export const revokeAllTrustedDevices = os.me.devices.revokeAll
.use(authMiddleware)
.handler(async ({ context }) => {
export const revokeAllTrustedDevices = meRoute.devices.revokeAll.handler(
async ({ context }) => {
await context.db
.updateTable("user_devices")
.set({ is_trusted: false })
@@ -134,4 +133,5 @@ export const revokeAllTrustedDevices = os.me.devices.revokeAll
.execute();
return { success: true };
});
},
);

6
apps/api-server/src/procedures/me/get.ts
View File

@@ -2,11 +2,9 @@
* Get current user profile
*/
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
export const meGet = os.me.get
.use(authMiddleware)
.handler(async ({ context }) => {
export const meGet = meRoute.get.handler(async ({ context }) => {
const user = await context.db
.selectFrom("users")
.select([

30
apps/api-server/src/procedures/me/invites.ts
View File

@@ -3,15 +3,13 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
/**
* List pending invites for the current user
* Only returns invites where the user's email matches and email is verified
*/
export const listInvites = os.me.invites.list
.use(authMiddleware)
.handler(async ({ context }) => {
export const listInvites = meRoute.invites.list.handler(async ({ context }) => {
// Only show invites if email is verified
if (!context.user.emailVerifiedAt) {
return [];
@@ -58,9 +56,8 @@ export const listInvites = os.me.invites.list
* Get a specific invite by ID
* Only returns if the invite belongs to the current user's email
*/
export const getInvite = os.me.invites.get
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const getInvite = meRoute.invites.get.handler(
async ({ input, context }) => {
const { inviteId } = input;
// Only show invite if email is verified
@@ -111,15 +108,15 @@ export const getInvite = os.me.invites.get
createdAt: invite.created_at,
expiresAt: invite.expires_at,
};
});
},
);
/**
* Accept an invite by ID
* Adds user to org and deletes the invite
*/
export const acceptInvite = os.me.invites.accept
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const acceptInvite = meRoute.invites.accept.handler(
async ({ input, context }) => {
const { inviteId } = input;
// Only allow accepting if email is verified
@@ -183,15 +180,15 @@ export const acceptInvite = os.me.invites.accept
}
return { success: true };
});
},
);
/**
* Decline an invite
* Deletes the invite if it belongs to the current user's email
*/
export const declineInvite = os.me.invites.decline
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const declineInvite = meRoute.invites.decline.handler(
async ({ input, context }) => {
const { inviteId } = input;
// Delete the invite only if it matches user's email
@@ -208,4 +205,5 @@ export const declineInvite = os.me.invites.decline
}
return { success: true };
});
},
);

30
apps/api-server/src/procedures/me/passkeys.ts
View File

@@ -4,16 +4,15 @@
import { ORPCError } from "@orpc/server";
import { getUserPasskeys } from "../../utils/webauthn.js";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
/**
* List passkeys handler
* - Requires authentication
* - Returns all passkeys for the current user
*/
export const listPasskeys = os.me.passkeys.list
.use(authMiddleware)
.handler(async ({ context }) => {
export const listPasskeys = meRoute.passkeys.list.handler(
async ({ context }) => {
const passkeys = await getUserPasskeys(context.db, context.user.id);
return passkeys.map((p) => ({
@@ -22,7 +21,8 @@ export const listPasskeys = os.me.passkeys.list
createdAt: p.createdAt,
lastUsedAt: p.lastUsedAt,
}));
});
},
);
/**
* Rename passkey handler
@@ -30,15 +30,14 @@ export const listPasskeys = os.me.passkeys.list
* - Updates passkey name
* @throws NOT_FOUND if passkey doesn't exist
*/
export const renamePasskey = os.me.passkeys.rename
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const renamePasskey = meRoute.passkeys.rename.handler(
async ({ input, context }) => {
const { passkeyId, name } = input;
const result = await context.db
.updateTable("passkeys")
.set({ name })
.where("id", "=", String(passkeyId))
.where("id", "=", passkeyId.toString())
.where("user_id", "=", context.user.id)
.executeTakeFirst();
@@ -47,7 +46,8 @@ export const renamePasskey = os.me.passkeys.rename
}
return { success: true };
});
},
);
/**
* Delete passkey handler
@@ -57,9 +57,8 @@ export const renamePasskey = os.me.passkeys.rename
* @throws NOT_FOUND if passkey doesn't exist
* @throws BAD_REQUEST if trying to delete last passkey without password
*/
export const deletePasskey = os.me.passkeys.delete
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const deletePasskey = meRoute.passkeys.delete.handler(
async ({ input, context }) => {
const { passkeyId } = input;
// Use transaction to prevent race condition when checking last passkey
@@ -86,7 +85,7 @@ export const deletePasskey = os.me.passkeys.delete
const result = await trx
.deleteFrom("passkeys")
.where("id", "=", String(passkeyId))
.where("id", "=", passkeyId.toString())
.where("user_id", "=", context.user.id)
.executeTakeFirst();
@@ -96,4 +95,5 @@ export const deletePasskey = os.me.passkeys.delete
});
return { success: true };
});
},
);

30
apps/api-server/src/procedures/me/sessions.ts
View File

@@ -3,7 +3,7 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
/**
* List sessions handler
@@ -11,9 +11,8 @@ import { authMiddleware, os } from "../base.js";
* - Returns all sessions for the current user
* - Includes isCurrent flag to identify active session
*/
export const listSessions = os.me.sessions.list
.use(authMiddleware)
.handler(async ({ context }) => {
export const listSessions = meRoute.sessions.list.handler(
async ({ context }) => {
const sessions = await context.db
.selectFrom("sessions")
.selectAll()
@@ -33,7 +32,8 @@ export const listSessions = os.me.sessions.list
isCurrent: s.id === context.session.id,
revokedAt: s.revoked_at,
}));
});
},
);
/**
* Revoke session handler
@@ -42,13 +42,12 @@ export const listSessions = os.me.sessions.list
* @throws NOT_FOUND if session doesn't exist
* @throws BAD_REQUEST if trying to revoke current session
*/
export const revokeSession = os.me.sessions.revoke
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const revokeSession = meRoute.sessions.revoke.handler(
async ({ input, context }) => {
const { sessionId } = input;
// Prevent revoking current session (use logout instead)
if (String(sessionId) === context.session.id) {
if (sessionId.toString() === context.session.id) {
throw new ORPCError("BAD_REQUEST", {
message: "Cannot revoke current session. Use logout instead.",
});
@@ -57,7 +56,7 @@ export const revokeSession = os.me.sessions.revoke
const result = await context.db
.updateTable("sessions")
.set({ revoked_at: new Date() })
.where("id", "=", String(sessionId))
.where("id", "=", sessionId.toString())
.where("user_id", "=", context.user.id)
.where("revoked_at", "is", null)
.executeTakeFirst();
@@ -67,16 +66,16 @@ export const revokeSession = os.me.sessions.revoke
}
return { success: true };
});
},
);
/**
* Revoke all sessions handler
* - Requires authentication
* - Revokes all sessions except current
*/
export const revokeAllSessions = os.me.sessions.revokeAll
.use(authMiddleware)
.handler(async ({ context }) => {
export const revokeAllSessions = meRoute.sessions.revokeAll.handler(
async ({ context }) => {
// Revoke all sessions except current
await context.db
.updateTable("sessions")
@@ -87,4 +86,5 @@ export const revokeAllSessions = os.me.sessions.revokeAll
.execute();
return { success: true };
});
},
);

10
apps/api-server/src/procedures/me/set-password.ts
View File

@@ -8,7 +8,7 @@ import {
validatePassword,
verifyPassword,
} from "../../utils/password.js";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
/**
* Set password handler
@@ -16,9 +16,8 @@ import { authMiddleware, os } from "../base.js";
* - If user has existing password, currentPassword is required
* - Validates new password strength using zxcvbn
*/
export const setPassword = os.me.setPassword
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const setPassword = meRoute.setPassword.handler(
async ({ input, context }) => {
const { currentPassword, newPassword } = input;
// Fetch current password hash
@@ -60,4 +59,5 @@ export const setPassword = os.me.setPassword
.execute();
return { success: true };
});
},
);

10
apps/api-server/src/procedures/me/setup-profile.ts
View File

@@ -2,11 +2,10 @@
* Setup user profile (initial setup after signup)
*/
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
export const setupProfile = os.me.setupProfile
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const setupProfile = meRoute.setupProfile.handler(
async ({ input, context }) => {
const { displayName, fullName, phoneNumber } = input;
await context.db
@@ -21,4 +20,5 @@ export const setupProfile = os.me.setupProfile
.execute();
return { success: true };
});
},
);

10
apps/api-server/src/procedures/me/update-profile.ts
View File

@@ -3,7 +3,7 @@
*/
import type { ProfileUpdate } from "./helpers.js";
import { authMiddleware, os } from "../base.js";
import { meRoute } from "./_base.js";
/**
* Update profile handler
@@ -11,9 +11,8 @@ import { authMiddleware, os } from "../base.js";
* - Allows partial updates to display_name, full_name, phone_number, avatar_url
* - Automatically sets updated_at timestamp
*/
export const updateProfile = os.me.updateProfile
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const updateProfile = meRoute.updateProfile.handler(
async ({ input, context }) => {
const updates: Partial<ProfileUpdate> = {};
if (input.displayName !== undefined) {
updates.display_name = input.displayName;
@@ -38,4 +37,5 @@ export const updateProfile = os.me.updateProfile
}
return { success: true };
});
},
);

26
apps/api-server/src/procedures/orgs/basic.ts
View File

@@ -3,15 +3,14 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os } from "../base.js";
import { authedProcedure } from "../base.js";
import { getMembership, lookupOrgBySlug } from "./helpers.js";
/**
* List all orgs the current user is a member of
*/
export const orgsList = os.orgs.list
.use(authMiddleware)
.handler(async ({ context }) => {
export const orgsList = authedProcedure.orgs.list.handler(
async ({ context }) => {
const orgs = await context.db
.selectFrom("org_members")
.innerJoin("orgs", "orgs.id", "org_members.org_id")
@@ -33,15 +32,15 @@ export const orgsList = os.orgs.list
logoUrl: o.logo_url,
createdAt: o.created_at,
}));
});
},
);
/**
* Create a new org
* The creating user becomes the owner
*/
export const orgsCreate = os.orgs.create
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const orgsCreate = authedProcedure.orgs.create.handler(
async ({ input, context }) => {
const { slug, displayName } = input;
try {
@@ -75,15 +74,15 @@ export const orgsCreate = os.orgs.create
}
throw error;
}
});
},
);
/**
* Get a single org by slug
* Requires membership
*/
export const orgsGet = os.orgs.get
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const orgsGet = authedProcedure.orgs.get.handler(
async ({ input, context }) => {
const { slug } = input;
// Lookup org and verify membership
@@ -97,4 +96,5 @@ export const orgsGet = os.orgs.get
logoUrl: org.logoUrl,
createdAt: org.createdAt,
};
});
},
);

20
apps/api-server/src/procedures/orgs/helpers.ts
View File

@@ -5,25 +5,11 @@
import type { DB, OrgRole } from "@reviq/db-schema";
import type { Kysely } from "kysely";
import type { OrgInfo, OrgMembership } from "../../context.js";
import { ORPCError } from "@orpc/server";
// ===== Types =====
/** Org info returned from lookup */
export interface OrgInfo {
id: number;
slug: string;
displayName: string;
logoUrl: string | null;
createdAt: Date;
}
/** User's membership in an org */
export interface OrgMembership {
id: number;
role: OrgRole;
createdAt: Date;
}
// Re-export types for convenience
export type { OrgInfo, OrgMembership };
// ===== Role Hierarchy =====

48
apps/api-server/src/procedures/orgs/invites.ts
View File

@@ -3,22 +3,21 @@
*/
import { ORPCError } from "@orpc/server";
import { sendOrgInviteEmail } from "@reviq/emails";
import { ORG_INVITE_EXPIRY_DAYS } from "../../constants.js";
import {
generateExpiry,
generateSecureBase58Token,
} from "../../utils/crypto.js";
import { sendOrgInviteEmail } from "../../utils/email.js";
import { authMiddleware, os } from "../base.js";
import { authedProcedure } from "../base.js";
import { getMembership, lookupOrgBySlug, requireRole } from "./helpers.js";
/**
* List pending invites for an org
* Requires admin or owner role
*/
export const invitesList = os.orgs.invites.list
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const invitesList = authedProcedure.orgs.invites.list.handler(
async ({ input, context }) => {
const { slug } = input;
// Lookup org and verify admin+ role
@@ -52,16 +51,16 @@ export const invitesList = os.orgs.invites.list
createdAt: i.created_at,
expiresAt: i.expires_at,
}));
});
},
);
/**
* Create an invite for a new member
* Requires admin or owner role
* Only owners can invite new owners (privilege escalation prevention)
*/
export const invitesCreate = os.orgs.invites.create
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const invitesCreate = authedProcedure.orgs.invites.create.handler(
async ({ input, context }) => {
const { slug, email: rawEmail, role } = input;
const email = rawEmail.toLowerCase();
@@ -122,18 +121,28 @@ export const invitesCreate = os.orgs.invites.create
// Send invitation email
const inviterName = context.user.displayName ?? context.user.email;
await sendOrgInviteEmail(email, token, org.displayName, inviterName, role);
await sendOrgInviteEmail({
client: context.email.client,
fromAddress: context.email.fromAddress,
baseUrl: context.email.baseUrl,
email,
token,
orgName: org.displayName,
inviterName,
role,
expiryDays: ORG_INVITE_EXPIRY_DAYS,
});
return { success: true };
});
},
);
/**
* Cancel a pending invite
* Requires admin or owner role
*/
export const invitesCancel = os.orgs.invites.cancel
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const invitesCancel = authedProcedure.orgs.invites.cancel.handler(
async ({ input, context }) => {
const { slug, inviteId } = input;
// Lookup org and verify admin+ role
@@ -153,16 +162,16 @@ export const invitesCancel = os.orgs.invites.cancel
}
return { success: true };
});
},
);
/**
* Accept an invitation
* Token-based lookup, requires auth but no org membership
* Handles race condition if user is already a member
*/
export const invitesAccept = os.orgs.invites.accept
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const invitesAccept = authedProcedure.orgs.invites.accept.handler(
async ({ input, context }) => {
const { token } = input;
// Find the invite by token (must not be expired)
@@ -225,4 +234,5 @@ export const invitesAccept = os.orgs.invites.accept
}
return { success: true };
});
},
);

26
apps/api-server/src/procedures/orgs/management.ts
View File

@@ -3,7 +3,7 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os } from "../base.js";
import { authedProcedure } from "../base.js";
import {
countOwners,
getMembership,
@@ -15,9 +15,8 @@ import {
* Update org details
* Requires admin or owner role
*/
export const orgsUpdate = os.orgs.update
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const orgsUpdate = authedProcedure.orgs.update.handler(
async ({ input, context }) => {
const { slug, displayName, logoUrl } = input;
// Lookup org and verify membership with admin+ role
@@ -41,16 +40,16 @@ export const orgsUpdate = os.orgs.update
.execute();
return { success: true };
});
},
);
/**
* Delete an org
* Requires owner role
* FK CASCADE handles deleting members, invites, and sites
*/
export const orgsDelete = os.orgs.delete
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const orgsDelete = authedProcedure.orgs.delete.handler(
async ({ input, context }) => {
const { slug } = input;
// Lookup org and verify ownership
@@ -61,16 +60,16 @@ export const orgsDelete = os.orgs.delete
await context.db.deleteFrom("orgs").where("id", "=", org.id).execute();
return { success: true };
});
},
);
/**
* Leave an org
* Cannot leave if you're the only owner
* Uses transaction to prevent race condition where multiple owners leave simultaneously
*/
export const orgsLeave = os.orgs.leave
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const orgsLeave = authedProcedure.orgs.leave.handler(
async ({ input, context }) => {
const { slug } = input;
// Lookup org and get membership
@@ -98,4 +97,5 @@ export const orgsLeave = os.orgs.leave
});
return { success: true };
});
},
);

33
apps/api-server/src/procedures/orgs/members.ts
View File

@@ -3,7 +3,7 @@
*/
import { ORPCError } from "@orpc/server";
import { authMiddleware, os } from "../base.js";
import { authedProcedure } from "../base.js";
import {
countOwners,
getMembership,
@@ -15,9 +15,8 @@ import {
* List all members of an org
* Any member can view the member list
*/
export const membersList = os.orgs.members.list
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const membersList = authedProcedure.orgs.members.list.handler(
async ({ input, context }) => {
const { slug } = input;
// Lookup org and verify membership
@@ -48,21 +47,26 @@ export const membersList = os.orgs.members.list
role: m.role,
createdAt: m.created_at,
}));
});
},
);
/**
* Update a member's role
* Only owners can change roles
* Uses transaction to prevent race condition when demoting owners
*/
export const membersUpdateRole = os.orgs.members.updateRole
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const membersUpdateRole =
authedProcedure.orgs.members.updateRole.handler(
async ({ input, context }) => {
const { slug, userId, role: newRole } = input;
// Lookup org and verify ownership
const org = await lookupOrgBySlug(context.db, slug);
const membership = await getMembership(context.db, org.id, context.user.id);
const membership = await getMembership(
context.db,
org.id,
context.user.id,
);
requireRole(membership, "owner");
await context.db.transaction().execute(async (trx) => {
@@ -97,16 +101,16 @@ export const membersUpdateRole = os.orgs.members.updateRole
});
return { success: true };
});
},
);
/**
* Remove a member from an org
* Owners can remove anyone, admins can only remove members
* Uses transaction to prevent race condition when removing owners
*/
export const membersRemove = os.orgs.members.remove
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const membersRemove = authedProcedure.orgs.members.remove.handler(
async ({ input, context }) => {
const { slug, userId } = input;
// Lookup org and verify membership
@@ -159,4 +163,5 @@ export const membersRemove = os.orgs.members.remove
});
return { success: true };
});
},
);

10
apps/api-server/src/procedures/orgs/sites.ts
View File

@@ -2,16 +2,15 @@
* Org sites procedures - list
*/
import { authMiddleware, os } from "../base.js";
import { authedProcedure } from "../base.js";
import { getMembership, lookupOrgBySlug } from "./helpers.js";
/**
* List all sites for an org
* Any member can view the site list
*/
export const sitesList = os.orgs.sites.list
.use(authMiddleware)
.handler(async ({ input, context }) => {
export const sitesList = authedProcedure.orgs.sites.list.handler(
async ({ input, context }) => {
const { slug } = input;
// Lookup org and verify membership
@@ -31,4 +30,5 @@ export const sitesList = os.orgs.sites.list
domain: s.domain,
createdAt: s.created_at,
}));
});
},
);

2
apps/api-server/src/router.ts
View File

@@ -139,7 +139,7 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication
await context.db
.updateTable("login_requests")
.set({ completed_at: new Date() })
.where("id", "=", String(context.loginRequestId))
.where("id", "=", context.loginRequestId.toString())
.execute();
return { success: true };

75
apps/api-server/src/utils/auth.ts
View File

@@ -1,75 +0,0 @@
/**
* Authentication utilities for token handling
*/
import type { Database } from "@reviq/db-schema";
import type { Kysely } from "kysely";
import { hashToken } from "./crypto.js";
export interface AuthenticatedUser {
id: number;
email: string;
isSuperuser: boolean;
}
/**
* Authenticate a request using session token or API key
* Returns the authenticated user or null if not authenticated
*/
export const authenticateRequest = async (
db: Kysely<Database>,
sessionToken?: string,
apiKey?: string,
): Promise<AuthenticatedUser | null> => {
// Try session cookie first, then API key
const token = sessionToken ?? apiKey;
if (!token) {
return null;
}
const tokenHash = await hashToken(token);
// Check sessions table
const session = await db
.selectFrom("sessions")
.innerJoin("users", "users.id", "sessions.user_id")
.where("sessions.token_hash", "=", tokenHash)
.where("sessions.expires_at", ">", new Date())
.where("sessions.revoked_at", "is", null)
.select(["users.id", "users.email", "users.is_superuser"])
.executeTakeFirst();
if (session) {
return {
id: session.id,
email: session.email,
isSuperuser: session.is_superuser,
};
}
// Check API tokens table
const apiToken = await db
.selectFrom("api_tokens")
.innerJoin("users", "users.id", "api_tokens.user_id")
.where("api_tokens.token_hash", "=", tokenHash)
.where("api_tokens.expires_at", ">", new Date())
.select(["users.id", "users.email", "users.is_superuser"])
.executeTakeFirst();
if (apiToken) {
// Update last_used_at
await db
.updateTable("api_tokens")
.set({ last_used_at: new Date() })
.where("token_hash", "=", tokenHash)
.execute();
return {
id: apiToken.id,
email: apiToken.email,
isSuperuser: apiToken.is_superuser,
};
}
return null;
};

2
apps/api-server/src/utils/crypto.ts
View File

@@ -1,4 +1,4 @@
import { generateSecureBase58Token } from "@reviq/utils";
import { generateSecureBase58Token } from "@reviq/server-utils";
import { base58 } from "@scure/base";
// Re-export for convenience

419
apps/api-server/src/utils/email.ts
View File

@@ -1,419 +0,0 @@
/**
* Email sending utilities using Postmark
* Implements Workstream G: Email Service (Backend)
*/
import type { OrgRole } from "@reviq/db-schema";
import { DurationFormat } from "@formatjs/intl-durationformat";
import { ServerClient } from "postmark";
import {
BASE_URL,
EMAIL_DEV_MODE,
EMAIL_FROM,
EMAIL_VERIFICATION_EXPIRY_HOURS,
LOGIN_CONFIRMATION_EXPIRY_MINUTES,
ORG_INVITE_EXPIRY_DAYS,
PASSWORD_RESET_EXPIRY_HOURS,
POSTMARK_API_KEY,
} from "../constants.js";
// ===== Types =====
/**
* Email send result
*/
export interface EmailResult {
success: boolean;
messageId?: string;
error?: string;
}
// ===== Postmark Client =====
let postmarkClient: ServerClient | null = null;
const getPostmarkClient = (): ServerClient => {
if (!postmarkClient) {
if (!POSTMARK_API_KEY) {
throw new Error(
"POSTMARK_API_KEY is required when EMAIL_DEV_MODE is false",
);
}
postmarkClient = new ServerClient(POSTMARK_API_KEY);
}
return postmarkClient;
};
// ===== URL Helpers =====
/**
* Build a URL with query parameters using the URL constructor
*/
const buildUrl = (path: string, params: Record<string, string>): string => {
const url = new URL(path, BASE_URL);
for (const [key, value] of Object.entries(params)) {
url.searchParams.set(key, value);
}
return url.toString();
};
// ===== HTML Escaping =====
/**
* Escape HTML special characters to prevent XSS
*/
const escapeHtml = (unsafe: string): string =>
unsafe
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
// ===== Core Email Function =====
interface SendEmailParams {
to: string;
subject: string;
htmlBody: string;
textBody: string;
}
/**
* Send an email via Postmark (or log in dev mode)
*/
const sendEmail = async (params: SendEmailParams): Promise<EmailResult> => {
const { to, subject, htmlBody, textBody } = params;
// Dev mode: log instead of sending
if (EMAIL_DEV_MODE) {
console.log("=== DEV MODE EMAIL ===");
console.log(`To: ${to}`);
console.log(`Subject: ${subject}`);
console.log(`Body:\n${textBody}`);
console.log("======================");
return { success: true, messageId: "dev-mode" };
}
try {
const client = getPostmarkClient();
const result = await client.sendEmail({
From: EMAIL_FROM,
To: to,
Subject: subject,
HtmlBody: htmlBody,
TextBody: textBody,
});
return { success: true, messageId: result.MessageID };
} catch (error) {
const message = error instanceof Error ? error.message : "Unknown error";
console.error(`Failed to send email to ${to}:`, message);
return { success: false, error: message };
}
};
// ===== Template Helpers =====
const durationFormatter = new DurationFormat("en", { style: "long" });
const formatExpiryHours = (hours: number): string =>
durationFormatter.format({ hours });
const formatExpiryMinutes = (minutes: number): string =>
durationFormatter.format({ minutes });
const formatExpiryDays = (days: number): string =>
durationFormatter.format({ days });
const roleLabels: Record<OrgRole, string> = {
owner: "Owner",
admin: "Admin",
member: "Member",
};
const formatRoleDisplay = (role: OrgRole): string => roleLabels[role];
/**
* Get the correct article (a/an) for a role
*/
const getArticleForRole = (role: OrgRole): string => {
return role === "owner" || role === "admin" ? "an" : "a";
};
// ===== Email Templates =====
// Common styles
const emailStyles = `font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; margin: 0; padding: 20px; background-color: #f5f5f5;`;
const containerStyles =
"max-width: 600px; margin: 0 auto; background: white; border-radius: 8px; padding: 40px;";
const headingStyles = "margin: 0 0 24px; font-size: 24px; color: #1a1a1a;";
const paragraphStyles =
"margin: 0 0 24px; font-size: 16px; color: #4a4a4a; line-height: 1.5;";
const buttonStyles =
"display: inline-block; background-color: #0066cc; color: white; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;";
const footerStyles = "margin: 24px 0 0; font-size: 14px; color: #6a6a6a;";
// Verification Email
const buildVerificationEmailHtml = (
verifyUrl: string,
expiresIn: string,
): string => `
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body style="${emailStyles}">
<div style="${containerStyles}">
<h1 style="${headingStyles}">Verify your email</h1>
<p style="${paragraphStyles}">Please verify your email address by clicking the button below:</p>
<a href="${verifyUrl}" style="${buttonStyles}">Verify Email</a>
<p style="${footerStyles}">This link expires in ${expiresIn}.</p>
<p style="${footerStyles}">If you didn't create an account, you can safely ignore this email.</p>
</div>
</body>
</html>
`;
const buildVerificationEmailText = (
verifyUrl: string,
expiresIn: string,
): string =>
`Verify your email
Please verify your email address by clicking the link below:
${verifyUrl}
This link expires in ${expiresIn}.
If you didn't create an account, you can safely ignore this email.
`;
// Password Reset Email
const buildPasswordResetEmailHtml = (
resetUrl: string,
expiresIn: string,
): string => `
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body style="${emailStyles}">
<div style="${containerStyles}">
<h1 style="${headingStyles}">Reset your password</h1>
<p style="${paragraphStyles}">We received a request to reset your password. Click the button below to choose a new password:</p>
<a href="${resetUrl}" style="${buttonStyles}">Reset Password</a>
<p style="${footerStyles}">This link expires in ${expiresIn}.</p>
<p style="${footerStyles}">If you didn't request a password reset, you can safely ignore this email. Your password will remain unchanged.</p>
</div>
</body>
</html>
`;
const buildPasswordResetEmailText = (
resetUrl: string,
expiresIn: string,
): string =>
`Reset your password
We received a request to reset your password. Click the link below to choose a new password:
${resetUrl}
This link expires in ${expiresIn}.
If you didn't request a password reset, you can safely ignore this email. Your password will remain unchanged.
`;
// Login Confirmation Email
const buildLoginConfirmationEmailHtml = (
confirmUrl: string,
expiresIn: string,
): string => `
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body style="${emailStyles}">
<div style="${containerStyles}">
<h1 style="${headingStyles}">Confirm your login</h1>
<p style="${paragraphStyles}">Someone is trying to sign in to your account. If this was you, click the button below to confirm:</p>
<a href="${confirmUrl}" style="${buttonStyles}">Confirm Login</a>
<p style="${footerStyles}">This link expires in ${expiresIn}.</p>
<p style="${footerStyles}">If you didn't try to sign in, you can safely ignore this email. Someone may have entered your email address by mistake.</p>
</div>
</body>
</html>
`;
const buildLoginConfirmationEmailText = (
confirmUrl: string,
expiresIn: string,
): string =>
`Confirm your login
Someone is trying to sign in to your account. If this was you, click the link below to confirm:
${confirmUrl}
This link expires in ${expiresIn}.
If you didn't try to sign in, you can safely ignore this email. Someone may have entered your email address by mistake.
`;
// Org Invite Email
const buildOrgInviteEmailHtml = (
email: string,
orgName: string,
inviterName: string,
role: OrgRole,
inviteUrl: string,
expiresIn: string,
): string => {
const safeOrgName = escapeHtml(orgName);
const safeInviterName = escapeHtml(inviterName);
const safeEmail = escapeHtml(email);
const roleDisplay = formatRoleDisplay(role);
const article = getArticleForRole(role);
return `
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body style="${emailStyles}">
<div style="${containerStyles}">
<h1 style="${headingStyles}">You've been invited to join ${safeOrgName}</h1>
<p style="${paragraphStyles}">${safeInviterName} has invited you to join <strong>${safeOrgName}</strong> as ${article} <strong>${roleDisplay}</strong>.</p>
<a href="${inviteUrl}" style="${buttonStyles}">Accept Invitation</a>
<p style="${footerStyles}">This invitation expires in ${expiresIn}.</p>
<p style="${footerStyles}">This invitation was sent to ${safeEmail}. If you weren't expecting this invitation, you can safely ignore this email.</p>
</div>
</body>
</html>
`;
};
const buildOrgInviteEmailText = (
email: string,
orgName: string,
inviterName: string,
role: OrgRole,
inviteUrl: string,
expiresIn: string,
): string => {
const roleDisplay = formatRoleDisplay(role);
const article = getArticleForRole(role);
return `You've been invited to join ${orgName}
${inviterName} has invited you to join ${orgName} as ${article} ${roleDisplay}.
Click the link below to accept the invitation:
${inviteUrl}
This invitation expires in ${expiresIn}.
This invitation was sent to ${email}. If you weren't expecting this invitation, you can safely ignore this email.
`;
};
// ===== Email Helpers =====
/**
* Send verification email to user
*/
export async function sendVerificationEmail(
email: string,
token: string,
): Promise<EmailResult> {
const url = buildUrl("/auth/verify", { token });
const expiresIn = formatExpiryHours(EMAIL_VERIFICATION_EXPIRY_HOURS);
return sendEmail({
to: email,
subject: "Verify your email address",
htmlBody: buildVerificationEmailHtml(url, expiresIn),
textBody: buildVerificationEmailText(url, expiresIn),
});
}
/**
* Send login confirmation email (for untrusted device flow)
*/
export async function sendLoginConfirmationEmail(
email: string,
token: string,
): Promise<EmailResult> {
const url = buildUrl("/auth/confirm", { token });
const expiresIn = formatExpiryMinutes(LOGIN_CONFIRMATION_EXPIRY_MINUTES);
return sendEmail({
to: email,
subject: "Confirm your login",
htmlBody: buildLoginConfirmationEmailHtml(url, expiresIn),
textBody: buildLoginConfirmationEmailText(url, expiresIn),
});
}
/**
* Send password reset email
*/
export async function sendPasswordResetEmail(
email: string,
token: string,
): Promise<EmailResult> {
const url = buildUrl("/auth/reset-password", { token });
const expiresIn = formatExpiryHours(PASSWORD_RESET_EXPIRY_HOURS);
return sendEmail({
to: email,
subject: "Reset your password",
htmlBody: buildPasswordResetEmailHtml(url, expiresIn),
textBody: buildPasswordResetEmailText(url, expiresIn),
});
}
/**
* Send org invite email
*/
export async function sendOrgInviteEmail(
email: string,
token: string,
orgName: string,
inviterName: string,
role: OrgRole,
): Promise<EmailResult> {
const url = buildUrl("/invite/accept", { token });
const expiresIn = formatExpiryDays(ORG_INVITE_EXPIRY_DAYS);
return sendEmail({
to: email,
subject: `You've been invited to join ${orgName}`,
htmlBody: buildOrgInviteEmailHtml(
email,
orgName,
inviterName,
role,
url,
expiresIn,
),
textBody: buildOrgInviteEmailText(
email,
orgName,
inviterName,
role,
url,
expiresIn,
),
});
}

2
apps/api-server/src/utils/password.ts
View File

@@ -1,7 +1,7 @@
import {
hashPassword as hashPasswordUtil,
verifyPassword as verifyPasswordUtil,
} from "@reviq/utils";
} from "@reviq/server-utils";
import zxcvbn from "zxcvbn";
export interface PasswordValidationResult {

75
apps/api-server/src/utils/session.ts
View File

@@ -1,6 +1,11 @@
import type { Database } from "@reviq/db-schema";
import type { Kysely } from "kysely";
import type { Kysely, Transaction } from "kysely";
import type { GeoInfo } from "./geo.js";
import {
isDeviceTrusted as dbIsDeviceTrusted,
upsertUserDevice as dbUpsertUserDevice,
insertSession,
} from "@reviq/db";
import { COOKIE_DURATIONS } from "./cookies.js";
import { generateExpiry, generateSessionToken, hashToken } from "./crypto.js";
@@ -23,33 +28,26 @@ export interface SessionResult {
* Returns the raw token (to be sent in cookie) and session details
*/
export async function createSession(
db: Kysely<Database>,
db: Kysely<Database> | Transaction<Database>,
options: CreateSessionOptions,
): Promise<SessionResult> {
const token = generateSessionToken();
const tokenHash = await hashToken(token);
const expiresAt = generateExpiry(COOKIE_DURATIONS.SESSION);
const result = await db
.insertInto("sessions")
.values({
user_id: options.userId,
device_id: options.deviceId,
token_hash: tokenHash,
trusted_mode: options.trustedMode,
ip_address: options.geo.ip,
city: options.geo.city,
region: options.geo.region,
country: options.geo.country,
user_agent: options.userAgent,
expires_at: expiresAt,
})
.returning(["id"])
.executeTakeFirstOrThrow();
const result = await insertSession(db, {
userId: options.userId,
deviceId: options.deviceId,
tokenHash,
trustedMode: options.trustedMode,
geo: options.geo,
userAgent: options.userAgent,
expiresAt,
});
return {
token,
sessionId: Number(result.id),
sessionId: result.sessionId,
expiresAt,
};
}
@@ -60,53 +58,22 @@ export async function createSession(
* Returns the device ID
*/
export async function upsertUserDevice(
db: Kysely<Database>,
db: Kysely<Database> | Transaction<Database>,
userId: number,
deviceFingerprint: string,
geo: GeoInfo,
userAgent: string,
): Promise<number> {
const result = await db
.insertInto("user_devices")
.values({
user_id: userId,
device_fingerprint: deviceFingerprint,
user_agent: userAgent,
ip_address: geo.ip,
city: geo.city,
region: geo.region,
country: geo.country,
})
.onConflict((oc) =>
oc.columns(["user_id", "device_fingerprint"]).doUpdateSet({
ip_address: geo.ip,
city: geo.city,
region: geo.region,
country: geo.country,
user_agent: userAgent,
last_used_at: new Date(),
}),
)
.returning(["id"])
.executeTakeFirstOrThrow();
return Number(result.id);
return dbUpsertUserDevice(db, userId, deviceFingerprint, geo, userAgent);
}
/**
* Check if a device is trusted for a user
*/
export async function isDeviceTrusted(
db: Kysely<Database>,
db: Kysely<Database> | Transaction<Database>,
userId: number,
deviceFingerprint: string,
): Promise<boolean> {
const device = await db
.selectFrom("user_devices")
.select(["is_trusted"])
.where("user_id", "=", userId)
.where("device_fingerprint", "=", deviceFingerprint)
.executeTakeFirst();
return device?.is_trusted ?? false;
return dbIsDeviceTrusted(db, userId, deviceFingerprint);
}

10
apps/api-server/src/utils/webauthn.ts
View File

@@ -162,7 +162,7 @@ export const verifyRegistration = async (
const challengeRow = await db
.selectFrom("webauthn_challenges")
.select("options")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.executeTakeFirst();
if (!challengeRow) {
@@ -189,7 +189,7 @@ export const verifyRegistration = async (
// Always delete the challenge
await db
.deleteFrom("webauthn_challenges")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
}
@@ -278,7 +278,7 @@ export const verifyAuthentication = async (
const challengeRow = await db
.selectFrom("webauthn_challenges")
.select("options")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.executeTakeFirst();
if (!challengeRow) {
@@ -321,7 +321,7 @@ export const verifyAuthentication = async (
counter: verification.authenticationInfo.newCounter.toString(),
last_used_at: new Date(),
})
.where("id", "=", String(passkey.id))
.where("id", "=", passkey.id.toString())
.execute();
return true;
@@ -329,7 +329,7 @@ export const verifyAuthentication = async (
// Always delete the challenge
await db
.deleteFrom("webauthn_challenges")
.where("id", "=", String(challengeId))
.where("id", "=", challengeId.toString())
.execute();
}
};

3
apps/api-server/tsconfig.json
View File

@@ -19,6 +19,5 @@
"isolatedDeclarations": false,
"composite": false
},
"include": ["src/**/*"],
"exclude": ["node_modules", "dist"]
"include": ["src/**/*"]
}

11
apps/cli/src/routes/admin/complete-login.ts
View File

@@ -1,7 +1,7 @@
import type { LocalContext } from "../../context.js";
import { ORPCError } from "@orpc/client";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { formatError } from "../../utils/format-error.js";
interface CompleteLoginFlags {
email: string;
@@ -20,14 +20,7 @@ async function completeLogin(
console.log(`Completed login request for: ${flags.email}`);
} catch (error) {
if (error instanceof ORPCError) {
console.error(`Error [${String(error.code)}]:`, error.message);
} else {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
}
console.error("Error:", formatError(error));
this.process.exit(1);
}
}

6
apps/cli/src/routes/auth/login.ts
View File

@@ -2,6 +2,7 @@ import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { readConfig, writeConfig } from "../../utils/config.js";
import { formatError } from "../../utils/format-error.js";
interface LoginFlags {
token: string;
@@ -47,10 +48,7 @@ async function login(this: LocalContext, flags: LoginFlags): Promise<void> {
console.log(`Logged in as ${authStatus.user.email}`);
console.log("Credentials saved to ~/.config/reviq/credentials.json");
} catch (error) {
console.error(
"Login failed:",
error instanceof Error ? error.message : String(error),
);
console.error("Login failed:", formatError(error));
console.log("\nMake sure your API token is valid.");
console.log("You can create a new token at: /account/api-tokens");
this.process.exit(1);

19
apps/cli/src/routes/auth/status.ts
View File

@@ -2,6 +2,7 @@ import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { getConfigPath, readConfig } from "../../utils/config.js";
import { formatError } from "../../utils/format-error.js";
import { TOKEN_PREFIX } from "../../utils/token.js";
function formatDate(date: Date): string {
@@ -14,19 +15,21 @@ function formatRelativeTime(date: Date): string {
const diffDays = Math.floor(diffMs / (1000 * 60 * 60 * 24));
if (diffDays < 0) {
return `${String(Math.abs(diffDays))} days ago`;
return `${Math.abs(diffDays).toLocaleString()} days ago`;
}
if (diffDays === 0) {
const diffHours = Math.floor(diffMs / (1000 * 60 * 60));
if (diffHours <= 0) {
return "expired";
}
return `in ${String(diffHours)} hours`;
return diffHours <= 0
? "expired"
: `in ${diffHours.toLocaleString()} hours`;
}
if (diffDays === 1) {
return "tomorrow";
}
return `in ${String(diffDays)} days`;
return `in ${diffDays.toLocaleString()} days`;
}
async function status(this: LocalContext): Promise<void> {
@@ -96,9 +99,7 @@ async function status(this: LocalContext): Promise<void> {
);
}
} catch (error) {
console.log(
` Error: ${error instanceof Error ? error.message : String(error)}`,
);
console.log(` Error: ${formatError(error)}`);
console.log(
"\n Unable to connect to API. Local credentials may be invalid.",
);

6
apps/cli/src/routes/bootstrap.ts
View File

@@ -2,6 +2,7 @@ import type { LocalContext } from "../context.js";
import { createDb, executeBootstrap } from "@reviq/db";
import { buildCommand } from "@stricli/core";
import { writeConfig } from "../utils/config.js";
import { formatError } from "../utils/format-error.js";
interface BootstrapFlags {
email: string;
@@ -47,10 +48,7 @@ async function bootstrap(
await db.destroy();
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
console.error("Error:", formatError(error));
await db.destroy();
this.process.exit(1);
}

6
apps/cli/src/routes/completions.ts
View File

@@ -1,9 +1,8 @@
import type { LocalContext } from "../context.js";
import { buildCommand } from "@stricli/core";
type Shell = "bash" | "zsh" | "fish";
const SUPPORTED_SHELLS: readonly Shell[] = ["bash", "zsh", "fish"] as const;
const SUPPORTED_SHELLS = ["bash", "zsh", "fish"] as const;
type Shell = (typeof SUPPORTED_SHELLS)[number];
function parseShell(value: string): Shell {
const shell = value.toLowerCase();
@@ -45,7 +44,6 @@ function completions(
_flags: Record<string, never>,
shell: Shell,
): void {
// biome-ignore lint/nursery/noUnnecessaryConditions: switch on union type is valid
switch (shell) {
case "bash":
console.log("To enable bash completions for reviq, run:\n");

6
apps/cli/src/routes/org/add-site.ts
View File

@@ -1,6 +1,7 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { formatError } from "../../utils/format-error.js";
interface AddSiteFlags {
org: string;
@@ -18,10 +19,7 @@ async function addSite(this: LocalContext, flags: AddSiteFlags): Promise<void> {
console.log(`Added site ${flags.domain} to org ${flags.org}`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
console.error("Error:", formatError(error));
this.process.exit(1);
}
}

6
apps/cli/src/routes/org/create.ts
View File

@@ -1,6 +1,7 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { formatError } from "../../utils/format-error.js";
interface CreateOrgFlags {
slug: string;
@@ -24,10 +25,7 @@ async function create(
console.log(`Created org: ${result.slug}`);
console.log(`Owner: ${flags.owner}`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
console.error("Error:", formatError(error));
this.process.exit(1);
}
}

8
apps/cli/src/routes/org/list.ts
View File

@@ -1,6 +1,7 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { formatError } from "../../utils/format-error.js";
async function list(this: LocalContext): Promise<void> {
try {
@@ -23,12 +24,9 @@ async function list(this: LocalContext): Promise<void> {
console.log();
}
console.log(`Total: ${String(orgs.length)} organization(s)`);
console.log(`Total: ${orgs.length.toLocaleString()} organization(s)`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
console.error("Error:", formatError(error));
this.process.exit(1);
}
}

6
apps/cli/src/routes/user/confirm-email.ts
View File

@@ -1,6 +1,7 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { formatError } from "../../utils/format-error.js";
interface ConfirmEmailFlags {
email: string;
@@ -19,10 +20,7 @@ async function confirmEmail(
console.log(`Confirmed email for: ${flags.email}`);
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
console.error("Error:", formatError(error));
this.process.exit(1);
}
}

18
apps/cli/src/routes/user/create.ts
View File

@@ -1,23 +1,26 @@
import type { LocalContext } from "../../context.js";
import { buildCommand } from "@stricli/core";
import { createApiClient } from "../../utils/api-client.js";
import { formatError } from "../../utils/format-error.js";
type OrgRole = "owner" | "admin" | "member";
const validRoles: OrgRole[] = ["owner", "admin", "member"];
const VALID_ROLES: readonly OrgRole[] = ["owner", "admin", "member"] as const;
function parseRole(role: string | undefined): OrgRole | undefined {
if (!role) {
return undefined;
}
if (validRoles.includes(role as OrgRole)) {
return role as OrgRole;
}
if (!VALID_ROLES.includes(role as OrgRole)) {
throw new Error(
`Invalid role: ${role}. Must be one of: ${validRoles.join(", ")}`,
`Invalid role: ${role}. Must be one of: ${VALID_ROLES.join(", ")}`,
);
}
return role as OrgRole;
}
interface CreateUserFlags {
email: string;
name?: string;
@@ -45,10 +48,7 @@ async function create(
console.log(`Added to org: ${flags.org} as ${flags.role ?? "member"}`);
}
} catch (error) {
console.error(
"Error:",
error instanceof Error ? error.message : String(error),
);
console.error("Error:", formatError(error));
this.process.exit(1);
}
}

28
apps/cli/src/utils/api-client.ts
View File

@@ -10,6 +10,14 @@ import { readConfig } from "./config.js";
export type ApiClient = ContractRouterClient<typeof contract>;
function buildClient(apiUrl: string, token: string): ApiClient {
const link = new RPCLink({
url: `${apiUrl}/api/v1/rpc`,
headers: { "X-API-Key": token },
});
return createORPCClient(link) as unknown as ApiClient;
}
/**
* Create an oRPC API client with provided credentials
*/
@@ -25,18 +33,10 @@ export function createApiClient(
apiUrl?: string,
token?: string,
): ApiClient | Promise<ApiClient> {
// If both arguments are provided, create client directly
if (apiUrl !== undefined && token !== undefined) {
const link = new RPCLink({
url: `${apiUrl}/api/v1/rpc`,
headers: {
"X-API-Key": token,
},
});
return createORPCClient(link) as unknown as ApiClient;
return buildClient(apiUrl, token);
}
// Otherwise, read from config asynchronously
return (async (): Promise<ApiClient> => {
const config = await readConfig();
if (!config) {
@@ -44,14 +44,6 @@ export function createApiClient(
"Not logged in. Run 'reviq bootstrap' or 'reviq auth login' first.",
);
}
const link = new RPCLink({
url: `${config.apiUrl}/api/v1/rpc`,
headers: {
"X-API-Key": config.token,
},
});
return createORPCClient(link) as unknown as ApiClient;
return buildClient(config.apiUrl, config.token);
})();
}

16
apps/cli/src/utils/config.ts
View File

@@ -19,40 +19,42 @@ const CONFIG_FILE = join(CONFIG_DIR, "credentials.json");
/**
* Get the path to the config file
*/
export const getConfigPath = (): string => CONFIG_FILE;
export function getConfigPath(): string {
return CONFIG_FILE;
}
/**
* Read the config file
* Returns null if the file doesn't exist or is invalid
*/
export const readConfig = async (): Promise<Config | null> => {
export async function readConfig(): Promise<Config | null> {
try {
const data = await readFile(CONFIG_FILE, "utf-8");
return JSON.parse(data) as Config;
} catch {
return null;
}
};
}
/**
* Write the config file
* Creates the config directory if it doesn't exist
*/
export const writeConfig = async (config: Config): Promise<void> => {
export async function writeConfig(config: Config): Promise<void> {
await mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), {
mode: 0o600,
});
};
}
/**
* Delete the config file
* Ignores errors if the file doesn't exist
*/
export const deleteConfig = async (): Promise<void> => {
export async function deleteConfig(): Promise<void> {
try {
await unlink(CONFIG_FILE);
} catch {
// Ignore if doesn't exist
}
};
}

20
apps/cli/src/utils/format-error.ts Normal file
View File

@@ -0,0 +1,20 @@
import { ORPCError } from "@orpc/client";
/**
* Format an unknown error value into a string message.
* Handles ORPCError, Error instances, strings, and other types safely.
*/
export function formatError(error: unknown): string {
if (error instanceof ORPCError) {
// eslint-disable-next-line @typescript-eslint/restrict-template-expressions -- ORPCError.code is typed as any
return `[${error.code}] ${error.message}`;
}
if (error instanceof Error) {
return error.message;
}
if (typeof error === "string") {
return error;
}
// eslint-disable-next-line @typescript-eslint/restrict-template-expressions -- intentional unknown coercion
return `${error}`;
}

3
apps/cli/tsconfig.json
View File

@@ -19,6 +19,5 @@
"isolatedDeclarations": false,
"composite": false
},
"include": ["src/**/*"],
"exclude": ["node_modules", "dist"]
"include": ["src/**/*"]
}

1
apps/publisher-dashboard/src/lib/components/account/index.ts
View File

@@ -1,7 +1,6 @@
export { default as AccountNav } from "./account-nav.svelte";
export { default as AddPasskeyDialog } from "./add-passkey-dialog.svelte";
export { default as ChangePasswordDialog } from "./change-password-dialog.svelte";
export { default as ConfirmDialog } from "./confirm-dialog.svelte";
export { default as DeleteAccountDialog } from "./delete-account-dialog.svelte";
export { default as PasskeyList } from "./passkey-list.svelte";
export { default as RenamePasskeyDialog } from "./rename-passkey-dialog.svelte";

2
apps/publisher-dashboard/src/lib/components/account/passkey-list.svelte
View File

@@ -5,7 +5,7 @@ import { useQueryClient } from "@tanstack/svelte-query";
import { toast } from "svelte-sonner";
import { api } from "$lib/api/client";
import { Button } from "$lib/components/ui/button";
import ConfirmDialog from "./confirm-dialog.svelte";
import { ConfirmDialog } from "$lib/components/ui/confirm-dialog";
import RenamePasskeyDialog from "./rename-passkey-dialog.svelte";
interface Passkey {

66
apps/publisher-dashboard/src/lib/components/dashboard/tabs/ad-unit-table.svelte
View File

@@ -1,7 +1,11 @@
<script lang="ts">
import * as Table from "$lib/components/ui/table";
import MetricsTable, { type MetricsRow } from "./metrics-table.svelte";
const tableData = [
interface AdUnitRow extends MetricsRow {
name: string;
}
const tableData: AdUnitRow[] = [
{
id: 1,
name: "/header/leaderboard-728x90",
@@ -51,58 +55,10 @@ const tableData = [
impPercent: 9.16,
},
];
function getBarWidth(value: number, max: number): number {
return (value / max) * 100;
}
const maxRevPercent = Math.max(...tableData.map((d) => d.revPercent));
</script>
<Table.Root>
<Table.Header>
<Table.Row class="border-b border-border hover:bg-transparent">
<Table.Head class="h-10 w-10 pl-5"></Table.Head>
<Table.Head class="h-10 text-xs font-medium text-muted-foreground">Ad unit</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Revenue</Table.Head>
<Table.Head class="h-10 w-32 text-right text-xs font-medium text-muted-foreground">
<div class="flex items-center justify-end gap-1">
% of revenue
<svg class="h-3 w-3 text-muted-foreground/60" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
<path d="m18 15-6-6-6 6" stroke-linecap="round" stroke-linejoin="round" />
</svg>
</div>
</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Impressions</Table.Head>
<Table.Head class="h-10 pr-5 text-right text-xs font-medium text-muted-foreground">% of impr.</Table.Head>
</Table.Row>
</Table.Header>
<Table.Body>
{#each tableData as row, i (row.id)}
<Table.Row class="group border-b border-border/50 transition-colors last:border-0 hover:bg-muted/30">
<Table.Cell class="w-10 py-3 pl-5">
<div class="flex h-4 w-4 items-center justify-center rounded border border-border bg-muted/50 text-[10px] font-medium text-muted-foreground">
{i + 1}
</div>
</Table.Cell>
<Table.Cell class="py-3">
<code class="font-mono text-[13px] text-foreground">{row.name}</code>
</Table.Cell>
<Table.Cell class="py-3 text-right font-medium tabular-nums text-foreground">{row.revenue}</Table.Cell>
<Table.Cell class="w-32 py-3">
<div class="flex items-center justify-end gap-2">
<div class="h-1.5 w-16 overflow-hidden rounded-full bg-muted">
<div
class="h-full rounded-full bg-foreground/70 transition-all duration-300"
style="width: {getBarWidth(row.revPercent, maxRevPercent)}%"
></div>
</div>
<span class="w-12 text-right font-medium tabular-nums text-foreground">{row.revPercent.toFixed(2)}%</span>
</div>
</Table.Cell>
<Table.Cell class="py-3 text-right tabular-nums text-muted-foreground">{row.impressions}</Table.Cell>
<Table.Cell class="py-3 pr-5 text-right tabular-nums text-muted-foreground">{row.impPercent.toFixed(2)}%</Table.Cell>
</Table.Row>
{/each}
</Table.Body>
</Table.Root>
<MetricsTable data={tableData} labelHeader="Ad unit" showSortIcon>
{#snippet labelCell({ row })}
<code class="font-mono text-[13px] text-foreground">{(row as AdUnitRow).name}</code>
{/snippet}
</MetricsTable>

63
apps/publisher-dashboard/src/lib/components/dashboard/tabs/country-table.svelte
View File

@@ -1,7 +1,12 @@
<script lang="ts">
import * as Table from "$lib/components/ui/table";
import MetricsTable, { type MetricsRow } from "./metrics-table.svelte";
const tableData = [
interface CountryRow extends MetricsRow {
name: string;
code: string;
}
const tableData: CountryRow[] = [
{
id: 1,
name: "United States",
@@ -57,54 +62,14 @@ const tableData = [
impPercent: 4.68,
},
];
function getBarWidth(value: number, max: number): number {
return (value / max) * 100;
}
const maxRevPercent = Math.max(...tableData.map((d) => d.revPercent));
</script>
<Table.Root>
<Table.Header>
<Table.Row class="border-b border-border hover:bg-transparent">
<Table.Head class="h-10 w-10 pl-5"></Table.Head>
<Table.Head class="h-10 text-xs font-medium text-muted-foreground">Country</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Revenue</Table.Head>
<Table.Head class="h-10 w-32 text-right text-xs font-medium text-muted-foreground">% of revenue</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Impressions</Table.Head>
<Table.Head class="h-10 pr-5 text-right text-xs font-medium text-muted-foreground">% of impr.</Table.Head>
</Table.Row>
</Table.Header>
<Table.Body>
{#each tableData as row, i (row.id)}
<Table.Row class="group border-b border-border/50 transition-colors last:border-0 hover:bg-muted/30">
<Table.Cell class="w-10 py-3 pl-5">
<div class="flex h-4 w-4 items-center justify-center rounded border border-border bg-muted/50 text-[10px] font-medium text-muted-foreground">
{i + 1}
</div>
</Table.Cell>
<Table.Cell class="py-3">
<MetricsTable data={tableData} labelHeader="Country">
{#snippet labelCell({ row })}
{@const countryRow = row as CountryRow}
<div class="flex items-center gap-2">
<span class="rounded bg-muted px-1.5 py-0.5 font-mono text-[11px] font-medium text-muted-foreground">{row.code}</span>
<span class="text-[13px] font-medium text-foreground">{row.name}</span>
<span class="rounded bg-muted px-1.5 py-0.5 font-mono text-[11px] font-medium text-muted-foreground">{countryRow.code}</span>
<span class="text-[13px] font-medium text-foreground">{countryRow.name}</span>
</div>
</Table.Cell>
<Table.Cell class="py-3 text-right font-medium tabular-nums text-foreground">{row.revenue}</Table.Cell>
<Table.Cell class="w-32 py-3">
<div class="flex items-center justify-end gap-2">
<div class="h-1.5 w-16 overflow-hidden rounded-full bg-muted">
<div
class="h-full rounded-full bg-foreground/70 transition-all duration-300"
style="width: {getBarWidth(row.revPercent, maxRevPercent)}%"
></div>
</div>
<span class="w-12 text-right font-medium tabular-nums text-foreground">{row.revPercent.toFixed(2)}%</span>
</div>
</Table.Cell>
<Table.Cell class="py-3 text-right tabular-nums text-muted-foreground">{row.impressions}</Table.Cell>
<Table.Cell class="py-3 pr-5 text-right tabular-nums text-muted-foreground">{row.impPercent.toFixed(2)}%</Table.Cell>
</Table.Row>
{/each}
</Table.Body>
</Table.Root>
{/snippet}
</MetricsTable>

59
apps/publisher-dashboard/src/lib/components/dashboard/tabs/domain-table.svelte
View File

@@ -1,7 +1,11 @@
<script lang="ts">
import * as Table from "$lib/components/ui/table";
import MetricsTable, { type MetricsRow } from "./metrics-table.svelte";
const tableData = [
interface DomainRow extends MetricsRow {
name: string;
}
const tableData: DomainRow[] = [
{
id: 1,
name: "example.com",
@@ -27,51 +31,10 @@ const tableData = [
impPercent: 18.45,
},
];
function getBarWidth(value: number, max: number): number {
return (value / max) * 100;
}
const maxRevPercent = Math.max(...tableData.map((d) => d.revPercent));
</script>
<Table.Root>
<Table.Header>
<Table.Row class="border-b border-border hover:bg-transparent">
<Table.Head class="h-10 w-10 pl-5"></Table.Head>
<Table.Head class="h-10 text-xs font-medium text-muted-foreground">Domain</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Revenue</Table.Head>
<Table.Head class="h-10 w-32 text-right text-xs font-medium text-muted-foreground">% of revenue</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Impressions</Table.Head>
<Table.Head class="h-10 pr-5 text-right text-xs font-medium text-muted-foreground">% of impr.</Table.Head>
</Table.Row>
</Table.Header>
<Table.Body>
{#each tableData as row, i (row.id)}
<Table.Row class="group border-b border-border/50 transition-colors last:border-0 hover:bg-muted/30">
<Table.Cell class="w-10 py-3 pl-5">
<div class="flex h-4 w-4 items-center justify-center rounded border border-border bg-muted/50 text-[10px] font-medium text-muted-foreground">
{i + 1}
</div>
</Table.Cell>
<Table.Cell class="py-3">
<span class="text-[13px] font-medium text-foreground">{row.name}</span>
</Table.Cell>
<Table.Cell class="py-3 text-right font-medium tabular-nums text-foreground">{row.revenue}</Table.Cell>
<Table.Cell class="w-32 py-3">
<div class="flex items-center justify-end gap-2">
<div class="h-1.5 w-16 overflow-hidden rounded-full bg-muted">
<div
class="h-full rounded-full bg-foreground/70 transition-all duration-300"
style="width: {getBarWidth(row.revPercent, maxRevPercent)}%"
></div>
</div>
<span class="w-12 text-right font-medium tabular-nums text-foreground">{row.revPercent.toFixed(2)}%</span>
</div>
</Table.Cell>
<Table.Cell class="py-3 text-right tabular-nums text-muted-foreground">{row.impressions}</Table.Cell>
<Table.Cell class="py-3 pr-5 text-right tabular-nums text-muted-foreground">{row.impPercent.toFixed(2)}%</Table.Cell>
</Table.Row>
{/each}
</Table.Body>
</Table.Root>
<MetricsTable data={tableData} labelHeader="Domain">
{#snippet labelCell({ row })}
<span class="text-[13px] font-medium text-foreground">{(row as DomainRow).name}</span>
{/snippet}
</MetricsTable>

4
apps/publisher-dashboard/src/lib/components/dashboard/tabs/index.ts
View File

@@ -2,4 +2,8 @@ export { default as AdUnitTable } from "./ad-unit-table.svelte";
export { default as CountryTable } from "./country-table.svelte";
export { default as DomainTable } from "./domain-table.svelte";
export { default as KeyValueTable } from "./key-value-table.svelte";
export {
default as MetricsTable,
type MetricsRow,
} from "./metrics-table.svelte";
export { default as SourceTable } from "./source-table.svelte";

12
apps/publisher-dashboard/src/lib/components/dashboard/tabs/key-value-table.svelte
View File

@@ -1,7 +1,17 @@
<script lang="ts">
import * as Table from "$lib/components/ui/table";
const tableData = [
interface KeyValueRow {
id: number;
key: string;
value: string;
revenue: string;
revPercent: number;
impressions: string;
impPercent: number;
}
const tableData: KeyValueRow[] = [
{
id: 1,
key: "device",

77
apps/publisher-dashboard/src/lib/components/dashboard/tabs/metrics-table.svelte Normal file
View File

@@ -0,0 +1,77 @@
<script lang="ts">
import type { Snippet } from "svelte";
import * as Table from "$lib/components/ui/table";
export interface MetricsRow {
id: number;
revenue: string;
revPercent: number;
impressions: string;
impPercent: number;
}
interface Props {
data: MetricsRow[];
labelHeader: string;
labelCell: Snippet<[{ row: MetricsRow; index: number }]>;
showSortIcon?: boolean;
}
let { data, labelHeader, labelCell, showSortIcon = false }: Props = $props();
function getBarWidth(value: number, max: number): number {
return (value / max) * 100;
}
const maxRevPercent = $derived(Math.max(...data.map((d) => d.revPercent)));
</script>
<Table.Root>
<Table.Header>
<Table.Row class="border-b border-border hover:bg-transparent">
<Table.Head class="h-10 w-10 pl-5"></Table.Head>
<Table.Head class="h-10 text-xs font-medium text-muted-foreground">{labelHeader}</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Revenue</Table.Head>
<Table.Head class="h-10 w-32 text-right text-xs font-medium text-muted-foreground">
<div class="flex items-center justify-end gap-1">
% of revenue
{#if showSortIcon}
<svg class="h-3 w-3 text-muted-foreground/60" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
<path d="m18 15-6-6-6 6" stroke-linecap="round" stroke-linejoin="round" />
</svg>
{/if}
</div>
</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Impressions</Table.Head>
<Table.Head class="h-10 pr-5 text-right text-xs font-medium text-muted-foreground">% of impr.</Table.Head>
</Table.Row>
</Table.Header>
<Table.Body>
{#each data as row, i (row.id)}
<Table.Row class="group border-b border-border/50 transition-colors last:border-0 hover:bg-muted/30">
<Table.Cell class="w-10 py-3 pl-5">
<div class="flex h-4 w-4 items-center justify-center rounded border border-border bg-muted/50 text-[10px] font-medium text-muted-foreground">
{i + 1}
</div>
</Table.Cell>
<Table.Cell class="py-3">
{@render labelCell({ row, index: i })}
</Table.Cell>
<Table.Cell class="py-3 text-right font-medium tabular-nums text-foreground">{row.revenue}</Table.Cell>
<Table.Cell class="w-32 py-3">
<div class="flex items-center justify-end gap-2">
<div class="h-1.5 w-16 overflow-hidden rounded-full bg-muted">
<div
class="h-full rounded-full bg-foreground/70 transition-all duration-300"
style="width: {getBarWidth(row.revPercent, maxRevPercent)}%"
></div>
</div>
<span class="w-12 text-right font-medium tabular-nums text-foreground">{row.revPercent.toFixed(2)}%</span>
</div>
</Table.Cell>
<Table.Cell class="py-3 text-right tabular-nums text-muted-foreground">{row.impressions}</Table.Cell>
<Table.Cell class="py-3 pr-5 text-right tabular-nums text-muted-foreground">{row.impPercent.toFixed(2)}%</Table.Cell>
</Table.Row>
{/each}
</Table.Body>
</Table.Root>

59
apps/publisher-dashboard/src/lib/components/dashboard/tabs/source-table.svelte
View File

@@ -1,7 +1,11 @@
<script lang="ts">
import * as Table from "$lib/components/ui/table";
import MetricsTable, { type MetricsRow } from "./metrics-table.svelte";
const tableData = [
interface SourceRow extends MetricsRow {
name: string;
}
const tableData: SourceRow[] = [
{
id: 1,
name: "Google AdX",
@@ -43,51 +47,10 @@ const tableData = [
impPercent: 7.28,
},
];
function getBarWidth(value: number, max: number): number {
return (value / max) * 100;
}
const maxRevPercent = Math.max(...tableData.map((d) => d.revPercent));
</script>
<Table.Root>
<Table.Header>
<Table.Row class="border-b border-border hover:bg-transparent">
<Table.Head class="h-10 w-10 pl-5"></Table.Head>
<Table.Head class="h-10 text-xs font-medium text-muted-foreground">Source</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Revenue</Table.Head>
<Table.Head class="h-10 w-32 text-right text-xs font-medium text-muted-foreground">% of revenue</Table.Head>
<Table.Head class="h-10 text-right text-xs font-medium text-muted-foreground">Impressions</Table.Head>
<Table.Head class="h-10 pr-5 text-right text-xs font-medium text-muted-foreground">% of impr.</Table.Head>
</Table.Row>
</Table.Header>
<Table.Body>
{#each tableData as row, i (row.id)}
<Table.Row class="group border-b border-border/50 transition-colors last:border-0 hover:bg-muted/30">
<Table.Cell class="w-10 py-3 pl-5">
<div class="flex h-4 w-4 items-center justify-center rounded border border-border bg-muted/50 text-[10px] font-medium text-muted-foreground">
{i + 1}
</div>
</Table.Cell>
<Table.Cell class="py-3">
<span class="text-[13px] font-medium text-foreground">{row.name}</span>
</Table.Cell>
<Table.Cell class="py-3 text-right font-medium tabular-nums text-foreground">{row.revenue}</Table.Cell>
<Table.Cell class="w-32 py-3">
<div class="flex items-center justify-end gap-2">
<div class="h-1.5 w-16 overflow-hidden rounded-full bg-muted">
<div
class="h-full rounded-full bg-foreground/70 transition-all duration-300"
style="width: {getBarWidth(row.revPercent, maxRevPercent)}%"
></div>
</div>
<span class="w-12 text-right font-medium tabular-nums text-foreground">{row.revPercent.toFixed(2)}%</span>
</div>
</Table.Cell>
<Table.Cell class="py-3 text-right tabular-nums text-muted-foreground">{row.impressions}</Table.Cell>
<Table.Cell class="py-3 pr-5 text-right tabular-nums text-muted-foreground">{row.impPercent.toFixed(2)}%</Table.Cell>
</Table.Row>
{/each}
</Table.Body>
</Table.Root>
<MetricsTable data={tableData} labelHeader="Source">
{#snippet labelCell({ row })}
<span class="text-[13px] font-medium text-foreground">{(row as SourceRow).name}</span>
{/snippet}
</MetricsTable>

95
apps/publisher-dashboard/src/lib/components/org/confirm-dialog.svelte
View File

@@ -1,95 +0,0 @@
<script lang="ts">
import { X } from "@lucide/svelte";
import { Dialog as DialogPrimitive } from "bits-ui";
import { Button } from "$lib/components/ui/button";
import { cn } from "$lib/utils";
interface Props {
open: boolean;
title: string;
description: string;
confirmLabel?: string;
cancelLabel?: string;
variant?: "destructive" | "default";
loading?: boolean;
onconfirm: () => void;
oncancel: () => void;
}
let {
open = $bindable(false),
title,
description,
confirmLabel = "Confirm",
cancelLabel = "Cancel",
variant = "default",
loading = false,
onconfirm,
oncancel,
}: Props = $props();
function handleCancel() {
open = false;
oncancel();
}
function handleConfirm() {
onconfirm();
}
</script>
<DialogPrimitive.Root bind:open>
<DialogPrimitive.Portal>
<DialogPrimitive.Overlay
class="fixed inset-0 z-50 bg-black/80 data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0"
/>
<DialogPrimitive.Content
class={cn(
"fixed left-1/2 top-1/2 z-50 w-full max-w-md -translate-x-1/2 -translate-y-1/2",
"rounded-lg border bg-background p-6 shadow-lg",
"data-[state=open]:animate-in data-[state=closed]:animate-out",
"data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0",
"data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95",
"data-[state=closed]:slide-out-to-left-1/2 data-[state=closed]:slide-out-to-top-[48%]",
"data-[state=open]:slide-in-from-left-1/2 data-[state=open]:slide-in-from-top-[48%]",
"duration-200"
)}
>
<!-- Close button -->
<DialogPrimitive.Close
class="absolute right-4 top-4 rounded-sm opacity-70 ring-offset-background transition-opacity hover:opacity-100 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:pointer-events-none"
onclick={handleCancel}
>
<X class="h-4 w-4" />
<span class="sr-only">Close</span>
</DialogPrimitive.Close>
<!-- Header -->
<div class="space-y-2">
<DialogPrimitive.Title class="text-lg font-semibold leading-none tracking-tight">
{title}
</DialogPrimitive.Title>
<DialogPrimitive.Description class="text-sm text-muted-foreground">
{description}
</DialogPrimitive.Description>
</div>
<!-- Actions -->
<div class="mt-6 flex justify-end gap-3">
<Button variant="outline" onclick={handleCancel} disabled={loading}>
{cancelLabel}
</Button>
<Button
variant={variant === "destructive" ? "destructive" : "default"}
onclick={handleConfirm}
disabled={loading}
>
{#if loading}
<span class="mr-2 h-4 w-4 animate-spin rounded-full border-2 border-current border-t-transparent"></span>
{/if}
{confirmLabel}
</Button>
</div>
</DialogPrimitive.Content>
</DialogPrimitive.Portal>
</DialogPrimitive.Root>

1
apps/publisher-dashboard/src/lib/components/org/index.ts
View File

@@ -1,3 +1,2 @@
export { default as ConfirmDialog } from "./confirm-dialog.svelte";
export { default as OrgAvatar } from "./org-avatar.svelte";
export { default as RoleBadge } from "./role-badge.svelte";

8
apps/publisher-dashboard/src/lib/components/account/confirm-dialog.svelte → apps/publisher-dashboard/src/lib/components/ui/confirm-dialog/confirm-dialog.svelte
View File

@@ -28,7 +28,7 @@ let {
onConfirm,
}: Props = $props();
async function handleConfirm() {
async function handleConfirm(): Promise<void> {
await onConfirm();
}
</script>
@@ -54,8 +54,8 @@ async function handleConfirm() {
<LoadingButton
variant="destructive"
class="w-full"
loading={loading}
loadingText={loadingText}
{loading}
{loadingText}
onclick={handleConfirm}
>
{confirmText}
@@ -77,7 +77,7 @@ async function handleConfirm() {
{cancelText}
</Button>
<LoadingButton
loading={loading}
{loading}
onclick={handleConfirm}
>
{confirmText}

1
apps/publisher-dashboard/src/lib/components/ui/confirm-dialog/index.ts Normal file
View File

@@ -0,0 +1 @@
export { default as ConfirmDialog } from "./confirm-dialog.svelte";

2
apps/publisher-dashboard/src/routes/account/api-tokens/+page.svelte
View File

@@ -14,7 +14,6 @@ import { toast } from "svelte-sonner";
import { goto } from "$app/navigation";
import { resolve } from "$app/paths";
import { api } from "$lib/api/client";
import { ConfirmDialog } from "$lib/components/account";
import { Alert, AlertDescription } from "$lib/components/ui/alert";
import { Badge } from "$lib/components/ui/badge";
import { Button } from "$lib/components/ui/button";
@@ -25,6 +24,7 @@ import {
CardHeader,
CardTitle,
} from "$lib/components/ui/card";
import { ConfirmDialog } from "$lib/components/ui/confirm-dialog";
import { Input } from "$lib/components/ui/input";
import { Label } from "$lib/components/ui/label";

2
apps/publisher-dashboard/src/routes/account/devices/+page.svelte
View File

@@ -12,7 +12,6 @@ import { formatRelativeTime } from "@reviq/common";
import { createQuery, useQueryClient } from "@tanstack/svelte-query";
import { toast } from "svelte-sonner";
import { api } from "$lib/api/client";
import { ConfirmDialog } from "$lib/components/account";
import { Alert, AlertDescription } from "$lib/components/ui/alert";
import { Badge } from "$lib/components/ui/badge";
import { Button } from "$lib/components/ui/button";
@@ -23,6 +22,7 @@ import {
CardHeader,
CardTitle,
} from "$lib/components/ui/card";
import { ConfirmDialog } from "$lib/components/ui/confirm-dialog";
const queryClient = useQueryClient();

2
apps/publisher-dashboard/src/routes/account/sessions/+page.svelte
View File

@@ -15,7 +15,6 @@ import { createQuery, useQueryClient } from "@tanstack/svelte-query";
import { toast } from "svelte-sonner";
import { UAParser } from "ua-parser-js";
import { api } from "$lib/api/client";
import { ConfirmDialog } from "$lib/components/account";
import { Alert, AlertDescription } from "$lib/components/ui/alert";
import { Badge } from "$lib/components/ui/badge";
import { Button } from "$lib/components/ui/button";
@@ -26,6 +25,7 @@ import {
CardHeader,
CardTitle,
} from "$lib/components/ui/card";
import { ConfirmDialog } from "$lib/components/ui/confirm-dialog";
const queryClient = useQueryClient();

7
apps/publisher-dashboard/src/routes/admin/orgs/+page.svelte
View File

@@ -6,7 +6,6 @@ import { toast } from "svelte-sonner";
import { resolve } from "$app/paths";
import { api } from "$lib/api/client.js";
import { AdminLayout } from "$lib/components/layout";
import ConfirmDialog from "$lib/components/org/confirm-dialog.svelte";
import { Button } from "$lib/components/ui/button/index.js";
import {
Card,
@@ -14,6 +13,7 @@ import {
CardHeader,
CardTitle,
} from "$lib/components/ui/card/index.js";
import { ConfirmDialog } from "$lib/components/ui/confirm-dialog";
import { Skeleton } from "$lib/components/ui/skeleton/index.js";
import {
Table,
@@ -238,8 +238,7 @@ async function executeConfirmAction() {
title={confirmDialogTitle}
description={confirmDialogDescription}
variant="destructive"
confirmLabel="Delete"
confirmText="Delete"
loading={isConfirmLoading}
onconfirm={executeConfirmAction}
oncancel={() => confirmDialogOpen = false}
onConfirm={executeConfirmAction}
/>

Some files were not shown because too many files have changed in this diff Show More