feat(worker): GitHub OAuth login + API key dashboard

Add a minimal web dashboard served by the same Worker:

- GitHub OAuth flow (/auth/github, /auth/github/callback, /auth/logout)
- HttpOnly Secure session cookies, 30-day TTL stored in D1
- Dashboard pages (/login, /dashboard) — Tailwind CDN + vanilla JS
- /api/me, /api/keys CRUD endpoints, session-gated
- D1 schema additions: users, api_keys (sha-256 hashed), sessions
- authMiddleware accepts dashboard-issued keys alongside legacy API_KEY
- Optional ADMIN_GITHUB_USERS allowlist via wrangler [vars]
- New env vars/secrets: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, BASE_URL

Author: mrgoonie

CLAUDE.md

@@ -36,13 +36,23 @@ pnpm deploy           # Deploy Worker to Cloudflare
 
 | Method | Path | Auth | Handler |
 |--------|------|------|---------|
-| POST | /upload | Yes | routes/upload-route.ts |
+| POST | /upload | Bearer | routes/upload-route.ts |
 | GET | /:id/:filename | No | routes/serve-route.ts |
-| GET | /files | Yes | routes/files-route.ts |
-| GET | /info/:id | Yes | routes/files-route.ts |
-| DELETE | /:id | Yes | index.ts (inline) |
-| GET | /usage | Yes | routes/usage-route.ts |
+| GET | /files | Bearer | routes/files-route.ts |
+| GET | /info/:id | Bearer | routes/files-route.ts |
+| DELETE | /:id | Bearer | index.ts (inline) |
+| GET | /usage | Bearer | routes/usage-route.ts |
 | GET | /health | No | index.ts |
+| GET | /login, /dashboard, / | Cookie | routes/web-route.ts |
+| GET | /auth/github, /auth/github/callback | No | routes/oauth-route.ts |
+| POST | /auth/logout | Cookie | routes/oauth-route.ts |
+| GET | /api/me | Cookie | routes/dashboard-api-route.ts |
+| GET/POST/DELETE | /api/keys[/:id] | Cookie | routes/dashboard-api-route.ts |
+
+**Auth modes:**
+- `Bearer`: API key (legacy `API_KEY` env OR sha-256 hashed key in D1 `api_keys`)
+- `Cookie`: HttpOnly `f2u_session` cookie set after GitHub OAuth login
+- `No`: Public
 
 ## CLI Commands
 

README.md

@@ -256,19 +256,42 @@ wrangler d1 create f2u-db
 cd packages/worker
 wrangler d1 execute f2u-db --file=src/db/schema.sql --remote
 
-# Set API key secret (enter your chosen key when prompted)
+# (Optional) Legacy single API key — for CLI access without the dashboard
 wrangler secret put API_KEY
 
+# GitHub OAuth — required for the web dashboard
+# 1. Create an OAuth App at https://github.com/settings/developers
+#    Authorization callback URL: https://your-domain.com/auth/github/callback
+# 2. Set the credentials as Worker secrets:
+wrangler secret put GITHUB_CLIENT_ID
+wrangler secret put GITHUB_CLIENT_SECRET
+
+# 3. (Strongly recommended) Restrict who can sign in. Edit wrangler.toml [vars]:
+#    ADMIN_GITHUB_USERS = "your-github-login,teammate-login"
+#    Leave empty to allow ANY GitHub user (not recommended for personal deploys).
+
 # Update custom domain in wrangler.toml (optional)
 # Edit [[routes]] pattern to your domain
+# Also update BASE_URL under [vars] to match.
 
 # Deploy
 wrangler deploy
 
 # Verify
 curl https://your-domain.com/health
+# Then visit https://your-domain.com/login in a browser
 ```
 
+### Web Dashboard
+
+Once deployed, visit `https://your-domain.com/login` to sign in with GitHub
+and manage API keys from the browser. Created keys are shown **once** —
+copy them immediately. Use them with the CLI via `f2u auth --key <KEY>`
+or as the `Authorization: Bearer <KEY>` header.
+
+The legacy `API_KEY` secret (if set) continues to work for backwards
+compatibility alongside dashboard-issued keys.
+
 ### Custom Domain
 
 1. Your domain must be on Cloudflare DNS (proxied)

packages/worker/src/db/schema.sql

@@ -13,3 +13,41 @@ CREATE TABLE IF NOT EXISTS files (
 
 CREATE INDEX IF NOT EXISTS idx_expires_at ON files(expires_at);
 CREATE INDEX IF NOT EXISTS idx_deleted ON files(deleted);
+
+CREATE TABLE IF NOT EXISTS users (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  github_id INTEGER NOT NULL UNIQUE,
+  github_login TEXT NOT NULL,
+  name TEXT,
+  email TEXT,
+  avatar_url TEXT,
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  last_login_at TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_users_github_id ON users(github_id);
+
+CREATE TABLE IF NOT EXISTS api_keys (
+  id TEXT PRIMARY KEY,
+  user_id INTEGER NOT NULL,
+  name TEXT NOT NULL,
+  key_hash TEXT NOT NULL UNIQUE,
+  prefix TEXT NOT NULL,
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  last_used_at TEXT,
+  revoked INTEGER DEFAULT 0,
+  FOREIGN KEY (user_id) REFERENCES users(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_api_keys_user ON api_keys(user_id);
+CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+
+CREATE TABLE IF NOT EXISTS sessions (
+  id TEXT PRIMARY KEY,
+  user_id INTEGER NOT NULL,
+  expires_at TEXT NOT NULL,
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  FOREIGN KEY (user_id) REFERENCES users(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);

packages/worker/src/index.ts

@@ -6,6 +6,9 @@ import uploadRoute from './routes/upload-route';
 import serveRoute from './routes/serve-route';
 import filesRoute from './routes/files-route';
 import usageRoute from './routes/usage-route';
+import oauthRoute from './routes/oauth-route';
+import dashboardApiRoute from './routes/dashboard-api-route';
+import webRoute from './routes/web-route';
 import { cleanupExpiredFiles } from './cron/cleanup-expired-files';
 
 const app = new Hono<{ Bindings: Env }>();
@@ -17,7 +20,16 @@ app.use('*', cors());
 
 app.get('/health', (c) => c.json({ status: 'ok', ts: new Date().toISOString() }));
 
-// --- Protected routes (auth required) — registered BEFORE serve wildcard ---
+// Web pages (login, dashboard, root) — single-segment paths, no conflict with serve wildcard
+app.route('/', webRoute);
+
+// GitHub OAuth flow (public)
+app.route('/', oauthRoute);
+
+// Dashboard API (session-gated inside the route handlers)
+app.route('/', dashboardApiRoute);
+
+// --- Protected file API (Bearer token) — registered BEFORE serve wildcard ---
 
 app.use('/upload', authMiddleware);
 app.route('/', uploadRoute);
@@ -33,9 +45,6 @@ app.route('/', serveRoute);
 
 // DELETE /:id — auth applied inline to avoid conflicting with serve route
 app.delete('/:id', authMiddleware, async (c) => {
-  // Delegate to filesRoute handler by re-using its logic inline
-  // (Hono sub-app DELETE handler is already defined in filesRoute but registering
-  //  it here ensures auth middleware fires before the wildcard serve GET)
   const { id } = c.req.param();
   const db = c.env.D1_DATABASE;
 

packages/worker/src/lib/cookies.ts

@@ -0,0 +1,32 @@
+// Minimal cookie helpers — no external deps
+
+export function parseCookies(header: string | undefined | null): Record<string, string> {
+  const out: Record<string, string> = {};
+  if (!header) return out;
+  for (const part of header.split(';')) {
+    const idx = part.indexOf('=');
+    if (idx < 0) continue;
+    const k = part.slice(0, idx).trim();
+    const v = part.slice(idx + 1).trim();
+    if (k) out[k] = decodeURIComponent(v);
+  }
+  return out;
+}
+
+export interface CookieOptions {
+  maxAge?: number;
+  path?: string;
+  httpOnly?: boolean;
+  secure?: boolean;
+  sameSite?: 'Lax' | 'Strict' | 'None';
+}
+
+export function serializeCookie(name: string, value: string, opts: CookieOptions = {}): string {
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
+  parts.push(`Path=${opts.path ?? '/'}`);
+  if (opts.httpOnly !== false) parts.push('HttpOnly');
+  if (opts.secure !== false) parts.push('Secure');
+  parts.push(`SameSite=${opts.sameSite ?? 'Lax'}`);
+  return parts.join('; ');
+}

packages/worker/src/lib/crypto.ts

@@ -0,0 +1,34 @@
+// Web Crypto helpers — Workers runtime provides crypto.subtle and crypto.getRandomValues
+
+const HEX_TABLE = '0123456789abcdef';
+
+function bytesToHex(bytes: Uint8Array): string {
+  let out = '';
+  for (let i = 0; i < bytes.length; i++) {
+    const b = bytes[i]!;
+    out += HEX_TABLE[b >>> 4]! + HEX_TABLE[b & 0x0f]!;
+  }
+  return out;
+}
+
+export async function sha256Hex(input: string): Promise<string> {
+  const data = new TextEncoder().encode(input);
+  const digest = await crypto.subtle.digest('SHA-256', data);
+  return bytesToHex(new Uint8Array(digest));
+}
+
+export function randomToken(byteLength = 32): string {
+  const bytes = new Uint8Array(byteLength);
+  crypto.getRandomValues(bytes);
+  return bytesToHex(bytes);
+}
+
+// Constant-time string comparison to avoid timing attacks
+export function safeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}

packages/worker/src/lib/sessions.ts

@@ -0,0 +1,44 @@
+import type { Env } from '../types';
+import { randomToken } from './crypto';
+
+const SESSION_TTL_SECONDS = 60 * 60 * 24 * 30; // 30 days
+export const SESSION_COOKIE = 'f2u_session';
+
+export interface SessionRow {
+  id: string;
+  user_id: number;
+  expires_at: string;
+  created_at: string;
+}
+
+export async function createSession(env: Env, userId: number): Promise<{ id: string; expiresAt: Date }> {
+  const id = randomToken(32);
+  const expiresAt = new Date(Date.now() + SESSION_TTL_SECONDS * 1000);
+  await env.D1_DATABASE.prepare(
+    'INSERT INTO sessions (id, user_id, expires_at) VALUES (?, ?, ?)',
+  )
+    .bind(id, userId, expiresAt.toISOString())
+    .run();
+  return { id, expiresAt };
+}
+
+export async function getSession(env: Env, sessionId: string | undefined): Promise<SessionRow | null> {
+  if (!sessionId) return null;
+  const row = await env.D1_DATABASE.prepare(
+    'SELECT * FROM sessions WHERE id = ? LIMIT 1',
+  )
+    .bind(sessionId)
+    .first<SessionRow>();
+  if (!row) return null;
+  if (new Date(row.expires_at) < new Date()) {
+    await deleteSession(env, sessionId).catch(() => undefined);
+    return null;
+  }
+  return row;
+}
+
+export async function deleteSession(env: Env, sessionId: string): Promise<void> {
+  await env.D1_DATABASE.prepare('DELETE FROM sessions WHERE id = ?').bind(sessionId).run();
+}
+
+export const SESSION_MAX_AGE = SESSION_TTL_SECONDS;

packages/worker/src/middleware/auth-middleware.ts

@@ -1,7 +1,14 @@
 import { createMiddleware } from 'hono/factory';
 import type { Env } from '../types';
+import { sha256Hex, safeEqual } from '../lib/crypto';
 
-// Validates Bearer token against API_KEY env var
+/**
+ * Validates Bearer token. Accepts either:
+ *  1. Legacy single API_KEY env (constant-time compare)
+ *  2. User-issued key from D1 api_keys table (sha-256 hash lookup)
+ *
+ * Updates last_used_at on successful D1 key match (best-effort, non-blocking).
+ */
 export const authMiddleware = createMiddleware<{ Bindings: Env }>(async (c, next) => {
   const authHeader = c.req.header('Authorization');
 
@@ -11,9 +18,35 @@ export const authMiddleware = createMiddleware<{ Bindings: Env }>(async (c, next
 
   const token = authHeader.slice(7);
 
-  if (token !== c.env.API_KEY) {
-    return c.json({ error: 'Unauthorized: invalid API key' }, 401);
+  // Legacy single-key fallback
+  if (c.env.API_KEY && safeEqual(token, c.env.API_KEY)) {
+    await next();
+    return;
   }
 
-  await next();
+  // D1-backed key lookup
+  try {
+    const hash = await sha256Hex(token);
+    const row = await c.env.D1_DATABASE
+      .prepare('SELECT id FROM api_keys WHERE key_hash = ? AND revoked = 0 LIMIT 1')
+      .bind(hash)
+      .first<{ id: string }>();
+    if (row) {
+      // Best-effort last_used_at update — do not block request
+      c.executionCtx.waitUntil(
+        c.env.D1_DATABASE
+          .prepare('UPDATE api_keys SET last_used_at = ? WHERE id = ?')
+          .bind(new Date().toISOString(), row.id)
+          .run()
+          .catch(() => undefined),
+      );
+      await next();
+      return;
+    }
+  } catch (err) {
+    console.error('auth lookup error:', err);
+    return c.json({ error: 'Auth lookup failed' }, 500);
+  }
+
+  return c.json({ error: 'Unauthorized: invalid API key' }, 401);
 });