BetterFrame/server/src/plugins/service-admin-http/routes-setup.ts

/**
 * First-run setup routes.
 */
import { type H3, readBody } from "h3";
import { htmlPage } from "./html-response.js";
import type { AdminDeps } from "./index.js";
import { SetupPage } from "../../web-templates/auth-pages.js";
import { SetupBody, validateBody } from "../../shared/api-schemas.js";

export function registerSetupRoutes(app: H3, deps: AdminDeps): void {
  app.get("/setup", async () => {
    if (await deps.repo.isSetupComplete()) {
      return new Response(null, { status: 302, headers: { location: "/admin/" } });
    }
    return htmlPage(SetupPage({}));
  });

  app.post("/setup", async (event) => {
    if (await deps.repo.isSetupComplete()) {
      return new Response(null, { status: 302, headers: { location: "/admin/" } });
    }

    let body: { username: string; password: string };
    try {
      body = validateBody(SetupBody, await readBody(event));
    } catch {
      return htmlPage(SetupPage({ error: "Username (3-64 chars) and password (12+ chars) required.", username: "" }));
    }
    const username = body.username.trim();
    const password = body.password;
    const errors: string[] = [];

    if (!/^[a-zA-Z0-9_-]+$/.test(username)) {
      errors.push("Username may only contain letters, digits, underscore, or hyphen.");
    }

    if (errors.length > 0) {
      return htmlPage(SetupPage({ error: errors.join(" "), username }));
    }

    const hash = await deps.auth.hashPassword(password);
    await deps.repo.createUser({ username, password_hash: hash, role: "admin" });

    const clusterKey = deps.secrets.generateClusterKey();
    const encryptedCluster = deps.secrets.encryptString(clusterKey, "cluster");
    await deps.repo.setSetupExtra("cluster_key_encrypted", encryptedCluster);
    await deps.repo.markClusterKeyProvisioned();

    // Setup only creates admin user + cluster key.
    // Displays are created when kiosks are paired (kiosk reports HDMI ports).
    // Layouts are created by admin after pairing.
    await deps.repo.markSetupComplete();

    return new Response(null, {
      status: 302,
      headers: { location: "/auth/login?welcome=1" },
    });
  });
}
adding initial project 2026-05-09 23:09:13 +00:00			`/**`
			`* First-run setup routes.`
			`*/`
fix: use Response wrapper instead of h3 tagged template html() h3 v2's html() is a tagged template literal, not a function that accepts a string. JSX-rendered markup passed directly causes "first.reduce is not a function". Created htmlPage() helper that wraps markup in a proper Response with text/html content type. 2026-05-10 00:50:16 +00:00			`import { type H3, readBody } from "h3";`
			`import { htmlPage } from "./html-response.js";`
adding initial project 2026-05-09 23:09:13 +00:00			`import type { AdminDeps } from "./index.js";`
			`import { SetupPage } from "../../web-templates/auth-pages.js";`
feat: add anyvali input validation to all external API endpoints Create shared/api-schemas.ts with av.object schemas for: - pair/initiate, pair/claim (pairing flow) - kiosk/heartbeat (telemetry with displays, partitions, hwmon) - kiosk/event (ONVIF/system events) - kiosk/logs (batched log entries) - firmware/applied, os/applied (update reports) - auth/login, auth/totp, setup (admin auth) Each endpoint now calls validateBody(Schema, body) which returns 400 on schema violation. All string fields have maxLength, numeric fields have min/max ranges, arrays strip unknown keys. Rejects malformed input before it reaches DB or business logic. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-05-26 12:03:58 +00:00			`import { SetupBody, validateBody } from "../../shared/api-schemas.js";`
adding initial project 2026-05-09 23:09:13 +00:00
			`export function registerSetupRoutes(app: H3, deps: AdminDeps): void {`
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`app.get("/setup", async () => {`
			`if (await deps.repo.isSetupComplete()) {`
adding initial project 2026-05-09 23:09:13 +00:00			`return new Response(null, { status: 302, headers: { location: "/admin/" } });`
			`}`
fix: use Response wrapper instead of h3 tagged template html() h3 v2's html() is a tagged template literal, not a function that accepts a string. JSX-rendered markup passed directly causes "first.reduce is not a function". Created htmlPage() helper that wraps markup in a proper Response with text/html content type. 2026-05-10 00:50:16 +00:00			`return htmlPage(SetupPage({}));`
adding initial project 2026-05-09 23:09:13 +00:00			`});`

			`app.post("/setup", async (event) => {`
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`if (await deps.repo.isSetupComplete()) {`
adding initial project 2026-05-09 23:09:13 +00:00			`return new Response(null, { status: 302, headers: { location: "/admin/" } });`
			`}`

feat: add anyvali input validation to all external API endpoints Create shared/api-schemas.ts with av.object schemas for: - pair/initiate, pair/claim (pairing flow) - kiosk/heartbeat (telemetry with displays, partitions, hwmon) - kiosk/event (ONVIF/system events) - kiosk/logs (batched log entries) - firmware/applied, os/applied (update reports) - auth/login, auth/totp, setup (admin auth) Each endpoint now calls validateBody(Schema, body) which returns 400 on schema violation. All string fields have maxLength, numeric fields have min/max ranges, arrays strip unknown keys. Rejects malformed input before it reaches DB or business logic. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-05-26 12:03:58 +00:00			`let body: { username: string; password: string };`
			`try {`
			`body = validateBody(SetupBody, await readBody(event));`
			`} catch {`
			`return htmlPage(SetupPage({ error: "Username (3-64 chars) and password (12+ chars) required.", username: "" }));`
			`}`
			`const username = body.username.trim();`
			`const password = body.password;`
adding initial project 2026-05-09 23:09:13 +00:00			`const errors: string[] = [];`

feat: add anyvali input validation to all external API endpoints Create shared/api-schemas.ts with av.object schemas for: - pair/initiate, pair/claim (pairing flow) - kiosk/heartbeat (telemetry with displays, partitions, hwmon) - kiosk/event (ONVIF/system events) - kiosk/logs (batched log entries) - firmware/applied, os/applied (update reports) - auth/login, auth/totp, setup (admin auth) Each endpoint now calls validateBody(Schema, body) which returns 400 on schema violation. All string fields have maxLength, numeric fields have min/max ranges, arrays strip unknown keys. Rejects malformed input before it reaches DB or business logic. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-05-26 12:03:58 +00:00			`if (!/^[a-zA-Z0-9_-]+$/.test(username)) {`
adding initial project 2026-05-09 23:09:13 +00:00			`errors.push("Username may only contain letters, digits, underscore, or hyphen.");`
			`}`

			`if (errors.length > 0) {`
fix: use Response wrapper instead of h3 tagged template html() h3 v2's html() is a tagged template literal, not a function that accepts a string. JSX-rendered markup passed directly causes "first.reduce is not a function". Created htmlPage() helper that wraps markup in a proper Response with text/html content type. 2026-05-10 00:50:16 +00:00			`return htmlPage(SetupPage({ error: errors.join(" "), username }));`
adding initial project 2026-05-09 23:09:13 +00:00			`}`

			`const hash = await deps.auth.hashPassword(password);`
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`await deps.repo.createUser({ username, password_hash: hash, role: "admin" });`
adding initial project 2026-05-09 23:09:13 +00:00
			`const clusterKey = deps.secrets.generateClusterKey();`
			`const encryptedCluster = deps.secrets.encryptString(clusterKey, "cluster");`
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`await deps.repo.setSetupExtra("cluster_key_encrypted", encryptedCluster);`
			`await deps.repo.markClusterKeyProvisioned();`
adding initial project 2026-05-09 23:09:13 +00:00
refactor: merge templates into layouts, displays from kiosks - Eliminated layout_templates as separate entity — regions/grid now live directly on layouts - Displays created from kiosk pairing (not standalone), each display has kiosk_id FK - Removed Templates from sidebar nav and all template routes/pages - Layout creation uses preset buttons (fullscreen, 2x2, 1+3, 3x3) that set regions directly on the layout - Setup no longer creates default display/layout (deferred to pairing) - Pairing creates HDMI-0 display for new kiosk - Bundle reads regions from layout directly, no template lookup - Rust kiosk updated to match new bundle format - DB migration adds regions/grid_cols/grid_rows to layouts, kiosk_id to displays, copies existing template data 2026-05-10 19:39:09 +00:00			`// Setup only creates admin user + cluster key.`
			`// Displays are created when kiosks are paired (kiosk reports HDMI ports).`
			`// Layouts are created by admin after pairing.`
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors. 2026-05-23 00:07:44 +00:00			`await deps.repo.markSetupComplete();`
adding initial project 2026-05-09 23:09:13 +00:00
			`return new Response(null, {`
			`status: 302,`
			`headers: { location: "/auth/login?welcome=1" },`
			`});`
			`});`
			`}`