diff --git a/.env.example b/.env.example index fda2858b..4b2d53f4 100644 --- a/.env.example +++ b/.env.example @@ -5,12 +5,12 @@ DOMAIN=keycast.example.com # PostgreSQL database password (required for docker-compose) -POSTGRES_PASSWORD=change-this-secure-password-in-production +POSTGRES_PASSWORD=change-this-secure-password-for-nonlocal # Database connection URL # Local dev: postgres://postgres:password@localhost/keycast # Docker: postgres://postgres:${POSTGRES_PASSWORD}@postgres/keycast -DATABASE_URL=postgres://postgres:password@localhost/keycast +DATABASE_URL=postgres://postgres:change-this-secure-password-for-nonlocal@localhost/keycast # Allowed public keys for admin access (comma-separated) # Leave empty to allow any authenticated user @@ -45,7 +45,7 @@ SENDGRID_API_KEY= FROM_EMAIL=noreply@keycast.example.com # Optional: From name for email notifications -FROM_NAME=diVine +FROM_NAME=Synvya # Optional: Base URL for email verification links (used in email templates) # Should match your frontend URL diff --git a/.github/workflows/build-test-push-synvya.yaml b/.github/workflows/build-test-push-synvya.yaml index 4d604401..c885b1b8 100644 --- a/.github/workflows/build-test-push-synvya.yaml +++ b/.github/workflows/build-test-push-synvya.yaml @@ -136,12 +136,21 @@ jobs: key: ${{ secrets.EC2_STAGING_SSH_KEY }} command_timeout: 30m script: | + set -euo pipefail cd /opt/synvya/keycast - git pull origin synvya-staging + if [ -n "$(git status --porcelain)" ]; then + echo "Refusing to deploy from a dirty worktree" + git status --short + exit 1 + fi + git pull --ff-only origin synvya-staging bash scripts/load-secrets.sh staging if [ -n "${{ vars.DISABLE_EMAILS }}" ]; then echo "DISABLE_EMAILS=${{ vars.DISABLE_EMAILS }}" >> /opt/synvya/.env fi + docker system df || true + docker builder prune -af || true + docker image prune -af || true docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \ build postgres redis migrate keycast docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \ @@ -165,12 +174,21 @@ jobs: key: ${{ secrets.EC2_PRODUCTION_SSH_KEY }} command_timeout: 30m script: | + set -euo pipefail cd /opt/synvya/keycast - git pull origin synvya + if [ -n "$(git status --porcelain)" ]; then + echo "Refusing to deploy from a dirty worktree" + git status --short + exit 1 + fi + git pull --ff-only origin synvya bash scripts/load-secrets.sh production if [ -n "${{ vars.DISABLE_EMAILS }}" ]; then echo "DISABLE_EMAILS=${{ vars.DISABLE_EMAILS }}" >> /opt/synvya/.env fi + docker system df || true + docker builder prune -af || true + docker image prune -af || true docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \ build postgres redis migrate keycast docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \ diff --git a/.github/workflows/build-test-push.yaml b/.github/workflows/build-test-push.yaml index aa547696..1c4076a4 100644 --- a/.github/workflows/build-test-push.yaml +++ b/.github/workflows/build-test-push.yaml @@ -121,7 +121,7 @@ jobs: env: AWS_SES_TEST_RECIPIENT: ${{ vars.AWS_SES_TEST_RECIPIENT }} FROM_EMAIL: ${{ vars.AWS_SES_FROM_EMAIL || 'noreply@divine.video' }} - FROM_NAME: ${{ vars.AWS_SES_FROM_NAME || 'diVine' }} + FROM_NAME: ${{ vars.AWS_SES_FROM_NAME || 'Synvya' }} BASE_URL: https://example.com run: | cargo test -p keycast_api --features aws --test aws_ses_test -- --test-threads=1 diff --git a/.gitignore b/.gitignore index cb30aa5f..b0fbf942 100644 --- a/.gitignore +++ b/.gitignore @@ -32,7 +32,10 @@ api/oauth-ui/ specs/ examples/auth-flows-demo/ -# Machine-specific Kamal deployment (Pi homelab only, not for production) +# Machine-specific Kamal deployment# Environment variables +.env +.env.* +!.env.example config/deploy.yml .kamal/ scripts/deploy-to-pi.sh diff --git a/AGENTS.md b/AGENTS.md new file mode 120000 index 00000000..681311eb --- /dev/null +++ b/AGENTS.md @@ -0,0 +1 @@ +CLAUDE.md \ No newline at end of file diff --git a/CLAUDE.md b/CLAUDE.md index 0cb76c79..9550452b 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -201,6 +201,9 @@ Optional: - `SQLX_POOL_SIZE`: Database connection pool size (should match Cloud Run concurrency, default: `50`) - `VITE_ALLOWED_PUBKEYS`: Comma-separated pubkeys for whitelist access (web frontend) - `ENABLE_EXAMPLES`: Enable `/examples` directory serving (default: `false`, set to `true` for development) +- `DISABLE_WEB_UI`: Disable the SvelteKit web frontend (default: `false`). When `true`, non-API requests return 404 or redirect to `WEB_UI_REDIRECT_URL`. Use for deployments (e.g. Synvya) where end users should not access a keycast personal UI. `/api/*`, `/.well-known/*`, `/health*`, `/verify-email` (plus the `/_app/*` static assets it needs), and the server-rendered `/api/oauth/authorize` approval page remain available. +- `WEB_UI_REDIRECT_URL`: When `DISABLE_WEB_UI=true`, redirect non-API requests to this URL (e.g. `https://synvya.com`). If unset, non-API requests return 404. +- `PASSWORD_RESET_BASE_URL`: Base URL used when constructing password reset links in emails (default: `BASE_URL`). Set when the reset page is hosted on a different domain than `BASE_URL` — e.g. Synvya sets this to `https://account.synvya.com` in production and `https://account.staging.synvya.com` in staging, so the link points at the Synvya-hosted reset form that POSTs to keycast's `/api/auth/reset-password`. Development (`.env` in `/web`): - `VITE_ALLOWED_PUBKEYS`: Comma-separated pubkeys for dev access diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..4901fec8 --- /dev/null +++ b/Makefile @@ -0,0 +1,103 @@ +# ───────────────────────────────────────────────────────────────────────────── +# Keycast Development Helper +# ───────────────────────────────────────────────────────────────────────────── + +.PHONY: check-prereq install-prereq setup migrate help dev test env-local env-staging docker-build docker-up docker-down docker-logs + +# Default target: show help +all: help + +help: ## Show this help message + @echo "🔑 \033[1;32mSynvya Keycast\033[0m" + @echo "Unified Nostr key management and event signing service." + @echo "" + @echo "\033[1;34mUsage:\033[0m" + @echo " make " + @echo "" + @echo "\033[1;34mSetup & Environment:\033[0m" + @grep -E '^[-a-zA-Z0-9_]+:.*?## (Setup|Environment).*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf " \033[36m%-15s\033[0m %s\n", $$1, $$2}' + @echo "" + @echo "\033[1;34mDevelopment & Testing:\033[0m" + @grep -E '^[-a-zA-Z0-9_]+:.*?## (Development|Quality).*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf " \033[36m%-15s\033[0m %s\n", $$1, $$2}' + @echo "" + @echo "\033[1;34mDocker & Deployment:\033[0m" + @grep -E '^[-a-zA-Z0-9_]+:.*?## Docker.*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf " \033[36m%-15s\033[0m %s\n", $$1, $$2}' + @echo "" + +# --- Setup & Environment --- + +check-prereq: ## Setup: Verify Rust, Bun, and SQLX are installed + @echo "==> Checking Keycast prerequisites..." + @command -v cargo >/dev/null 2>&1 || (echo " ✗ cargo (Rust) not found"; exit 1) + @command -v bun >/dev/null 2>&1 || (echo " ✗ bun not found"; exit 1) + @command -v sqlx >/dev/null 2>&1 || (echo " ✗ sqlx-cli not found. Run 'make install-prereq'"; exit 1) + @echo " ✓ All Keycast prerequisites met!" + +install-prereq: ## Setup: Install sqlx-cli tool (required for migrations) + @echo "==> Installing prerequisites..." + cargo install sqlx-cli --no-default-features --features postgres + cargo install cargo-nextest --locked + +setup: ## Setup: Initialize .env and generate master key + @echo "==> Initializing environment configuration (.env.local)..." + @if [ ! -f ".env.local" ]; then bash scripts/init.sh --domain localhost --file .env.local; fi + @if grep -q "SERVER_NSEC=$$" .env.local; then \ + echo "==> Generating SERVER_NSEC for .env.local..."; \ + RAND_SEC=$$(openssl rand -hex 32); \ + sed -i '' "s/SERVER_NSEC=.*/SERVER_NSEC=$$RAND_SEC/" .env.local || sed -i "s/SERVER_NSEC=.*/SERVER_NSEC=$$RAND_SEC/" .env.local; \ + fi + @if [ ! -f "master.key" ]; then bun run key:generate; fi + @$(MAKE) env-local + @echo " ✓ Setup complete." + +env-local: ## Environment: Set active environment to .env.local + @echo "==> Setting active environment to .env.local" + @ln -sf .env.local .env + +env-staging: ## Environment: Set active environment to .env.staging + @echo "==> Setting active environment to .env.staging" + @if [ ! -f ".env.staging" ]; then echo " ✗ .env.staging not found. Create it from .env.example"; exit 1; fi + @ln -sf .env.staging .env + +migrate: ## Environment: Run database migrations + @$(MAKE) env-check + @echo "==> Running migrations..." + bun run db:migrate + +# --- Development --- + +dev: ## Development: Start the local development stack (native) + @$(MAKE) env-check + bun run dev + +# --- Quality --- + +test: ## Quality: Run unit and integration tests + @$(MAKE) env-check + bun run test + +# --- Docker --- + +docker-build: ## Docker: Build the docker images + @$(MAKE) env-check + @echo "==> Building Docker images..." + docker compose build + +docker-up: ## Docker: Start the services via docker-compose + @$(MAKE) env-check + @echo "==> Starting Keycast stack..." + docker compose up -d + +docker-down: ## Docker: Stop the services + @$(MAKE) env-check + @echo "==> Stopping Keycast stack..." + docker compose down + +docker-logs: ## Docker: Follow docker logs + @$(MAKE) env-check + docker compose logs -f + +# --- Internal --- + +env-check: + @if [ ! -L ".env" ] && [ ! -f ".env" ]; then echo " ✗ No .env file or symlink found. Run 'make setup'"; exit 1; fi diff --git a/README.md b/README.md index de378078..0bdd649a 100644 --- a/README.md +++ b/README.md @@ -160,25 +160,26 @@ POST to `/api/nostr` with `Authorization: Bearer `: | `nip44_encrypt` / `nip44_decrypt` | NIP-44 encryption | | `nip04_encrypt` / `nip04_decrypt` | NIP-04 encryption | -## Self-Hosting +## Development & Self-Hosting + +The fastest way to get started is using the provided `Makefile`. ```bash git clone https://github.com/ArcadeLabsInc/keycast.git cd keycast -bun install -# Generate encryption key -bun run key:generate +# 1. Interactive setup (generates keys, .env.local, etc.) +make setup -# Configure environment -cp .env.example .env -# Edit DATABASE_URL, SERVER_NSEC, ALLOWED_ORIGINS +# 2. Run with Docker +make docker-build +make docker-up -# Run with Docker -docker compose up -d --build +# 3. Run tests +make test ``` -See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for local development setup. +For detailed instructions on environment management, native development, and testing architecture, see **[build.README.md](./build.README.md)**. ### Environment Variables @@ -196,7 +197,7 @@ See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for local development setup. |----------|---------|-------------| | `SENDGRID_API_KEY` | *(none)* | If set, uses SendGrid; otherwise logs emails to console | | `FROM_EMAIL` | `noreply@keycast.app` | Sender email address | -| `FROM_NAME` | `diVine` | Sender display name | +| `FROM_NAME` | `Synvya` | Sender display name | | `BASE_URL` | `https://login.divine.video` | Base URL for email verification links | | `DISABLE_EMAILS` | *(none)* | If set (any value), skips sending emails | @@ -208,6 +209,7 @@ See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for local development setup. | `APP_URL` | `https://login.divine.video` | Fallback URL for OAuth callbacks | | `ALLOWED_PUBKEYS` | *(none)* | Comma-separated admin pubkeys whitelist | | `ALLOWED_ORIGINS` | *(none)* | CORS origins (comma-separated) | +| `NODE_ENV` | `development` | Set to `production` to enable mandatory HTTPS and `Secure` cookies. | #### Multi-tenancy diff --git a/api/src/api/http/admin.rs b/api/src/api/http/admin.rs index f395e730..c988b4ca 100644 --- a/api/src/api/http/admin.rs +++ b/api/src/api/http/admin.rs @@ -729,7 +729,18 @@ pub async fn batch_create_claim_tokens( // Send email if requested if let (Some(email), Some(svc)) = (&req.delivery_email, &email_service) { - if let Err(e) = svc.send_claim_email(email, &claim_url).await { + // Best-effort kind-0 fetch for the preloaded account so the email + // can show the restaurant's display name + logo on the claim card. + // Falls back to the plain layout on any failure. + let relays = keycast_core::types::authorization::Authorization::get_bunker_relays(); + let profile = crate::nostr_profile::fetch_profile_metadata(&user_pubkey, &relays).await; + let account_display_name = profile.as_ref().and_then(|p| p.display_name.as_deref()); + let account_picture = profile.as_ref().and_then(|p| p.picture.as_deref()); + + if let Err(e) = svc + .send_claim_email(email, &claim_url, account_display_name, account_picture) + .await + { tracing::warn!( "Failed to send claim email for vine_id={} to {}: {}", vine_id, @@ -898,6 +909,262 @@ pub async fn get_user_lookup( Ok(Json(UserLookupResponse { results, total })) } +// ============================================================================ +// GET /api/admin/user-teams?pubkey= - Teams, restaurant keys, and authorizations +// ============================================================================ + +#[derive(Debug, Deserialize)] +pub struct UserTeamsQuery { + pub pubkey: String, +} + +#[derive(Debug, Serialize)] +pub struct UserTeamsResponse { + pub teams: Vec, +} + +#[derive(Debug, Serialize)] +pub struct AdminTeamDetails { + pub id: i32, + pub name: String, + pub role: String, + pub joined_at: String, + pub restaurant_keys: Vec, +} + +#[derive(Debug, Serialize)] +pub struct AdminRestaurantKey { + pub id: i32, + pub name: String, + pub pubkey: String, + pub created_at: String, + pub authorizations: Vec, +} + +#[derive(Debug, Serialize)] +pub struct AdminAuthorization { + pub id: i32, + pub label: Option, + pub bunker_public_key: String, + pub relays: Vec, + pub connected_client_pubkey: Option, + pub connected_at: Option, + pub expires_at: Option, + pub revoked_at: Option, + pub revoked_reason: Option, + pub created_at: String, + pub updated_at: String, +} + +#[derive(sqlx::FromRow)] +struct AuthorizationRow { + id: i32, + label: Option, + bunker_public_key: String, + relays: String, + connected_client_pubkey: Option, + connected_at: Option>, + expires_at: Option>, + revoked_at: Option>, + revoked_reason: Option, + created_at: chrono::DateTime, + updated_at: chrono::DateTime, +} + +/// Return all teams the user is a member of, with the team-owned stored (restaurant) +/// keys and their authorizations. Support admin only. Tenant-scoped. +pub async fn get_user_teams( + tenant: crate::api::tenant::TenantExtractor, + State(auth_state): State, + auth: UcanAuth, + axum::extract::Query(query): axum::extract::Query, +) -> ApiResult> { + let tenant_id = tenant.0.id; + let pool = &auth_state.state.db; + + if !is_support_admin(&auth).await { + return Err(ApiError::forbidden("Admin access required")); + } + + let pubkey = query.pubkey.trim().to_lowercase(); + if pubkey.len() != 64 || !pubkey.chars().all(|c| c.is_ascii_hexdigit()) { + return Err(ApiError::bad_request("pubkey must be a 64-char hex string")); + } + + // Teams the user belongs to (tenant-scoped) + let team_rows: Vec<(i32, String, String, chrono::DateTime)> = sqlx::query_as( + "SELECT t.id, t.name, tu.role, tu.created_at + FROM teams t + INNER JOIN team_users tu ON tu.team_id = t.id + WHERE tu.user_pubkey = $1 AND t.tenant_id = $2 + ORDER BY tu.created_at ASC", + ) + .bind(&pubkey) + .bind(tenant_id) + .fetch_all(pool) + .await + .map_err(|e| ApiError::Internal(format!("Failed to load teams: {}", e)))?; + + let mut teams = Vec::with_capacity(team_rows.len()); + + for (team_id, team_name, role, joined_at) in team_rows { + // Stored (restaurant) keys owned by this team + let key_rows: Vec<(i32, String, String, chrono::DateTime)> = sqlx::query_as( + "SELECT id, name, pubkey, created_at + FROM stored_keys + WHERE team_id = $1 AND tenant_id = $2 + ORDER BY created_at ASC", + ) + .bind(team_id) + .bind(tenant_id) + .fetch_all(pool) + .await + .map_err(|e| ApiError::Internal(format!("Failed to load stored keys: {}", e)))?; + + let mut restaurant_keys = Vec::with_capacity(key_rows.len()); + + for (key_id, key_name, key_pubkey, key_created_at) in key_rows { + let auth_rows: Vec = sqlx::query_as( + "SELECT id, label, bunker_public_key, relays, connected_client_pubkey, + connected_at, expires_at, revoked_at, revoked_reason, + created_at, updated_at + FROM authorizations + WHERE stored_key_id = $1 AND tenant_id = $2 + ORDER BY created_at ASC", + ) + .bind(key_id) + .bind(tenant_id) + .fetch_all(pool) + .await + .map_err(|e| ApiError::Internal(format!("Failed to load authorizations: {}", e)))?; + + let authorizations = auth_rows + .into_iter() + .map(|row| { + let relays: Vec = serde_json::from_str(&row.relays).unwrap_or_default(); + AdminAuthorization { + id: row.id, + label: row.label, + bunker_public_key: row.bunker_public_key, + relays, + connected_client_pubkey: row.connected_client_pubkey, + connected_at: row.connected_at.map(|d| d.to_rfc3339()), + expires_at: row.expires_at.map(|d| d.to_rfc3339()), + revoked_at: row.revoked_at.map(|d| d.to_rfc3339()), + revoked_reason: row.revoked_reason, + created_at: row.created_at.to_rfc3339(), + updated_at: row.updated_at.to_rfc3339(), + } + }) + .collect(); + + restaurant_keys.push(AdminRestaurantKey { + id: key_id, + name: key_name, + pubkey: key_pubkey, + created_at: key_created_at.to_rfc3339(), + authorizations, + }); + } + + teams.push(AdminTeamDetails { + id: team_id, + name: team_name, + role, + joined_at: joined_at.to_rfc3339(), + restaurant_keys, + }); + } + + Ok(Json(UserTeamsResponse { teams })) +} + +// ============================================================================ +// POST /api/admin/authorizations/:id/revoke - Soft-delete a team authorization +// ============================================================================ + +#[derive(Debug, Deserialize)] +pub struct RevokeAuthorizationRequest { + /// Optional free-text reason (e.g. "superseded", "admin_revoke", "client_revoke"). + #[serde(default)] + pub reason: Option, +} + +#[derive(Debug, Serialize)] +pub struct RevokeAuthorizationResponse { + pub revoked: bool, + pub authorization_id: i32, +} + +/// Soft-delete a team authorization by setting `revoked_at = NOW()` and +/// notifying the signer daemon so it drops the in-memory handler. +/// Support admin only; tenant-scoped. +pub async fn revoke_authorization( + tenant: crate::api::tenant::TenantExtractor, + State(auth_state): State, + auth: UcanAuth, + Path(authorization_id): Path, + Json(req): Json, +) -> ApiResult> { + if !is_support_admin(&auth).await { + return Err(ApiError::forbidden("Admin access required")); + } + + let tenant_id = tenant.0.id; + let pool = &auth_state.state.db; + + let reason = req + .reason + .as_deref() + .map(str::trim) + .filter(|s| !s.is_empty()); + + let repo = keycast_core::repositories::AuthorizationRepository::new(pool.clone()); + let bunker_pubkey = repo + .revoke(tenant_id, authorization_id, reason) + .await + .map_err(|e| ApiError::Internal(format!("Failed to revoke authorization: {}", e)))?; + + let Some(bunker_pubkey) = bunker_pubkey else { + // Either not found in this tenant, or already revoked. + return Err(ApiError::not_found( + "Authorization not found or already revoked", + )); + }; + + // Notify the signer daemon to drop the in-memory handler. If the channel + // send fails, the DB write still stands; a daemon restart will pick up the + // revoked state on next lazy load. + if let Some(tx) = &auth_state.auth_tx { + use keycast_core::authorization_channel::AuthorizationCommand; + if let Err(e) = tx + .send(AuthorizationCommand::Remove { + bunker_pubkey: bunker_pubkey.clone(), + }) + .await + { + tracing::warn!( + "Failed to notify signer of revocation for {}: {}", + bunker_pubkey, + e + ); + } + } + + tracing::info!( + "Authorization {} revoked by admin {} (tenant {}, reason: {:?})", + authorization_id, + &auth.pubkey[..8.min(auth.pubkey.len())], + tenant_id, + reason, + ); + + Ok(Json(RevokeAuthorizationResponse { + revoked: true, + authorization_id, + })) +} + // ============================================================================ // Support Admin Management (Redis-backed) // ============================================================================ diff --git a/api/src/api/http/auth.rs b/api/src/api/http/auth.rs index b560e087..beadba2d 100644 --- a/api/src/api/http/auth.rs +++ b/api/src/api/http/auth.rs @@ -41,6 +41,14 @@ pub fn token_expiry_seconds() -> i64 { .unwrap_or(DEFAULT_TOKEN_EXPIRY_HOURS * 3600) } +pub(crate) fn format_session_cookie(token: &str, max_age: i64, secure: bool) -> String { + let secure_flag = if secure { "; Secure" } else { "" }; + format!( + "keycast_session={}; HttpOnly{}; SameSite=Lax; Path=/; Max-Age={}", + token, secure_flag, max_age + ) +} + pub fn generate_secure_token() -> String { use rand::distributions::Alphanumeric; rand::thread_rng() @@ -156,6 +164,8 @@ pub struct RegisterRequest { pub nsec: Option, // Optional: user can provide their own nsec/hex secret key #[serde(skip_serializing_if = "Option::is_none")] pub relays: Option>, // Optional: user's preferred relays + #[serde(skip_serializing_if = "Option::is_none")] + pub redirect_uri: Option, // Optional: where to redirect after email verification } #[derive(Debug, Serialize)] @@ -521,6 +531,7 @@ async fn nostr_auth_login( tenant_id: i64, headers: &HeaderMap, auth_header: &str, + secure_cookies: bool, ) -> Result { // Build expected URL for this endpoint let expected_url = build_expected_url(headers, "/api/auth/login")?; @@ -589,10 +600,7 @@ async fn nostr_auth_login( ); // Create response with UCAN session cookie - let cookie = format!( - "keycast_session={}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=86400", - ucan_token - ); + let cookie = format_session_cookie(&ucan_token, 86400, secure_cookies); Ok(( axum::http::StatusCode::OK, @@ -672,6 +680,12 @@ pub async fn register( // Password hash is NULL initially - will be set by bcrypt worker // Returns Err(RepositoryError::Duplicate) if email already exists, which maps to AuthError::EmailAlreadyExists let user_repo = UserRepository::new(pool.clone()); + // Validate redirect_uri if provided (must be HTTPS or localhost HTTP) + let redirect_uri = req + .redirect_uri + .as_deref() + .filter(|uri| uri.starts_with("https://") || uri.starts_with("http://localhost")); + user_repo .register_with_personal_key( &public_key.to_hex(), @@ -681,6 +695,7 @@ pub async fn register( &verification_token, verification_expires, &encrypted_secret, + redirect_uri, ) .await?; @@ -778,12 +793,13 @@ pub async fn login( body: String, ) -> Result { let tenant_id = tenant.0.id; + let secure_cookies = auth_state.state.secure_cookies; // Check for NIP-98 Authorization header first if let Some(auth_header) = headers.get("Authorization") { if let Ok(auth_str) = auth_header.to_str() { if auth_str.starts_with("Nostr ") { - return nostr_auth_login(tenant_id, &headers, auth_str).await; + return nostr_auth_login(tenant_id, &headers, auth_str, secure_cookies).await; } } } @@ -885,10 +901,7 @@ pub async fn login( ); // Create response with UCAN session cookie - let cookie = format!( - "keycast_session={}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=86400", - ucan_token - ); + let cookie = format_session_cookie(&ucan_token, 86400, secure_cookies); Ok(( axum::http::StatusCode::OK, @@ -904,11 +917,15 @@ pub async fn login( } /// Logout endpoint - clears the keycast_session cookie -pub async fn logout() -> Result { +pub async fn logout( + State(auth_state): State, +) -> Result { tracing::info!("User logging out"); + let secure_cookies = auth_state.state.secure_cookies; + // Clear the session cookie by setting Max-Age=0 - let cookie = "keycast_session=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0"; + let cookie = format_session_cookie("", 0, secure_cookies); let response = ( axum::http::StatusCode::OK, @@ -1540,10 +1557,17 @@ pub async fn verify_email( ); // Set UCAN session cookie - let cookie = format!( - "keycast_session={}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=86400", - ucan_token - ); + let secure_cookies = auth_state.state.secure_cookies; + let cookie = format_session_cookie(&ucan_token, 86400, secure_cookies); + + // If the registration included a redirect_uri, redirect back to the client app + let redirect_to = token_data.redirect_uri.map(|uri| { + if uri.contains('?') { + format!("{}&verified=1", uri) + } else { + format!("{}?verified=1", uri) + } + }); Ok(( axum::http::StatusCode::OK, @@ -1551,7 +1575,7 @@ pub async fn verify_email( axum::Json(VerifyEmailResponse { success: true, message: "Email verified successfully! You are now logged in.".to_string(), - redirect_to: None, + redirect_to, authenticated: Some(true), status: None, retry_after: None, @@ -3093,10 +3117,8 @@ pub async fn change_key( let ucan_token = generate_ucan_token(&new_keys, tenant_id, &email, &redirect_origin, None).await?; - let cookie = format!( - "keycast_session={}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=86400", - ucan_token - ); + let secure_cookies = auth_state.state.secure_cookies; + let cookie = format_session_cookie(&ucan_token, 86400, secure_cookies); let response = ChangeKeyResponse { success: true, @@ -3366,6 +3388,7 @@ mod tests { bcrypt_sender: bcrypt_queue.sender(), redis: None, secret_pool: secret_pool.receiver(), + secure_cookies: false, }), auth_tx: None, } diff --git a/api/src/api/http/claim.rs b/api/src/api/http/claim.rs index 609794af..5de9994b 100644 --- a/api/src/api/http/claim.rs +++ b/api/src/api/http/claim.rs @@ -10,6 +10,7 @@ use axum::{ use nostr_sdk::Keys; use serde::Deserialize; +use super::auth::format_session_cookie; use super::routes::AuthState; use keycast_core::repositories::{ClaimTokenRepository, UserRepository}; @@ -335,11 +336,8 @@ pub async fn claim_post( .map_err(|e| ClaimError::Internal(format!("Failed to generate session: {:?}", e)))?; // Set session cookie - let cookie_value = format!( - "keycast_session={}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={}", - token, - 60 * 60 * 24 * 7 // 7 days - ); + let secure_cookies = auth_state.state.secure_cookies; + let cookie_value = format_session_cookie(&token, 60 * 60 * 24 * 7, secure_cookies); // Get user info for success page let user_repo = UserRepository::new(pool.clone()); @@ -502,7 +500,7 @@ pub async fn claim_post(
1
Get the App
-
Download diVine for the best experience.
+
Download Synvya for the best experience.
 App Store @@ -532,7 +530,7 @@ pub async fn claim_post(
- Open diVine on Web + Open Synvya on Web

You can also access your account at divine.video

diff --git a/api/src/api/http/oauth.rs b/api/src/api/http/oauth.rs index ea450d38..d20bf311 100644 --- a/api/src/api/http/oauth.rs +++ b/api/src/api/http/oauth.rs @@ -18,6 +18,8 @@ use keycast_core::repositories::{ }; use keycast_core::types::refresh_token::generate_refresh_token; use nostr_sdk::{Keys, ToBech32}; + +use super::auth::format_session_cookie; use rand::Rng; use secrecy::ExposeSecret; use serde::{Deserialize, Serialize}; @@ -25,6 +27,20 @@ use serde::{Deserialize, Serialize}; // Import constants and helpers from auth module use super::auth::{generate_secure_token, token_expiry_seconds, EMAIL_VERIFICATION_EXPIRY_HOURS}; +fn forgot_password_url_for_auth_host() -> &'static str { + let auth_url = std::env::var("APP_URL") + .or_else(|_| std::env::var("VITE_DOMAIN")) + .unwrap_or_default(); + + if auth_url.contains("auth.staging.synvya.com") { + "https://account.staging.synvya.com/login" + } else if auth_url.contains("auth.synvya.com") { + "https://account.synvya.com/login" + } else { + "/forgot-password" + } +} + /// Generate a 256-bit random authorization handle (64 hex characters) /// Used for silent re-authentication in OAuth flows pub fn generate_authorization_handle() -> String { @@ -1193,7 +1209,7 @@ pub async fn authorize_get(

Authorize App

@@ -1224,7 +1240,7 @@ pub async fn authorize_get(

- By authorizing, you agree to diVine's terms and privacy policy. + By authorizing, you agree to Synvya's terms and privacy policy.

@@ -1469,6 +1485,7 @@ pub async fn authorize_get( } } else { // User not authenticated - show login/register form (divine.video-inspired design) + let forgot_password_url = forgot_password_url_for_auth_host(); format!( r#" @@ -1476,7 +1493,7 @@ pub async fn authorize_get( - Sign in - diVine Login + Sign in - Synvya Login @@ -1786,7 +1803,7 @@ pub async fn authorize_get(

Sign in

@@ -1830,7 +1847,7 @@ pub async fn authorize_get(
- Forgot password? + Forgot password?
Don't have an account? Create one @@ -1903,11 +1920,11 @@ pub async fn authorize_get( if (form === 'login') {{ document.getElementById('login_view').classList.add('active'); if (headerTitle) headerTitle.textContent = 'Sign in'; - document.title = 'Sign in - diVine Login'; + document.title = 'Sign in - Synvya Login'; }} else {{ document.getElementById('register_view').classList.add('active'); if (headerTitle) headerTitle.textContent = 'Create account'; - document.title = 'Create account - diVine Login'; + document.title = 'Create account - Synvya Login'; }} hideError(); @@ -2148,6 +2165,7 @@ pub async fn authorize_get( .unwrap_or('A') .to_uppercase(), // app icon letter params.client_id, // app name in card + forgot_password_url, // Forgot password link target params.client_id, // JS clientId params.redirect_uri, // JS redirectUri scope_str, // JS scope @@ -2158,8 +2176,8 @@ pub async fn authorize_get( // If we detected a stale cookie, clear it if clear_cookie { - let clear_cookie_header = - "keycast_session=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0"; + let secure_cookies = auth_state.state.secure_cookies; + let clear_cookie_header = format_session_cookie("", 0, secure_cookies); Ok(( [(axum::http::header::SET_COOKIE, clear_cookie_header)], Html(html), @@ -3008,10 +3026,8 @@ pub async fn oauth_login( tracing::info!("OAuth popup login successful for user: {}", public_key); // Set cookie and return success - page will reload to show approval - let cookie = format!( - "keycast_session={}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=86400", - ucan_token - ); + let secure_cookies = auth_state.state.secure_cookies; + let cookie = format_session_cookie(&ucan_token, 86400, secure_cookies); Ok(( [(axum::http::header::SET_COOKIE, cookie)], @@ -3375,7 +3391,7 @@ pub async fn connect_get( - Authorize Connection - diVine Login + Authorize Connection - Synvya Login @@ -3597,7 +3613,7 @@ pub async fn connect_get(

Authorize Connection

@@ -3619,7 +3635,7 @@ pub async fn connect_get(
- This will allow the app to sign events on your behalf using your diVine-managed keys. + This will allow the app to sign events on your behalf using your Synvya-managed keys.
diff --git a/api/src/api/http/routes.rs b/api/src/api/http/routes.rs index fc488ab0..f19e1417 100644 --- a/api/src/api/http/routes.rs +++ b/api/src/api/http/routes.rs @@ -46,10 +46,12 @@ pub fn api_routes( .layer(auth_cors.clone()) .with_state(auth_state.clone()); - // Logout route - public CORS so third-party OAuth apps can revoke sessions - // Protected by Bearer token (UCAN), not cookies + // Logout route - restricted CORS with credentials + // This endpoint clears the first-party session cookie, so it must use + // auth_cors rather than wildcard public CORS. let logout_route = Router::new() .route("/auth/logout", post(auth::logout)) + .layer(auth_cors.clone()) .with_state(auth_state.clone()); // verify_email needs auth_state for key_manager (to decrypt keys and issue UCAN) @@ -195,6 +197,11 @@ pub fn api_routes( get(admin::get_claim_token_stats), ) .route("/admin/user-lookup", get(admin::get_user_lookup)) + .route("/admin/user-teams", get(admin::get_user_teams)) + .route( + "/admin/authorizations/:id/revoke", + post(admin::revoke_authorization), + ) .route( "/admin/support-admins", get(admin::list_support_admins).post(admin::add_support_admin), @@ -243,6 +250,21 @@ pub fn api_routes( delete(teams::delete_authorization), ) .route("/teams/:id/policies", post(teams::add_policy)) + .route("/teams/:id/invite", post(teams::invite_user)) + .route("/teams/:id/invitations", get(teams::list_invitations)) + .route( + "/teams/:id/invitations/:invitation_id", + delete(teams::revoke_invitation), + ) + .with_state(pool.clone()); + + // Invitation routes (mixed auth: preview is public, accept requires auth) + let invitation_preview_route = Router::new() + .route("/invitations/preview", get(teams::preview_invitation)) + .with_state(pool.clone()); + + let invitation_accept_route = Router::new() + .route("/invitations/accept", post(teams::accept_invitation)) .with_state(pool); // Combine routes @@ -257,7 +279,7 @@ pub fn api_routes( .merge(bunker_routes) // Has auth_cors (bunker creation) .merge(key_export_routes) // Has auth_cors (authenticated, needs cookies) .merge(change_key_route) // Has auth_cors (authenticated, needs cookies) - .merge(logout_route.layer(public_cors.clone())) // Public CORS - Bearer token auth, third-party apps + .merge(logout_route) // Has auth_cors (credentialed cookie logout) .merge(account_delete_route.layer(public_cors.clone())) // Public CORS - Bearer token auth, third-party apps .merge(verify_email_route.layer(public_cors.clone())) // Public CORS - same-origin sets cookie, cross-origin uses Bearer .merge(email_routes.layer(public_cors.clone())) @@ -267,6 +289,8 @@ pub fn api_routes( .merge(signing_routes.layer(public_cors.clone())) .merge(nostr_rpc_routes.layer(public_cors.clone())) // NIP-46 RPC for OAuth apps .merge(team_routes.layer(auth_cors.clone())) // Team routes need credentials + .merge(invitation_preview_route.layer(auth_cors.clone())) // Auth CORS - token-gated but clients may send credentials + .merge(invitation_accept_route.layer(auth_cors.clone())) // Auth - accept invite needs session .merge(discovery_route.layer(public_cors.clone())) .merge(policy_routes.layer(public_cors.clone())) // Public - available to third-party OAuth apps .merge(headless_routes.layer(public_cors.clone())) // Public CORS - embedded flow for web + mobile (PKCE protects token exchange) diff --git a/api/src/api/http/teams.rs b/api/src/api/http/teams.rs index d1992c49..57eaa92a 100644 --- a/api/src/api/http/teams.rs +++ b/api/src/api/http/teams.rs @@ -5,6 +5,7 @@ use axum::{ Json, }; use secrecy::ExposeSecret; +use serde::{Deserialize, Serialize}; use nostr_sdk::prelude::*; @@ -21,7 +22,7 @@ use keycast_core::types::authorization::{Authorization, AuthorizationWithRelatio use keycast_core::types::policy::PolicyWithPermissions; use keycast_core::types::stored_key::PublicStoredKey; use keycast_core::types::team::{KeyWithRelations, Team, TeamWithRelations}; -use keycast_core::types::user::TeamUser; +use keycast_core::types::user::{TeamUser, TeamUserRole}; pub async fn list_teams( tenant: crate::api::tenant::TenantExtractor, @@ -55,9 +56,16 @@ pub async fn create_team( ) -> ApiResult> { let tenant_id = tenant.0.id; let user_pubkey_hex = &auth.pubkey; + let user_pubkey = PublicKey::from_hex(user_pubkey_hex) + .map_err(|_| ApiError::bad_request("Invalid pubkey"))?; + let user_repo = UserRepository::new(pool.clone()); - // Check admin access for team creation - if !super::admin::is_full_admin(&auth) { + let can_create_first_team = user_repo + .count_team_memberships(tenant_id, &user_pubkey) + .await? + == 0; + + if !super::admin::is_full_admin(&auth) && !can_create_first_team { tracing::warn!( "Team creation denied for non-admin pubkey: {}", user_pubkey_hex @@ -523,3 +531,432 @@ pub async fn verify_admin<'a>( Err(_) => Err(ApiError::auth("Failed to verify admin status")), } } + +// --------------------------------------------------------------------------- +// Team invitation handlers +// --------------------------------------------------------------------------- + +use keycast_core::repositories::TeamInvitationRepository; +use keycast_core::types::team_invitation::{ + generate_invitation_token, InvitationListItem, InvitationPreview, +}; + +#[derive(Debug, Deserialize)] +pub struct InviteRequest { + pub email: String, + pub role: TeamUserRole, +} + +#[derive(Debug, Serialize)] +#[serde(tag = "status")] +pub enum InviteResponse { + #[serde(rename = "added")] + Added { member: TeamUser }, + #[serde(rename = "invited")] + Invited { invitation: InvitationListItem }, +} + +#[derive(Debug, Deserialize)] +pub struct AcceptInvitationRequest { + pub token: String, +} + +#[derive(Debug, Serialize)] +pub struct AcceptInvitationResponse { + pub team_id: i32, + pub role: String, +} + +#[derive(Debug, Deserialize)] +pub struct PreviewQuery { + pub token: String, +} + +/// POST /api/teams/:id/invite +/// Invite a user to a team by email. If the user already exists, add them immediately. +/// Otherwise, create an invitation and send an email. +pub async fn invite_user( + tenant: crate::api::tenant::TenantExtractor, + State(pool): State, + UcanAuth { + pubkey: user_pubkey_hex, + .. + }: UcanAuth, + Path(team_id): Path, + Json(request): Json, +) -> ApiResult> { + let tenant_id = tenant.0.id; + verify_admin(&pool, &user_pubkey_hex, team_id, tenant_id).await?; + + // Normalize email + let email = request.email.trim().to_lowercase(); + + // Basic email validation + if !email.contains('@') || email.len() < 5 { + return Err(ApiError::bad_request("Invalid email address")); + } + + let role_str = request.role.as_str(); + let user_repo = UserRepository::new(pool.clone()); + let team_repo = TeamRepository::new(pool.clone()); + let invite_repo = TeamInvitationRepository::new(pool.clone()); + + // Check if calling user is inviting themselves + let caller_email: Option = + sqlx::query_scalar("SELECT email FROM users WHERE pubkey = $1 AND tenant_id = $2") + .bind(&user_pubkey_hex) + .bind(tenant_id) + .fetch_optional(&pool) + .await + .map_err(|e| ApiError::internal(format!("Failed to look up caller email: {}", e)))?; + + if let Some(ref caller_email) = caller_email { + if caller_email.to_lowercase() == email { + return Err(ApiError::bad_request("Cannot invite yourself")); + } + } + + // Check if user with this email already exists + let existing_pubkey = user_repo.find_pubkey_by_email(&email, tenant_id).await?; + + match existing_pubkey { + Some(pubkey) => { + // User exists — add directly + if team_repo.is_member(team_id, &pubkey).await? { + return Err(ApiError::conflict("Already a team member")); + } + + // Ensure user record exists + let pk = PublicKey::from_hex(&pubkey) + .map_err(|_| ApiError::internal("Invalid stored pubkey"))?; + user_repo.find_or_create(tenant_id, &pk).await?; + + let team_user = team_repo.add_member(team_id, &pubkey, role_str).await?; + Ok(Json(InviteResponse::Added { member: team_user })) + } + None => { + // User does not exist — create invitation + if invite_repo + .find_pending_by_email(team_id, &email) + .await? + .is_some() + { + return Err(ApiError::conflict( + "Invitation already pending for this email", + )); + } + + let token = generate_invitation_token(); + + let invitation = invite_repo + .create( + team_id, + tenant_id, + &email, + role_str, + &token, + &user_pubkey_hex, + ) + .await?; + + // Resolve inviter display name (used for the list response regardless of email outcome) + let inviter_name = resolve_display_name(&pool, &user_pubkey_hex, tenant_id).await; + + // For the email body we prefer a real display name → email → pubkey prefix. + // The admin's email is the most useful fallback when no kind-0 display name exists. + let inviter_real_display: Option = + sqlx::query_as::<_, (Option, Option)>( + "SELECT display_name, username FROM users WHERE pubkey = $1 AND tenant_id = $2", + ) + .bind(&user_pubkey_hex) + .bind(tenant_id) + .fetch_optional(&pool) + .await + .ok() + .flatten() + .and_then(|(dn, un)| { + dn.filter(|s| !s.is_empty()) + .or_else(|| un.filter(|s| !s.is_empty())) + }); + let inviter_email_opt = user_repo.get_email(&user_pubkey_hex, tenant_id).await.ok(); + let inviter_label = inviter_real_display + .clone() + .or_else(|| inviter_email_opt.clone()) + .unwrap_or_else(|| inviter_name.clone()); + + // Resolve team name + let team = team_repo.find(tenant_id, team_id).await?; + + // Resolve team's primary stored key (used for kind-0 profile lookup). + let team_key_pubkey: Option = sqlx::query_scalar( + "SELECT pubkey FROM stored_keys + WHERE tenant_id = $1 AND team_id = $2 + ORDER BY id ASC + LIMIT 1", + ) + .bind(tenant_id) + .bind(team_id) + .fetch_optional(&pool) + .await + .map_err(|e| ApiError::internal(format!("Failed to load team key: {}", e)))?; + + // Best-effort kind-0 fetch so the email can show the team's real display + // name and avatar (same as the accept page). Falls back to the DB handle. + let profile = if let Some(ref pk) = team_key_pubkey { + let relays = keycast_core::types::authorization::Authorization::get_bunker_relays(); + crate::nostr_profile::fetch_profile_metadata(pk, &relays).await + } else { + None + }; + let team_display_name = profile + .as_ref() + .and_then(|p| p.display_name.clone()) + .unwrap_or_else(|| team.name.clone()); + let team_picture = profile.as_ref().and_then(|p| p.picture.clone()); + + // Build invite URL + let invite_base_url = std::env::var("INVITE_BASE_URL") + .or_else(|_| std::env::var("BASE_URL")) + .or_else(|_| std::env::var("APP_URL")) + .unwrap_or_else(|_| "http://localhost:5173".to_string()); + let invite_url = format!("{}/accept-invite?token={}", invite_base_url, token); + + // Send invitation email + match crate::email_service::EmailService::new().await { + Ok(email_service) => { + if let Err(e) = email_service + .send_team_invite_email( + &email, + &team_display_name, + team_picture.as_deref(), + &inviter_label, + role_str, + invitation.expires_at, + &invite_url, + ) + .await + { + tracing::error!("Failed to send team invite email to {}: {}", email, e); + } + } + Err(e) => { + tracing::error!("Failed to initialize email service: {}", e); + } + } + + let list_item = InvitationListItem { + id: invitation.id, + email: invitation.email, + role: invitation.role, + invited_by: inviter_name, + created_at: invitation.created_at, + expires_at: invitation.expires_at, + accepted_at: invitation.accepted_at, + revoked_at: invitation.revoked_at, + }; + + Ok(Json(InviteResponse::Invited { + invitation: list_item, + })) + } + } +} + +/// GET /api/teams/:id/invitations +/// List all invitations for a team. +pub async fn list_invitations( + tenant: crate::api::tenant::TenantExtractor, + State(pool): State, + UcanAuth { + pubkey: user_pubkey_hex, + .. + }: UcanAuth, + Path(team_id): Path, +) -> ApiResult>> { + let tenant_id = tenant.0.id; + verify_admin(&pool, &user_pubkey_hex, team_id, tenant_id).await?; + + let invite_repo = TeamInvitationRepository::new(pool.clone()); + let invitations = invite_repo.list_by_team(team_id, tenant_id).await?; + + // Collect unique inviter pubkeys for batch display name resolution + let mut items = Vec::with_capacity(invitations.len()); + for inv in invitations { + let inviter_name = resolve_display_name(&pool, &inv.invited_by, tenant_id).await; + items.push(InvitationListItem { + id: inv.id, + email: inv.email, + role: inv.role, + invited_by: inviter_name, + created_at: inv.created_at, + expires_at: inv.expires_at, + accepted_at: inv.accepted_at, + revoked_at: inv.revoked_at, + }); + } + + Ok(Json(items)) +} + +/// DELETE /api/teams/:id/invitations/:invitation_id +/// Revoke a pending invitation. +pub async fn revoke_invitation( + tenant: crate::api::tenant::TenantExtractor, + State(pool): State, + UcanAuth { + pubkey: user_pubkey_hex, + .. + }: UcanAuth, + Path((team_id, invitation_id)): Path<(i32, i32)>, +) -> ApiResult { + let tenant_id = tenant.0.id; + verify_admin(&pool, &user_pubkey_hex, team_id, tenant_id).await?; + + let invite_repo = TeamInvitationRepository::new(pool.clone()); + invite_repo + .revoke(invitation_id, team_id, tenant_id) + .await?; + + Ok(StatusCode::NO_CONTENT) +} + +/// GET /api/invitations/preview?token=... +/// Public endpoint — returns enough info to render the invite landing page. +pub async fn preview_invitation( + tenant: crate::api::tenant::TenantExtractor, + State(pool): State, + axum::extract::Query(query): axum::extract::Query, +) -> ApiResult> { + let tenant_id = tenant.0.id; + + let invite_repo = TeamInvitationRepository::new(pool.clone()); + let invitation = invite_repo + .find_valid_by_token(&query.token) + .await? + .ok_or_else(|| ApiError::not_found("Invitation not found or expired"))?; + + // Verify tenant match + if invitation.tenant_id != tenant_id { + return Err(ApiError::not_found("Invitation not found or expired")); + } + + // Resolve team name + let team_repo = TeamRepository::new(pool.clone()); + let team = team_repo.find(tenant_id, invitation.team_id).await?; + + // Resolve team's primary stored key pubkey (deterministic: earliest id wins). + // `None` if the team has no stored keys — keeps field shape stable for clients. + let team_key_pubkey: Option = sqlx::query_scalar( + "SELECT pubkey FROM stored_keys + WHERE tenant_id = $1 AND team_id = $2 + ORDER BY id ASC + LIMIT 1", + ) + .bind(tenant_id) + .bind(invitation.team_id) + .fetch_optional(&pool) + .await + .map_err(|e| ApiError::internal(format!("Failed to load team key: {}", e)))?; + + // Resolve inviter display name and email + let inviter_name = resolve_display_name(&pool, &invitation.invited_by, tenant_id).await; + let user_repo = UserRepository::new(pool.clone()); + let invited_by_email = user_repo + .get_email(&invitation.invited_by, tenant_id) + .await + .ok(); + + Ok(Json(InvitationPreview { + team_name: team.name, + team_key_pubkey, + role: invitation.role, + invited_by_display_name: inviter_name, + invited_by_email, + expires_at: invitation.expires_at, + email: invitation.email, + })) +} + +/// POST /api/invitations/accept +/// Accept a team invitation. Requires authenticated session. +pub async fn accept_invitation( + tenant: crate::api::tenant::TenantExtractor, + State(pool): State, + UcanAuth { + pubkey: user_pubkey_hex, + .. + }: UcanAuth, + Json(request): Json, +) -> ApiResult> { + let tenant_id = tenant.0.id; + + let invite_repo = TeamInvitationRepository::new(pool.clone()); + + // Find valid invitation + let invitation = invite_repo + .find_valid_by_token(&request.token) + .await? + .ok_or_else(|| ApiError::not_found("Invitation not found or expired"))?; + + // Verify tenant match + if invitation.tenant_id != tenant_id { + return Err(ApiError::not_found("Invitation not found or expired")); + } + + // Get the authenticated user's email + let user_repo = UserRepository::new(pool.clone()); + let user_email: String = user_repo + .get_email(&user_pubkey_hex, tenant_id) + .await + .map_err(|_| ApiError::bad_request("Could not retrieve your email address"))?; + + // Verify email match (case-insensitive) + if user_email.to_lowercase() != invitation.email.to_lowercase() { + return Err(ApiError::forbidden( + "This invitation was sent to a different email address", + )); + } + + // Check if already a team member + let team_repo = TeamRepository::new(pool.clone()); + if team_repo + .is_member(invitation.team_id, &user_pubkey_hex) + .await? + { + return Err(ApiError::conflict("You are already a member of this team")); + } + + // Add to team + team_repo + .add_member(invitation.team_id, &user_pubkey_hex, &invitation.role) + .await?; + + // Mark invitation as accepted + invite_repo + .accept(&request.token, &user_pubkey_hex) + .await + .map_err(|e| ApiError::internal(format!("Failed to mark invitation as accepted: {}", e)))?; + + Ok(Json(AcceptInvitationResponse { + team_id: invitation.team_id, + role: invitation.role, + })) +} + +/// Resolve a pubkey to a display name, falling back to truncated pubkey. +async fn resolve_display_name(pool: &PgPool, pubkey: &str, tenant_id: i64) -> String { + let result: Option<(Option, Option)> = sqlx::query_as( + "SELECT display_name, username FROM users WHERE pubkey = $1 AND tenant_id = $2", + ) + .bind(pubkey) + .bind(tenant_id) + .fetch_optional(pool) + .await + .unwrap_or(None); + + match result { + Some((Some(display_name), _)) if !display_name.is_empty() => display_name, + Some((_, Some(username))) if !username.is_empty() => username, + _ => format!("{}…", &pubkey[..8]), + } +} diff --git a/api/src/email_service.rs b/api/src/email_service.rs index 15f3fc28..e7de730d 100644 --- a/api/src/email_service.rs +++ b/api/src/email_service.rs @@ -2,6 +2,7 @@ // ABOUTME: Supports SendGrid for production, AWS SES (behind `aws` feature), and DevEmailSender for local development/testing use async_trait::async_trait; +use chrono::{DateTime, Utc}; use serde::Serialize; use std::env; use std::sync::{Arc, Mutex}; @@ -30,7 +31,35 @@ pub trait EmailSender: Send + Sync { ) -> Result<(), String>; /// Send a claim link email for a preloaded account. - async fn send_claim_email(&self, to_email: &str, claim_url: &str) -> Result<(), String>; + /// + /// `account_display_name` and `account_picture` come from the preloaded + /// pubkey's kind-0 metadata when available; when both are `None` the email + /// falls back to the plain single-CTA layout. + async fn send_claim_email( + &self, + to_email: &str, + claim_url: &str, + account_display_name: Option<&str>, + account_picture: Option<&str>, + ) -> Result<(), String>; + + /// Send a team invitation email. + /// + /// `team_display_name` should be the kind-0 display name when available, + /// falling back to the DB team handle. `team_picture` is an optional kind-0 + /// avatar URL (http/https only; callers are responsible for validating). + /// `inviter_label` is the admin's email (preferred) or display name. + #[allow(clippy::too_many_arguments)] + async fn send_team_invite_email( + &self, + to_email: &str, + team_display_name: &str, + team_picture: Option<&str>, + inviter_label: &str, + role: &str, + expires_at: DateTime, + invite_url: &str, + ) -> Result<(), String>; /// Get captured emails (only available in dev/test mode) fn get_captured_emails(&self) -> Vec { @@ -43,34 +72,70 @@ pub trait EmailSender: Send + Sync { } } +/// Resolve the base URL used in password reset links. +/// +/// Defaults to `BASE_URL` but may be overridden via `PASSWORD_RESET_BASE_URL` +/// when the password reset page is hosted on a different domain than the +/// rest of the email flow (e.g. Synvya deployments host the reset form on +/// `account.synvya.com` while verification stays on `auth.synvya.com`). +fn password_reset_base_url(default: &str) -> String { + env::var("PASSWORD_RESET_BASE_URL").unwrap_or_else(|_| default.to_string()) +} + // --------------------------------------------------------------------------- // Shared email templates (used by SendGrid, SES, and any future providers) // --------------------------------------------------------------------------- -fn verification_email_html(verification_url: &str) -> String { +/// Shared layout for single-call-to-action transactional emails (verification, +/// password reset, claim). Keeps the same wordmark / button / footer treatment +/// as the team invitation card, minus the card itself — there's no subject +/// entity to present in these flows, so stylising further risks looking like +/// phishing on what are already high-trust emails. +fn basic_email_html( + heading: &str, + intro: &str, + cta_label: &str, + cta_url: &str, + footer_note: &str, +) -> String { + let heading_esc = html_escape(heading); + let intro_esc = html_escape(intro); + let cta_label_esc = html_escape(cta_label); + let url_esc = html_escape(cta_url); + let footer_esc = html_escape(footer_note); + format!( - r#" - - -

Verify your Synvya email

-

Thanks for signing up! Please verify your email address by clicking the button below:

- -

- Or copy and paste this link into your browser:
- {} -

-

- If you didn't sign up for Synvya, you can safely ignore this email. -

- - - "#, - verification_url, verification_url, verification_url + r#" + + +
+
+ Synvya +
+

{heading_esc}

+

{intro_esc}

+ +

+ Or copy and paste this link into your browser:
+ {url_esc} +

+

{footer_esc}

+
+ + +"# + ) +} + +fn verification_email_html(verification_url: &str) -> String { + basic_email_html( + "Verify your Synvya email", + "Thanks for signing up! Confirm your email address to finish creating your account.", + "Verify Email Address", + verification_url, + "If you didn't sign up for Synvya, you can safely ignore this email.", ) } @@ -82,29 +147,12 @@ fn verification_email_text(verification_url: &str) -> String { } fn password_reset_html(reset_url: &str) -> String { - format!( - r#" - - -

Reset your Synvya password

-

We received a request to reset your password. Click the button below to set a new password:

- -

- Or copy and paste this link into your browser:
- {} -

-

- This link will expire in 1 hour. If you didn't request a password reset, you can safely ignore this email. -

- - - "#, - reset_url, reset_url, reset_url + basic_email_html( + "Reset your Synvya password", + "We received a request to reset your password. Click the button below to set a new one.", + "Reset Password", + reset_url, + "This link will expire in 1 hour. If you didn't request a password reset, you can safely ignore this email.", ) } @@ -115,30 +163,71 @@ fn password_reset_text(reset_url: &str) -> String { ) } -fn claim_email_html(claim_url: &str) -> String { +fn claim_email_html( + claim_url: &str, + recipient_email: &str, + account_display_name: Option<&str>, + account_picture: Option<&str>, +) -> String { + // Without a display name or picture there's nothing to show in a card — + // fall back to the shared plain layout. + if account_display_name.is_none() && account_picture.is_none() { + return basic_email_html( + "Your Synvya account is ready", + "Your Synvya account is ready. Click the button below to claim it and set up your login.", + "Claim Your Account", + claim_url, + "This link will expire in 7 days. If you didn't request this, you can safely ignore this email.", + ); + } + + let name_esc = html_escape(account_display_name.unwrap_or("")); + let recipient_esc = html_escape(recipient_email); + let url_esc = html_escape(claim_url); + + let avatar_html = account_picture + .and_then(safe_http_url) + .map(|url| { + format!( + r#""# + ) + }) + .unwrap_or_default(); + + let name_html = if name_esc.is_empty() { + String::new() + } else { + format!( + r#"
{name_esc}
"# + ) + }; + format!( - r#" - - -

Your Synvya account is ready!

-

Your Synvya account is ready. Click the button below to claim it and set up your login:

- -

- Or copy and paste this link into your browser:
- {} -

-

- This link will expire in 7 days. If you didn't request this, you can safely ignore this email. -

- - - "#, - claim_url, claim_url, claim_url + r#" + + +
+
+ Synvya +
+

Your Synvya account is ready

+
+ {avatar_html}{name_html}
Claim your login for {recipient_esc}.
+
+ +

+ Or copy and paste this link into your browser:
+ {url_esc} +

+

+ This link will expire in 7 days. If you didn't request this, you can safely ignore this email. +

+
+ + +"# ) } @@ -149,6 +238,118 @@ fn claim_email_text(claim_url: &str) -> String { ) } +/// Minimal HTML-attribute/text escape for values interpolated into the template. +/// Handles the five chars that matter in body text and double-quoted attributes. +fn html_escape(s: &str) -> String { + let mut out = String::with_capacity(s.len()); + for c in s.chars() { + match c { + '&' => out.push_str("&"), + '<' => out.push_str("<"), + '>' => out.push_str(">"), + '"' => out.push_str("""), + '\'' => out.push_str("'"), + _ => out.push(c), + } + } + out +} + +/// Keep only http/https URLs; reject anything else to avoid `javascript:` etc. +/// Returned string is already HTML-attribute-safe. +fn safe_http_url(raw: &str) -> Option { + let trimmed = raw.trim(); + if trimmed.starts_with("https://") || trimmed.starts_with("http://") { + Some(html_escape(trimmed)) + } else { + None + } +} + +fn title_case_role(role: &str) -> String { + let mut chars = role.chars(); + match chars.next() { + Some(first) => first.to_uppercase().collect::() + chars.as_str(), + None => String::new(), + } +} + +fn team_invite_html( + team_display_name: &str, + team_picture: Option<&str>, + inviter_label: &str, + recipient_email: &str, + role: &str, + expires_at: DateTime, + invite_url: &str, +) -> String { + let team_name_esc = html_escape(team_display_name); + let inviter_esc = html_escape(inviter_label); + let recipient_esc = html_escape(recipient_email); + let role_esc = html_escape(&title_case_role(role)); + let url_esc = html_escape(invite_url); + // "Apr 28, 2026" — date only, TZ-ambiguous time would confuse recipients. + let expires_fmt = expires_at.format("%b %-d, %Y").to_string(); + + let avatar_html = team_picture + .and_then(safe_http_url) + .map(|url| { + format!( + r#""# + ) + }) + .unwrap_or_default(); + + format!( + r#" + + +
+
+ Synvya +
+

Team Invitation

+
+ {avatar_html}
{team_name_esc}
+
{inviter_esc} invited you to join as {role_esc}.
+
Sent to {recipient_esc}. Expires {expires_fmt}.
+
+ +

+ Or copy and paste this link into your browser:
+ {url_esc} +

+

+ This invitation expires in 7 days. If you didn't expect this email, you can safely ignore it. +

+
+ + +"# + ) +} + +fn team_invite_text( + team_display_name: &str, + inviter_label: &str, + recipient_email: &str, + role: &str, + expires_at: DateTime, + invite_url: &str, +) -> String { + let role_tc = title_case_role(role); + let expires_fmt = expires_at.format("%b %-d, %Y").to_string(); + format!( + "Team Invitation — {team_display_name}\n\n\ + {inviter_label} invited you to join as {role_tc}.\n\ + Sent to {recipient_email}. Expires {expires_fmt}.\n\n\ + Accept the invitation:\n{invite_url}\n\n\ + This invitation expires in 7 days. If you didn't expect this email, you can safely ignore it.\n", + ) +} + // --------------------------------------------------------------------------- // Development email sender // --------------------------------------------------------------------------- @@ -156,6 +357,7 @@ fn claim_email_text(claim_url: &str) -> String { /// Development email sender - logs URLs to console and captures emails for testing pub struct DevEmailSender { base_url: String, + password_reset_base_url: String, captured: Arc>>, } @@ -164,15 +366,18 @@ impl DevEmailSender { let base_url = env::var("BASE_URL") .or_else(|_| env::var("APP_URL")) .unwrap_or_else(|_| "http://localhost:5173".to_string()); + let password_reset_base_url = password_reset_base_url(&base_url); tracing::info!("==========================================="); tracing::info!(" EMAIL SERVICE: Development Mode"); tracing::info!(" Emails will be logged to console"); tracing::info!(" Base URL: {}", base_url); + tracing::info!(" Password reset base URL: {}", password_reset_base_url); tracing::info!("==========================================="); Self { base_url, + password_reset_base_url, captured: Arc::new(Mutex::new(Vec::new())), } } @@ -237,7 +442,10 @@ impl EmailSender for DevEmailSender { to_email: &str, reset_token: &str, ) -> Result<(), String> { - let reset_url = format!("{}/reset-password?token={}", self.base_url, reset_token); + let reset_url = format!( + "{}/reset-password?token={}", + self.password_reset_base_url, reset_token + ); tracing::info!(""); tracing::info!("=================================================="); @@ -270,13 +478,21 @@ impl EmailSender for DevEmailSender { Ok(()) } - async fn send_claim_email(&self, to_email: &str, claim_url: &str) -> Result<(), String> { + async fn send_claim_email( + &self, + to_email: &str, + claim_url: &str, + account_display_name: Option<&str>, + account_picture: Option<&str>, + ) -> Result<(), String> { tracing::info!(""); tracing::info!("=================================================="); tracing::info!(" SYNVYA CLAIM EMAIL"); tracing::info!("=================================================="); tracing::info!(" To: {}", to_email); tracing::info!(" Subject: Your Synvya account is ready to claim"); + tracing::info!(" Display name: {:?}", account_display_name); + tracing::info!(" Picture: {:?}", account_picture); tracing::info!(""); tracing::info!(" Claim link:"); tracing::info!(" {}", claim_url); @@ -300,6 +516,51 @@ impl EmailSender for DevEmailSender { Ok(()) } + async fn send_team_invite_email( + &self, + to_email: &str, + team_display_name: &str, + team_picture: Option<&str>, + inviter_label: &str, + role: &str, + expires_at: DateTime, + invite_url: &str, + ) -> Result<(), String> { + tracing::info!(""); + tracing::info!("=================================================="); + tracing::info!(" TEAM INVITATION EMAIL"); + tracing::info!("=================================================="); + tracing::info!(" To: {}", to_email); + tracing::info!(" Team: {} (as {})", team_display_name, role); + tracing::info!(" Invited by: {}", inviter_label); + tracing::info!(" Picture: {:?}", team_picture); + tracing::info!(" Expires: {}", expires_at); + tracing::info!(""); + tracing::info!(" Accept link:"); + tracing::info!(" {}", invite_url); + tracing::info!("=================================================="); + tracing::info!(""); + + eprintln!( + "\n\x1b[35m[DEV EMAIL]\x1b[0m Team invite for {} to join {}: \x1b[4m{}\x1b[0m\n", + to_email, team_display_name, invite_url + ); + + if let Ok(mut captured) = self.captured.lock() { + captured.push(CapturedEmail { + to: to_email.to_string(), + subject: format!( + "You've been invited to join {} on Synvya", + team_display_name + ), + verification_url: Some(invite_url.to_string()), + reset_url: None, + }); + } + + Ok(()) + } + fn get_captured_emails(&self) -> Vec { self.captured .lock() @@ -369,6 +630,7 @@ pub struct SendGridEmailSender { from_email: String, from_name: String, base_url: String, + password_reset_base_url: String, } impl SendGridEmailSender { @@ -379,14 +641,19 @@ impl SendGridEmailSender { let base_url = env::var("BASE_URL") .or_else(|_| env::var("APP_URL")) .unwrap_or_else(|_| "http://localhost:5173".to_string()); + let password_reset_base_url = password_reset_base_url(&base_url); - tracing::info!("Email service initialized with SendGrid"); + tracing::info!( + "Email service initialized with SendGrid (reset base URL: {})", + password_reset_base_url + ); Self { api_key, from_email, from_name, base_url, + password_reset_base_url, } } @@ -484,7 +751,10 @@ impl EmailSender for SendGridEmailSender { to_email: &str, reset_token: &str, ) -> Result<(), String> { - let reset_url = format!("{}/reset-password?token={}", self.base_url, reset_token); + let reset_url = format!( + "{}/reset-password?token={}", + self.password_reset_base_url, reset_token + ); let subject = "Reset your Synvya password"; let html = password_reset_html(&reset_url); let text = password_reset_text(&reset_url); @@ -492,13 +762,54 @@ impl EmailSender for SendGridEmailSender { self.send_email(to_email, subject, &html, &text).await } - async fn send_claim_email(&self, to_email: &str, claim_url: &str) -> Result<(), String> { + async fn send_claim_email( + &self, + to_email: &str, + claim_url: &str, + account_display_name: Option<&str>, + account_picture: Option<&str>, + ) -> Result<(), String> { let subject = "Your Synvya account is ready to claim"; - let html = claim_email_html(claim_url); + let html = claim_email_html(claim_url, to_email, account_display_name, account_picture); let text = claim_email_text(claim_url); self.send_email(to_email, subject, &html, &text).await } + + async fn send_team_invite_email( + &self, + to_email: &str, + team_display_name: &str, + team_picture: Option<&str>, + inviter_label: &str, + role: &str, + expires_at: DateTime, + invite_url: &str, + ) -> Result<(), String> { + let subject = format!( + "You've been invited to join {} on Synvya", + team_display_name + ); + let html = team_invite_html( + team_display_name, + team_picture, + inviter_label, + to_email, + role, + expires_at, + invite_url, + ); + let text = team_invite_text( + team_display_name, + inviter_label, + to_email, + role, + expires_at, + invite_url, + ); + + self.send_email(to_email, &subject, &html, &text).await + } } // --------------------------------------------------------------------------- @@ -511,6 +822,7 @@ pub struct SesEmailSender { from_email: String, from_name: String, base_url: String, + password_reset_base_url: String, } #[cfg(feature = "aws")] @@ -531,11 +843,13 @@ impl SesEmailSender { let base_url = env::var("BASE_URL") .or_else(|_| env::var("APP_URL")) .unwrap_or_else(|_| "http://localhost:5173".to_string()); + let password_reset_base_url = password_reset_base_url(&base_url); tracing::info!( - "AWS SES email sender initialized (region: {}, from: {})", + "AWS SES email sender initialized (region: {}, from: {}, reset base URL: {})", region, - from_email + from_email, + password_reset_base_url ); Ok(Self { @@ -543,6 +857,7 @@ impl SesEmailSender { from_email, from_name, base_url, + password_reset_base_url, }) } @@ -640,7 +955,10 @@ impl EmailSender for SesEmailSender { to_email: &str, reset_token: &str, ) -> Result<(), String> { - let reset_url = format!("{}/reset-password?token={}", self.base_url, reset_token); + let reset_url = format!( + "{}/reset-password?token={}", + self.password_reset_base_url, reset_token + ); let subject = "Reset your Synvya password"; let html = password_reset_html(&reset_url); let text = password_reset_text(&reset_url); @@ -648,13 +966,54 @@ impl EmailSender for SesEmailSender { self.send_email(to_email, subject, &html, &text).await } - async fn send_claim_email(&self, to_email: &str, claim_url: &str) -> Result<(), String> { + async fn send_claim_email( + &self, + to_email: &str, + claim_url: &str, + account_display_name: Option<&str>, + account_picture: Option<&str>, + ) -> Result<(), String> { let subject = "Your Synvya account is ready to claim"; - let html = claim_email_html(claim_url); + let html = claim_email_html(claim_url, to_email, account_display_name, account_picture); let text = claim_email_text(claim_url); self.send_email(to_email, subject, &html, &text).await } + + async fn send_team_invite_email( + &self, + to_email: &str, + team_display_name: &str, + team_picture: Option<&str>, + inviter_label: &str, + role: &str, + expires_at: DateTime, + invite_url: &str, + ) -> Result<(), String> { + let subject = format!( + "You've been invited to join {} on Synvya", + team_display_name + ); + let html = team_invite_html( + team_display_name, + team_picture, + inviter_label, + to_email, + role, + expires_at, + invite_url, + ); + let text = team_invite_text( + team_display_name, + inviter_label, + to_email, + role, + expires_at, + invite_url, + ); + + self.send_email(to_email, &subject, &html, &text).await + } } // --------------------------------------------------------------------------- @@ -740,7 +1099,39 @@ impl EmailService { .await } - pub async fn send_claim_email(&self, to_email: &str, claim_url: &str) -> Result<(), String> { - self.inner.send_claim_email(to_email, claim_url).await + pub async fn send_claim_email( + &self, + to_email: &str, + claim_url: &str, + account_display_name: Option<&str>, + account_picture: Option<&str>, + ) -> Result<(), String> { + self.inner + .send_claim_email(to_email, claim_url, account_display_name, account_picture) + .await + } + + #[allow(clippy::too_many_arguments)] + pub async fn send_team_invite_email( + &self, + to_email: &str, + team_display_name: &str, + team_picture: Option<&str>, + inviter_label: &str, + role: &str, + expires_at: DateTime, + invite_url: &str, + ) -> Result<(), String> { + self.inner + .send_team_invite_email( + to_email, + team_display_name, + team_picture, + inviter_label, + role, + expires_at, + invite_url, + ) + .await } } diff --git a/api/src/lib.rs b/api/src/lib.rs index 605bf61e..d6016ec6 100644 --- a/api/src/lib.rs +++ b/api/src/lib.rs @@ -5,6 +5,7 @@ pub mod divine_names; pub mod email_service; pub mod handlers; pub mod nip98; +pub mod nostr_profile; pub mod redis; pub mod state; pub mod ucan_auth; diff --git a/api/src/nostr_profile.rs b/api/src/nostr_profile.rs new file mode 100644 index 00000000..efcec289 --- /dev/null +++ b/api/src/nostr_profile.rs @@ -0,0 +1,147 @@ +// ABOUTME: Fetch NIP-01 kind-0 metadata (name, picture) for a pubkey from configured relays. +// ABOUTME: Best-effort with a short timeout; callers fall back to local data on failure. + +use nostr_sdk::prelude::*; +use serde::Deserialize; +use std::time::Duration; + +/// Overall deadline for the relay round-trip. Kept short because this runs +/// inline in the invite-email HTTP handler. +const FETCH_TIMEOUT: Duration = Duration::from_secs(3); + +/// Subset of kind-0 metadata we use in emails. +#[derive(Debug, Clone, Default)] +pub struct ProfileMetadata { + /// Preferred human-readable name (`display_name` → `name`). + pub display_name: Option, + /// Avatar URL (`picture`). + pub picture: Option, +} + +#[derive(Debug, Deserialize)] +struct Kind0Content { + #[serde(default)] + name: Option, + #[serde(default)] + display_name: Option, + #[serde(default)] + picture: Option, +} + +/// Fetch kind-0 metadata for `pubkey_hex` from the given relays. +/// +/// Returns `None` on any failure (bad pubkey, no relays reachable, timeout, +/// no event, malformed JSON). Callers should fall back to local data. +pub async fn fetch_profile_metadata( + pubkey_hex: &str, + relays: &[String], +) -> Option { + if relays.is_empty() { + return None; + } + + let public_key = match PublicKey::from_hex(pubkey_hex) { + Ok(pk) => pk, + Err(e) => { + tracing::warn!( + "fetch_profile_metadata: invalid pubkey {}: {}", + pubkey_hex, + e + ); + return None; + } + }; + + let client = Client::default(); + for relay in relays { + if let Err(e) = client.add_relay(relay.as_str()).await { + tracing::debug!("fetch_profile_metadata: add_relay {} failed: {}", relay, e); + } + } + client.connect().await; + + let filter = Filter::new() + .author(public_key) + .kind(Kind::Metadata) + .limit(1); + + let result = match client.fetch_events(filter, FETCH_TIMEOUT).await { + Ok(events) => events + .into_iter() + .next() + .and_then(|ev| parse_kind0(&ev.content)), + Err(e) => { + tracing::warn!( + "fetch_profile_metadata: fetch_events failed for {}: {}", + pubkey_hex, + e + ); + None + } + }; + + // Best-effort teardown so sockets don't linger. + client.shutdown().await; + + result +} + +fn parse_kind0(content: &str) -> Option { + let parsed: Kind0Content = serde_json::from_str(content).ok()?; + let display_name = parsed + .display_name + .and_then(non_empty) + .or_else(|| parsed.name.and_then(non_empty)); + let picture = parsed.picture.and_then(non_empty); + if display_name.is_none() && picture.is_none() { + return None; + } + Some(ProfileMetadata { + display_name, + picture, + }) +} + +fn non_empty(s: String) -> Option { + let t = s.trim(); + if t.is_empty() { + None + } else { + Some(t.to_string()) + } +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn parses_display_name_preferred_over_name() { + let m = parse_kind0(r#"{"name":"short","display_name":"Long Name"}"#).unwrap(); + assert_eq!(m.display_name.as_deref(), Some("Long Name")); + assert_eq!(m.picture, None); + } + + #[test] + fn falls_back_to_name_when_display_name_missing() { + let m = parse_kind0(r#"{"name":"only"}"#).unwrap(); + assert_eq!(m.display_name.as_deref(), Some("only")); + } + + #[test] + fn ignores_empty_strings() { + let m = parse_kind0(r#"{"name":"","display_name":" ","picture":""}"#); + assert!(m.is_none()); + } + + #[test] + fn extracts_picture() { + let m = parse_kind0(r#"{"name":"a","picture":"https://example.com/x.png"}"#).unwrap(); + assert_eq!(m.picture.as_deref(), Some("https://example.com/x.png")); + } + + #[test] + fn returns_none_on_bad_json() { + assert!(parse_kind0("not json").is_none()); + } +} diff --git a/api/src/state.rs b/api/src/state.rs index 07cadfca..802c15fa 100644 --- a/api/src/state.rs +++ b/api/src/state.rs @@ -46,6 +46,8 @@ pub struct KeycastState { /// Pre-computed secret pool for instant authorization creation /// Background producer generates (secret, bcrypt_hash) pairs ahead of time pub secret_pool: SecretPoolReceiver, + /// Whether to set the Secure attribute on cookies (requires HTTPS) + pub secure_cookies: bool, } pub static KEYCAST_STATE: OnceCell> = OnceCell::new(); diff --git a/api/tests/aws_ses_test.rs b/api/tests/aws_ses_test.rs index 9d3f8d52..195cbb97 100644 --- a/api/tests/aws_ses_test.rs +++ b/api/tests/aws_ses_test.rs @@ -77,7 +77,12 @@ async fn test_ses_send_claim_email() { let sender = SesEmailSender::new().await.expect("SES init failed"); let result = sender - .send_claim_email(&recipient, "https://example.com/claim?token=abc123") + .send_claim_email( + &recipient, + "https://example.com/claim?token=abc123", + None, + None, + ) .await; assert!(result.is_ok(), "Claim email failed: {:?}", result.err()); diff --git a/api/tests/common/mod.rs b/api/tests/common/mod.rs index b8290c99..258f0c22 100644 --- a/api/tests/common/mod.rs +++ b/api/tests/common/mod.rs @@ -41,9 +41,13 @@ pub fn assert_test_database_url() { ]; let url_lower = url.to_lowercase(); + // CRITICAL: Only check the part of the URL AFTER the credentials (if any) + // This prevents false positives from strings like "production" in the password + let checkable_part = url_lower.split('@').next_back().unwrap_or(&url_lower); + for indicator in production_indicators { assert!( - !url_lower.contains(indicator), + !checkable_part.contains(indicator), "\n\n\ ╔══════════════════════════════════════════════════════════════════╗\n\ ║ REFUSING TO RUN: DATABASE_URL appears to be a production DB ║\n\ diff --git a/api/tests/nostr_rpc_integration_test.rs b/api/tests/nostr_rpc_integration_test.rs index 4aa760fb..fb7a580b 100644 --- a/api/tests/nostr_rpc_integration_test.rs +++ b/api/tests/nostr_rpc_integration_test.rs @@ -31,31 +31,9 @@ async fn setup_db() -> PgPool { .await .expect("Failed to connect to database"); - // Run migrations - sqlx::migrate!("../database/migrations") - .run(&pool) - .await - .expect("Failed to run migrations"); - - // Clean up test data from previous runs (preserve tenant ID 1 which is seeded) - sqlx::query("DELETE FROM oauth_authorizations WHERE tenant_id > 1") - .execute(&pool) - .await - .ok(); - sqlx::query("DELETE FROM personal_keys WHERE tenant_id > 1") - .execute(&pool) - .await - .ok(); - sqlx::query("DELETE FROM users WHERE tenant_id > 1") - .execute(&pool) - .await - .ok(); - sqlx::query("DELETE FROM tenants WHERE id > 1") - .execute(&pool) - .await - .ok(); - - // Reset tenant sequence to ensure no conflicts + // The test runner (run-tests.sh) handles dropping/creating/migrating the DB for us. + // We only need to ensure sequences are reset if we reuse the pool within tests, + // though for fresh DBs this is mostly a safety measure. sqlx::query( "SELECT setval('tenants_id_seq', (SELECT COALESCE(MAX(id), 1) FROM tenants), true)", ) diff --git a/build.README.md b/build.README.md new file mode 100644 index 00000000..a1867156 --- /dev/null +++ b/build.README.md @@ -0,0 +1,171 @@ +# Build Instructions — Keycast + +This document covers how to build and run the Keycast Nostr key management service. Keycast is a polyglot project using **Rust** for the backend and **TypeScript (Bun)** for the frontend/tooling. + +## Prerequisites +- **Rust** (Latest stable) +- **Bun** (Latest version) +- **Docker** & **Docker Compose** +- **sqlx-cli** (Install via `make install-prereq`) + +--- + +## 1. Initial Setup + +A `Makefile` is provided to simplify the setup process. + +```bash +# 1. Check prerequisites +make check-prereq + +# 2. Install sqlx-cli (required for migrations) +make install-prereq + +# 3. Initialize .env.local and master key +# This also symlinks .env -> .env.local and generates the SERVER_NSEC secret +make setup +``` + +--- + +## 2. Environment Management + +Keycast supports multiple environments using a symlink strategy to the `.env` file. This allows you to keep your local, staging, and production secrets organized and separate. + +```bash +# Switch to local environment +make env-local + +# Switch to staging (requires .env.staging to exist) +make env-staging +``` + +### Configuration Details +The following key variables are managed in your `.env.*` files: +- `DATABASE_URL`: Postgres connection string (automatically handled in Docker mode). +- `SERVER_NSEC`: Hex-encoded Nostr secret key used for signing session tokens. +- `MASTER_KEY_PATH`: Path to the encryption key generated by `make setup`. +- `BUNKER_RELAYS`: Comma-separated list of Nostr relays for NIP-46 signing. + +--- + +## 3. Running Keycast + +### Option A: Using Docker (Recommended) +This is the easiest way to run the entire stack (API, Frontend, Postgres, and Redis). + +```bash +# Build the images +make docker-build + +# Start the services +make docker-up + +# Follow logs (Ctrl+C to stop trailing) +make docker-logs + +# Stop the services +make docker-down +``` + +### Option B: Native Development (Standalone) +Use this if you want to run the Keycast binary directly on your host for faster debugging. + +```bash +# 1. Start Postgres and Redis dependencies +bun run deps:up + +# 2. Run database migrations +make migrate + +# 3. Start the app in dev mode +make dev +``` + +--- + +## 4. Verification & Access + +After starting the services, use the following to verify and access Keycast: + +### Verify Deployment +```bash +docker compose ps +``` +The `keycast-unified` container should show a status of `Up (healthy)`. + +### Access the Web UI +- **Docker Mode**: The API is on **[http://localhost:3000](http://localhost:3000)** and the Dashboard is on **[http://localhost:5172](http://localhost:5172)**. +- **Native Dev Mode**: The API is on port 3000, and the live-reloading frontend is on **[http://localhost:5173](http://localhost:5173)**. + +--- + +## 5. Cookie Security & Local Development + +Keycast uses a session cookie (`keycast_session`) for authentication. For security, this cookie defaults to using the `Secure` attribute, which requires an HTTPS connection. + +### Development Mode (HTTP) +When running locally via Docker or in native development mode over plain HTTP (`http://localhost`), browsers will reject `Secure` cookies. To facilitate local development: +- **Automatic Detection**: The API checks the `NODE_ENV` environment variable. +- **Insecure Cookies**: If `NODE_ENV` is set to `development` (the default in `docker-compose.yml`), the `Secure` attribute is omitted, allowing the session to persist over HTTP. + +### Production Mode (HTTPS) +In production, ensure `NODE_ENV=production` is set in your environment. This enforces the `Secure` attribute, ensuring session tokens are never transmitted over unencrypted connections. + +> [!IMPORTANT] +> Because this logic is compiled into the Rust binary, any changes to authentication security settings require a Docker rebuild: +> ```bash +> cd keycast +> make docker-build +> make docker-up +> ``` + +--- + +## 6. Advanced: Manual Building + +If you need to build the project artifacts manually outside of Docker: + +### Backend (Rust) +```bash +cargo build --release --bin keycast +``` + +### Frontend (TypeScript) +```bash +bun run build:web +``` + +--- + +## 6. Testing & Quality + +### Unit & Integration Tests +The test suite is optimized for speed. It runs all unit and integration tests in a single compilation pass using `cargo-nextest`. + +```bash +# Standardized, optimized test run +make test +``` + +### Testing Architecture (Behind the Scenes) +The testing workflow is designed for both speed and absolute isolation: + +1. **Database Isolation**: Before every `make test` run, the runner (`scripts/run-tests.sh`) forcefully drops and recreates the `keycast_test` database. This ensures that a failed test never leaves "poisoned" data for the next run. +2. **Centralized Migrations**: Instead of every individual test running its own migrations (which is slow and prone to race conditions), the runner performs a single migration pass using the application's built-in migration logic: `cargo run --bin keycast -- --migrate`. +3. **Intelligent Parallelization**: + - **Unit/Core Tests**: These are run in parallel to maximize CPU usage. + - **Integration Tests**: These share the test database, so they are automatically serialized (`-j 1`) by the runner. This prevents "duplicate key" errors while maintaining the convenience of a single command. +4. **Credential Safety**: The test suite includes an `assert_test_database_url` guard that refuses to run if the database hostname looks like a production environment (e.g., Cloud SQL or GCP IPs). + +### Branding & Naming +When updating rebranding the application (e.g., from "diVine" to "Synvya"), follow these rules: +1. **Code & UI**: You can safely rename strings in `.rs`, `.svelte`, and `.ts` files. +2. **Database Migrations**: **NEVER** edit existing migration files in `database/migrations/`. These files are checksummed; changing them will prevent the Docker environment from starting. + - Instead, create a **NEW** migration file to update existing data: `UPDATE tenants SET name = 'New Name' WHERE id = 1;`. +3. **Environment Variables**: Update `FROM_NAME` and other display-related variables in your `.env.local`. + +### Code Quality Check (Formatting & Linting) +```bash +bun run check +``` diff --git a/cloudbuild.yaml b/cloudbuild.yaml index c0a0d054..17ecf32c 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -41,9 +41,10 @@ steps: export PGPASSWORD="$$DB_PASS" # Skip 0001 (initial schema) - it's not idempotent and should only run once - # Migrations 0002+ are designed to be safe to re-run - for migration in database/migrations/000[2-9]*.sql database/migrations/00[1-9][0-9]*.sql; do + # All other migrations (sequential 0002+ and date-based 2026*) are idempotent and safe to re-run + for migration in database/migrations/*.sql; do [ -f "$$migration" ] || continue + [[ "$$(basename $$migration)" == 0001* ]] && continue echo " → $$(basename $$migration)" psql -h 127.0.0.1 -U $$DB_USER -d $$DB_NAME -f "$$migration" -q 2>&1 | grep -v "already exists" || true done diff --git a/core/src/repositories/authorization.rs b/core/src/repositories/authorization.rs index 0997553b..455ec4b6 100644 --- a/core/src/repositories/authorization.rs +++ b/core/src/repositories/authorization.rs @@ -17,7 +17,8 @@ impl AuthorizationRepository { Self { pool } } - /// Find an authorization by ID. + /// Find an authorization by ID (includes revoked rows — callers that need to + /// exclude revoked should check `revoked_at`). pub async fn find( &self, tenant_id: i64, @@ -26,7 +27,8 @@ impl AuthorizationRepository { sqlx::query_as::<_, Authorization>( "SELECT id, tenant_id, stored_key_id, secret_hash, bunker_public_key, relays, policy_id, max_uses, expires_at, connected_client_pubkey, - connected_at, label, created_at, updated_at + connected_at, label, created_at, updated_at, + revoked_at, revoked_reason FROM authorizations WHERE tenant_id = $1 AND id = $2", ) .bind(tenant_id) @@ -36,40 +38,97 @@ impl AuthorizationRepository { .map_err(Into::into) } - /// Find all authorizations for a stored key. + /// Find active authorizations for a stored key (excludes revoked rows). pub async fn find_by_stored_key( &self, tenant_id: i64, stored_key_id: i32, ) -> Result, RepositoryError> { - sqlx::query_as::<_, Authorization>( - "SELECT id, tenant_id, stored_key_id, secret_hash, bunker_public_key, + self.find_by_stored_key_inner(tenant_id, stored_key_id, false) + .await + } + + /// Find authorizations for a stored key, optionally including revoked rows + /// (for admin views that need to surface soft-deleted history). + pub async fn find_by_stored_key_with_revoked( + &self, + tenant_id: i64, + stored_key_id: i32, + include_revoked: bool, + ) -> Result, RepositoryError> { + self.find_by_stored_key_inner(tenant_id, stored_key_id, include_revoked) + .await + } + + async fn find_by_stored_key_inner( + &self, + tenant_id: i64, + stored_key_id: i32, + include_revoked: bool, + ) -> Result, RepositoryError> { + let base = "SELECT id, tenant_id, stored_key_id, secret_hash, bunker_public_key, relays, policy_id, max_uses, expires_at, connected_client_pubkey, - connected_at, label, created_at, updated_at - FROM authorizations WHERE tenant_id = $1 AND stored_key_id = $2", + connected_at, label, created_at, updated_at, + revoked_at, revoked_reason + FROM authorizations WHERE tenant_id = $1 AND stored_key_id = $2"; + let sql = if include_revoked { + base.to_string() + } else { + format!("{} AND revoked_at IS NULL", base) + }; + sqlx::query_as::<_, Authorization>(&sql) + .bind(tenant_id) + .bind(stored_key_id) + .fetch_all(&self.pool) + .await + .map_err(Into::into) + } + + /// Get all active authorization IDs for a tenant (excludes revoked rows). + pub async fn all_ids(&self, tenant_id: i64) -> Result, RepositoryError> { + sqlx::query_scalar::<_, i32>( + "SELECT id FROM authorizations WHERE tenant_id = $1 AND revoked_at IS NULL", ) .bind(tenant_id) - .bind(stored_key_id) .fetch_all(&self.pool) .await .map_err(Into::into) } - /// Get all authorization IDs for a tenant. - pub async fn all_ids(&self, tenant_id: i64) -> Result, RepositoryError> { - sqlx::query_scalar::<_, i32>("SELECT id FROM authorizations WHERE tenant_id = $1") - .bind(tenant_id) - .fetch_all(&self.pool) - .await - .map_err(Into::into) + /// Get all active authorization IDs for all tenants (excludes revoked rows). + pub async fn all_ids_for_all_tenants(&self) -> Result, RepositoryError> { + sqlx::query_as::<_, (i64, i32)>( + "SELECT tenant_id, id FROM authorizations WHERE revoked_at IS NULL", + ) + .fetch_all(&self.pool) + .await + .map_err(Into::into) } - /// Get all authorization IDs for all tenants. - pub async fn all_ids_for_all_tenants(&self) -> Result, RepositoryError> { - sqlx::query_as::<_, (i64, i32)>("SELECT tenant_id, id FROM authorizations") - .fetch_all(&self.pool) - .await - .map_err(Into::into) + /// Soft-delete an authorization by setting `revoked_at = NOW()`. + /// Returns the bunker_public_key of the revoked row (used by the caller to + /// notify the signer daemon via the authorization channel), or `None` if + /// the authorization didn't exist or was already revoked. + pub async fn revoke( + &self, + tenant_id: i64, + authorization_id: i32, + reason: Option<&str>, + ) -> Result, RepositoryError> { + let bunker_pubkey: Option = sqlx::query_scalar( + "UPDATE authorizations + SET revoked_at = NOW(), + revoked_reason = $3, + updated_at = NOW() + WHERE tenant_id = $1 AND id = $2 AND revoked_at IS NULL + RETURNING bunker_public_key", + ) + .bind(tenant_id) + .bind(authorization_id) + .bind(reason) + .fetch_optional(&self.pool) + .await?; + Ok(bunker_pubkey) } /// Create a new authorization. @@ -92,7 +151,7 @@ impl AuthorizationRepository { sqlx::query_as::<_, Authorization>( "INSERT INTO authorizations (tenant_id, stored_key_id, policy_id, secret_hash, bunker_public_key, relays, max_uses, expires_at, label, created_at, updated_at) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, NOW(), NOW()) - RETURNING id, tenant_id, stored_key_id, secret_hash, bunker_public_key, relays, policy_id, max_uses, expires_at, connected_client_pubkey, connected_at, label, created_at, updated_at", + RETURNING id, tenant_id, stored_key_id, secret_hash, bunker_public_key, relays, policy_id, max_uses, expires_at, connected_client_pubkey, connected_at, label, created_at, updated_at, revoked_at, revoked_reason", ) .bind(tenant_id) .bind(stored_key_id) diff --git a/core/src/repositories/mod.rs b/core/src/repositories/mod.rs index eb164359..db4f3aeb 100644 --- a/core/src/repositories/mod.rs +++ b/core/src/repositories/mod.rs @@ -13,6 +13,7 @@ mod refresh_token; mod registered_client; mod stored_key; mod team; +mod team_invitation; mod user; pub use atproto_oauth_session::{ @@ -32,4 +33,5 @@ pub use refresh_token::RefreshTokenRepository; pub use registered_client::RegisteredClientRepository; pub use stored_key::StoredKeyRepository; pub use team::TeamRepository; +pub use team_invitation::TeamInvitationRepository; pub use user::{AdminUserDetails, DeleteAccountResult, UserRepository, VerificationTokenData}; diff --git a/core/src/repositories/team.rs b/core/src/repositories/team.rs index 9e1770f0..7b733310 100644 --- a/core/src/repositories/team.rs +++ b/core/src/repositories/team.rs @@ -43,8 +43,10 @@ impl TeamRepository { // Get team_users for this team let team_users = sqlx::query_as::<_, TeamUser>( - "SELECT user_pubkey, team_id, role, created_at, updated_at - FROM team_users WHERE team_id = $1", + "SELECT tu.user_pubkey, tu.team_id, tu.role, u.email, tu.created_at, tu.updated_at + FROM team_users tu + LEFT JOIN users u ON u.pubkey = tu.user_pubkey + WHERE tu.team_id = $1", ) .bind(team_id) .fetch_all(&self.pool) @@ -199,9 +201,14 @@ impl TeamRepository { role: &str, ) -> Result { sqlx::query_as::<_, TeamUser>( - "INSERT INTO team_users (team_id, user_pubkey, role, created_at, updated_at) - VALUES ($1, $2, $3, NOW(), NOW()) - RETURNING user_pubkey, team_id, role, created_at, updated_at", + "WITH ins AS ( + INSERT INTO team_users (team_id, user_pubkey, role, created_at, updated_at) + VALUES ($1, $2, $3, NOW(), NOW()) + RETURNING user_pubkey, team_id, role, created_at, updated_at + ) + SELECT ins.user_pubkey, ins.team_id, ins.role, u.email, ins.created_at, ins.updated_at + FROM ins + LEFT JOIN users u ON u.pubkey = ins.user_pubkey", ) .bind(team_id) .bind(pubkey) @@ -213,16 +220,15 @@ impl TeamRepository { /// Check if a user is already a member of a team. pub async fn is_member(&self, team_id: i32, pubkey: &str) -> Result { - let result = sqlx::query_as::<_, TeamUser>( - "SELECT user_pubkey, team_id, role, created_at, updated_at - FROM team_users WHERE team_id = $1 AND user_pubkey = $2", + let count: i64 = sqlx::query_scalar( + "SELECT COUNT(*) FROM team_users WHERE team_id = $1 AND user_pubkey = $2", ) .bind(team_id) .bind(pubkey) - .fetch_optional(&self.pool) + .fetch_one(&self.pool) .await?; - Ok(result.is_some()) + Ok(count > 0) } /// Get a team member. @@ -232,8 +238,10 @@ impl TeamRepository { pubkey: &str, ) -> Result { sqlx::query_as::<_, TeamUser>( - "SELECT user_pubkey, team_id, role, created_at, updated_at - FROM team_users WHERE team_id = $1 AND user_pubkey = $2", + "SELECT tu.user_pubkey, tu.team_id, tu.role, u.email, tu.created_at, tu.updated_at + FROM team_users tu + LEFT JOIN users u ON u.pubkey = tu.user_pubkey + WHERE tu.team_id = $1 AND tu.user_pubkey = $2", ) .bind(team_id) .bind(pubkey) @@ -381,9 +389,14 @@ impl TeamRepository { // Add user as admin let team_user = sqlx::query_as::<_, TeamUser>( - "INSERT INTO team_users (team_id, user_pubkey, role, created_at, updated_at) - VALUES ($1, $2, 'admin', $3, $4) - RETURNING *", + "WITH ins AS ( + INSERT INTO team_users (team_id, user_pubkey, role, created_at, updated_at) + VALUES ($1, $2, 'admin', $3, $4) + RETURNING user_pubkey, team_id, role, created_at, updated_at + ) + SELECT ins.user_pubkey, ins.team_id, ins.role, u.email, ins.created_at, ins.updated_at + FROM ins + LEFT JOIN users u ON u.pubkey = ins.user_pubkey", ) .bind(team.id) .bind(admin_pubkey) @@ -751,4 +764,65 @@ mod tests { assert_eq!(with_relations.team.id, team.id); assert_eq!(with_relations.team_users.len(), 1); } + + #[tokio::test] + async fn test_add_member_populates_email() { + let pool = setup_pool().await; + let team_repo = TeamRepository::new(pool.clone()); + let user_repo = UserRepository::new(pool.clone()); + let suffix = test_suffix(); + + let keys = Keys::generate(); + let pubkey = keys.public_key(); + user_repo.find_or_create(1, &pubkey).await.unwrap(); + + let email = format!("member-{}@test.local", suffix); + sqlx::query("UPDATE users SET email = $1 WHERE pubkey = $2") + .bind(&email) + .bind(pubkey.to_hex()) + .execute(&pool) + .await + .unwrap(); + + let team = team_repo + .create(1, &format!("Email Test {}", suffix)) + .await + .unwrap(); + + let member = team_repo + .add_member(team.id, &pubkey.to_hex(), "member") + .await + .unwrap(); + assert_eq!(member.email.as_deref(), Some(email.as_str())); + + let with_relations = team_repo.find_with_relations(1, team.id).await.unwrap(); + assert_eq!(with_relations.team_users.len(), 1); + assert_eq!( + with_relations.team_users[0].email.as_deref(), + Some(email.as_str()) + ); + } + + #[tokio::test] + async fn test_add_member_without_email_returns_none() { + let pool = setup_pool().await; + let team_repo = TeamRepository::new(pool.clone()); + let user_repo = UserRepository::new(pool.clone()); + let suffix = test_suffix(); + + let keys = Keys::generate(); + let pubkey = keys.public_key(); + user_repo.find_or_create(1, &pubkey).await.unwrap(); + + let team = team_repo + .create(1, &format!("NoEmail Test {}", suffix)) + .await + .unwrap(); + + let member = team_repo + .add_member(team.id, &pubkey.to_hex(), "member") + .await + .unwrap(); + assert!(member.email.is_none()); + } } diff --git a/core/src/repositories/team_invitation.rs b/core/src/repositories/team_invitation.rs new file mode 100644 index 00000000..f16bfba4 --- /dev/null +++ b/core/src/repositories/team_invitation.rs @@ -0,0 +1,169 @@ +use chrono::{Duration, Utc}; +use sqlx::PgPool; + +use crate::repositories::RepositoryError; +use crate::types::team_invitation::{TeamInvitation, INVITATION_EXPIRY_DAYS}; + +/// Repository for team invitation database operations. +#[derive(Debug, Clone)] +pub struct TeamInvitationRepository { + pool: PgPool, +} + +impl TeamInvitationRepository { + pub fn new(pool: PgPool) -> Self { + Self { pool } + } + + /// Create a new team invitation. + pub async fn create( + &self, + team_id: i32, + tenant_id: i64, + email: &str, + role: &str, + token: &str, + invited_by: &str, + ) -> Result { + let now = Utc::now(); + let expires_at = now + Duration::days(INVITATION_EXPIRY_DAYS); + + sqlx::query_as::<_, TeamInvitation>( + "INSERT INTO team_invitations + (team_id, tenant_id, email, role, token, invited_by, expires_at, created_at) + VALUES ($1, $2, $3, $4, $5, $6, $7, $8) + RETURNING *", + ) + .bind(team_id) + .bind(tenant_id) + .bind(email) + .bind(role) + .bind(token) + .bind(invited_by) + .bind(expires_at) + .bind(now) + .fetch_one(&self.pool) + .await + .map_err(Into::into) + } + + /// Find a valid (pending, not expired, not revoked, not accepted) invitation by token. + pub async fn find_valid_by_token( + &self, + token: &str, + ) -> Result, RepositoryError> { + sqlx::query_as::<_, TeamInvitation>( + "SELECT * FROM team_invitations + WHERE token = $1 + AND accepted_at IS NULL + AND revoked_at IS NULL + AND expires_at > NOW()", + ) + .bind(token) + .fetch_optional(&self.pool) + .await + .map_err(Into::into) + } + + /// Find any invitation by token (regardless of status). + pub async fn find_by_token( + &self, + token: &str, + ) -> Result, RepositoryError> { + sqlx::query_as::<_, TeamInvitation>("SELECT * FROM team_invitations WHERE token = $1") + .bind(token) + .fetch_optional(&self.pool) + .await + .map_err(Into::into) + } + + /// List all invitations for a team. + pub async fn list_by_team( + &self, + team_id: i32, + tenant_id: i64, + ) -> Result, RepositoryError> { + sqlx::query_as::<_, TeamInvitation>( + "SELECT * FROM team_invitations + WHERE team_id = $1 AND tenant_id = $2 + ORDER BY created_at DESC", + ) + .bind(team_id) + .bind(tenant_id) + .fetch_all(&self.pool) + .await + .map_err(Into::into) + } + + /// Check if there is already a pending invitation for this email on this team. + pub async fn find_pending_by_email( + &self, + team_id: i32, + email: &str, + ) -> Result, RepositoryError> { + sqlx::query_as::<_, TeamInvitation>( + "SELECT * FROM team_invitations + WHERE team_id = $1 + AND email = $2 + AND accepted_at IS NULL + AND revoked_at IS NULL + AND expires_at > NOW()", + ) + .bind(team_id) + .bind(email) + .fetch_optional(&self.pool) + .await + .map_err(Into::into) + } + + /// Mark an invitation as accepted. + pub async fn accept( + &self, + token: &str, + accepted_by: &str, + ) -> Result { + sqlx::query_as::<_, TeamInvitation>( + "UPDATE team_invitations + SET accepted_at = NOW(), accepted_by = $1 + WHERE token = $2 + AND accepted_at IS NULL + AND revoked_at IS NULL + AND expires_at > NOW() + RETURNING *", + ) + .bind(accepted_by) + .bind(token) + .fetch_one(&self.pool) + .await + .map_err(Into::into) + } + + /// Revoke a pending invitation (soft delete via revoked_at). + pub async fn revoke( + &self, + id: i32, + team_id: i32, + tenant_id: i64, + ) -> Result<(), RepositoryError> { + let result = sqlx::query( + "UPDATE team_invitations + SET revoked_at = NOW() + WHERE id = $1 AND team_id = $2 AND tenant_id = $3 + AND accepted_at IS NULL + AND revoked_at IS NULL", + ) + .bind(id) + .bind(team_id) + .bind(tenant_id) + .execute(&self.pool) + .await?; + + if result.rows_affected() == 0 { + return Err(RepositoryError::NotFound( + "Invitation not found or already resolved".to_string(), + )); + } + + Ok(()) + } +} diff --git a/core/src/repositories/user.rs b/core/src/repositories/user.rs index 53e3589e..c555f8c4 100644 --- a/core/src/repositories/user.rs +++ b/core/src/repositories/user.rs @@ -16,6 +16,7 @@ pub struct VerificationTokenData { pub password_hash: Option, pub created_at: DateTime, pub email_verified: bool, + pub redirect_uri: Option, } /// User details returned by admin lookup. @@ -149,6 +150,25 @@ impl UserRepository { Ok(count > 0) } + /// Count how many teams this user belongs to within the tenant. + pub async fn count_team_memberships( + &self, + tenant_id: i64, + pubkey: &PublicKey, + ) -> Result { + sqlx::query_scalar( + "SELECT COUNT(*) + FROM team_users tu + JOIN teams t ON t.id = tu.team_id + WHERE tu.user_pubkey = $1 AND t.tenant_id = $2", + ) + .bind(pubkey.to_hex()) + .bind(tenant_id) + .fetch_one(&self.pool) + .await + .map_err(Into::into) + } + // ========================================================================= // Authentication methods // ========================================================================= @@ -304,6 +324,7 @@ impl UserRepository { verification_token: &str, verification_expires_at: DateTime, encrypted_secret: &[u8], + redirect_uri: Option<&str>, ) -> Result<(), RepositoryError> { let mut tx = self.pool.begin().await?; let now = Utc::now(); @@ -311,8 +332,8 @@ impl UserRepository { // Insert user with email verification token // password_hash may be NULL for async bcrypt flow (computed in background) sqlx::query( - "INSERT INTO users (pubkey, tenant_id, email, password_hash, email_verified, email_verification_token, email_verification_expires_at, created_at, updated_at) - VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)", + "INSERT INTO users (pubkey, tenant_id, email, password_hash, email_verified, email_verification_token, email_verification_expires_at, redirect_uri, created_at, updated_at) + VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)", ) .bind(pubkey) .bind(tenant_id) @@ -321,6 +342,7 @@ impl UserRepository { .bind(false) .bind(verification_token) .bind(verification_expires_at) + .bind(redirect_uri) .bind(now) .bind(now) .execute(&mut *tx) @@ -354,7 +376,7 @@ impl UserRepository { tenant_id: i64, ) -> Result, RepositoryError> { sqlx::query_as( - "SELECT pubkey, email_verification_expires_at, password_hash, created_at, email_verified FROM users + "SELECT pubkey, email_verification_expires_at, password_hash, created_at, email_verified, redirect_uri FROM users WHERE email_verification_token = $1 AND tenant_id = $2", ) .bind(token) @@ -1402,6 +1424,20 @@ mod tests { result.0 } + async fn create_test_tenant(pool: &PgPool, tenant_id: i64, suffix: &str) { + sqlx::query( + "INSERT INTO tenants (id, domain, name, created_at, updated_at) + VALUES ($1, $2, $3, NOW(), NOW()) + ON CONFLICT (id) DO NOTHING", + ) + .bind(tenant_id) + .bind(format!("tenant-{}.{}.test", tenant_id, suffix)) + .bind(format!("Tenant {}", tenant_id)) + .execute(pool) + .await + .unwrap(); + } + async fn add_user_to_team(pool: &PgPool, pubkey: &str, team_id: i32, role: &str) { sqlx::query( "INSERT INTO team_users (team_id, user_pubkey, role, created_at, updated_at) @@ -1557,6 +1593,50 @@ mod tests { assert!(!result.unwrap(), "User should not be member"); } + #[tokio::test] + async fn test_count_team_memberships_zero_for_new_user() { + let pool = setup_pool().await; + let repo = UserRepository::new(pool.clone()); + let keys = Keys::generate(); + let pubkey = keys.public_key(); + + repo.find_or_create(1, &pubkey).await.unwrap(); + + let result = repo.count_team_memberships(1, &pubkey).await; + assert!(result.is_ok()); + assert_eq!(result.unwrap(), 0, "New user should have zero teams"); + } + + #[tokio::test] + async fn test_count_team_memberships_filters_by_tenant() { + let pool = setup_pool().await; + let repo = UserRepository::new(pool.clone()); + let keys = Keys::generate(); + let pubkey = keys.public_key(); + let suffix = test_suffix(); + + create_test_tenant(&pool, 2, &suffix).await; + repo.find_or_create(1, &pubkey).await.unwrap(); + repo.find_or_create(2, &pubkey).await.unwrap(); + + let team1_id = create_test_team(&pool, &format!("Tenant One {}", suffix)).await; + add_user_to_team(&pool, &pubkey.to_hex(), team1_id, "admin").await; + + let team2_id: i32 = sqlx::query_scalar( + "INSERT INTO teams (tenant_id, name, created_at, updated_at) + VALUES (2, $1, NOW(), NOW()) + RETURNING id", + ) + .bind(format!("Tenant Two {}", suffix)) + .fetch_one(&pool) + .await + .unwrap(); + add_user_to_team(&pool, &pubkey.to_hex(), team2_id, "admin").await; + + assert_eq!(repo.count_team_memberships(1, &pubkey).await.unwrap(), 1); + assert_eq!(repo.count_team_memberships(2, &pubkey).await.unwrap(), 1); + } + #[tokio::test] async fn test_is_team_teammate_true() { let pool = setup_pool().await; diff --git a/core/src/types/authorization.rs b/core/src/types/authorization.rs index 46d4d6e8..a31964a4 100644 --- a/core/src/types/authorization.rs +++ b/core/src/types/authorization.rs @@ -89,6 +89,10 @@ pub struct Authorization { pub created_at: DateTime, /// The date and time the authorization was last updated pub updated_at: DateTime, + /// When this authorization was soft-deleted (NULL = active). + pub revoked_at: Option>, + /// Optional free-text reason for revocation (e.g. "superseded", "admin_revoke"). + pub revoked_reason: Option, } #[derive(Debug, FromRow, Serialize, Deserialize)] @@ -107,7 +111,8 @@ impl Authorization { let authorization = sqlx::query_as::<_, Authorization>( "SELECT id, tenant_id, stored_key_id, secret_hash, bunker_public_key, relays, policy_id, max_uses, expires_at, connected_client_pubkey, - connected_at, label, created_at, updated_at + connected_at, label, created_at, updated_at, + revoked_at, revoked_reason FROM authorizations WHERE tenant_id = $1 AND id = $2", ) .bind(tenant_id) @@ -120,7 +125,7 @@ impl Authorization { pub async fn all_ids(pool: &PgPool, tenant_id: i64) -> Result, AuthorizationError> { let authorizations = sqlx::query_scalar::<_, i32>( r#" - SELECT id FROM authorizations WHERE tenant_id = $1 + SELECT id FROM authorizations WHERE tenant_id = $1 AND revoked_at IS NULL "#, ) .bind(tenant_id) @@ -134,7 +139,7 @@ impl Authorization { ) -> Result, AuthorizationError> { let authorizations = sqlx::query_as::<_, (i64, i32)>( r#" - SELECT tenant_id, id FROM authorizations + SELECT tenant_id, id FROM authorizations WHERE revoked_at IS NULL "#, ) .fetch_all(pool) diff --git a/core/src/types/mod.rs b/core/src/types/mod.rs index f5947e21..e562331c 100644 --- a/core/src/types/mod.rs +++ b/core/src/types/mod.rs @@ -6,4 +6,5 @@ pub mod policy; pub mod refresh_token; pub mod stored_key; pub mod team; +pub mod team_invitation; pub mod user; diff --git a/core/src/types/team.rs b/core/src/types/team.rs index 86425b32..966d5ad5 100644 --- a/core/src/types/team.rs +++ b/core/src/types/team.rs @@ -86,8 +86,10 @@ impl Team { // Get team_users for this team let team_users = sqlx::query_as::<_, TeamUser>( - "SELECT user_pubkey, team_id, role, created_at, updated_at - FROM team_users WHERE team_id = $1", + "SELECT tu.user_pubkey, tu.team_id, tu.role, u.email, tu.created_at, tu.updated_at + FROM team_users tu + LEFT JOIN users u ON u.pubkey = tu.user_pubkey + WHERE tu.team_id = $1", ) .bind(team_id) .fetch_all(pool) diff --git a/core/src/types/team_invitation.rs b/core/src/types/team_invitation.rs new file mode 100644 index 00000000..14e9ac62 --- /dev/null +++ b/core/src/types/team_invitation.rs @@ -0,0 +1,95 @@ +use chrono::{DateTime, Utc}; +use rand::Rng; +use serde::{Deserialize, Serialize}; +use sqlx::FromRow; + +/// Invitation expiry in days +pub const INVITATION_EXPIRY_DAYS: i64 = 7; + +/// A pending, accepted, revoked, or expired team invitation +#[derive(Debug, Clone, FromRow, Serialize, Deserialize)] +pub struct TeamInvitation { + pub id: i32, + pub team_id: i32, + pub tenant_id: i64, + pub email: String, + pub role: String, + pub token: String, + pub invited_by: String, + pub expires_at: DateTime, + pub accepted_at: Option>, + pub accepted_by: Option, + pub revoked_at: Option>, + pub created_at: DateTime, +} + +impl TeamInvitation { + /// Returns true if the invitation is still actionable. + pub fn is_pending(&self) -> bool { + self.accepted_at.is_none() && self.revoked_at.is_none() && self.expires_at > Utc::now() + } +} + +/// Public-facing invitation info returned by the list endpoint +#[derive(Debug, Serialize)] +pub struct InvitationListItem { + pub id: i32, + pub email: String, + pub role: String, + pub invited_by: String, // resolved to display name + pub created_at: DateTime, + pub expires_at: DateTime, + pub accepted_at: Option>, + pub revoked_at: Option>, +} + +/// Public preview returned to unauthenticated users via token +#[derive(Debug, Serialize)] +pub struct InvitationPreview { + pub team_name: String, + /// Hex pubkey of the team's primary stored key. `None` if the team has no + /// stored keys yet. Lets the client fetch the team's kind-0 profile from + /// relays to render a display name and avatar instead of the raw team_name. + pub team_key_pubkey: Option, + pub role: String, + pub invited_by_display_name: String, + /// Email address of the inviter (Keycast user). `None` if the inviter's + /// account is missing an email. Lets the client render a human-readable + /// "invited you" line instead of a truncated pubkey. + pub invited_by_email: Option, + pub expires_at: DateTime, + /// The email address the invitation was sent to. Returned so the client can + /// prefill and lock the email field on the signup/login forms, preventing + /// the "registered with a different email" → 403-at-accept-time footgun. + pub email: String, +} + +/// Generate a cryptographically random invitation token (32 bytes, hex-encoded = 64 chars) +pub fn generate_invitation_token() -> String { + let bytes: [u8; 32] = rand::thread_rng().gen(); + hex::encode(bytes) +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_generate_invitation_token_length() { + let token = generate_invitation_token(); + assert_eq!(token.len(), 64); + } + + #[test] + fn test_generate_invitation_token_uniqueness() { + let t1 = generate_invitation_token(); + let t2 = generate_invitation_token(); + assert_ne!(t1, t2); + } + + #[test] + fn test_generate_invitation_token_is_hex() { + let token = generate_invitation_token(); + assert!(token.chars().all(|c| c.is_ascii_hexdigit())); + } +} diff --git a/core/src/types/user.rs b/core/src/types/user.rs index faa7fcbd..86d76d5e 100644 --- a/core/src/types/user.rs +++ b/core/src/types/user.rs @@ -46,6 +46,9 @@ pub struct TeamUser { pub team_id: i32, /// The user's role in the team pub role: TeamUserRole, + /// The user's email, if any. Populated via LEFT JOIN on the `users` table. + #[serde(default)] + pub email: Option, /// The date and time the user was created pub created_at: DateTime, /// The date and time the user was last updated @@ -117,8 +120,10 @@ impl User { // Batch fetch all team_users for all teams let all_team_users = sqlx::query_as::<_, TeamUser>( - "SELECT user_pubkey, team_id, role, created_at, updated_at - FROM team_users WHERE team_id = ANY($1)", + "SELECT tu.user_pubkey, tu.team_id, tu.role, u.email, tu.created_at, tu.updated_at + FROM team_users tu + LEFT JOIN users u ON u.pubkey = tu.user_pubkey + WHERE tu.team_id = ANY($1)", ) .bind(&team_ids) .fetch_all(pool) diff --git a/database/migrations/20260412000000_add_user_redirect_uri.sql b/database/migrations/20260412000000_add_user_redirect_uri.sql new file mode 100644 index 00000000..9e1ac9ee --- /dev/null +++ b/database/migrations/20260412000000_add_user_redirect_uri.sql @@ -0,0 +1,3 @@ +-- Add redirect_uri to users table for post-verification redirect +-- When a client app registers a user, it can specify where to redirect after email verification +ALTER TABLE users ADD COLUMN redirect_uri TEXT; diff --git a/database/migrations/20260413000000_add_team_invitations.sql b/database/migrations/20260413000000_add_team_invitations.sql new file mode 100644 index 00000000..1a83970a --- /dev/null +++ b/database/migrations/20260413000000_add_team_invitations.sql @@ -0,0 +1,28 @@ +-- Team invitations for email-based team member onboarding +CREATE TABLE team_invitations ( + id SERIAL PRIMARY KEY, + team_id INT NOT NULL REFERENCES teams(id) ON DELETE CASCADE, + tenant_id BIGINT NOT NULL, + email VARCHAR(255) NOT NULL, + role VARCHAR(20) NOT NULL DEFAULT 'member', + token VARCHAR(64) NOT NULL UNIQUE, + invited_by VARCHAR(64) NOT NULL, -- hex pubkey of the admin who sent the invite + expires_at TIMESTAMPTZ NOT NULL, + accepted_at TIMESTAMPTZ, + accepted_by VARCHAR(64), -- hex pubkey of the user who accepted + revoked_at TIMESTAMPTZ, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + + CONSTRAINT chk_invitation_role CHECK (role IN ('admin', 'member')) +); + +-- Fast token lookup +CREATE INDEX idx_team_invitations_token ON team_invitations(token); + +-- List invitations for a team +CREATE INDEX idx_team_invitations_team ON team_invitations(team_id); + +-- Prevent duplicate pending invitations for the same email on the same team +CREATE UNIQUE INDEX uq_pending_invite + ON team_invitations(team_id, email) + WHERE accepted_at IS NULL AND revoked_at IS NULL; diff --git a/database/migrations/20260413120000_add_revoked_at_to_authorizations.sql b/database/migrations/20260413120000_add_revoked_at_to_authorizations.sql new file mode 100644 index 00000000..53c82a1c --- /dev/null +++ b/database/migrations/20260413120000_add_revoked_at_to_authorizations.sql @@ -0,0 +1,14 @@ +-- Add soft-delete columns to team authorizations. +-- Mirrors oauth_authorizations.revoked_at so the signer daemon can skip stale +-- team authorizations (e.g. duplicate "Synvya Client (staging)" rows) without +-- hard-deleting and losing forensic history. + +ALTER TABLE authorizations + ADD COLUMN IF NOT EXISTS revoked_at TIMESTAMP WITH TIME ZONE, + ADD COLUMN IF NOT EXISTS revoked_reason TEXT; + +-- Partial index to speed up the "active authorizations" lookup used by the +-- signer daemon and repository methods. +CREATE INDEX IF NOT EXISTS idx_authorizations_active + ON authorizations (tenant_id, bunker_public_key) + WHERE revoked_at IS NULL; diff --git a/database/migrations/20260421133000_update_branding.sql b/database/migrations/20260421133000_update_branding.sql new file mode 100644 index 00000000..ccf3c8cb --- /dev/null +++ b/database/migrations/20260421133000_update_branding.sql @@ -0,0 +1,8 @@ +-- ABOUTME: Rebrands the default tenant from diVine to Synvya +-- ABOUTME: This is the correct way to update branding without breaking migration checksums + +UPDATE tenants SET name = 'Synvya' WHERE id = 1; + +-- If there are other system-wide display names in the DB, update them here too. +-- For example, if we have any admin-created OAuth clients representing the server itself. +UPDATE oauth_authorizations SET client_id = 'Synvya' WHERE client_id = 'diVine'; diff --git a/docker-compose.deps.yml b/docker-compose.deps.yml index 86439429..54effdd1 100644 --- a/docker-compose.deps.yml +++ b/docker-compose.deps.yml @@ -7,7 +7,7 @@ services: image: postgres:16 container_name: keycast-postgres environment: - POSTGRES_PASSWORD: password + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-pass-apr-2026-local} POSTGRES_DB: keycast POSTGRES_USER: postgres ports: diff --git a/docker-compose.synvya.yml b/docker-compose.synvya.yml index 0974b891..fa342787 100644 --- a/docker-compose.synvya.yml +++ b/docker-compose.synvya.yml @@ -73,7 +73,11 @@ services: FROM_NAME: ${FROM_NAME:-Synvya} BASE_URL: ${BASE_URL:?error} APP_URL: ${APP_URL:?error} - DISABLE_EMAILS: ${DISABLE_EMAILS:-} + INVITE_BASE_URL: ${INVITE_BASE_URL:?error} + # Synvya hosts the password reset page on a different domain + # (account.synvya.com / account.staging.synvya.com) from the auth host. + PASSWORD_RESET_BASE_URL: ${PASSWORD_RESET_BASE_URL:?error} + DISABLE_EMAILS: # Frontend VITE_DOMAIN: ${VITE_DOMAIN:-} VITE_ALLOWED_PUBKEYS: ${VITE_ALLOWED_PUBKEYS:-} @@ -81,6 +85,10 @@ services: VITE_NDK_BUNKER_RELAYS: ${VITE_NDK_BUNKER_RELAYS:-} # Performance SQLX_POOL_SIZE: ${SQLX_POOL_SIZE:-10} + # Disable keycast web UI in Synvya deployments — users manage identity + # via Synvya, not via keycast. See issue #24. + DISABLE_WEB_UI: ${DISABLE_WEB_UI:-true} + WEB_UI_REDIRECT_URL: ${WEB_UI_REDIRECT_URL:-https://www.synvya.com} depends_on: postgres: condition: service_healthy diff --git a/docker-compose.yml b/docker-compose.yml index ff18b90b..468248f3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -14,6 +14,8 @@ services: timeout: 3s retries: 5 restart: unless-stopped + ports: + - "5432:5432" networks: - keycast logging: @@ -26,6 +28,8 @@ services: redis: image: redis:7-alpine container_name: keycast-redis + ports: + - "16379:6379" healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 5s @@ -68,7 +72,7 @@ services: command: unified ports: - "3000:3000" - - "5173:5173" + - "5172:5173" volumes: - ./master.key:/app/master.key:ro environment: @@ -84,7 +88,7 @@ services: # Email configuration SENDGRID_API_KEY: ${SENDGRID_API_KEY:-} FROM_EMAIL: ${FROM_EMAIL:-noreply@divine.video} - FROM_NAME: ${FROM_NAME:-diVine} + FROM_NAME: ${FROM_NAME:-Synvya} BASE_URL: ${BASE_URL:-http://localhost:5173} # DISABLE_EMAILS: ${DISABLE_EMAILS:-} # Server configuration diff --git a/docs/synvya/architecture-context.md b/docs/synvya/architecture-context.md index 696e1bca..f6a6dce9 100644 --- a/docs/synvya/architecture-context.md +++ b/docs/synvya/architecture-context.md @@ -61,3 +61,13 @@ The client represents humans. The server represents the always-on restaurant ope - deployable AWS hosting for Keycast itself - support for background provisioning of server-side restaurant authorizations - bot-resistant email endpoints (via AWS WAF rate limiting) + +## Team Bootstrap Rule + +Keycast now supports a narrow self-serve bootstrap path for Synvya: + +- an authenticated user may create their first team even if they are not whitelisted +- the creator becomes the team admin under the normal Keycast model +- once the user already belongs to a team, additional team creation should move through Synvya's manual-approval or server-managed provisioning flow + +This is a bootstrap rule, not a restaurant-ownership rule. Synvya/server remains the system that decides whether a restaurant team is official, approved, or allowed to proceed beyond onboarding. diff --git a/docs/synvya/aws-ses-provider.md b/docs/synvya/aws-ses-provider.md index e8082b3d..a4eab340 100644 --- a/docs/synvya/aws-ses-provider.md +++ b/docs/synvya/aws-ses-provider.md @@ -57,7 +57,7 @@ pub trait EmailSender: Send + Sync { - Templates are hardcoded HTML/text strings in Rust (not external template files) - Click tracking and open tracking are **disabled** for security-sensitive emails -- From address configurable via `FROM_EMAIL` (default: `noreply@divine.video`) and `FROM_NAME` (default: `diVine`) +- From address configurable via `FROM_EMAIL` (default: `noreply@divine.video`) and `FROM_NAME` (default: `Synvya`) - Base URL for links configurable via `BASE_URL` (verification/reset) and `APP_URL` (claim) - Brand color: `#00B488` @@ -136,7 +136,7 @@ impl SesEmailSender { let client = SesClient::new(&config); let from_email = env::var("FROM_EMAIL").unwrap_or_else(|_| "noreply@divine.video".to_string()); - let from_name = env::var("FROM_NAME").unwrap_or_else(|_| "diVine".to_string()); + let from_name = env::var("FROM_NAME").unwrap_or_else(|_| "Synvya".to_string()); let base_url = env::var("BASE_URL").unwrap_or_else(|_| "http://localhost:5173".to_string()); let app_url = env::var("APP_URL").unwrap_or_else(|_| "http://localhost:3000".to_string()); diff --git a/docs/synvya/restaurant-team-e2e.md b/docs/synvya/restaurant-team-e2e.md index 3c3f8e7f..899e1c31 100644 --- a/docs/synvya/restaurant-team-e2e.md +++ b/docs/synvya/restaurant-team-e2e.md @@ -17,6 +17,8 @@ If you need to hand this off to a `Synvya/server` implementation session, start 5. creates a team authorization for that imported key 6. returns the `bunkerUrl` and related IDs for test code +In the Synvya product flow, Keycast now allows an authenticated user to create their first team even if they are not whitelisted. This helper still uses the admin E2E account because it is a deterministic provisioning path for integration tests and avoids coupling tests to onboarding state. + This is the correct Synvya model when: - the restaurant already published events with its own Nostr key @@ -236,7 +238,8 @@ For a full server integration test, assert all of the following: - Do not commit the real demo restaurant `nsec` into the repo. - This helper is only suitable for restaurants whose private key is available. - If a partner restaurant's `nsec` is unavailable, you cannot preserve its existing pubkey with this flow. -- The helper uses the whitelisted E2E admin account because team creation in this repo is admin-gated. +- Keycast now allows self-serve creation of a user's first team. Additional restaurant teams should still be created through the Synvya manual-approval or server-managed path. +- The helper still uses the whitelisted E2E admin account because this document is about deterministic test provisioning, not the end-user onboarding flow. ## Failure Modes diff --git a/docs/synvya/server-e2e-handoff.md b/docs/synvya/server-e2e-handoff.md index 4009cc7f..8cbecb1f 100644 --- a/docs/synvya/server-e2e-handoff.md +++ b/docs/synvya/server-e2e-handoff.md @@ -59,6 +59,8 @@ That helper: So the server test does not need to care about raw key import. It only needs to consume the resulting bunker URL and prove signing works correctly. +For Synvya product behavior, Keycast now allows a newly authenticated user to create their first team without being whitelisted. That bootstrap rule is separate from this helper, which still provisions through the admin E2E account for repeatable test setup. Additional restaurant teams remain a Synvya approval or server-provisioning concern rather than an open self-serve Keycast action. + ## What The Server Session Should Build The server coding session should implement an end-to-end test harness with this shape: diff --git a/docs/synvya/session-prompt.md b/docs/synvya/session-prompt.md new file mode 100644 index 00000000..8b0b6835 --- /dev/null +++ b/docs/synvya/session-prompt.md @@ -0,0 +1,100 @@ +# Keycast Implementation — Session Prompt + +Copy everything below the line and paste it as the opening message in a new Claude Code session with the working directory set to `/Users/alejandro/Synvya/keycast`. + +--- + +## Project Context + +I'm deploying Keycast (a Nostr key custody and authentication service) on AWS as part of Synvya's restaurant platform. The repo at `/Users/alejandro/Synvya/keycast` is a fork of `divinevideo/keycast`. All architecture decisions and specs are already written — your job is to implement them. + +## Read These First + +Before writing any code, read these documents in order: + +1. **Fork workflow and branching strategy**: `SYNVYA.md` (repo root) +2. **Architecture context and links to all specs**: `docs/synvya/architecture-context.md` +3. **AWS KMS provider spec**: `docs/synvya/aws-kms-provider.md` +4. **AWS SES email provider spec**: `docs/synvya/aws-ses-provider.md` +5. **EC2 deployment spec**: `docs/synvya/ec2-deployment.md` +6. **Existing Keycast CLAUDE.md**: `CLAUDE.md` (repo root) + +Also read the existing code you'll be modifying: +- `core/src/encryption/mod.rs` (KeyManager trait) +- `core/src/encryption/aws_key_manager.rs` (stub to implement) +- `core/src/encryption/gcp_key_manager.rs` (reference implementation to follow) +- `core/src/encryption/file_key_manager.rs` (reference implementation) +- `api/src/email_service.rs` (EmailSender trait + SendGrid + Dev implementations) +- `keycast/src/main.rs` (provider selection at startup, around lines 260-275 and 440-455) +- `core/Cargo.toml` (dependencies) + +## Implementation Order + +There are three features to implement. Do them in this order: + +### 1. AWS KMS Provider (`feat/aws-kms` branch, from `main`) + +This is an upstream contribution — NO Synvya-specific code. Follow the spec in `docs/synvya/aws-kms-provider.md`: + +- Implement `AwsKeyManager` in `core/src/encryption/aws_key_manager.rs` +- Add `aws` Cargo feature flag gating `aws-sdk-kms` and `aws-config` +- Gate the module with `#[cfg(feature = "aws")]` +- Update `main.rs`: replace `USE_GCP_KMS` boolean with `KMS_PROVIDER` env var (backward-compatible) +- Add integration test gated behind `AWS_KMS_KEY_ID` +- Forward the feature flag in `keycast/Cargo.toml` + +### 2. AWS SES Email Provider (`feat/aws-ses` branch, from `main`) + +This is also an upstream contribution — NO Synvya-specific code. Follow the spec in `docs/synvya/aws-ses-provider.md`: + +- Extract hardcoded HTML/text email templates from `SendGridEmailSender` into shared functions (pure refactor first) +- Implement `SesEmailSender` using `aws-sdk-sesv2`, gated behind the `aws` feature +- Update `create_email_sender()`: replace implicit SendGrid detection with `EMAIL_PROVIDER` env var (backward-compatible) +- Forward the feature flag in `keycast/Cargo.toml` to include `keycast_api/aws` + +### 3. EC2 Deployment (`synvya/*` branch, from `synvya-staging`) + +This is Synvya-specific. Follow the spec in `docs/synvya/ec2-deployment.md`: + +- Create `docker-compose.synvya.yml` +- Modify `Dockerfile` to accept `CARGO_FEATURES` build arg +- Create `scripts/load-secrets.sh` (environment-aware: staging vs prod) +- Create `scripts/backup-postgres.sh` +- Create `.github/workflows/deploy-staging.yml` +- Create `.github/workflows/deploy-prod.yml` + +## Key Rules + +- **Read SYNVYA.md carefully** — it defines which branch to use for each type of work +- `feat/aws-*` branches come from `main` and must contain zero Synvya references +- `synvya/*` branches come from `synvya-staging` +- Follow the GCP KMS implementation patterns exactly (retry logic, logging, error handling) +- Do NOT modify the `KeyManager` or `EmailSender` trait interfaces +- The `aws` feature flag must be optional — default builds should work without AWS SDK + +## Workflow per Feature + +For `feat/aws-*` branches (KMS, SES): +1. Create the branch from `main` +2. Implement the full feature per the spec +3. Run `cargo check --features aws` and `cargo test` to verify +4. Commit with clear messages and push to origin +5. Do NOT create a PR to `divinevideo/keycast` — I will do that manually after review +6. Merge the feature branch into `synvya-staging` so we can use it in staging: + ``` + git checkout synvya-staging + git merge feat/aws- + git push origin synvya-staging + ``` +7. Move immediately to the next feature + +For `synvya/*` branches (EC2 deployment): +1. Create the branch from `synvya-staging` +2. Implement the full feature per the spec +3. Commit with clear messages and push to origin +4. Create internal PR: `gh pr create --base synvya-staging` +5. Merge the PR into `synvya-staging` + +## Start + +Work through all three features (KMS → SES → EC2 deployment) without stopping. Do not ask me questions — if something is ambiguous, make a reasonable decision based on the specs and document what you chose in the commit message. Read all the specs and code listed above, then begin with step 1 (AWS KMS). diff --git a/docs/synvya/team-invite-by-email.md b/docs/synvya/team-invite-by-email.md new file mode 100644 index 00000000..085ef563 --- /dev/null +++ b/docs/synvya/team-invite-by-email.md @@ -0,0 +1,400 @@ +# Team Invite by Email + +Spec for email-based team invitations in Keycast. Adds a `team_invitations` table, an invite endpoint that sends email to new users (or instantly adds existing users), and an accept flow that converts a token into team membership. + +**Issue**: [Synvya/client#365](https://github.com/Synvya/client/issues/365) + +**System context**: +- [Keycast Boundary](keycast-boundary.md) +- [Cross-repo: Team Invite by Email](https://github.com/Synvya/docs/blob/main/architecture/team-invite-by-email.md) — sequence diagrams and contract between repos + +--- + +## 1. Scope + +Keycast already owns team membership (`POST /teams/:id/users`). This feature extends that ownership to include invitation lifecycle: creation, email delivery, preview, acceptance, revocation, and expiry. + +### What Keycast owns (new) +- `team_invitations` table and all CRUD +- Email delivery of invitation links +- Token validation and acceptance (resolving token → team membership) +- Invitation preview for unauthenticated users (enough to render a landing page) + +### What Keycast does NOT own +- The invitation landing page UI (that's the client) +- Deciding where the invite link points (client provides the base URL, or it's derived from the tenant's configured redirect origin) + +## 2. Data Model + +### 2.1 New Table: `team_invitations` + +```sql +CREATE TABLE team_invitations ( + id SERIAL PRIMARY KEY, + team_id INT NOT NULL REFERENCES teams(id) ON DELETE CASCADE, + tenant_id BIGINT NOT NULL, + email VARCHAR(255) NOT NULL, + role VARCHAR(20) NOT NULL DEFAULT 'member', + token VARCHAR(64) NOT NULL UNIQUE, + invited_by VARCHAR(64) NOT NULL, -- hex pubkey of the admin who sent the invite + expires_at TIMESTAMPTZ NOT NULL, + accepted_at TIMESTAMPTZ, + accepted_by VARCHAR(64), -- hex pubkey of the user who accepted + revoked_at TIMESTAMPTZ, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + + CONSTRAINT chk_invitation_role CHECK (role IN ('admin', 'member')) +); + +CREATE INDEX idx_team_invitations_token ON team_invitations(token); +CREATE INDEX idx_team_invitations_team ON team_invitations(team_id); + +-- Partial unique index: only one pending invite per email per team +-- Allows re-inviting after revocation or expiry (application checks expires_at) +CREATE UNIQUE INDEX uq_pending_invite + ON team_invitations(team_id, email) + WHERE accepted_at IS NULL AND revoked_at IS NULL; +``` + +Token generation: 32 random bytes, hex-encoded (64 chars). Use the same `generate_claim_token` pattern from `keycast_core::types::claim_token`. + +Invitation expiry: **7 days** from creation. + +### 2.2 Rust Types + +```rust +// keycast_core/src/types/team_invitation.rs + +pub struct TeamInvitation { + pub id: i32, + pub team_id: i32, + pub tenant_id: i64, + pub email: String, + pub role: String, + pub token: String, + pub invited_by: String, + pub expires_at: DateTime, + pub accepted_at: Option>, + pub accepted_by: Option, + pub revoked_at: Option>, + pub created_at: DateTime, +} + +impl TeamInvitation { + pub fn is_pending(&self) -> bool { + self.accepted_at.is_none() + && self.revoked_at.is_none() + && self.expires_at > Utc::now() + } +} +``` + +### 2.3 Repository + +```rust +// keycast_core/src/repositories/team_invitation.rs + +pub struct TeamInvitationRepository { pool: PgPool } + +impl TeamInvitationRepository { + pub async fn create(...) -> Result; + pub async fn find_by_token(token: &str) -> Result>; + pub async fn find_valid_by_token(token: &str) -> Result>; + pub async fn list_by_team(team_id: i32, tenant_id: i64) -> Result>; + pub async fn find_pending_by_email(team_id: i32, email: &str) -> Result>; + pub async fn accept(token: &str, accepted_by: &str) -> Result<()>; + pub async fn revoke(id: i32, team_id: i32, tenant_id: i64) -> Result<()>; +} +``` + +`find_valid_by_token` returns `Some` only if `accepted_at IS NULL AND revoked_at IS NULL AND expires_at > NOW()`. + +## 3. Endpoints + +### 3.1 `POST /api/teams/:id/invite` + +**Auth**: UCAN session (requires team admin). + +**Request**: +```json +{ "email": "manager@restaurant.com", "role": "Member" } +``` + +**Logic**: + +``` +1. Verify caller is admin of team :id +2. Normalize email (lowercase, trim) +3. Validate email format +4. Check if email belongs to the calling user → 400 "Cannot invite yourself" +5. Look up user by email in this tenant: + a. User exists: + - Check if already a team member → 409 "Already a team member" + - Add to team via TeamRepository::add_member + - Return { status: "added", member: { ... } } + b. User does not exist: + - Check for existing pending invitation for this email+team → 409 "Invitation already pending" + - Generate token (32 random bytes, hex) + - Insert into team_invitations + - Build invite URL: {client_origin}/accept-invite?token={token} + - Send invitation email via EmailSender::send_team_invite_email + - Return { status: "invited", invitation: { ... } } +``` + +**Response codes**: 200 (success), 400 (bad input), 409 (conflict), 403 (not admin). + +### 3.2 `GET /api/teams/:id/invitations` + +**Auth**: UCAN session (requires team admin). + +Returns all invitations for the team (pending, accepted, revoked, expired). Client filters as needed. + +**Response**: +```json +[ + { + "id": 42, + "email": "manager@restaurant.com", + "role": "Member", + "invited_by": "Alejandro", + "created_at": "2026-04-12T...", + "expires_at": "2026-04-19T...", + "accepted_at": null, + "revoked_at": null + } +] +``` + +The `invited_by` field is resolved to a display name (from `user_profiles`) for the response. Falls back to truncated pubkey if no profile exists. + +### 3.3 `DELETE /api/teams/:id/invitations/:invitation_id` + +**Auth**: UCAN session (requires team admin). + +Sets `revoked_at = NOW()` on the invitation. Only works if the invitation is still pending (not yet accepted, not yet revoked, not expired). + +**Response**: 204 No Content. + +### 3.4 `GET /api/invitations/preview?token=...` + +**Auth**: None (public endpoint). + +Returns enough data for the client to render the invite landing page without authentication. + +**Response**: +```json +{ + "team_name": "Taqueria La Estrella", + "team_key_pubkey": "5e7f...", + "role": "Member", + "invited_by_display_name": "Alejandro", + "invited_by_email": "alejandro@synvya.com", + "expires_at": "2026-04-19T...", + "email": "muralirk@gmail.com" +} +``` + +Returns 404 if the token is invalid, expired, accepted, or revoked. The response intentionally omits the token itself (it's already in the query string). + +The `email` field echoes the invitation's stored email so the client can prefill and lock the email field on the signup/login forms. This prevents the invitee from registering a Synvya account with a different address and hitting a 403 at `POST /api/invitations/accept`. + +The `team_key_pubkey` field is the hex pubkey of the team's primary stored key (the signer behind the team's Nostr identity). The client uses it to fetch the team's kind-0 profile from relays and render a display name + avatar instead of the raw `team_name` handle. `null` if the team has no stored key yet. + +The `invited_by_email` field is the inviter's Keycast user email. Lets the client render `"alejandro@synvya.com invited you to join..."` instead of a truncated pubkey. `null` if the inviter's account has no email on file. + +**Security**: This endpoint leaks the team name, team signing pubkey, inviter name, inviter email, and invited email to anyone holding the token. Since tokens are 256-bit random and only delivered via email, the token holder is already authorized to act on the invitation. Exposing `invited_by_email` is acceptable in this flow — the inviter explicitly chose to invite this person — but is a deliberate widening relative to the prior response shape. + +### 3.5 `POST /api/invitations/accept` + +**Auth**: UCAN session (authenticated user). + +**Request**: +```json +{ "token": "abc123..." } +``` + +**Logic**: +``` +1. Validate token → find_valid_by_token +2. Token not found or not pending → 404 / 410 Gone +3. Get authenticated user's email from session +4. Compare with invitation email (case-insensitive) → 403 if mismatch +5. Check if user is already a team member → 409 +6. Add user to team with invitation's role +7. Mark invitation as accepted (accepted_at = NOW(), accepted_by = user pubkey) +8. Return { team_id, role } +``` + +**Response codes**: 200 (success), 403 (email mismatch), 404 (invalid, expired, or already used token), 409 (already member). + +## 4. Email + +### 4.1 EmailSender Trait Extension + +Add to the existing `EmailSender` trait: + +```rust +async fn send_team_invite_email( + &self, + to_email: &str, + team_name: &str, + inviter_name: &str, + role: &str, + invite_url: &str, +) -> Result<(), String>; +``` + +### 4.2 Email Content + +**Subject**: "You've been invited to join {team_name} on Synvya" + +**Body** (key elements): +- "{inviter_name} has invited you to join **{team_name}** as a **{role}**." +- CTA button: "Accept Invitation" → `{invite_url}` +- Footer: "This invitation expires in 7 days. If you didn't expect this email, you can safely ignore it." + +Use the same HTML email template style as existing verification and password-reset emails. + +### 4.3 Invite URL Construction + +The invite URL must point to the client app, not to a Keycast-hosted page. Derive the base URL from the tenant's configured redirect origin or from a new `INVITE_BASE_URL` env var: + +``` +{INVITE_BASE_URL}/accept-invite?token={token} +``` + +For the Synvya tenant: `https://account.synvya.com/accept-invite?token=...` +For staging: `https://account.staging.synvya.com/accept-invite?token=...` + +## 5. CORS + +- `POST /teams/:id/invite`, `GET /teams/:id/invitations`, `DELETE /teams/:id/invitations/:id` — same CORS as existing team routes (first-party `auth_cors`). +- `GET /invitations/preview` — public CORS (no auth, called from client before login). +- `POST /invitations/accept` — first-party `auth_cors` (requires session cookie). + +## 6. Routing + +Added to `routes.rs`: + +```rust +// Under team_routes (existing, auth_cors): +.route("/teams/:id/invite", post(teams::invite_user)) +.route("/teams/:id/invitations", get(teams::list_invitations)) +.route("/teams/:id/invitations/:invitation_id", delete(teams::revoke_invitation)) + +// Separate routers for different CORS/auth requirements: +let invitation_preview_route = Router::new() + .route("/invitations/preview", get(teams::preview_invitation)) // public_cors, no auth + .with_state(pool.clone()); + +let invitation_accept_route = Router::new() + .route("/invitations/accept", post(teams::accept_invitation)) // auth_cors, session required + .with_state(pool); +``` + +## 7. Security Considerations + +| Concern | Mitigation | +|---|---| +| Token brute-force | 256-bit random tokens (64 hex chars). Rate-limit preview/accept endpoints | +| Email enumeration via invite | The `invite` endpoint requires admin auth. The response distinguishes "added" vs "invited" only to the admin, which is acceptable since the admin already knows their team members | +| Preview leaks team name | Acceptable given token entropy. No PII beyond team name and inviter display name | +| Invitation to wrong person | Accept endpoint verifies authenticated user's email matches invitation email | +| Replay after acceptance | `accepted_at` is set; `find_valid_by_token` excludes accepted tokens | + +## 8. Relationship to Existing Endpoints + +- `POST /teams/:id/users` (add by pubkey) **remains unchanged**. It continues to work for programmatic/admin use. The new `invite` endpoint calls the same `TeamRepository::add_member` internally when the user already exists. +- The claim-token system (`/claim`, `/admin/claim-tokens`) is separate — it's for Vine-imported preloaded accounts, not team invitations. +- The `EmailSender` trait gains one new method; existing email types are untouched. + +## 9. Team Member Email in Roster Responses + +Follow-on to the invitation flow. Once a member joins (either instantly via the "added" branch of `POST /teams/:id/invite` or after accepting an invitation), the client's Team Settings view needs to identify them by email instead of by truncated pubkey. See the client-side spec [§ 9](https://github.com/Synvya/client/blob/main/docs/specs/team-invite-by-email.md) for the UI rendering. + +### 9.1 Scope + +Extend the `TeamUser` serialization returned by team-membership endpoints to include the member's email. No new endpoints, no new permissions, no new auth surface. + +### 9.2 Wire Change + +Add `email` to every response that currently serializes `TeamUser`: + +```json +{ + "team_id": 5, + "user_pubkey": "abc...", + "role": "Admin", + "email": "manager@restaurant.com", + "created_at": "...", + "updated_at": "..." +} +``` + +Affected endpoints (all already team-admin or team-member authenticated): + +| Endpoint | Where `TeamUser` appears | +|---|---| +| `GET /api/teams` | `team_users[]` inside each team | +| `POST /api/teams/:id/users` | Response body | +| `POST /api/teams/:id/invite` | `member` field of `{ status: "added", member: ... }` | +| `GET /api/teams/:id/keys/:pubkey` | Indirectly if membership is echoed (verify per-handler) | + +### 9.3 Source of the Email + +The team_users row stores `user_pubkey`. The user's email lives on the `users` (or equivalent account) table keyed by pubkey. Serializing `TeamUser` requires a JOIN `team_users → users` or a batched lookup in the handler. + +Implementation note: where roster serialization is in a hot path (e.g. `GET /api/teams` for a user on many teams), a single JOIN at the SQL level is cheaper than N lookups in Rust. + +### 9.4 Privacy and Authorization + +- Callers already prove team membership to reach these endpoints; no new authorization layer is required. +- Adding `email` to this surface does **not** widen the audience: everyone who currently sees the roster already sees the pubkey. Email is the same trust scope. +- The privacy boundary is the team. Do not surface emails via any endpoint that returns team membership to non-members (if such an endpoint ever exists, it must strip `email`). + +### 9.5 Rust Type Change + +```rust +// Whichever module defines the serialization DTO for team membership: + +#[derive(Serialize)] +pub struct TeamUserResponse { + pub team_id: i32, + pub user_pubkey: String, + pub role: String, // "Admin" | "Member" + pub email: String, // ← new + pub created_at: DateTime, + pub updated_at: DateTime, +} +``` + +Repository method (or query builder) adjusted to fetch email alongside membership. + +### 9.6 Back-compat + +The field is additive. Older clients that don't know about `email` will ignore it. The current client (pre-release of this change) already tolerates the old shape; post-release it prefers `email` and falls back to the short npub label if absent. + +### 9.7 Edge Cases + +| Scenario | Behavior | +|---|---| +| Member account deleted but team_users row lingers | Should not happen if CASCADE is in place; if it does, serialize with empty email (or filter the row out — whichever matches existing invariants). | +| User has no email (claim-token-only account) | Serialize empty string. Client falls back to npub label. | +| Tenant isolation | Email lookup must respect the same tenant boundary as the existing `users` query — never cross tenants. | + +### 9.8 Tests + +- Repository/query test: roster fetch returns email populated for a normal user. +- Handler test: `GET /api/teams` response snapshot includes `email` on each `team_users` entry. +- Handler test: `POST /api/teams/:id/invite` "added" branch response includes `email` on `member`. +- Tenant isolation test: a user's email from tenant A never appears in tenant B's roster response. + +## 10. Implementation Order + +1. Migration: create `team_invitations` table +2. Core: `TeamInvitation` type + `TeamInvitationRepository` +3. Email: `send_team_invite_email` on `EmailSender` trait + implementations (SendGrid, SES, Dev) +4. API: `POST /teams/:id/invite` (both paths) +5. API: `GET /teams/:id/invitations`, `DELETE /teams/:id/invitations/:id` +6. API: `GET /invitations/preview`, `POST /invitations/accept` +7. Tests: unit tests for repository, integration tests for invite + accept flow diff --git a/e2e/scripts/provision-restaurant-team.ts b/e2e/scripts/provision-restaurant-team.ts index a7fda698..76a76ce1 100644 --- a/e2e/scripts/provision-restaurant-team.ts +++ b/e2e/scripts/provision-restaurant-team.ts @@ -15,6 +15,7 @@ async function main(): Promise { baseURL, extraHTTPHeaders: { accept: "application/json", + Origin: baseURL, }, }); diff --git a/keycast/src/main.rs b/keycast/src/main.rs index ed71247d..bf694f68 100644 --- a/keycast/src/main.rs +++ b/keycast/src/main.rs @@ -377,11 +377,15 @@ async fn async_main(worker_threads: usize) -> Result<(), Box Result<(), Box Result<(), Box { - // Inject runtime environment variables into HTML - let injected_content = inject_runtime_env(&content); - Html(injected_content).into_response() + // SvelteKit frontend serving is optional. + // + // In deployments where end users should never see a keycast personal UI + // (e.g. Synvya, where identity is managed by the parent product and keycast + // only needs to expose its OAuth/API surface), set DISABLE_WEB_UI=true. + // Non-API requests then redirect to WEB_UI_REDIRECT_URL (if set) or 404. + // + // /api/*, /.well-known/*, /health*, and the server-rendered + // /api/oauth/authorize approval page are unaffected. + let disable_web_ui = env::var("DISABLE_WEB_UI") + .unwrap_or_else(|_| "false".to_string()) + .parse::() + .unwrap_or(false); + + let app = if disable_web_ui { + let redirect_url = env::var("WEB_UI_REDIRECT_URL").ok(); + tracing::info!( + "✔︎ Web UI disabled (DISABLE_WEB_UI=true). Non-API requests will {}", + match &redirect_url { + Some(url) => format!("redirect to {}", url), + None => "return 404".to_string(), + } + ); + + // Email verification links land on /verify-email, a SvelteKit SPA route. + // Even in DISABLE_WEB_UI deployments we must serve this page (plus its JS/CSS + // assets) so the client can POST the token to /api/auth/verify-email. + let index_path = PathBuf::from(&web_build_dir).join("index.html"); + let verify_index_path = index_path.clone(); + let verify_email_handler = move || { + let index_path = verify_index_path.clone(); + async move { + match tokio::fs::read_to_string(&index_path).await { + Ok(content) => Html(inject_runtime_env(&content)).into_response(), + Err(_) => (StatusCode::NOT_FOUND, "Not found").into_response(), } - Err(_) => (StatusCode::NOT_FOUND, "Not found").into_response(), } - } - }; + }; - let inject_handler_index = move || { - let index_path = index_path_for_index.clone(); - async move { - match tokio::fs::read_to_string(&index_path).await { - Ok(content) => { - // Inject runtime environment variables into HTML - let injected_content = inject_runtime_env(&content); - Html(injected_content).into_response() + let app = app.route("/verify-email", axum::routing::get(verify_email_handler)); + + // Serve SvelteKit static assets (/_app/*, favicon, logos) needed by the + // verify-email page; unmatched routes redirect to WEB_UI_REDIRECT_URL. + let redirect_url_for_fallback = redirect_url.clone(); + app.fallback_service(ServeDir::new(&web_build_dir).fallback(axum::routing::any( + move || { + let redirect_url = redirect_url_for_fallback.clone(); + async move { + match redirect_url { + Some(url) => axum::response::Redirect::temporary(&url).into_response(), + None => (StatusCode::NOT_FOUND, "Not found").into_response(), + } + } + }, + ))) + } else { + // SvelteKit frontend - explicitly handle root and index.html with injection + // This ensures index.html always goes through injection, not served as static file + let index_path = PathBuf::from(&web_build_dir).join("index.html"); + let index_path_for_root = index_path.clone(); + let index_path_for_index = index_path.clone(); + + // Handler that injects runtime env vars into index.html + let inject_handler = move || { + let index_path = index_path_for_root.clone(); + async move { + match tokio::fs::read_to_string(&index_path).await { + Ok(content) => { + let injected_content = inject_runtime_env(&content); + Html(injected_content).into_response() + } + Err(_) => (StatusCode::NOT_FOUND, "Not found").into_response(), } - Err(_) => (StatusCode::NOT_FOUND, "Not found").into_response(), } - } - }; + }; - // Explicitly route root and index.html to injection handler - let app = app - .route("/", axum::routing::get(inject_handler)) - .route("/index.html", axum::routing::get(inject_handler_index)); - - // Serve other static files, with fallback for SPA routes (non-file routes) - let web_build_dir_for_fallback = web_build_dir.clone(); - let index_path_for_fallback = PathBuf::from(&web_build_dir).join("index.html"); - let app = app.fallback_service(ServeDir::new(&web_build_dir).fallback(axum::routing::get( - move || { - let index_path = index_path_for_fallback.clone(); - let _web_build_dir = web_build_dir_for_fallback.clone(); + let inject_handler_index = move || { + let index_path = index_path_for_index.clone(); async move { match tokio::fs::read_to_string(&index_path).await { Ok(content) => { - // Inject runtime environment variables into HTML let injected_content = inject_runtime_env(&content); Html(injected_content).into_response() } Err(_) => (StatusCode::NOT_FOUND, "Not found").into_response(), } } - }, - ))); + }; + + let app = app + .route("/", axum::routing::get(inject_handler)) + .route("/index.html", axum::routing::get(inject_handler_index)); + + // Serve other static files, with fallback for SPA routes (non-file routes) + let web_build_dir_for_fallback = web_build_dir.clone(); + let index_path_for_fallback = PathBuf::from(&web_build_dir).join("index.html"); + app.fallback_service(ServeDir::new(&web_build_dir).fallback(axum::routing::get( + move || { + let index_path = index_path_for_fallback.clone(); + let _web_build_dir = web_build_dir_for_fallback.clone(); + async move { + match tokio::fs::read_to_string(&index_path).await { + Ok(content) => { + let injected_content = inject_runtime_env(&content); + Html(injected_content).into_response() + } + Err(_) => (StatusCode::NOT_FOUND, "Not found").into_response(), + } + } + }, + ))) + }; // Add request tracing with trace_id for debugging // TraceLayer creates a span for each request with method, uri, and trace_id diff --git a/package.json b/package.json index be83c03f..d6756350 100644 --- a/package.json +++ b/package.json @@ -6,11 +6,11 @@ "scripts": { "predev": "cd keycast-login && bun run build", "dev": "bun run deps:up && npx concurrently -n api,web -c blue,green \"bun run dev:api\" \"bun run dev:web\"", - "dev:e2e": "docker compose -f docker-compose.deps.yml --profile e2e up -d --wait && cargo build --bin keycast && DATABASE_URL=postgres://postgres:password@localhost/keycast REDIS_URL=redis://localhost:16379 RUST_LOG=debug,hyper=info,h2=info,rustls=info,sqlx=info,nostr_relay_pool=info,tower_http=info MASTER_KEY_PATH=./master.key ENABLE_EXAMPLES=true ALLOWED_ORIGINS=http://localhost:5173,http://localhost:5174,http://localhost:3000 SERVER_NSEC=0000000000000000000000000000000000000000000000000000000000000001 WEB_BUILD_DIR=./web/build BUNKER_RELAYS=ws://localhost:8080 ALLOWED_PUBKEYS=25fa07621969c92191feb4433fca94fdb500f2b445fd4f017c0a332ceecbf813 ./target/debug/keycast", + "dev:e2e": "docker compose -f docker-compose.deps.yml --profile e2e up -d --wait && cargo build --bin keycast && DATABASE_URL=postgres://postgres:pass-apr-2026-local@localhost/keycast REDIS_URL=redis://localhost:16379 RUST_LOG=debug,hyper=info,h2=info,rustls=info,sqlx=info,nostr_relay_pool=info,tower_http=info MASTER_KEY_PATH=./master.key ENABLE_EXAMPLES=true ALLOWED_ORIGINS=http://localhost:5173,http://localhost:5174,http://localhost:3000 SERVER_NSEC=0000000000000000000000000000000000000000000000000000000000000001 WEB_BUILD_DIR=./web/build BUNKER_RELAYS=ws://localhost:8080 ALLOWED_PUBKEYS=25fa07621969c92191feb4433fca94fdb500f2b445fd4f017c0a332ceecbf813 ./target/debug/keycast", "deps:up": "docker compose -f docker-compose.deps.yml up -d --wait", "deps:down": "docker compose -f docker-compose.deps.yml down", "deps:logs": "docker compose -f docker-compose.deps.yml logs -f", - "dev:api": "DATABASE_URL=postgres://postgres:password@localhost/keycast REDIS_URL=redis://localhost:16379 RUST_LOG=debug,hyper=info,h2=info,rustls=info,sqlx=info,nostr_relay_pool=info,tower_http=info MASTER_KEY_PATH=./master.key ENABLE_EXAMPLES=true ALLOWED_ORIGINS=http://localhost:5173,http://localhost:5174,http://localhost:3000 SERVER_NSEC=0000000000000000000000000000000000000000000000000000000000000001 WEB_BUILD_DIR=./web/build BUNKER_RELAYS=ws://localhost:8080 ALLOWED_PUBKEYS=89ef92b9ebe6dc1e4ea398f6477f227e95429627b0a33dc89b640e137b256be5 cargo watch -i e2e/ -i .playwright-mcp/ -i web/ -i keycast-login/ -x 'run --bin keycast'", + "dev:api": "DATABASE_URL=postgres://postgres:pass-apr-2026-local@localhost/keycast REDIS_URL=redis://localhost:16379 RUST_LOG=debug,hyper=info,h2=info,rustls=info,sqlx=info,nostr_relay_pool=info,tower_http=info MASTER_KEY_PATH=./master.key ENABLE_EXAMPLES=true ALLOWED_ORIGINS=http://localhost:5173,http://localhost:5174,http://localhost:3000 SERVER_NSEC=0000000000000000000000000000000000000000000000000000000000000001 WEB_BUILD_DIR=./web/build BUNKER_RELAYS=ws://localhost:8080 ALLOWED_PUBKEYS=89ef92b9ebe6dc1e4ea398f6477f227e95429627b0a33dc89b640e137b256be5 cargo watch -i e2e/ -i .playwright-mcp/ -i web/ -i keycast-login/ -x 'run --bin keycast'", "dev:web": "cd web && VITE_ALLOWED_PUBKEYS=89ef92b9ebe6dc1e4ea398f6477f227e95429627b0a33dc89b640e137b256be5 bun run dev", "build": "cargo build --release --bin keycast", "build:web": "cd web && bun run build", @@ -18,16 +18,16 @@ "deploy": "gcloud builds submit --config=cloudbuild.yaml --project=openvine-co", "logs": "./scripts/view-logs.sh", "logs:watch": "./scripts/logs-watch.sh", - "db:reset": "bun run deps:up && sqlx database reset -y --database-url postgres://postgres:password@localhost/keycast --source ./database/migrations", - "db:migrate": "bun run deps:up && sqlx migrate run --database-url postgres://postgres:password@localhost/keycast --source ./database/migrations", - "db:test:setup": "bun run deps:up && sqlx database setup --database-url postgres://postgres:password@localhost/keycast_test --source ./database/migrations", + "db:reset": "bun run deps:up && sqlx database reset -y --database-url ${DATABASE_URL:-postgres://postgres:pass-apr-2026-local@localhost/keycast} --source ./database/migrations", + "db:migrate": "bun run deps:up && sqlx migrate run --database-url ${DATABASE_URL:-postgres://postgres:pass-apr-2026-local@localhost/keycast} --source ./database/migrations", + "db:test:setup": "bun run deps:up && sqlx database setup --database-url ${DATABASE_URL_TEST:-postgres://postgres:pass-apr-2026-local@localhost/keycast_test} --source ./database/migrations", "db:migrate:prod": "./tools/run-migrations.sh", "db:sql:prod": "./tools/run-sql.sh", "key:generate": "./scripts/generate_key.sh", "key:generate:force": "./scripts/generate_key.sh --force", "setup:hooks": "cp scripts/hooks/pre-push .git/hooks/ && chmod +x .git/hooks/pre-push", - "test": "(test -f master.key || ./scripts/generate_key.sh) && bun run deps:up && (docker exec keycast-postgres psql -U postgres -tc \"SELECT 1 FROM pg_database WHERE datname = 'keycast_test'\" | grep -q 1 || docker exec keycast-postgres createdb -U postgres keycast_test) && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} cargo run --bin keycast -- --migrate && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo nextest run --workspace && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p keycast_core --features integration-tests --lib && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p keycast_api --features integration-tests --lib --tests && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p keycast_signer --features integration-tests --lib --tests && TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p cluster-hashring --lib -- --ignored", - "test:ci": "DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo nextest run --workspace && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p keycast_core --features integration-tests --lib && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p keycast_api --features integration-tests --lib --tests && DATABASE_URL=${DATABASE_URL:-postgres://postgres:password@localhost:5432/keycast_test} REDIS_URL=${REDIS_URL:-redis://localhost:16379} TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p keycast_signer --features integration-tests --lib --tests && TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} cargo test -p cluster-hashring --lib -- --ignored", + "test": "bash scripts/run-tests.sh", + "test:ci": "bash scripts/run-ci-tests.sh", "check": "cargo fmt --all -- --check && cargo clippy --workspace --all-targets --all-features -- -D warnings -A deprecated && cargo test --workspace" }, "devDependencies": { diff --git a/scripts/init.sh b/scripts/init.sh index b75a89f9..b8030fc4 100755 --- a/scripts/init.sh +++ b/scripts/init.sh @@ -7,19 +7,20 @@ chmod +x "$0" # Function to print usage print_usage() { - echo "Usage: $0 --domain [--allowed-pubkeys ]" + echo "Usage: $0 --domain [--allowed-pubkeys ] [--file ]" echo "Example:" echo " $0 --domain keycast.example.com" - echo " $0 --domain keycast.example.com --allowed-pubkeys \"hexpubkey1,hexpubkey2\"" - echo "If you don't provide allowed pubkeys, the default is to allow all pubkeys." + echo " $0 --domain keycast.example.com --file .env.local" exit 1 } # Parse named arguments +ENV_FILE=".env" while [[ "$#" -gt 0 ]]; do case $1 in --domain) DOMAIN="$2"; shift ;; --allowed-pubkeys) ALLOWED_PUBKEYS="$2"; shift ;; + --file) ENV_FILE="$2"; shift ;; *) echo "Unknown parameter: $1"; print_usage ;; esac shift @@ -50,30 +51,30 @@ fi # Create database directory if it doesn't exist mkdir -p database -# Create .env from example if it doesn't exist -if [ ! -f ".env" ]; then - echo "Creating .env file..." - cp .env.example .env +# Create env file from example if it doesn't exist +if [ ! -f "$ENV_FILE" ]; then + echo "Creating $ENV_FILE file..." + cp .env.example "$ENV_FILE" - # Update domain in .env file + # Update domain in environment file if [[ "$OSTYPE" == "darwin"* ]]; then # macOS requires an empty string after -i - sed -i '' "s/DOMAIN=.*/DOMAIN=$DOMAIN/" .env + sed -i '' "s/DOMAIN=.*/DOMAIN=$DOMAIN/" "$ENV_FILE" # Update allowed pubkeys (escape for sed) ESCAPED_PUBKEYS=$(echo "${ALLOWED_PUBKEYS:-}" | sed 's/[\/&]/\\&/g') - sed -i '' "s/ALLOWED_PUBKEYS=.*/ALLOWED_PUBKEYS=$ESCAPED_PUBKEYS/" .env + sed -i '' "s/ALLOWED_PUBKEYS=.*/ALLOWED_PUBKEYS=$ESCAPED_PUBKEYS/" "$ENV_FILE" else # Linux version - sed -i "s/DOMAIN=.*/DOMAIN=$DOMAIN/" .env + sed -i "s/DOMAIN=.*/DOMAIN=$DOMAIN/" "$ENV_FILE" # Update allowed pubkeys (escape for sed) ESCAPED_PUBKEYS=$(echo "${ALLOWED_PUBKEYS:-}" | sed 's/[\/&]/\\&/g') - sed -i "s/ALLOWED_PUBKEYS=.*/ALLOWED_PUBKEYS=$ESCAPED_PUBKEYS/" .env + sed -i "s/ALLOWED_PUBKEYS=.*/ALLOWED_PUBKEYS=$ESCAPED_PUBKEYS/" "$ENV_FILE" fi - echo "Updated DOMAIN in .env to: $DOMAIN" - echo "Updated ALLOWED_PUBKEYS in .env to: ${ALLOWED_PUBKEYS:-}" + echo "Updated DOMAIN in $ENV_FILE to: $DOMAIN" + echo "Updated ALLOWED_PUBKEYS in $ENV_FILE to: ${ALLOWED_PUBKEYS:-}" else - echo "Note: .env file already exists. Skipping .env creation." - echo "If you need to update the values, edit the .env file manually." + echo "Note: $ENV_FILE file already exists. Skipping file creation." + echo "If you need to update the values, edit the $ENV_FILE file manually." fi echo "✅ Initialization complete!" diff --git a/scripts/load-secrets.sh b/scripts/load-secrets.sh index 712d49db..b07e9f44 100755 --- a/scripts/load-secrets.sh +++ b/scripts/load-secrets.sh @@ -17,14 +17,19 @@ get_secret() { if [ "$ENV" = "staging" ]; then DOMAIN=auth.staging.synvya.com KMS_KEY_ID=alias/keycast-master-key + INVITE_BASE_URL=https://account.staging.synvya.com + PASSWORD_RESET_BASE_URL=https://account.staging.synvya.com elif [ "$ENV" = "production" ]; then DOMAIN=auth.synvya.com KMS_KEY_ID=alias/synvya-production-keycast-masterkey + INVITE_BASE_URL=https://account.synvya.com + PASSWORD_RESET_BASE_URL=https://account.synvya.com else echo "Error: environment must be 'staging' or 'production'" >&2 exit 1 fi +EXTRA_ALLOWED_ORIGINS="https://account.synvya.com,https://account.staging.synvya.com,https://server.synvya.com,https://server.staging.synvya.com" ALLOWED_PUBKEYS=$(get_secret synvya/$ENV/keycast/allowed-pubkeys 2>/dev/null || echo "") cat > /opt/synvya/.env < /dev/null +docker exec keycast-postgres createdb -U postgres keycast_test > /dev/null + +# 3. Run Migrations +# Ensure the schema is up-to-date before running tests. +echo "🏗️ Running migrations..." +export DATABASE_URL="postgres://postgres:${PG_PASS}@localhost:5432/keycast_test" +cargo run --bin keycast -- --migrate + +# 4. Set Test Environment +export REDIS_URL=${REDIS_URL:-redis://localhost:16379} +export TEST_REDIS_URL=${TEST_REDIS_URL:-redis://localhost:16379} + +# 5. Run Tests +# Optimization: Parallelize unit tests, but serialize integration tests to prevent DB collisions. +echo "🚀 Running unit and core tests (parallel)..." +cargo nextest run --workspace --lib + +echo "🚀 Running integration tests (serialized)..." +cargo nextest run --workspace --features integration-tests -j 1 + +echo "✅ All tests passed!" \ No newline at end of file diff --git a/signer/src/signer_daemon.rs b/signer/src/signer_daemon.rs index a24931c0..106869c2 100644 --- a/signer/src/signer_daemon.rs +++ b/signer/src/signer_daemon.rs @@ -850,7 +850,8 @@ impl UnifiedSigner { // Load regular authorization let auth_data: Option<(i32, String, i64)> = sqlx::query_as( "SELECT id, secret_hash, stored_key_id FROM authorizations - WHERE tenant_id = $1 AND bunker_public_key = $2", + WHERE tenant_id = $1 AND bunker_public_key = $2 + AND revoked_at IS NULL", ) .bind(tenant_id) .bind(bunker_pubkey) diff --git a/web/.gitignore b/web/.gitignore index 3b462cb0..3a8a09c4 100644 --- a/web/.gitignore +++ b/web/.gitignore @@ -1,4 +1,5 @@ node_modules +package-lock.json # Output .output diff --git a/web/src/app.html b/web/src/app.html index ce2652e9..e24f9e26 100644 --- a/web/src/app.html +++ b/web/src/app.html @@ -6,13 +6,13 @@ - + - diVine Login + Synvya Login %sveltekit.head% diff --git a/web/src/lib/brand.ts b/web/src/lib/brand.ts index 0b1cf9d8..86b3118c 100644 --- a/web/src/lib/brand.ts +++ b/web/src/lib/brand.ts @@ -1,5 +1,5 @@ export const BRAND = { - name: 'diVine Login', - shortName: 'diVine', + name: 'Synvya Login', + shortName: 'Synvya', tagline: 'Sign in to Nostr apps with your email', } as const; diff --git a/web/src/lib/components/CreateBunkerModal.svelte b/web/src/lib/components/CreateBunkerModal.svelte index f835a7e1..f37f0630 100644 --- a/web/src/lib/components/CreateBunkerModal.svelte +++ b/web/src/lib/components/CreateBunkerModal.svelte @@ -1,7 +1,7 @@ + + {#if showHeader}
{/if} -
- -
-
-
-
-
+{#if isHeaderHidden} {@render children()} -
+{:else} +
+ +
+
+
+
+
+ {@render children()} +
+{/if} diff --git a/web/src/routes/+page.svelte b/web/src/routes/+page.svelte index fc42a051..b124e59c 100644 --- a/web/src/routes/+page.svelte +++ b/web/src/routes/+page.svelte @@ -1,292 +1,332 @@ - {currentUser ? 'Dashboard' : 'Welcome'} - {BRAND.name} + {currentUser ? "Dashboard" : "Welcome"} - {BRAND.name} {#if isCheckingAuth} @@ -303,20 +343,22 @@ $effect(() => {

- {#if authMethod === 'nip07'} + {#if authMethod === "nip07"} Admin Access {:else} Manage Your Identity {/if}

- {#if authMethod === 'nip07'} + {#if authMethod === "nip07"}
- Signed in via NIP-07 extension + Signed in via NIP-07 extension Admin
@@ -338,9 +380,13 @@ $effect(() => {
{userEmail} {#if !emailVerified} - Not verified + Not verified {:else} - Verified + Verified {/if}
@@ -350,10 +396,22 @@ $effect(() => {
- - {formatPubkey(currentUser.pubkey).slice(0, 12)}...{formatPubkey(currentUser.pubkey).slice(-8)} + + {formatPubkey(currentUser.pubkey).slice( + 0, + 12, + )}...{formatPubkey(currentUser.pubkey).slice( + -8, + )} - - + ?
- {#if authMethod === 'cookie'} + {#if authMethod === "cookie"}
- {#if adminRole === 'full'} + {#if adminRole === "full"} Admin Dashboard {/if} - {#if adminRole === 'full' || adminRole === 'support'} + {#if adminRole === "full" || adminRole === "support"} Support Tools @@ -396,223 +464,557 @@ $effect(() => { - {#if authMethod !== 'nip07'} -
- + {#if authMethod !== "nip07"} +
+ - {#if showLearnMore} -
-
-

Your Keys Explained

-

Your npub (public key) is like a username. Share it so others can find you across any Nostr app.

-

Your nsec (private key) proves you own this identity. Keep it safe! Find it in Security Settings if you need to export it.

-
+ {#if showLearnMore} +
+
+

+ Your Keys Explained +

+

+ Your npub (public key) is like + a username. Share it so others can find you across + any Nostr app. +

+

+ Your nsec (private key) + proves you own this identity. Keep it safe! + Find it in + Security Settings if you need to export it. +

+
-
-

Where Is Your Key?

-

When you sign up with email and password, diVine generates a Nostr key for you and stores it on login.divine.video, encrypted using the same standards banks and password managers rely on (1,2). Your key is only decrypted in memory when an app needs to sign on your behalf, and is never stored in plain text.

-

Any Nostr app that supports diVine Login, like Priv DM , can use your identity with just your email and password. No copying keys between apps, no manual setup.

-
+
+

+ Where + Is Your Key? +

+

+ When you sign up with email and password, + Synvya generates a Nostr key for you and + stores it on login.divine.video, encrypted using the same standards banks + and password managers rely on (1,2). Your key is only decrypted in memory + when an app needs to sign on your behalf, + and is never stored in plain text. +

+

+ Any Nostr app that supports Synvya Login, + like Priv DM , can use your identity with just your + email and password. No copying keys between + apps, no manual setup. +

+
-
-

Already Have a Nostr Key?

-

You don't need a diVine account at all. Import your nsec into the diVine app and everything stays on your device.

-
+
+

+ Already Have + a Nostr Key? +

+

+ You don't need a Synvya account at all. + Import your nsec into the Synvya app and + everything stays on your device. +

+
-
-

Want Full Control of Your Key?

-

If you started with email and password but want full control, export your nsec from Security Settings and move it to:

-
    -
  • Your phone: Primal (iOS & Android), Amber (Android), or nsec.app (any browser) turn your device into a personal signing server. When a Nostr app needs your signature, it asks your device and your key never leaves it.
    • -
  • Your browser: Extensions like Alby or Soapbox Signer (Chrome, Firefox) keep your key in the browser itself. Nostash does the same for Safari on iOS.
    • -
-

With these options, each app that needs your signature must connect to your signer individually. diVine Login handles that for you automatically.

-
+
+

+ Want Full + Control of Your Key? +

+

+ If you started with email and password but + want full control, export your nsec from Security Settings and move it to: +

+
    +
  • + Your phone: + Primal + (iOS & Android), + Amber + (Android), or + nsec.app (any browser) turn your device into a personal + signing server. When a Nostr app needs your + signature, it asks your device and your key + never leaves it. +
    • +
  • + Your browser: + Extensions like + Alby + or + Soapbox Signer + (Chrome, Firefox) keep your key in the browser + itself. + Nostash does the same for Safari on iOS. +
    • +
+

+ With these options, each app that needs your + signature must connect to your signer + individually. Synvya Login handles that for + you automatically. +

+
-
-

Why This Matters

-

Unlike Twitter or Facebook, no company owns your Nostr identity. Even if diVine disappeared tomorrow, your identity and content would still exist on the network. Export your key and continue anywhere.

-

That's the power of Nostr.

-
- Explore Nostr apps at nostrapps.com +
+

+ Why This + Matters +

+

+ Unlike Twitter or Facebook, no company owns your Nostr identity. Even if Synvya disappeared tomorrow, your + identity and content would still exist on + the network. Export your key and continue + anywhere. +

+

+ That's the power of Nostr. +

+
+ Explore Nostr apps at nostrapps.com +
-
- {/if} -
+ {/if} +
{/if} - {#if authMethod !== 'nip07'} -
-
-

App Connections

- -
- - {#if groupedSessions.length === 0} -
-

No app connections yet.

-

- The diVine app and any app with "Sign in with diVine" already work with your email and password. Use this to connect to other Nostr apps. Browse them at nostrapps.com. -

+ {#if authMethod !== "nip07"} +
+
+

App Connections

+
- {:else} -
- {#each groupedSessions as group} - {@const isExpanded = expandedSessions.has(group.key)} -
- - - {#if isExpanded} -
-
- {#if group.isOAuth} -
- Domain - {group.redirect_origin} -
-
- Created - {formatDate(group.earliest_created)} -
-
- Last Activity - - {group.latest_activity ? formatDate(group.latest_activity) : 'Never'} - -
-
- Total Requests - {group.total_activity} -
- {:else} - {@const session = group.sessions[0]} -
- Domain - {session.redirect_origin} -
-
- Created - {formatDate(session.created_at)} -
-
- Last Activity - - {session.last_activity ? formatDate(session.last_activity) : 'Never'} - -
-
- Total Requests - {session.activity_count} -
- {#if session.client_pubkey} -
-
- Client Pubkey -
+ + + {#if isExpanded} +
+
+ {#if group.isOAuth} +
+ Domain + {group.redirect_origin} +
+
+ Created + {formatDate( + group.earliest_created, + )} +
+
+ Last Activity + + {group.latest_activity + ? formatDate( + group.latest_activity, + ) + : "Never"} + +
+
+ Total Requests + {group.total_activity} +
+ {:else} + {@const session = + group.sessions[0]} +
+ Domain + {session.redirect_origin} +
+
+ Created + {formatDate( + session.created_at, + )} +
+
+ Last Activity + + {session.last_activity + ? formatDate( + session.last_activity, + ) + : "Never"} + +
+
+ Total Requests + {session.activity_count} +
+ {#if session.client_pubkey} +
+
- {pubkeyFormat === 'hex' ? 'npub' : 'hex'} - + Client + Pubkey + +
+
+ {formatPubkey( + session.client_pubkey, + )} + +
-
- {formatPubkey(session.client_pubkey)} + {/if} +
+
+ Bunker Pubkey + {#if !session.client_pubkey} + + {/if} +
+
+ {formatPubkey( + session.bunker_pubkey, + )}
{/if} -
-
- Bunker Pubkey - {#if !session.client_pubkey} - - {/if} -
-
- {formatPubkey(session.bunker_pubkey)} - -
-
- {/if} -
-
- +
+
+ +
-
- {/if} -
- {/each} -
- {/if} -
+ {/if} +
+ {/each} +
+ {/if} + {/if} @@ -631,16 +1033,25 @@ $effect(() => { {#if teams.length === 0}

No teams yet.

-

Teams let you manage shared Nostr keys with role-based permissions.

+

+ Teams let you manage shared Nostr keys with + role-based permissions. +

{:else}
{#each teams as team} - +
-

{team.team.name}

+

+ {team.team.name} +

- {team.team_users.length} members • {team.stored_keys.length} keys + {team.team_users.length} members • {team + .stored_keys.length} keys

@@ -665,7 +1076,13 @@ $effect(() => { {#if showRevokeModal && sessionToRevoke} -
{ showRevokeModal = false; sessionToRevoke = null; }}> +
{ + showRevokeModal = false; + sessionToRevoke = null; + }} + >
e.stopPropagation()}> @@ -674,14 +1091,25 @@ $effect(() => { Are you sure you want to revoke access for {sessionToRevoke.application_name}?

-

This app will no longer be able to sign events on your behalf.

+

+ This app will no longer be able to sign events on your + behalf. +

- @@ -696,28 +1124,37 @@ $effect(() => {

One account for every Nostr app

-

We handle your Nostr keys. You just use your email and password.

+

+ We handle your Nostr keys. You just use your email and password. +

- Get Started + Get Started Sign In
{#if hasExtension} - + {/if} @@ -727,7 +1164,10 @@ $effect(() => {

Just email and password

-

No technical setup. Create an account like you would on any other service.

+

+ No technical setup. Create an account like you would on + any other service. +

@@ -735,7 +1175,10 @@ $effect(() => {

Works across apps

-

Sign in to any Nostr app that supports diVine Login. One account, everywhere.

+

+ Sign in to any Nostr app that supports Synvya Login. One + account, everywhere. +

@@ -743,12 +1186,19 @@ $effect(() => {

Secure by default

-

Your keys are encrypted and stored safely, like your passwords in iCloud or Google.

+

+ Your keys are encrypted and stored safely, like your + passwords in iCloud or Google. +

- New to Nostr? Learn how it works + New to Nostr? Learn how it works

@@ -856,17 +1306,29 @@ $effect(() => { } .status-badge.warning { - background: color-mix(in srgb, var(--color-divine-warning) 20%, transparent); + background: color-mix( + in srgb, + var(--color-divine-warning) 20%, + transparent + ); color: var(--color-divine-warning); } .status-badge.success { - background: color-mix(in srgb, var(--color-divine-green) 20%, transparent); + background: color-mix( + in srgb, + var(--color-divine-green) 20%, + transparent + ); color: var(--color-divine-green); } .status-badge.admin { - background: color-mix(in srgb, var(--color-divine-purple, #8b5cf6) 20%, transparent); + background: color-mix( + in srgb, + var(--color-divine-purple, #8b5cf6) 20%, + transparent + ); color: var(--color-divine-purple, #8b5cf6); } @@ -920,7 +1382,11 @@ $effect(() => { .learn-link:hover { color: var(--color-divine-green); - background: color-mix(in srgb, var(--color-divine-green) 20%, transparent); + background: color-mix( + in srgb, + var(--color-divine-green) 20%, + transparent + ); } .identity-actions { @@ -1053,7 +1519,11 @@ $effect(() => { } .learn-block.highlight { - background: color-mix(in srgb, var(--color-divine-green) 8%, transparent); + background: color-mix( + in srgb, + var(--color-divine-green) 8%, + transparent + ); border-radius: 8px; padding: 1rem; border-bottom: none; @@ -1069,7 +1539,8 @@ $effect(() => { .learn-explore { margin-top: 0.75rem; padding-top: 0.75rem; - border-top: 1px solid color-mix(in srgb, var(--color-divine-green) 15%, transparent); + border-top: 1px solid + color-mix(in srgb, var(--color-divine-green) 15%, transparent); } .learn-explore a { @@ -1160,7 +1631,11 @@ $effect(() => { } .app-card:hover { - border-color: color-mix(in srgb, var(--color-divine-green) 50%, var(--color-divine-border)); + border-color: color-mix( + in srgb, + var(--color-divine-green) 50%, + var(--color-divine-border) + ); } .app-card.expanded { @@ -1202,15 +1677,29 @@ $effect(() => { } .connection-badge.oauth { - background: color-mix(in srgb, var(--color-divine-green) 15%, transparent); + background: color-mix( + in srgb, + var(--color-divine-green) 15%, + transparent + ); color: var(--color-divine-green); - border: 1px solid color-mix(in srgb, var(--color-divine-green) 30%, transparent); + border: 1px solid + color-mix(in srgb, var(--color-divine-green) 30%, transparent); } .connection-badge.manual { - background: color-mix(in srgb, var(--color-divine-text-tertiary) 10%, transparent); + background: color-mix( + in srgb, + var(--color-divine-text-tertiary) 10%, + transparent + ); color: var(--color-divine-text-secondary); - border: 1px solid color-mix(in srgb, var(--color-divine-text-tertiary) 25%, transparent); + border: 1px solid + color-mix( + in srgb, + var(--color-divine-text-tertiary) 25%, + transparent + ); } .app-domain { @@ -1438,11 +1927,11 @@ $effect(() => { } .landing-logo-img { - height: 36px; + height: 64px; } .landing-logo-sub { - font-family: 'Inter', sans-serif; + font-family: "Inter", sans-serif; font-weight: 500; font-size: 12px; letter-spacing: 3px; @@ -1527,7 +2016,11 @@ $effect(() => { .feature-icon { width: 48px; height: 48px; - background: color-mix(in srgb, var(--color-divine-green) 15%, transparent); + background: color-mix( + in srgb, + var(--color-divine-green) 15%, + transparent + ); border-radius: 12px; display: flex; align-items: center; diff --git a/web/src/routes/app/callback/+page.svelte b/web/src/routes/app/callback/+page.svelte index d3eb87df..a901f557 100644 --- a/web/src/routes/app/callback/+page.svelte +++ b/web/src/routes/app/callback/+page.svelte @@ -1,33 +1,41 @@ - Returning to App - diVine Login - + Returning to App - Synvya Login +
- - - - + + + +

Authentication Complete

Tap the button below to return to the app.

- - Open in App - + Open in App

If the app doesn't open, make sure the app is installed. @@ -89,7 +97,9 @@ const currentUrl = $derived(browser ? $page.url.href : ""); background: var(--color-divine-green); border-radius: 9999px; text-decoration: none; - transition: background 0.2s, box-shadow 0.2s; + transition: + background 0.2s, + box-shadow 0.2s; } .open-app-button:hover { diff --git a/web/src/routes/demo/+page.svelte b/web/src/routes/demo/+page.svelte index 71d83294..569da8ea 100644 --- a/web/src/routes/demo/+page.svelte +++ b/web/src/routes/demo/+page.svelte @@ -22,13 +22,8 @@ // Configuration const SERVER_URL = getViteDomain(); - const CLIENT_ID = "diVine Login Demo"; - console.log( - "SERVER_URL:", - SERVER_URL, - "VITE_DOMAIN:", - getViteDomain(), - ); + const CLIENT_ID = "Synvya Login Demo"; + console.log("SERVER_URL:", SERVER_URL, "VITE_DOMAIN:", getViteDomain()); // Create Keycast client (initialized in onMount for SSR safety) let client: ReturnType | null = null; @@ -437,7 +432,7 @@

To test the OAuth approval flow again, first revoke the "diVine Login Demo" authorizationrevoke the "Synvya Login Demo" authorization in your dashboard, then click Disconnect above.

@@ -794,7 +789,6 @@ const signed = await signer.signEvent(unsignedEvent); + import { onMount } from 'svelte'; import { toast } from 'svelte-hot-french-toast'; import { KeycastApi } from '$lib/keycast_api.svelte'; import { BRAND } from '$lib/brand'; + import { getLoginUrl } from '$lib/utils/env'; const api = new KeycastApi(); + const loginUrl = getLoginUrl(); + const isManagedExternally = loginUrl !== '/login'; let email = $state(''); let isLoading = $state(false); let emailSent = $state(false); + onMount(() => { + if (isManagedExternally) { + window.location.replace(loginUrl); + } + }); + async function handleSubmit() { if (!email) { toast.error('Please enter your email address'); @@ -38,19 +48,31 @@
- {BRAND.shortName} + {BRAND.shortName} Login

Forgot Password

-

Enter your email and we'll send you a reset link

+

+ {#if isManagedExternally} + Redirecting you to Synvya account login. + {:else} + Enter your email and we'll send you a reset link + {/if} +

- {#if emailSent} + {#if isManagedExternally} +
+

Password reset now lives in the Synvya account app.

+

If you are not redirected automatically, continue below.

+
+ Continue to Login + {:else if emailSent}

If an account exists with that email, you'll receive a password reset link shortly.

Check your inbox and spam folder.

- Back to Login + Back to Login {:else} { e.preventDefault(); handleSubmit(); }}>
@@ -72,7 +94,7 @@ {/if}

- Remember your password? Sign in + Remember your password? Sign in

diff --git a/web/src/routes/login/+page.svelte b/web/src/routes/login/+page.svelte index c0c9ff65..b104fba3 100644 --- a/web/src/routes/login/+page.svelte +++ b/web/src/routes/login/+page.svelte @@ -6,10 +6,12 @@ import { setCurrentUser } from '$lib/current_user.svelte'; import { BRAND } from '$lib/brand'; import { signin, SigninMethod, signout } from '$lib/utils/auth'; + import { getLoginUrl } from '$lib/utils/env'; import { PlugsConnected } from 'phosphor-svelte'; import { onMount } from 'svelte'; const api = new KeycastApi(); + const loginUrl = getLoginUrl(); let isNip07Loading = $state(false); let hasExtension = $state(false); let checkingSession = $state(true); @@ -157,7 +159,7 @@
- {BRAND.shortName} + {BRAND.shortName} Login @@ -239,7 +241,7 @@

- Forgot password? + Forgot password?

diff --git a/web/src/routes/register/+page.svelte b/web/src/routes/register/+page.svelte index b76f6d42..63e668f0 100644 --- a/web/src/routes/register/+page.svelte +++ b/web/src/routes/register/+page.svelte @@ -1,40 +1,46 @@ - Register - {BRAND.name} + {pageTitle} -

-
+
+
- - {BRAND.shortName} - Login + + {#if isSynvyaManaged} + Synvya + {:else} + {BRAND.shortName} + Login + {/if} -

Create your account

-

Your Nostr identity, simplified

+ {#if !showVerificationNotice} +
+

+ {isSynvyaManaged + ? "Create your account" + : "Create your account"} +

+

+ {isSynvyaManaged + ? "Enter your details below to get started." + : "Your Nostr identity, simplified"} +

+
+ {/if} {#if showVerificationNotice}
- - + +

Check your email

-

We've sent a verification link to {registeredEmail}

-

Click the link in the email to verify your account and sign in.

- Go to Login +

+ We've sent a verification link to {registeredEmail} +

+

+ Click the link in the email to verify your account and + sign in. +

+ Go to Login
{:else} -
{ e.preventDefault(); handleRegister(); }}> -
- - -
- -
- - -
- -
- - -
- - +
+ + +
- {#if showAdvanced} -
- + +
+ +
+ + -

Import your existing key to use it with diVine Login. Leave empty to create a new one.

-
- {/if} - -
+ {#if !isSynvyaManaged} + + + {#if showAdvanced} +
+
+ + +

+ Import your existing key to use it with + Synvya Login. Leave empty to create a new + one. +

+
+
+ {/if} + {/if} + + +

- Already have an account? Sign in + Already have an account? Sign in

- {#if hasExtension} -

- Admin? Sign in with your Nostr extension -

+ {#if !isSynvyaManaged && hasExtension} +

+ Admin? Sign in with your Nostr extension +

{/if} {/if}
@@ -196,6 +257,11 @@ background: var(--color-divine-bg); } + .synvya-page { + padding: 1.5rem; + background: #ffffff; + } + .auth-container { background: var(--color-divine-surface); border: 1px solid var(--color-divine-border); @@ -206,6 +272,18 @@ box-shadow: 0 2px 8px rgba(39, 197, 139, 0.08); } + .synvya-container { + background: transparent; + border: none; + border-radius: 0; + padding: 0; + box-shadow: none; + max-width: 24rem; + display: flex; + flex-direction: column; + gap: 1.5rem; + } + .auth-branding { display: flex; flex-direction: column; @@ -216,6 +294,10 @@ margin-bottom: 1.5rem; } + .synvya-container .auth-branding { + margin-bottom: 0; + } + .auth-branding:hover { opacity: 0.85; } @@ -224,8 +306,13 @@ height: 28px; } + .synvya-logo-img { + height: 2.75rem; + width: auto; + } + .auth-logo-sub { - font-family: 'Inter', sans-serif; + font-family: "Inter", sans-serif; font-weight: 500; font-size: 11px; letter-spacing: 3px; @@ -234,6 +321,12 @@ opacity: 0.6; } + .auth-copy { + display: flex; + flex-direction: column; + gap: 0.5rem; + } + h1 { margin: 0 0 0.5rem 0; color: var(--color-divine-text); @@ -244,6 +337,15 @@ letter-spacing: -0.02em; } + .synvya-container h1 { + color: #0f172a; + font-family: var(--font-sans); + font-size: 1.875rem; + font-weight: 600; + letter-spacing: -0.01em; + line-height: 1.15; + } + .subtitle { color: var(--color-divine-text-secondary); margin: 0 0 1.5rem 0; @@ -251,10 +353,25 @@ font-size: 0.95rem; } + .synvya-container .subtitle, + .synvya-container .auth-link { + color: #64748b; + } + + .synvya-container .subtitle { + margin: 0; + font-size: 0.975rem; + line-height: 1.5; + } + .form-group { margin-bottom: 1rem; } + .synvya-container .form-group { + margin-bottom: 0; + } + label { display: block; margin-bottom: 0.375rem; @@ -263,6 +380,11 @@ font-weight: 500; } + .synvya-container label { + margin-bottom: 0.5rem; + color: #0f172a; + } + input { width: 100%; padding: 0.75rem 1rem; @@ -272,7 +394,9 @@ color: var(--color-divine-text); font-size: 1rem; box-sizing: border-box; - transition: border-color 0.2s, box-shadow 0.2s; + transition: + border-color 0.2s, + box-shadow 0.2s; } input:focus { @@ -291,6 +415,30 @@ cursor: not-allowed; } + .synvya-container input { + background: #eff6ff; + border-color: #dbe4f0; + border-radius: 0.75rem; + color: #0f172a; + padding: 0.875rem 1rem; + } + + .synvya-container input::placeholder { + color: #9aa7b8; + opacity: 1; + } + + .synvya-container input:focus { + border-color: #22c55e; + box-shadow: 0 0 0 3px rgba(34, 197, 94, 0.15); + } + + .synvya-container form { + display: flex; + flex-direction: column; + gap: 1rem; + } + .advanced-toggle { display: flex; align-items: center; @@ -346,11 +494,22 @@ margin-top: 0.5rem; } + .synvya-container .btn-primary { + margin-top: 0.25rem; + border-radius: 0.75rem; + background: #22c55e; + box-shadow: none; + } + .btn-primary:hover:not(:disabled) { background: var(--color-divine-green-dark); box-shadow: 0 2px 8px rgba(39, 197, 139, 0.16); } + .synvya-container .btn-primary:hover:not(:disabled) { + background: #16a34a; + } + .btn-primary:disabled { opacity: 0.5; cursor: not-allowed; @@ -373,6 +532,13 @@ text-decoration: underline; } + .synvya-container .auth-link a { + color: #334155; + text-decoration: underline; + text-underline-offset: 2px; + font-weight: 400; + } + .auth-note { text-align: center; margin-top: 1.5rem; @@ -406,6 +572,10 @@ color: var(--color-divine-green); } + .synvya-container .verification-notice .notice-icon.success { + color: #22c55e; + } + .verification-notice h2 { font-size: 1.25rem; font-weight: 600; @@ -413,6 +583,11 @@ margin-bottom: 0.5rem; } + .synvya-container .verification-notice h2 { + color: #0f172a; + font-size: 1.5rem; + } + .verification-notice p { color: var(--color-divine-text-secondary); font-size: 0.9rem; @@ -420,10 +595,18 @@ margin-bottom: 0.5rem; } + .synvya-container .verification-notice p { + color: #64748b; + } + .verification-notice strong { color: var(--color-divine-text); } + .synvya-container .verification-notice strong { + color: #0f172a; + } + .verification-notice .subtext { font-size: 0.8rem; margin-bottom: 1.5rem; @@ -443,8 +626,29 @@ transition: all 0.2s; } + .synvya-container .btn-secondary { + border-radius: 0.75rem; + color: #334155; + border-color: #dbe4f0; + } + .btn-secondary:hover { background: var(--color-divine-muted); color: var(--color-divine-text); } + + .synvya-container .btn-secondary:hover { + background: #f8fafc; + border-color: #94a3b8; + } + + @media (max-width: 640px) { + .synvya-page { + padding: 1.25rem; + } + + .synvya-container h1 { + font-size: 1.625rem; + } + } diff --git a/web/src/routes/reset-password/+page.svelte b/web/src/routes/reset-password/+page.svelte index 411596dc..50646c1b 100644 --- a/web/src/routes/reset-password/+page.svelte +++ b/web/src/routes/reset-password/+page.svelte @@ -4,15 +4,29 @@ import { toast } from 'svelte-hot-french-toast'; import { KeycastApi } from '$lib/keycast_api.svelte'; import { BRAND } from '$lib/brand'; + import { getLoginUrl } from '$lib/utils/env'; const api = new KeycastApi(); + const loginUrl = getLoginUrl(); + const isSynvyaManaged = loginUrl !== '/login'; + const pageTitle = isSynvyaManaged ? 'Reset Password - Synvya' : `Reset Password - ${BRAND.name}`; let password = $state(''); let confirmPassword = $state(''); let isLoading = $state(false); + let showSuccess = $state(false); const token = $derived($page.url.searchParams.get('token')); + function redirectToLogin() { + if (loginUrl.startsWith('http://') || loginUrl.startsWith('https://')) { + window.location.assign(loginUrl); + return; + } + + goto(loginUrl); + } + async function handleSubmit() { if (!token) { toast.error('Invalid or missing reset token'); @@ -38,7 +52,7 @@ }); toast.success('Password reset successfully!'); - goto('/login'); + showSuccess = true; } catch (err: any) { console.error('Reset password error:', err); toast.error(err.message || 'Failed to reset password. The link may have expired.'); @@ -49,62 +63,85 @@ - Reset Password - {BRAND.name} + {pageTitle} -
-
- - {BRAND.shortName} - Login +
+
+ + {#if isSynvyaManaged} + Synvya + {:else} + {BRAND.shortName} + Login + {/if} -

Reset Password

-

Enter your new password

- - {#if !token} -
-

Invalid or missing reset token.

-

Please request a new password reset link.

+ {#if showSuccess} +
+
+ + + +
+

Password updated

+

Your password has been reset successfully. You can now sign in with your new password.

+ {#if isSynvyaManaged && loginUrl.startsWith('http')} + Sign in + {:else} + Sign in + {/if}
- Request New Link {:else} -
{ e.preventDefault(); handleSubmit(); }}> -
- - -
+
+

{isSynvyaManaged ? 'Set new password' : 'Reset Password'}

+

{isSynvyaManaged ? 'Enter your new password below.' : 'Enter your new password'}

+
-
- - + {#if !token} +
+

Invalid or missing reset token.

+

Please request a new password reset link.

- - - + Request New Link + {:else} +
{ e.preventDefault(); handleSubmit(); }}> +
+ + +
+ +
+ + +
+ + +
+ {/if} + +

+ Back to Login +

{/if} - -

- Back to Login -

@@ -118,6 +155,11 @@ background: var(--color-divine-bg); } + .synvya-page { + padding: 1.5rem; + background: #ffffff; + } + .auth-container { background: var(--color-divine-surface); border: 1px solid var(--color-divine-border); @@ -128,6 +170,18 @@ box-shadow: 0 2px 8px rgba(39, 197, 139, 0.08); } + .synvya-container { + background: transparent; + border: none; + border-radius: 0; + padding: 0; + box-shadow: none; + max-width: 24rem; + display: flex; + flex-direction: column; + gap: 1.5rem; + } + .auth-branding { display: flex; flex-direction: column; @@ -146,6 +200,17 @@ height: 28px; } + .synvya-logo-img { + height: 2.75rem; + width: auto; + } + + .auth-copy { + display: flex; + flex-direction: column; + gap: 0.5rem; + } + .auth-logo-sub { font-family: 'Inter', sans-serif; font-weight: 500; @@ -166,6 +231,15 @@ letter-spacing: -0.02em; } + .synvya-container h1 { + color: #0f172a; + font-family: var(--font-sans); + font-size: 1.875rem; + font-weight: 600; + letter-spacing: -0.01em; + line-height: 1.15; + } + .subtitle { color: var(--color-divine-text-secondary); margin: 0 0 1.5rem 0; @@ -173,10 +247,25 @@ font-size: 0.95rem; } + .synvya-container .subtitle, + .synvya-container .auth-link { + color: #64748b; + } + + .synvya-container .subtitle { + margin: 0; + font-size: 0.975rem; + line-height: 1.5; + } + .form-group { margin-bottom: 1rem; } + .synvya-container .form-group { + margin-bottom: 0; + } + label { display: block; margin-bottom: 0.375rem; @@ -185,6 +274,11 @@ font-weight: 500; } + .synvya-container label { + margin-bottom: 0.5rem; + color: #0f172a; + } + input { width: 100%; padding: 0.75rem 1rem; @@ -213,6 +307,30 @@ cursor: not-allowed; } + .synvya-container input { + background: #eff6ff; + border-color: #dbe4f0; + border-radius: 0.75rem; + color: #0f172a; + padding: 0.875rem 1rem; + } + + .synvya-container input::placeholder { + color: #9aa7b8; + opacity: 1; + } + + .synvya-container input:focus { + border-color: #22c55e; + box-shadow: 0 0 0 3px rgba(34, 197, 94, 0.15); + } + + .synvya-container form { + display: flex; + flex-direction: column; + gap: 1rem; + } + .btn-primary { display: block; width: 100%; @@ -230,11 +348,22 @@ margin-top: 0.5rem; } + .synvya-container .btn-primary { + margin-top: 0.25rem; + border-radius: 0.75rem; + background: #22c55e; + box-shadow: none; + } + .btn-primary:hover:not(:disabled) { background: var(--color-divine-green-dark); box-shadow: 0 2px 8px rgba(39, 197, 139, 0.16); } + .synvya-container .btn-primary:hover:not(:disabled) { + background: #16a34a; + } + .btn-primary:disabled { opacity: 0.5; cursor: not-allowed; @@ -257,6 +386,13 @@ text-decoration: underline; } + .synvya-container .auth-link a { + color: #334155; + text-decoration: underline; + text-underline-offset: 2px; + font-weight: 400; + } + .error-message { background: rgba(239, 68, 68, 0.1); border: 1px solid var(--color-divine-error); @@ -273,4 +409,53 @@ .error-message p:last-child { margin-bottom: 0; } + + .synvya-container .error-message { + margin-bottom: 0; + background: #fef2f2; + border-color: #fecaca; + color: #b91c1c; + } + + .success-notice { + text-align: center; + padding: 1rem 0; + } + + .success-notice .notice-icon { + display: flex; + justify-content: center; + margin-bottom: 1rem; + } + + .success-notice .notice-icon.success { + color: var(--color-divine-green); + } + + .synvya-container .success-notice .notice-icon.success { + color: #22c55e; + } + + .success-notice h1 { + margin-bottom: 0.5rem; + } + + .success-notice .subtitle { + margin-bottom: 1.5rem; + } + + .synvya-container .success-notice .subtitle { + color: #64748b; + margin-bottom: 1.5rem; + } + + @media (max-width: 640px) { + .synvya-page { + padding: 1.25rem; + } + + .synvya-container h1 { + font-size: 1.625rem; + } + } diff --git a/web/src/routes/support-admin/+page.svelte b/web/src/routes/support-admin/+page.svelte index 19952e40..6f930476 100644 --- a/web/src/routes/support-admin/+page.svelte +++ b/web/src/routes/support-admin/+page.svelte @@ -3,12 +3,15 @@ import { BRAND } from '$lib/brand'; import { KeycastApi } from '$lib/keycast_api.svelte'; import { goto } from '$app/navigation'; + import { getLoginUrl } from '$lib/utils/env'; import Loader from '$lib/components/Loader.svelte'; - import { ShieldCheck, Warning, MagnifyingGlass, User, Key, Calendar, Globe, Copy, Check, CheckCircle, XCircle, Link, CaretDown, CaretRight } from 'phosphor-svelte'; + import { ShieldCheck, Warning, MagnifyingGlass, User, Key, Calendar, Globe, Copy, Check, CheckCircle, XCircle, Link, CaretDown, CaretRight, Storefront, UsersThree, Plug } from 'phosphor-svelte'; import { nip19 } from 'nostr-tools'; import { toast } from 'svelte-hot-french-toast'; const api = new KeycastApi(); + const isSynvyaManaged = getLoginUrl() !== '/login'; + const brandName = isSynvyaManaged ? 'Synvya' : BRAND.name; let status = $state<'loading' | 'not-admin' | 'ready'>('loading'); let adminRole = $state(null); @@ -32,6 +35,41 @@ let isGeneratingClaimToken = $state(false); let copiedClaimUrl = $state(false); + // Teams / restaurants / authorizations state (lazy-loaded per expand) + let userTeams = $state(null); + let isLoadingTeams = $state(false); + let teamsError = $state(''); + + interface AdminAuthorization { + id: number; + label: string | null; + bunker_public_key: string; + relays: string[]; + connected_client_pubkey: string | null; + connected_at: string | null; + expires_at: string | null; + revoked_at: string | null; + revoked_reason: string | null; + created_at: string; + updated_at: string; + } + + interface RestaurantKey { + id: number; + name: string; + pubkey: string; + created_at: string; + authorizations: AdminAuthorization[]; + } + + interface TeamDetails { + id: number; + name: string; + role: string; + joined_at: string; + restaurant_keys: RestaurantKey[]; + } + interface UserDetails { pubkey: string; email: string | null; @@ -173,6 +211,148 @@ expandedPubkey = expandedPubkey === pubkey ? null : pubkey; } + async function loadUserTeams(pubkey: string) { + isLoadingTeams = true; + teamsError = ''; + userTeams = null; + try { + const result = await api.get<{ teams: TeamDetails[] }>( + `/admin/user-teams?pubkey=${encodeURIComponent(pubkey)}` + ); + userTeams = result.teams; + } catch (err: any) { + teamsError = err.message || 'Failed to load teams'; + } finally { + isLoadingTeams = false; + } + } + + function formatAuthLabel(a: AdminAuthorization): string { + return a.label && a.label.trim() ? a.label : `Authorization #${a.id}`; + } + + function isSynvyaServerAuth(label: string | null): boolean { + return !!label && /synvya\s+server/i.test(label); + } + + function isSynvyaClientAuth(label: string | null): boolean { + return !!label && /synvya\s+client/i.test(label); + } + + interface AuthGroup { + key: string; // group key for UI (`(no label)` for empty labels) + label: string | null; + displayLabel: string; + serverAuth: boolean; + clientAuth: boolean; + authorizations: AdminAuthorization[]; // newest-first + } + + /** Group authorizations by label, newest-first within each group. */ + function groupAuthorizations(auths: AdminAuthorization[]): AuthGroup[] { + const groups = new Map(); + for (const a of auths) { + const labelNorm = a.label && a.label.trim() ? a.label.trim() : ''; + const key = labelNorm || '(no label)'; + let group = groups.get(key); + if (!group) { + group = { + key, + label: labelNorm || null, + displayLabel: labelNorm || '(no label)', + serverAuth: isSynvyaServerAuth(labelNorm || null), + clientAuth: isSynvyaClientAuth(labelNorm || null), + authorizations: [], + }; + groups.set(key, group); + } + group.authorizations.push(a); + } + for (const group of groups.values()) { + group.authorizations.sort( + (x, y) => new Date(y.created_at).getTime() - new Date(x.created_at).getTime(), + ); + } + // Order groups by the most recent authorization within each group (newest first). + return Array.from(groups.values()).sort( + (a, b) => + new Date(b.authorizations[0].created_at).getTime() - + new Date(a.authorizations[0].created_at).getTime(), + ); + } + + // Per-group expand/collapse for older authorizations in the Synvya admin view. + // Keyed by `${restaurantKeyId}|${groupKey}`; presence = expanded. + let expandedAuthGroups = $state>(new Set()); + + function authGroupExpandKey(keyId: number, groupKey: string): string { + return `${keyId}|${groupKey}`; + } + + function toggleAuthGroup(keyId: number, groupKey: string) { + const k = authGroupExpandKey(keyId, groupKey); + const next = new Set(expandedAuthGroups); + if (next.has(k)) { + next.delete(k); + } else { + next.add(k); + } + expandedAuthGroups = next; + } + + // Show revoked authorizations per restaurant key (keyed by RestaurantKey.id). + let showRevokedKeys = $state>(new Set()); + function toggleShowRevoked(keyId: number) { + const next = new Set(showRevokedKeys); + if (next.has(keyId)) next.delete(keyId); else next.add(keyId); + showRevokedKeys = next; + } + + function isRevoked(a: AdminAuthorization): boolean { + return a.revoked_at !== null && a.revoked_at !== undefined; + } + + function countRevoked(auths: AdminAuthorization[]): number { + return auths.filter(isRevoked).length; + } + + function visibleAuthorizations(key: RestaurantKey): AdminAuthorization[] { + if (showRevokedKeys.has(key.id)) return key.authorizations; + return key.authorizations.filter(a => !isRevoked(a)); + } + + let revokingAuthIds = $state>(new Set()); + + async function revokeAuthorization(authId: number) { + const reason = window.prompt( + `Revoke authorization #${authId}?\n\nOptional: enter a reason (visible in admin audit).`, + '', + ); + // prompt returns null if user cancels; empty string is OK (reason optional). + if (reason === null) return; + const trimmed = reason.trim(); + + const next = new Set(revokingAuthIds); + next.add(authId); + revokingAuthIds = next; + try { + await api.post(`/admin/authorizations/${authId}/revoke`, { + reason: trimmed.length > 0 ? trimmed : null, + }); + toast.success(`Authorization #${authId} revoked`); + if (expandedPubkey) { + await loadUserTeams(expandedPubkey); + } + } catch (err) { + const msg = err instanceof Error ? err.message : String(err); + toast.error(`Failed to revoke: ${msg}`); + } finally { + const after = new Set(revokingAuthIds); + after.delete(authId); + revokingAuthIds = after; + } + } + $effect(() => { if (expandedPubkey && searchResult) { const user = searchResult.results.find(u => u.pubkey === expandedPubkey); @@ -181,17 +361,26 @@ } else { claimToken = null; } + loadUserTeams(expandedPubkey); } else { claimToken = null; + userTeams = null; + teamsError = ''; } }); - Support Admin - {BRAND.name} + Support Admin - {brandName} -
+
+ {#if isSynvyaManaged} +
+ + Support Admin +
+ {/if} {#if status === 'loading'}
@@ -388,6 +577,242 @@ {/if}
{/if} + + {#if isSynvyaManaged} +
+
+ + Teams & Restaurants +
+ + {#if isLoadingTeams} +

Loading teams…

+ {:else if teamsError} +
{teamsError}
+ {:else if userTeams && userTeams.length === 0} +

This user is not a member of any team.

+ {:else if userTeams} +
+ {#each userTeams as team (team.id)} +
+
+
+ + {team.name} +
+
+ {team.role} + joined {formatDate(team.joined_at)} +
+
+ + {#if team.restaurant_keys.length === 0} +

No restaurant keys in this team.

+ {:else} + {#each team.restaurant_keys as key (key.id)} +
+
+ Restaurant + {key.name} +
+
+ Pubkey + + {truncateFormatted(key.pubkey)} + + +
+ +
+ + Authorizations + shared across the team + {#if isSynvyaManaged && countRevoked(key.authorizations) > 0} + + {/if} +
+ + {#if key.authorizations.length === 0} +

No authorizations on this key.

+ {:else if isSynvyaManaged} + {@const visibleAuths = visibleAuthorizations(key)} +
+ {#if visibleAuths.length === 0} +

All authorizations on this key are revoked. Click "Show revoked" above to view them.

+ {/if} + {#each groupAuthorizations(visibleAuths) as group (group.key)} + {@const expanded = expandedAuthGroups.has(authGroupExpandKey(key.id, group.key))} + {@const newest = group.authorizations[0]} + {@const olderCount = group.authorizations.length - 1} +
+
+ {group.displayLabel} + · {group.authorizations.length} + {#if group.serverAuth} + 24/7 + {:else if group.clientAuth} + interactive + {/if} +
+
+
+ Authorization #{newest.id} · newest + {#if isRevoked(newest)} + revoked + {/if} +
+
+
+ Bunker + {truncateFormatted(newest.bunker_public_key)} +
+
+ Created + {formatDate(newest.created_at)} +
+
+ Connected + {newest.connected_at ? formatDate(newest.connected_at) : '—'} +
+
+ Expires + {newest.expires_at ? formatDate(newest.expires_at) : 'Never'} +
+
+ Relays + {newest.relays.length === 0 ? '—' : newest.relays.join(', ')} +
+
+ {#if isRevoked(newest)} +
+ Revoked {formatDate(newest.revoked_at!)} + {#if newest.revoked_reason} + "{newest.revoked_reason}" + {/if} +
+ {:else} +
+ +
+ {/if} +
+ {#if olderCount > 0} + + {#if expanded} +
+ {#each group.authorizations.slice(1) as a (a.id)} +
+
+ Authorization #{a.id} + {#if isRevoked(a)} + revoked + {/if} +
+
+
+ Bunker + {truncateFormatted(a.bunker_public_key)} +
+
+ Created + {formatDate(a.created_at)} +
+
+ Connected + {a.connected_at ? formatDate(a.connected_at) : '—'} +
+
+ Expires + {a.expires_at ? formatDate(a.expires_at) : 'Never'} +
+
+ Relays + {a.relays.length === 0 ? '—' : a.relays.join(', ')} +
+
+ {#if isRevoked(a)} +
+ Revoked {formatDate(a.revoked_at!)} + {#if a.revoked_reason} + "{a.revoked_reason}" + {/if} +
+ {:else} +
+ +
+ {/if} +
+ {/each} +
+ {/if} + {/if} +
+ {/each} +
+ {:else} +
+ {#each key.authorizations as a (a.id)} + {@const serverAuth = isSynvyaServerAuth(a.label)} + {@const clientAuth = isSynvyaClientAuth(a.label)} +
+
+ {formatAuthLabel(a)} + {#if serverAuth} + 24/7 + {:else if clientAuth} + interactive + {/if} +
+
+
+ Bunker + {truncateFormatted(a.bunker_public_key)} +
+
+ Created + {formatDate(a.created_at)} +
+
+ Connected + {a.connected_at ? formatDate(a.connected_at) : '—'} +
+
+ Expires + {a.expires_at ? formatDate(a.expires_at) : 'Never'} +
+
+ Relays + {a.relays.length === 0 ? '—' : a.relays.join(', ')} +
+
+
+ {/each} +
+ {/if} +
+ {/each} + {/if} +
+ {/each} +
+ {/if} +
+ {/if}
{/if}
@@ -909,4 +1334,533 @@ color: var(--color-divine-text-tertiary); font-size: 0.8rem; } + + /* ========================================================= + Teams & Authorizations (shared markup, inherits dark theme) + ========================================================= */ + .teams-section { + padding: 0.875rem 1.25rem 1rem; + border-top: 1px solid var(--color-divine-border); + } + + .section-header { + display: flex; + align-items: center; + gap: 0.375rem; + color: var(--color-divine-text); + margin-bottom: 0.625rem; + } + + .section-title { + font-size: 0.825rem; + font-weight: 600; + } + + .muted-text { + font-size: 0.8rem; + color: var(--color-divine-text-tertiary); + margin: 0.25rem 0; + } + + .muted-text.indent { + padding-left: 0.5rem; + } + + .inline-error { + display: flex; + align-items: center; + gap: 0.375rem; + font-size: 0.8rem; + color: var(--color-divine-error); + } + + .teams-list { + display: flex; + flex-direction: column; + gap: 0.625rem; + } + + .team-card { + background: var(--color-divine-bg); + border: 1px solid var(--color-divine-border); + border-radius: 10px; + padding: 0.75rem 0.875rem; + } + + .team-header { + display: flex; + justify-content: space-between; + align-items: center; + gap: 0.5rem; + flex-wrap: wrap; + margin-bottom: 0.5rem; + } + + .team-header-main { + display: flex; + align-items: center; + gap: 0.375rem; + color: var(--color-divine-green); + } + + .team-name { + color: var(--color-divine-text); + font-weight: 600; + font-size: 0.9rem; + } + + .team-header-meta { + display: flex; + align-items: center; + gap: 0.5rem; + } + + .team-joined { + font-size: 0.7rem; + color: var(--color-divine-text-tertiary); + } + + .pill { + display: inline-flex; + align-items: center; + padding: 0.1rem 0.5rem; + font-size: 0.65rem; + font-weight: 600; + border-radius: 9999px; + text-transform: uppercase; + letter-spacing: 0.03em; + } + + .pill-role { + background: color-mix(in srgb, var(--color-divine-purple, #8b5cf6) 18%, transparent); + color: var(--color-divine-purple, #8b5cf6); + } + + .pill-server { + background: color-mix(in srgb, var(--color-divine-green) 20%, transparent); + color: var(--color-divine-green); + } + + .pill-client { + background: color-mix(in srgb, #3b82f6 20%, transparent); + color: #3b82f6; + } + + .pill-revoked { + background: color-mix(in srgb, #dc2626 18%, transparent); + color: #dc2626; + } + + .auth-card-revoked { + opacity: 0.65; + border-color: color-mix(in srgb, #dc2626 40%, var(--color-divine-border)); + background: color-mix(in srgb, #dc2626 4%, transparent); + } + + .auth-card-revoked .auth-sub-label { + text-decoration: line-through; + } + + .auth-revoked-info { + display: flex; + flex-direction: column; + gap: 0.15rem; + padding: 0.4rem 0.6rem; + margin-top: 0.35rem; + border-top: 1px dashed color-mix(in srgb, #dc2626 40%, var(--color-divine-border)); + font-size: 0.78rem; + } + + .auth-revoked-label { + color: #dc2626; + font-weight: 600; + } + + .auth-revoked-reason { + color: var(--color-divine-text-muted, #64748b); + font-style: italic; + } + + .auth-card-actions { + display: flex; + justify-content: flex-end; + padding: 0.35rem 0.5rem 0.5rem; + } + + .btn-revoke { + background: transparent; + border: 1px solid color-mix(in srgb, #dc2626 60%, transparent); + color: #dc2626; + font-size: 0.75rem; + font-weight: 600; + padding: 0.2rem 0.55rem; + border-radius: 6px; + cursor: pointer; + transition: background 0.15s, color 0.15s; + } + + .btn-revoke:hover:not(:disabled) { + background: #dc2626; + color: white; + } + + .btn-revoke:disabled { + opacity: 0.5; + cursor: not-allowed; + } + + .show-revoked-toggle { + margin-left: auto; + background: transparent; + border: 1px solid var(--color-divine-border); + color: var(--color-divine-text-muted, #64748b); + font-size: 0.72rem; + padding: 0.12rem 0.45rem; + border-radius: 5px; + cursor: pointer; + } + + .show-revoked-toggle:hover { + background: var(--color-divine-surface); + color: var(--color-divine-text, inherit); + } + + .restaurant-block { + margin-top: 0.5rem; + padding: 0.625rem 0.75rem; + background: var(--color-divine-surface); + border: 1px solid var(--color-divine-border); + border-radius: 8px; + } + + .restaurant-row { + display: flex; + justify-content: space-between; + align-items: center; + gap: 0.75rem; + padding: 0.2rem 0; + font-size: 0.8rem; + } + + .restaurant-label { + display: inline-flex; + align-items: center; + gap: 0.25rem; + color: var(--color-divine-text-secondary); + } + + .restaurant-name { + color: var(--color-divine-text); + font-weight: 500; + } + + .auth-header { + display: flex; + align-items: center; + gap: 0.375rem; + margin-top: 0.625rem; + margin-bottom: 0.375rem; + font-size: 0.75rem; + font-weight: 600; + color: var(--color-divine-text-secondary); + } + + .auth-scope-hint { + margin-left: auto; + font-weight: 400; + font-size: 0.7rem; + color: var(--color-divine-text-tertiary); + font-style: italic; + } + + .auth-list { + display: flex; + flex-direction: column; + gap: 0.5rem; + } + + .auth-card { + border: 1px solid var(--color-divine-border); + border-radius: 8px; + padding: 0.5rem 0.625rem; + background: var(--color-divine-bg); + } + + .auth-card.auth-server { + border-left: 3px solid var(--color-divine-green); + } + + .auth-card.auth-client { + border-left: 3px solid #3b82f6; + } + + /* Grouped authorizations (Synvya admin view) */ + .auth-group { + border: 1px solid var(--color-divine-border); + border-radius: 8px; + background: var(--color-divine-bg); + padding: 0.5rem 0.625rem; + display: flex; + flex-direction: column; + gap: 0.5rem; + } + + .auth-group.auth-server { + border-left: 3px solid var(--color-divine-green); + } + + .auth-group.auth-client { + border-left: 3px solid #3b82f6; + } + + .auth-group-header { + display: flex; + align-items: center; + gap: 0.5rem; + flex-wrap: wrap; + } + + .auth-count-badge { + font-size: 0.75rem; + font-weight: 600; + color: var(--color-divine-text-secondary); + } + + .auth-card-plain { + border: none; + border-left: none; + padding: 0.375rem 0; + background: transparent; + border-radius: 0; + } + + .auth-sub-label { + font-size: 0.75rem; + font-weight: 500; + color: var(--color-divine-text-secondary); + } + + .auth-older-toggle { + display: inline-flex; + align-items: center; + gap: 0.25rem; + background: transparent; + border: 1px dashed var(--color-divine-border); + border-radius: 6px; + padding: 0.25rem 0.5rem; + font-size: 0.75rem; + color: var(--color-divine-text-secondary); + cursor: pointer; + align-self: flex-start; + } + + .auth-older-toggle:hover { + background: var(--color-divine-surface); + color: var(--color-divine-text); + } + + .auth-older-list { + display: flex; + flex-direction: column; + gap: 0.25rem; + border-top: 1px dashed var(--color-divine-border); + padding-top: 0.375rem; + } + + .auth-card-older { + opacity: 0.75; + } + + .auth-card-header { + display: flex; + justify-content: space-between; + align-items: center; + gap: 0.5rem; + margin-bottom: 0.375rem; + } + + .auth-label { + font-size: 0.825rem; + font-weight: 600; + color: var(--color-divine-text); + } + + .auth-meta { + display: grid; + grid-template-columns: auto 1fr; + column-gap: 0.75rem; + row-gap: 0.2rem; + } + + .auth-meta-row { + display: contents; + } + + .auth-meta-label { + font-size: 0.7rem; + color: var(--color-divine-text-tertiary); + text-transform: uppercase; + letter-spacing: 0.03em; + } + + .auth-meta-value { + font-size: 0.75rem; + color: var(--color-divine-text); + word-break: break-all; + } + + .auth-meta-value.relays { + font-family: var(--font-mono); + font-size: 0.7rem; + color: var(--color-divine-text-secondary); + } + + /* ========================================================= + Synvya light admin variant (overrides when .synvya-admin) + ========================================================= */ + .support-page.synvya-admin { + max-width: 720px; + padding: 2rem 1.5rem 3rem; + background: transparent; + } + + :global(body:has(.support-page.synvya-admin)) { + background: #f7f9f8; + } + + .synvya-brand { + display: flex; + align-items: baseline; + gap: 0.5rem; + margin-bottom: 1.5rem; + } + + .synvya-brand-logo { + height: 26px; + } + + .synvya-brand-sub { + font-size: 0.85rem; + color: #5a6b6a; + font-weight: 500; + } + + /* Card surfaces → white with subtle border */ + .support-page.synvya-admin .admin-header, + .support-page.synvya-admin .status-card, + .support-page.synvya-admin .no-result, + .support-page.synvya-admin .user-list, + .support-page.synvya-admin .link-card, + .support-page.synvya-admin .results-banner, + .support-page.synvya-admin .search-input-wrap { + background: #ffffff; + border-color: #e2e8e6; + color: #1f2937; + } + + .support-page.synvya-admin .tools-section h2, + .support-page.synvya-admin .admin-label, + .support-page.synvya-admin .list-name, + .support-page.synvya-admin .field-value, + .support-page.synvya-admin .team-name, + .support-page.synvya-admin .restaurant-name, + .support-page.synvya-admin .auth-label, + .support-page.synvya-admin .section-title, + .support-page.synvya-admin .link-title, + .support-page.synvya-admin .claim-title, + .support-page.synvya-admin .auth-meta-value { + color: #0f1f1c; + } + + .support-page.synvya-admin .field-label, + .support-page.synvya-admin .restaurant-label, + .support-page.synvya-admin .auth-header { + color: #4b5e5a; + } + + .support-page.synvya-admin .search-hint, + .support-page.synvya-admin .list-username, + .support-page.synvya-admin .list-sessions, + .support-page.synvya-admin .team-joined, + .support-page.synvya-admin .auth-meta-label, + .support-page.synvya-admin .auth-scope-hint, + .support-page.synvya-admin .muted-text, + .support-page.synvya-admin .link-desc, + .support-page.synvya-admin .status-text, + .support-page.synvya-admin .status-neutral, + .support-page.synvya-admin .auth-meta-value.relays { + color: #7a8a86; + } + + .support-page.synvya-admin .search-input { + color: #0f1f1c; + } + + .support-page.synvya-admin .search-input::placeholder { + color: #9ba8a4; + } + + .support-page.synvya-admin .user-list-item { + border-bottom-color: #e9efed; + } + + .support-page.synvya-admin .user-list-item.expanded { + background: #f4f9f7; + } + + .support-page.synvya-admin .user-list-row:hover { + background: #eff5f3; + } + + .support-page.synvya-admin .user-card, + .support-page.synvya-admin .status-strip, + .support-page.synvya-admin .teams-section, + .support-page.synvya-admin .claim-section { + border-top-color: #e9efed; + } + + .support-page.synvya-admin .status-strip { + background: #f4f9f7; + } + + .support-page.synvya-admin .team-card, + .support-page.synvya-admin .auth-card, + .support-page.synvya-admin .auth-group { + background: #ffffff; + border-color: #e2e8e6; + } + + .support-page.synvya-admin .auth-sub-label, + .support-page.synvya-admin .auth-count-badge { + color: #4b5e5a; + } + + .support-page.synvya-admin .restaurant-block { + background: #f7fbf9; + border-color: #dbe7e3; + } + + .support-page.synvya-admin .claim-section { + background: #f1faf5; + } + + .support-page.synvya-admin .claim-url-input { + background: #ffffff; + border-color: #dbe7e3; + color: #0f1f1c; + } + + .support-page.synvya-admin .format-toggle { + background: #eef4f1; + border-color: #dbe7e3; + color: #4b5e5a; + } + + .support-page.synvya-admin .icon-btn { + color: #7a8a86; + } + .support-page.synvya-admin .icon-btn:hover { + color: var(--color-divine-green); + background: #eef4f1; + } diff --git a/web/src/routes/verify-email/+page.svelte b/web/src/routes/verify-email/+page.svelte index eb04749b..7c6dfc39 100644 --- a/web/src/routes/verify-email/+page.svelte +++ b/web/src/routes/verify-email/+page.svelte @@ -5,9 +5,13 @@ import { toast } from 'svelte-hot-french-toast'; import { KeycastApi } from '$lib/keycast_api.svelte'; import { BRAND } from '$lib/brand'; + import { getLoginUrl } from '$lib/utils/env'; + import { CheckCircle, XCircle, Warning, CircleNotch } from 'phosphor-svelte'; const api = new KeycastApi(); - + const loginUrl = getLoginUrl(); + const isSynvyaManaged = loginUrl !== '/login'; + const pageTitle = isSynvyaManaged ? 'Verify Email - Synvya' : `Verify Email - ${BRAND.name}`; let status = $state<'loading' | 'processing' | 'success' | 'oauth_redirect' | 'headless_verified' | 'error' | 'no-token'>('loading'); let message = $state(''); let redirectUrl = $state(''); @@ -142,33 +146,31 @@ - Verify Email - {BRAND.name} + {pageTitle} -
-
+
+
- - {BRAND.shortName} - Login + + {#if isSynvyaManaged} + Synvya + {:else} + {BRAND.shortName} + Login + {/if} {#if status === 'loading'}
- - - - + {#if isSynvyaManaged}{:else} {/if}

Verifying your email...

Please wait

{:else if status === 'processing'}
- - - - + {#if isSynvyaManaged}{:else} {/if}

Almost there...

{message}

@@ -176,9 +178,7 @@ {:else if status === 'oauth_redirect'}
- - - + {#if isSynvyaManaged}{:else} {/if}

Email Verified!

{message}

@@ -186,18 +186,14 @@ {:else if status === 'headless_verified'}
- - - + {#if isSynvyaManaged}{:else} {/if}

Email Verified!

{message}

{:else if status === 'success'}
- - - + {#if isSynvyaManaged}{:else} {/if}

Email Verified!

{message}

@@ -206,27 +202,23 @@ {:else if status === 'error'}
- - - + {#if isSynvyaManaged}{:else} {/if}

Verification Failed

{message}

- Go to Login + Go to Login Create New Account
{:else if status === 'no-token'}
- - - + {#if isSynvyaManaged}{:else} {/if}

Invalid Link

This verification link is invalid or incomplete.

- Go to Login + Go to Login Create New Account
{/if} @@ -243,6 +235,10 @@ background: var(--color-divine-bg); } + .synvya-page { + background: color-mix(in srgb, var(--color-divine-muted) 60%, white); + } + .verify-container { background: var(--color-divine-surface); border: 1px solid var(--color-divine-border); @@ -254,6 +250,15 @@ box-shadow: 0 2px 8px rgba(39, 197, 139, 0.08); } + .synvya-container { + background: transparent; + border: none; + border-radius: 0; + padding: 0; + box-shadow: none; + max-width: 24rem; + } + .verify-branding { display: inline-flex; flex-direction: column; @@ -267,6 +272,17 @@ opacity: 0.85; } + .synvya-branding { + flex-direction: column; + align-items: center; + gap: 0; + opacity: 1; + } + + .synvya-branding:hover { + opacity: 0.95; + } + .verify-logo-img { height: 28px; } @@ -281,6 +297,11 @@ opacity: 0.6; } + .synvya-logo-img { + height: 3rem; + width: auto; + } + .status-icon { display: flex; justify-content: center; @@ -316,12 +337,56 @@ font-weight: 700; } + .synvya-container h1 { + color: #0f172a; + font-size: 1.25rem; + font-weight: 600; + letter-spacing: -0.01em; + } + .subtitle { color: var(--color-divine-text-secondary); margin: 0 0 1.25rem 0; font-size: 0.95rem; } + .synvya-container .subtitle, + .synvya-container .redirect-notice, + .synvya-container .processing-notice { + color: #475569; + } + + /* Synvya-themed status icons: small chip with soft background instead of + a large filled-circle SVG. */ + .synvya-container .status-icon { + margin-bottom: 1rem; + } + + .synvya-container .status-icon :global(svg) { + padding: 0.45rem; + border-radius: 999px; + background: rgba(15, 23, 42, 0.04); + } + + .synvya-container .status-icon.success :global(svg) { + color: #16a34a; + background: rgba(22, 163, 74, 0.1); + } + + .synvya-container .status-icon.error :global(svg) { + color: #dc2626; + background: rgba(220, 38, 38, 0.08); + } + + .synvya-container .status-icon.loading :global(svg) { + color: #0f172a; + background: rgba(15, 23, 42, 0.04); + } + + .synvya-container .status-icon :global(.synvya-spin) { + animation: spin 1s linear infinite; + } + .redirect-notice { color: var(--color-divine-text-tertiary); font-size: 0.85rem; @@ -354,11 +419,20 @@ transition: all 0.2s; } + .synvya-container .btn-primary { + background: #0f172a; + box-shadow: none; + } + .btn-primary:hover { background: var(--color-divine-green-dark); box-shadow: 0 2px 8px rgba(39, 197, 139, 0.16); } + .synvya-container .btn-primary:hover { + background: #111827; + } + .btn-secondary { display: block; padding: 0.75rem 1.5rem; @@ -373,8 +447,19 @@ transition: all 0.2s; } + .synvya-container .btn-secondary { + background: rgba(255, 255, 255, 0.72); + border-color: rgba(15, 23, 42, 0.12); + color: #0f172a; + } + .btn-secondary:hover { background: var(--color-divine-muted); color: var(--color-divine-text); } + + .synvya-container .btn-secondary:hover { + background: rgba(248, 250, 252, 1); + border-color: rgba(15, 23, 42, 0.2); + } diff --git a/web/static/site.webmanifest b/web/static/site.webmanifest index b4dddbbd..962ebaf2 100644 --- a/web/static/site.webmanifest +++ b/web/static/site.webmanifest @@ -1,6 +1,6 @@ { - "name": "diVine Login", - "short_name": "diVine", + "name": "Synvya Login", + "short_name": "Synvya", "icons": [ { "src": "/web-app-manifest-192x192.png", diff --git a/web/static/synvya-logo.png b/web/static/synvya-logo.png new file mode 100644 index 00000000..77c60336 Binary files /dev/null and b/web/static/synvya-logo.png differ diff --git a/web/static/synvya-logo.svg b/web/static/synvya-logo.svg new file mode 100644 index 00000000..61f3e292 --- /dev/null +++ b/web/static/synvya-logo.svg @@ -0,0 +1,10 @@ + + + + + + + + + Synvya +