added scripts and issues

Author: Xpitfire

backend/TESTING.md

@@ -105,6 +105,28 @@ deno run -A backend/scripts/activate_subscription.ts
 - First login (with active subscription): `POST /session` returns `{ api_key: "ext_..." }` once.
 - Manual issue (admin): `POST /admin/users/:id/keys` → returns `{ key: "ext_..." }` (plaintext once).
 
+### Helper script (login and issue key)
+```
+export SUPABASE_URL=https://lkiyoqrviddogkizywgd.supabase.co
+export SUPABASE_ANON_KEY=<anon key>
+export EMAIL=user@example.com
+export PASSWORD=secret
+export BASE_URL=https://lkiyoqrviddogkizywgd.functions.supabase.co
+deno run -A backend/scripts/issue_custom_key.ts
+```
+If you see “Subscription required”, activate a test subscription first using `backend/scripts/activate_subscription.ts`.
+
+### Helper script (login and first-login session key)
+```
+export SUPABASE_URL=https://lkiyoqrviddogkizywgd.supabase.co
+export SUPABASE_ANON_KEY=<anon key>
+export EMAIL=user@example.com
+export PASSWORD=secret
+export BASE_URL=https://lkiyoqrviddogkizywgd.functions.supabase.co
+deno run -A backend/scripts/login_and_session_key.ts
+```
+This returns `SESSION_TOKEN` and, if eligible (active subscription and no key yet), `API_KEY` once.
+
 ## 1:1 OpenAI Gateway (no DNS)
 - Base: `https://lkiyoqrviddogkizywgd.functions.supabase.co/openai`
 - Use `Authorization: Bearer ext_...` (custom key) and call `/v1/*` endpoints as usual.

backend/USAGE.md

@@ -42,6 +42,28 @@ Set in app config (`Config.plist` or environment):
 - Manual (admin): `POST /admin/users/:id/keys` returns a plaintext `ext_…` key once.
 - Users can view masked keys via `GET /key`.
 
+### CLI helper: login and issue a key
+```
+export SUPABASE_URL=https://lkiyoqrviddogkizywgd.supabase.co
+export SUPABASE_ANON_KEY=<anon key>
+export EMAIL=user@example.com
+export PASSWORD=secret
+export BASE_URL=https://lkiyoqrviddogkizywgd.functions.supabase.co
+deno run -A backend/scripts/issue_custom_key.ts
+```
+If it reports “Subscription required”, activate a test subscription via `backend/scripts/activate_subscription.ts`.
+
+### CLI helper: login and receive first-login key via /session
+```
+export SUPABASE_URL=https://lkiyoqrviddogkizywgd.supabase.co
+export SUPABASE_ANON_KEY=<anon key>
+export EMAIL=user@example.com
+export PASSWORD=secret
+export BASE_URL=https://lkiyoqrviddogkizywgd.functions.supabase.co
+deno run -A backend/scripts/login_and_session_key.ts
+```
+The script prints `SESSION_TOKEN` and, if eligible, `API_KEY` (store in Config.plist).
+
 ## 6) Admin Operations (JWT with `profiles.is_admin = true`)
 - Aggregates: `GET /admin`
 - Users list: `GET /admin/users?limit=100`

backend/scripts/issue_custom_key.ts

@@ -0,0 +1,72 @@
+// Login with email/password and issue a custom API key via /key
+// Env required:
+//  SUPABASE_URL=https://<ref>.supabase.co
+//  SUPABASE_ANON_KEY=...
+//  EMAIL=user@example.com
+//  PASSWORD=secret
+//  BASE_URL=https://<ref>.functions.supabase.co   # backend base (no /openai)
+// Usage:
+//  deno run -A backend/scripts/issue_custom_key.ts
+
+const supaUrl = Deno.env.get('SUPABASE_URL');
+const anonKey = Deno.env.get('SUPABASE_ANON_KEY');
+const email = Deno.env.get('EMAIL');
+const password = Deno.env.get('PASSWORD');
+const base = (Deno.env.get('BASE_URL') || '').replace(/\/$/, '');
+
+if (!supaUrl || !anonKey || !email || !password || !base) {
+  console.error('Missing env. Need SUPABASE_URL, SUPABASE_ANON_KEY, EMAIL, PASSWORD, BASE_URL');
+  Deno.exit(1);
+}
+
+const tokenEndpoint = `${supaUrl.replace(/\/$/, '')}/auth/v1/token?grant_type=password`;
+const authRes = await fetch(tokenEndpoint, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', apikey: anonKey },
+  body: JSON.stringify({ email, password }),
+});
+if (!authRes.ok) {
+  console.error('Auth failed:', authRes.status, await authRes.text());
+  Deno.exit(1);
+}
+const auth = await authRes.json();
+const accessToken: string | undefined = auth?.access_token;
+const userId: string | undefined = auth?.user?.id;
+if (!accessToken) {
+  console.error('No access_token in auth response');
+  console.log(JSON.stringify(auth, null, 2));
+  Deno.exit(1);
+}
+console.log('Logged in as:', userId || '(unknown)');
+
+// Attempt to issue a new custom API key
+const keyEndpoint = `${base}/key`;
+const keyRes = await fetch(keyEndpoint, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` },
+});
+
+const bodyText = await keyRes.text();
+if (keyRes.status === 402) {
+  console.error('Subscription required to issue API key.');
+  console.error('Tip: activate a test subscription via backend/scripts/activate_subscription.ts');
+  Deno.exit(2);
+}
+if (!keyRes.ok) {
+  console.error('Issuing key failed:', keyRes.status, bodyText);
+  Deno.exit(1);
+}
+
+try {
+  const data = JSON.parse(bodyText);
+  if (data?.key && data?.prefix) {
+    console.log('Issued custom API key:');
+    console.log('KEY=', data.key);
+    console.log('PREFIX=', data.prefix);
+  } else {
+    console.log('Response:', data);
+  }
+} catch {
+  console.log('Response (raw):', bodyText);
+}
+

backend/scripts/login_and_session_key.ts

@@ -0,0 +1,64 @@
+// Login with email/password and call /session to receive first-login api_key (if active subscription)
+// Env required:
+//  SUPABASE_URL=https://<ref>.supabase.co
+//  SUPABASE_ANON_KEY=...
+//  EMAIL=user@example.com
+//  PASSWORD=secret
+//  BASE_URL=https://<ref>.functions.supabase.co   # backend base (no /openai)
+// Usage:
+//  deno run -A backend/scripts/login_and_session_key.ts
+
+const supaUrl = Deno.env.get('SUPABASE_URL');
+const anonKey = Deno.env.get('SUPABASE_ANON_KEY');
+const email = Deno.env.get('EMAIL');
+const password = Deno.env.get('PASSWORD');
+const base = (Deno.env.get('BASE_URL') || '').replace(/\/$/, '');
+
+if (!supaUrl || !anonKey || !email || !password || !base) {
+  console.error('Missing env. Need SUPABASE_URL, SUPABASE_ANON_KEY, EMAIL, PASSWORD, BASE_URL');
+  Deno.exit(1);
+}
+
+const tokenEndpoint = `${supaUrl.replace(/\/$/, '')}/auth/v1/token?grant_type=password`;
+const authRes = await fetch(tokenEndpoint, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', apikey: anonKey },
+  body: JSON.stringify({ email, password }),
+});
+if (!authRes.ok) {
+  console.error('Auth failed:', authRes.status, await authRes.text());
+  Deno.exit(1);
+}
+const auth = await authRes.json();
+const accessToken: string | undefined = auth?.access_token;
+const userId: string | undefined = auth?.user?.id;
+if (!accessToken) {
+  console.error('No access_token in auth response');
+  console.log(JSON.stringify(auth, null, 2));
+  Deno.exit(1);
+}
+console.log('Logged in as:', userId || '(unknown)');
+
+// Call /session (Supabase Edge Function) with Authorization: Bearer <JWT>
+const sessRes = await fetch(`${base}/session`, {
+  method: 'POST',
+  headers: { Authorization: `Bearer ${accessToken}` },
+});
+const sessBody = await sessRes.text();
+if (!sessRes.ok) {
+  console.error('Session failed:', sessRes.status, sessBody);
+  Deno.exit(1);
+}
+try {
+  const data = JSON.parse(sessBody);
+  console.log('SESSION_TOKEN=', data?.token || '(missing)');
+  if (data?.api_key) {
+    console.log('API_KEY=', data.api_key);
+    console.log('(Store API_KEY in Config.plist for the app)');
+  } else {
+    console.log('No api_key returned (either already issued or subscription inactive).');
+  }
+} catch {
+  console.log('Session response (raw):', sessBody);
+}
+