2026-05-19 00:24:47 +02:00
|
|
|
import type { FastifyInstance } from 'fastify';
|
|
|
|
|
import { z } from 'zod';
|
feat(admin): password-auth admin panel with 8 pages + 15 API endpoints
Schema migrations:
- users.is_admin boolean
- users.password_hash text (scrypt N=16384, 16-byte salt)
- users.last_login_at timestamp
- organizations.suspended + suspended_reason
- admin_settings table (DB-stored prompt override + future settings)
Auth (@bmm/auth):
- hashPassword + verifyPassword via node:crypto scrypt (no extra dep)
- loginWithPassword: scrypt-verifies, issues 30-day session, updates last_login_at
- seedAdmin: idempotent upsert keyed on email; creates org + membership on first run
- AuthedUser now carries isAdmin flag
API:
- POST /v1/auth/admin/login (email + password) — 300ms throttle on failure
- requireAdmin preHandler — 401 if no session, 403 if non-admin
- Bootstrap: api on boot calls seedAdmin(ADMIN_EMAIL, ADMIN_PASSWORD, ADMIN_NAME)
if env present. Idempotent.
Admin API routes (all gated by requireAdmin):
- GET /v1/admin/overview (totals, trends 7d, server-status breakdown, builds 24h, recent activity)
- GET /v1/admin/users (search, per-row org + plan + serverCount)
- PATCH /v1/admin/users/:id (isAdmin, name)
- DELETE /v1/admin/users/:id (self-delete blocked)
- GET /v1/admin/orgs (member + server counts)
- PATCH /v1/admin/orgs/:id (plan, quota, suspended; cascades to mcp_servers.status=paused on suspend)
- GET /v1/admin/servers (cross-org with status filter)
- POST /v1/admin/servers/:id/rebuild (re-queues build using last prompt)
- DELETE /v1/admin/servers/:id
- GET /v1/admin/builds (status filter, error messages, prompt previews)
- GET /v1/admin/builds/:id/logs
- GET /v1/admin/audit (system-wide with user email join)
- GET /v1/admin/system (DB ping, Redis ping, BullMQ queue depth, docker ps count)
- GET /v1/admin/prompt (builtin + override + updatedAt)
- PATCH /v1/admin/prompt (value: string | null) — saves DB override or drops it
UI (apps/web/app/admin/*):
- /admin/login — password form, separate from /login magic-link
- AdminLayout — Linear-style sidebar (8 nav items), bottom panel with user email +
'user view' shortcut + logout, client-side requireAdmin guard with redirect
- /admin — overview dashboard with 4 metric cards, 2 panels (status + 24h builds),
recent activity table linking to full audit
- /admin/users — search + admin toggle + delete (self-delete blocked)
- /admin/orgs — plan/quota/suspend actions via prompts
- /admin/servers — cross-org table with rebuild + delete actions, status filter
- /admin/builds — every build cross-fleet with error vs prompt preview
- /admin/audit — system-wide log + CSV export + filter dropdowns
- /admin/system — auto-refreshing 5s health probes for Postgres, Redis, queue, Docker
- /admin/prompt — live editor for the LLM system prompt with built-in baseline,
override-state badge, drop-override action, diff preview, save-as-override
End-to-end verified: login as marco.frangiskatos@gmail.com + Melusa112233.*, every
admin page returns 200, admin login + overview tested via screenshot, docker probe
returns true count of running MCP containers.
2026-05-19 23:01:26 +02:00
|
|
|
import {
|
|
|
|
|
consumeMagicLink,
|
|
|
|
|
destroySession,
|
|
|
|
|
getSession,
|
|
|
|
|
issueMagicLink,
|
|
|
|
|
loginWithPassword,
|
|
|
|
|
} from '@bmm/auth';
|
feat(api,generator): preview endpoint + spec cache + audit-log writes
- POST /v1/servers/preview runs Claude synchronously, validates output, caches spec
in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets.
- POST /v1/servers accepts optional previewId; worker reuses the cached spec if
the entry is still present, otherwise regenerates fresh. Skips the second
Claude round-trip (~30s saved on the demoable path).
- audit() helper writes auth.login, auth.logout, server.create, server.iterate,
server.delete to audit_log with ip, metadata, resourceId.
- GET /v1/me/org returns organization + members list for the settings page.
- GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries.
2026-05-19 18:08:29 +02:00
|
|
|
import { audit } from '../lib/audit.js';
|
2026-05-19 00:24:47 +02:00
|
|
|
import { config } from '../config.js';
|
|
|
|
|
|
|
|
|
|
const SESSION_COOKIE = 'bmm_session';
|
|
|
|
|
|
|
|
|
|
export async function authRoutes(app: FastifyInstance): Promise<void> {
|
|
|
|
|
app.post('/v1/auth/magic-link', async (req, reply) => {
|
|
|
|
|
const Body = z.object({ email: z.string().email() });
|
|
|
|
|
const parsed = Body.safeParse(req.body);
|
|
|
|
|
if (!parsed.success) return reply.code(400).send({ error: 'invalid_email' });
|
|
|
|
|
try {
|
|
|
|
|
const { token, expiresAt } = await issueMagicLink(parsed.data.email);
|
|
|
|
|
const callbackUrl = `${config.NEXT_PUBLIC_APP_URL}/login/callback?token=${token}`;
|
|
|
|
|
// Dev transport: print to stdout. Production: send via Resend / SES.
|
|
|
|
|
app.log.info({ to: parsed.data.email, expiresAt }, `[magic-link] -> ${callbackUrl}`);
|
|
|
|
|
console.log(`\n[magic-link] ${parsed.data.email} ->\n ${callbackUrl}\n`);
|
|
|
|
|
return reply.send({ ok: true });
|
|
|
|
|
} catch (e) {
|
|
|
|
|
app.log.error(e);
|
|
|
|
|
return reply.code(400).send({ error: 'magic_link_failed' });
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
app.post('/v1/auth/verify', async (req, reply) => {
|
|
|
|
|
const Body = z.object({ token: z.string().min(10) });
|
|
|
|
|
const parsed = Body.safeParse(req.body);
|
|
|
|
|
if (!parsed.success) return reply.code(400).send({ error: 'invalid_token' });
|
|
|
|
|
try {
|
|
|
|
|
const session = await consumeMagicLink(parsed.data.token, {
|
|
|
|
|
ipAddress: req.ip,
|
|
|
|
|
userAgent: req.headers['user-agent'],
|
|
|
|
|
});
|
|
|
|
|
reply.setCookie(SESSION_COOKIE, session.sessionToken, {
|
|
|
|
|
httpOnly: true,
|
|
|
|
|
sameSite: 'lax',
|
|
|
|
|
path: '/',
|
|
|
|
|
secure: config.NODE_ENV === 'production',
|
|
|
|
|
maxAge: 30 * 24 * 60 * 60,
|
|
|
|
|
});
|
feat(api,generator): preview endpoint + spec cache + audit-log writes
- POST /v1/servers/preview runs Claude synchronously, validates output, caches spec
in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets.
- POST /v1/servers accepts optional previewId; worker reuses the cached spec if
the entry is still present, otherwise regenerates fresh. Skips the second
Claude round-trip (~30s saved on the demoable path).
- audit() helper writes auth.login, auth.logout, server.create, server.iterate,
server.delete to audit_log with ip, metadata, resourceId.
- GET /v1/me/org returns organization + members list for the settings page.
- GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries.
2026-05-19 18:08:29 +02:00
|
|
|
await audit({
|
|
|
|
|
orgId: session.orgId,
|
|
|
|
|
userId: session.userId,
|
|
|
|
|
action: 'auth.login',
|
|
|
|
|
resourceType: 'session',
|
|
|
|
|
metadata: { email: session.email },
|
|
|
|
|
ipAddress: req.ip,
|
|
|
|
|
});
|
2026-05-19 00:24:47 +02:00
|
|
|
return reply.send({
|
|
|
|
|
ok: true,
|
|
|
|
|
user: { id: session.userId, email: session.email, orgId: session.orgId },
|
|
|
|
|
});
|
|
|
|
|
} catch (e) {
|
|
|
|
|
app.log.warn({ err: e }, 'magic link verify failed');
|
|
|
|
|
return reply.code(400).send({ error: 'invalid_or_expired_token' });
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
app.get('/v1/auth/me', async (req, reply) => {
|
|
|
|
|
const token = req.cookies[SESSION_COOKIE];
|
|
|
|
|
const session = await getSession(token);
|
|
|
|
|
if (!session) return reply.code(401).send({ error: 'unauthorized' });
|
|
|
|
|
return reply.send({ user: session });
|
|
|
|
|
});
|
|
|
|
|
|
feat(admin): password-auth admin panel with 8 pages + 15 API endpoints
Schema migrations:
- users.is_admin boolean
- users.password_hash text (scrypt N=16384, 16-byte salt)
- users.last_login_at timestamp
- organizations.suspended + suspended_reason
- admin_settings table (DB-stored prompt override + future settings)
Auth (@bmm/auth):
- hashPassword + verifyPassword via node:crypto scrypt (no extra dep)
- loginWithPassword: scrypt-verifies, issues 30-day session, updates last_login_at
- seedAdmin: idempotent upsert keyed on email; creates org + membership on first run
- AuthedUser now carries isAdmin flag
API:
- POST /v1/auth/admin/login (email + password) — 300ms throttle on failure
- requireAdmin preHandler — 401 if no session, 403 if non-admin
- Bootstrap: api on boot calls seedAdmin(ADMIN_EMAIL, ADMIN_PASSWORD, ADMIN_NAME)
if env present. Idempotent.
Admin API routes (all gated by requireAdmin):
- GET /v1/admin/overview (totals, trends 7d, server-status breakdown, builds 24h, recent activity)
- GET /v1/admin/users (search, per-row org + plan + serverCount)
- PATCH /v1/admin/users/:id (isAdmin, name)
- DELETE /v1/admin/users/:id (self-delete blocked)
- GET /v1/admin/orgs (member + server counts)
- PATCH /v1/admin/orgs/:id (plan, quota, suspended; cascades to mcp_servers.status=paused on suspend)
- GET /v1/admin/servers (cross-org with status filter)
- POST /v1/admin/servers/:id/rebuild (re-queues build using last prompt)
- DELETE /v1/admin/servers/:id
- GET /v1/admin/builds (status filter, error messages, prompt previews)
- GET /v1/admin/builds/:id/logs
- GET /v1/admin/audit (system-wide with user email join)
- GET /v1/admin/system (DB ping, Redis ping, BullMQ queue depth, docker ps count)
- GET /v1/admin/prompt (builtin + override + updatedAt)
- PATCH /v1/admin/prompt (value: string | null) — saves DB override or drops it
UI (apps/web/app/admin/*):
- /admin/login — password form, separate from /login magic-link
- AdminLayout — Linear-style sidebar (8 nav items), bottom panel with user email +
'user view' shortcut + logout, client-side requireAdmin guard with redirect
- /admin — overview dashboard with 4 metric cards, 2 panels (status + 24h builds),
recent activity table linking to full audit
- /admin/users — search + admin toggle + delete (self-delete blocked)
- /admin/orgs — plan/quota/suspend actions via prompts
- /admin/servers — cross-org table with rebuild + delete actions, status filter
- /admin/builds — every build cross-fleet with error vs prompt preview
- /admin/audit — system-wide log + CSV export + filter dropdowns
- /admin/system — auto-refreshing 5s health probes for Postgres, Redis, queue, Docker
- /admin/prompt — live editor for the LLM system prompt with built-in baseline,
override-state badge, drop-override action, diff preview, save-as-override
End-to-end verified: login as marco.frangiskatos@gmail.com + Melusa112233.*, every
admin page returns 200, admin login + overview tested via screenshot, docker probe
returns true count of running MCP containers.
2026-05-19 23:01:26 +02:00
|
|
|
app.post('/v1/auth/admin/login', async (req, reply) => {
|
|
|
|
|
const Body = z.object({
|
|
|
|
|
email: z.string().email(),
|
|
|
|
|
password: z.string().min(8),
|
|
|
|
|
});
|
|
|
|
|
const parsed = Body.safeParse(req.body);
|
|
|
|
|
if (!parsed.success) {
|
|
|
|
|
return reply.code(400).send({ error: 'invalid_input' });
|
|
|
|
|
}
|
|
|
|
|
try {
|
|
|
|
|
const session = await loginWithPassword(parsed.data.email, parsed.data.password, {
|
|
|
|
|
ipAddress: req.ip,
|
|
|
|
|
userAgent: req.headers['user-agent'],
|
|
|
|
|
});
|
|
|
|
|
if (!session.isAdmin) {
|
|
|
|
|
await destroySession(session.sessionToken);
|
|
|
|
|
return reply.code(403).send({ error: 'not_admin' });
|
|
|
|
|
}
|
|
|
|
|
reply.setCookie(SESSION_COOKIE, session.sessionToken, {
|
|
|
|
|
httpOnly: true,
|
|
|
|
|
sameSite: 'lax',
|
|
|
|
|
path: '/',
|
|
|
|
|
secure: config.NODE_ENV === 'production',
|
|
|
|
|
maxAge: 30 * 24 * 60 * 60,
|
|
|
|
|
});
|
|
|
|
|
await audit({
|
|
|
|
|
orgId: session.orgId,
|
|
|
|
|
userId: session.userId,
|
|
|
|
|
action: 'admin.login',
|
|
|
|
|
resourceType: 'session',
|
|
|
|
|
metadata: { email: session.email },
|
|
|
|
|
ipAddress: req.ip,
|
|
|
|
|
});
|
|
|
|
|
return reply.send({
|
|
|
|
|
ok: true,
|
|
|
|
|
user: { id: session.userId, email: session.email, orgId: session.orgId, isAdmin: true },
|
|
|
|
|
});
|
|
|
|
|
} catch (err) {
|
|
|
|
|
app.log.warn({ err }, 'admin login failed');
|
|
|
|
|
// Constant-time-ish to discourage username enumeration
|
|
|
|
|
await new Promise((r) => setTimeout(r, 300));
|
|
|
|
|
return reply.code(401).send({ error: 'invalid_credentials' });
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
2026-05-19 00:24:47 +02:00
|
|
|
app.post('/v1/auth/logout', async (req, reply) => {
|
|
|
|
|
const token = req.cookies[SESSION_COOKIE];
|
feat(api,generator): preview endpoint + spec cache + audit-log writes
- POST /v1/servers/preview runs Claude synchronously, validates output, caches spec
in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets.
- POST /v1/servers accepts optional previewId; worker reuses the cached spec if
the entry is still present, otherwise regenerates fresh. Skips the second
Claude round-trip (~30s saved on the demoable path).
- audit() helper writes auth.login, auth.logout, server.create, server.iterate,
server.delete to audit_log with ip, metadata, resourceId.
- GET /v1/me/org returns organization + members list for the settings page.
- GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries.
2026-05-19 18:08:29 +02:00
|
|
|
const session = token ? await getSession(token) : null;
|
2026-05-19 00:24:47 +02:00
|
|
|
if (token) await destroySession(token);
|
|
|
|
|
reply.clearCookie(SESSION_COOKIE, { path: '/' });
|
feat(api,generator): preview endpoint + spec cache + audit-log writes
- POST /v1/servers/preview runs Claude synchronously, validates output, caches spec
in Redis under preview:<id> with 5min TTL, returns previewId+spec+detectedSecrets.
- POST /v1/servers accepts optional previewId; worker reuses the cached spec if
the entry is still present, otherwise regenerates fresh. Skips the second
Claude round-trip (~30s saved on the demoable path).
- audit() helper writes auth.login, auth.logout, server.create, server.iterate,
server.delete to audit_log with ip, metadata, resourceId.
- GET /v1/me/org returns organization + members list for the settings page.
- GET /v1/audit?limit=&action=&resourceType= returns scoped audit entries.
2026-05-19 18:08:29 +02:00
|
|
|
if (session) {
|
|
|
|
|
await audit({
|
|
|
|
|
orgId: session.orgId,
|
|
|
|
|
userId: session.userId,
|
|
|
|
|
action: 'auth.logout',
|
|
|
|
|
resourceType: 'session',
|
|
|
|
|
ipAddress: req.ip,
|
|
|
|
|
});
|
|
|
|
|
}
|
2026-05-19 00:24:47 +02:00
|
|
|
return reply.send({ ok: true });
|
|
|
|
|
});
|
|
|
|
|
}
|