Merge pull request #988 from fosrl/dev

1.6.0

Author: miloschwartz

.dockerignore

@@ -26,3 +26,4 @@ install/
 bruno/
 LICENSE
 CONTRIBUTING.md
+dist

.github/workflows/linting.yml

@@ -0,0 +1,34 @@
+name: ESLint
+
+on:
+    pull_request:
+        paths:
+            - '**/*.js'
+            - '**/*.jsx'
+            - '**/*.ts'
+            - '**/*.tsx'
+            - '.eslintrc*'
+            - 'package.json'
+            - 'yarn.lock'
+            - 'pnpm-lock.yaml'
+            - 'package-lock.json'
+
+jobs:
+    Linter:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Set up Node.js
+              uses: actions/setup-node@v4
+              with:
+                node-version: '20'
+
+            - name: Install dependencies
+              run: |
+                npm ci
+
+            - name: Run ESLint
+              run: |
+                npx eslint . --ext .js,.jsx,.ts,.tsx

.gitignore

@@ -32,4 +32,5 @@ installer
 bin
 .secrets
 test_event.json
-.idea/
+.idea/
+server/db/index.ts

Dockerfile

@@ -13,6 +13,7 @@ RUN echo 'export * from "./sqlite";' > server/db/index.ts
 RUN npx drizzle-kit generate --dialect sqlite --schema ./server/db/sqlite/schema.ts --out init
 
 RUN npm run build:sqlite
+RUN npm run build:cli
 
 FROM node:20-alpine AS runner
 
@@ -30,6 +31,9 @@ COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
 
+COPY ./cli/wrapper.sh /usr/local/bin/pangctl
+RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
+
 COPY server/db/names.json ./dist/names.json
 
 COPY public ./public

Dockerfile.pg

@@ -13,6 +13,7 @@ RUN echo 'export * from "./pg";' > server/db/index.ts
 RUN npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema.ts --out init
 
 RUN npm run build:pg
+RUN npm run build:cli
 
 FROM node:20-alpine AS runner
 
@@ -30,6 +31,9 @@ COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
 
+COPY ./cli/wrapper.sh /usr/local/bin/pangctl
+RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
+
 COPY server/db/names.json ./dist/names.json
 
 COPY public ./public

cli/commands/setAdminCredentials.ts

@@ -0,0 +1,141 @@
+import { CommandModule } from "yargs";
+import { hashPassword, verifyPassword } from "@server/auth/password";
+import { db, resourceSessions, sessions } from "@server/db";
+import { users } from "@server/db";
+import { eq, inArray } from "drizzle-orm";
+import moment from "moment";
+import { fromError } from "zod-validation-error";
+import { passwordSchema } from "@server/auth/passwordSchema";
+import { UserType } from "@server/types/UserTypes";
+import { generateRandomString, RandomReader } from "@oslojs/crypto/random";
+
+type SetAdminCredentialsArgs = {
+    email: string;
+    password: string;
+};
+
+export const setAdminCredentials: CommandModule<{}, SetAdminCredentialsArgs> = {
+    command: "set-admin-credentials",
+    describe: "Set the server admin credentials",
+    builder: (yargs) => {
+        return yargs
+            .option("email", {
+                type: "string",
+                demandOption: true,
+                describe: "Admin email address"
+            })
+            .option("password", {
+                type: "string",
+                demandOption: true,
+                describe: "Admin password"
+            });
+    },
+    handler: async (argv: { email: string; password: string }) => {
+        try {
+            const { email, password } = argv;
+
+            const parsed = passwordSchema.safeParse(password);
+
+            if (!parsed.success) {
+                throw Error(
+                    `Invalid server admin password: ${fromError(parsed.error).toString()}`
+                );
+            }
+
+            const passwordHash = await hashPassword(password);
+
+            await db.transaction(async (trx) => {
+                try {
+                    const [existing] = await trx
+                        .select()
+                        .from(users)
+                        .where(eq(users.serverAdmin, true));
+
+                    if (existing) {
+                        const passwordChanged = !(await verifyPassword(
+                            password,
+                            existing.passwordHash!
+                        ));
+
+                        if (passwordChanged) {
+                            await trx
+                                .update(users)
+                                .set({ passwordHash })
+                                .where(eq(users.userId, existing.userId));
+
+                            await invalidateAllSessions(existing.userId);
+                            console.log("Server admin password updated");
+                        }
+
+                        if (existing.email !== email) {
+                            await trx
+                                .update(users)
+                                .set({ email, username: email })
+                                .where(eq(users.userId, existing.userId));
+
+                            console.log("Server admin email updated");
+                        }
+                    } else {
+                        const userId = generateId(15);
+
+                        await trx.update(users).set({ serverAdmin: false });
+
+                        await db.insert(users).values({
+                            userId: userId,
+                            email: email,
+                            type: UserType.Internal,
+                            username: email,
+                            passwordHash,
+                            dateCreated: moment().toISOString(),
+                            serverAdmin: true,
+                            emailVerified: true
+                        });
+
+                        console.log("Server admin created");
+                    }
+                } catch (e) {
+                    console.error("Failed to set admin credentials", e);
+                    trx.rollback();
+                    throw e;
+                }
+            });
+
+            console.log("Admin credentials updated successfully");
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
+
+export async function invalidateAllSessions(userId: string): Promise<void> {
+    try {
+        await db.transaction(async (trx) => {
+            const userSessions = await trx
+                .select()
+                .from(sessions)
+                .where(eq(sessions.userId, userId));
+            await trx.delete(resourceSessions).where(
+                inArray(
+                    resourceSessions.userSessionId,
+                    userSessions.map((s) => s.sessionId)
+                )
+            );
+            await trx.delete(sessions).where(eq(sessions.userId, userId));
+        });
+    } catch (e) {
+        console.log("Failed to all invalidate user sessions", e);
+    }
+}
+
+const random: RandomReader = {
+    read(bytes: Uint8Array): void {
+        crypto.getRandomValues(bytes);
+    }
+};
+
+export function generateId(length: number): string {
+    const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
+    return generateRandomString(random, alphabet, length);
+}

cli/index.ts

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
+
+yargs(hideBin(process.argv))
+    .scriptName("pangctl")
+    .command(setAdminCredentials)
+    .demandCommand()
+    .help().argv;

cli/wrapper.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+cd /app/
+./dist/cli.mjs "$@"

config/config.example.yml

@@ -41,11 +41,6 @@ rate_limits:
         window_minutes: 1
         max_requests: 500
 
-users:
-    server_admin:
-        email: "admin@example.com"
-        password: "Password123!"
-
 flags:
     require_email_verification: false
     disable_signup_without_invite: true

crowdin.yml

@@ -0,0 +1,3 @@
+files:
+  - source: /messages/en-US.json
+    translation: /messages/%locale%.json