Initial commit: DashCaddy v1.0

Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.

dashcaddy-api/routes/auth/keys.js

@@ -0,0 +1,130 @@
+const express = require('express');
+
+module.exports = function(ctx) {
+  const router = express.Router();
+
+  // Helper function to parse expiration strings to milliseconds
+  function parseExpiration(expStr) {
+    const match = expStr.match(/^(\d+)([smhdy])$/);
+    if (!match) return 24 * 60 * 60 * 1000; // default 24h
+
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+
+    const multipliers = {
+      s: 1000,
+      m: 60 * 1000,
+      h: 60 * 60 * 1000,
+      d: 24 * 60 * 60 * 1000,
+      y: 365 * 24 * 60 * 60 * 1000
+    };
+
+    return value * (multipliers[unit] || multipliers.h);
+  }
+
+  // List all API keys
+  router.get('/auth/keys', ctx.asyncHandler(async (req, res) => {
+    // Require session authentication (not API key - can't manage keys with key itself)
+    if (!req.auth || req.auth.type !== 'session') {
+      return ctx.errorResponse(res, 403, 'API key management requires TOTP session authentication');
+    }
+
+    const keys = await ctx.authManager.listAPIKeys();
+    res.json({ success: true, keys });
+  }, 'auth-keys-list'));
+
+  // Generate new API key
+  router.post('/auth/keys', ctx.asyncHandler(async (req, res) => {
+    // Require session authentication
+    if (!req.auth || req.auth.type !== 'session') {
+      return ctx.errorResponse(res, 403, 'API key generation requires TOTP session authentication');
+    }
+
+    const { name, scopes } = req.body;
+
+    if (!name || typeof name !== 'string' || name.trim().length === 0) {
+      return ctx.errorResponse(res, 400, 'API key name is required');
+    }
+
+    // Validate scopes if provided
+    const validScopes = ['read', 'write', 'admin'];
+    if (scopes && (!Array.isArray(scopes) || !scopes.every(s => validScopes.includes(s)))) {
+      return ctx.errorResponse(res, 400, 'Invalid scopes', { validScopes });
+    }
+
+    const keyData = await ctx.authManager.generateAPIKey(
+      name.trim(),
+      scopes || ['read', 'write']
+    );
+
+    res.json({
+      success: true,
+      key: keyData.key,
+      id: keyData.id,
+      name: keyData.name,
+      scopes: keyData.scopes,
+      createdAt: keyData.createdAt,
+      warning: 'Save this key securely - it will not be shown again'
+    });
+  }, 'auth-keys-generate'));
+
+  // Revoke API key
+  router.delete('/auth/keys/:keyId', ctx.asyncHandler(async (req, res) => {
+    // Require session authentication
+    if (!req.auth || req.auth.type !== 'session') {
+      return ctx.errorResponse(res, 403, 'API key revocation requires TOTP session authentication');
+    }
+
+    const { keyId } = req.params;
+
+    if (!keyId || typeof keyId !== 'string') {
+      return ctx.errorResponse(res, 400, 'Key ID is required');
+    }
+
+    const success = await ctx.authManager.revokeAPIKey(keyId);
+
+    if (success) {
+      res.json({ success: true, message: 'API key revoked successfully' });
+    } else {
+      const { NotFoundError } = require('../../errors');
+      throw new NotFoundError('API key');
+    }
+  }, 'auth-keys-revoke'));
+
+  // Generate JWT from TOTP session
+  router.post('/auth/jwt', ctx.asyncHandler(async (req, res) => {
+    // Require session authentication
+    if (!req.auth || req.auth.type !== 'session') {
+      return ctx.errorResponse(res, 403, 'JWT generation requires TOTP session authentication');
+    }
+
+    const { expiresIn, userId } = req.body;
+
+    // Validate expiresIn format if provided (e.g., '24h', '7d', '1y')
+    const validExpiresIn = /^(\d+[smhdy])$/.test(expiresIn || '24h');
+    if (expiresIn && !validExpiresIn) {
+      return ctx.errorResponse(res, 400, 'Invalid expiresIn format. Use: 60s, 15m, 24h, 7d, 1y');
+    }
+
+    const token = await ctx.authManager.generateJWT(
+      {
+        sub: userId || 'dashcaddy-admin',
+        scope: ['admin'] // Session-generated JWTs have admin scope
+      },
+      expiresIn || '24h'
+    );
+
+    // Calculate expiration timestamp
+    const expiresInMs = parseExpiration(expiresIn || '24h');
+    const expiresAt = new Date(Date.now() + expiresInMs).toISOString();
+
+    res.json({
+      success: true,
+      token,
+      expiresAt,
+      usage: 'Include in Authorization header as: Bearer <token>'
+    });
+  }, 'auth-jwt-generate'));
+
+  return router;
+};