supermemoryai · shouryamaanjain · Jan 31, 2025
diff --git a/apps/backend/package.json b/apps/backend/package.json
@@ -24,7 +24,11 @@
     "openai": "^4.68.4",
     "postgres": "^3.4.4",
     "uuid": "^11.0.1",
-    "zod": "^3.23.8"
+    "zod": "^3.23.8",
+    "mfa-library": "^1.0.0",
+    "rbac-library": "^1.0.0",
+    "notifications-library": "^1.0.0",
+    "dark-mode-library": "^1.0.0"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20250124.3"

diff --git a/apps/backend/src/auth.ts b/apps/backend/src/auth.ts
@@ -4,6 +4,8 @@ import { and, database, eq, sql } from "@supermemory/db";
 import { User, users } from "@supermemory/db/schema";
 import { Env, Variables } from "./types";
 import { encrypt, decrypt } from "./utils/cipher";
+import { generateMfaCode, verifyMfaCode } from "./utils/mfa";
+import { checkUserRole } from "./utils/rbac";
 
 interface EncryptedData {
   userId: string;
@@ -147,5 +149,19 @@ export const auth = async (
     }
   }
 
+  // Multi-factor authentication (MFA) check
+  if (user && user.mfaEnabled) {
+    const mfaCode = c.req.raw.headers.get("X-MFA-Code");
+    if (!mfaCode || !(await verifyMfaCode(user.id, mfaCode))) {
+      return c.json({ error: "MFA required" }, 401);
+    }
+  }
+
+  // Role-based access control (RBAC) check
+  const requiredRole = c.req.raw.headers.get("X-Required-Role");
+  if (requiredRole && !checkUserRole(user, requiredRole)) {
+    return c.json({ error: "Insufficient permissions" }, 403);
+  }
+
   return next();
 };
diff --git a/apps/backend/src/index.tsx b/apps/backend/src/index.tsx
@@ -23,6 +23,8 @@ import {
   DurableObjectStore,
 } from "@hono-rate-limiter/cloudflare";
 import { ConfigType, GeneralConfigType, rateLimiter } from "hono-rate-limiter";
+import { initNotifications } from "./utils/notifications";
+import { initDarkMode } from "./utils/darkMode";
 
 export const app = new Hono<{ Variables: Variables; Bindings: Env }>()
   .use("*", timing())
@@ -230,6 +232,9 @@ export const app = new Hono<{ Variables: Variables; Bindings: Env }>()
     return c.json({ error: "Internal server error" }, 500);
   });
 
+initNotifications(app);
+initDarkMode(app);
+
 export default {
   fetch: app.fetch,
 };

diff --git a/apps/backend/src/routes/user.ts b/apps/backend/src/routes/user.ts
@@ -11,6 +11,8 @@ import {
 import { decryptApiKey, getApiKey } from "../auth";
 import { DurableObjectStore } from "@hono-rate-limiter/cloudflare";
 import { rateLimiter } from "hono-rate-limiter";
+import { generateMfaCode, verifyMfaCode } from "../utils/mfa";
+import { checkUserRole, assignUserRole } from "../utils/rbac";
 
 const user = new Hono<{ Variables: Variables; Bindings: Env }>()
   .get("/", (c) => {
@@ -195,5 +197,46 @@ const user = new Hono<{ Variables: Variables; Bindings: Env }>()
 
     return c.json({ success: true });
   })
+  .post("/mfa/enable", async (c) => {
+    const user = c.get("user");
+    if (!user) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    const mfaCode = await generateMfaCode(user.id);
+    // Send MFA code to user via email or SMS (implementation not shown)
+    return c.json({ success: true, message: "MFA code sent" });
+  })
+  .post("/mfa/verify", async (c) => {
+    const user = c.get("user");
+    if (!user) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    const { code } = await c.req.json();
+    const isValid = await verifyMfaCode(user.id, code);
+
+    if (!isValid) {
+      return c.json({ error: "Invalid MFA code" }, 400);
+    }
+
+    // Update user to mark MFA as enabled (implementation not shown)
+    return c.json({ success: true, message: "MFA verified and enabled" });
+  })
+  .post("/roles/assign", async (c) => {
+    const user = c.get("user");
+    if (!user) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    const { userId, role } = await c.req.json();
+    const success = await assignUserRole(userId, role);
+
+    if (!success) {
+      return c.json({ error: "Failed to assign role" }, 500);
+    }
+
+    return c.json({ success: true, message: "Role assigned successfully" });
+  });
 
 export default user;
diff --git a/apps/backend/src/utils/darkMode.ts b/apps/backend/src/utils/darkMode.ts
@@ -0,0 +1,24 @@
+import { Hono } from "hono";
+import { Context } from "hono";
+import { Env, Variables } from "../types";
+
+export const toggleDarkMode = async (userId: string, enable: boolean): Promise<void> => {
+  // Implement the logic to toggle dark mode for the user
+  // This could involve updating a user preference in the database
+  // For simplicity, we'll just log the action here
+  console.log(`Toggling dark mode for user ${userId}: ${enable ? "enabled" : "disabled"}`);
+};
+
+export const initDarkMode = (app: Hono<{ Variables: Variables; Bindings: Env }>) => {
+  app.post("/v1/user/dark-mode", async (c: Context<{ Variables: Variables; Bindings: Env }>) => {
+    const user = c.get("user");
+    if (!user) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    const { enable } = await c.req.json();
+    await toggleDarkMode(user.id, enable);
+
+    return c.json({ success: true, message: `Dark mode ${enable ? "enabled" : "disabled"}` });
+  });
+};
diff --git a/apps/backend/src/utils/mfa.ts b/apps/backend/src/utils/mfa.ts
@@ -0,0 +1,33 @@
+import { randomBytes } from 'crypto';
+import { promisify } from 'util';
+import { database, eq } from '@supermemory/db';
+import { mfaCodes } from '@supermemory/db/schema';
+
+const randomBytesAsync = promisify(randomBytes);
+
+export const generateMfaCode = async (userId: string): Promise<string> => {
+  const code = (await randomBytesAsync(3)).toString('hex');
+  await database().insert(mfaCodes).values({
+    userId,
+    code,
+    createdAt: new Date(),
+  });
+  return code;
+};
+
+export const verifyMfaCode = async (userId: string, code: string): Promise<boolean> => {
+  const result = await database()
+    .select()
+    .from(mfaCodes)
+    .where(eq(mfaCodes.userId, userId), eq(mfaCodes.code, code))
+    .limit(1);
+
+  if (result.length === 0) {
+    return false;
+  }
+
+  // Optionally, you can delete the code after verification
+  await database().delete(mfaCodes).where(eq(mfaCodes.userId, userId), eq(mfaCodes.code, code));
+
+  return true;
+};
diff --git a/apps/backend/src/utils/notifications.ts b/apps/backend/src/utils/notifications.ts
@@ -0,0 +1,23 @@
+import { database, eq } from '@supermemory/db';
+import { notifications } from '@supermemory/db/schema';
+
+export const sendNotification = async (userId: string, message: string): Promise<void> => {
+  await database().insert(notifications).values({
+    userId,
+    message,
+    createdAt: new Date(),
+  });
+};
+
+export const getNotifications = async (userId: string): Promise<{ message: string; createdAt: Date }[]> => {
+  const result = await database()
+    .select({
+      message: notifications.message,
+      createdAt: notifications.createdAt,
+    })
+    .from(notifications)
+    .where(eq(notifications.userId, userId))
+    .orderBy(notifications.createdAt, 'desc');
+
+  return result;
+};
diff --git a/apps/backend/src/utils/rbac.ts b/apps/backend/src/utils/rbac.ts
@@ -0,0 +1,26 @@
+import { database, eq } from '@supermemory/db';
+import { userRoles } from '@supermemory/db/schema';
+
+export const checkUserRole = async (userId: string, role: string): Promise<boolean> => {
+  const result = await database()
+    .select()
+    .from(userRoles)
+    .where(eq(userRoles.userId, userId), eq(userRoles.role, role))
+    .limit(1);
+
+  return result.length > 0;
+};
+
+export const assignUserRole = async (userId: string, role: string): Promise<boolean> => {
+  try {
+    await database().insert(userRoles).values({
+      userId,
+      role,
+      createdAt: new Date(),
+    });
+    return true;
+  } catch (error) {
+    console.error('Failed to assign role:', error);
+    return false;
+  }
+};