feat: serve auth script for private configs and accept Bearer token

Hooks returns auth script instead of 403 for curl. Install and config endpoints verify Bearer token for private access.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Author: fullstackjam

src/hooks.server.ts

@@ -1,5 +1,5 @@
 import type { Handle } from '@sveltejs/kit';
-import { generateInstallScript } from '$lib/server/install-script';
+import { generateInstallScript, generatePrivateInstallScript } from '$lib/server/install-script';
 
 const INSTALL_SCRIPT_URL = 'https://raw.githubusercontent.com/openbootdotdev/openboot/main/scripts/install.sh';
 
@@ -48,9 +48,9 @@ export const handle: Handle = async ({ event, resolve }) => {
 		const env = event.platform?.env;
 
 		if (env) {
-			const config = await env.DB.prepare('SELECT c.slug, c.custom_script, c.dotfiles_repo, u.username FROM configs c JOIN users u ON c.user_id = u.id WHERE c.alias = ? AND c.visibility IN (?, ?)')
-				.bind(alias, 'public', 'unlisted')
-				.first<{ slug: string; username: string; custom_script: string; dotfiles_repo: string }>();
+			const config = await env.DB.prepare('SELECT c.slug, c.custom_script, c.dotfiles_repo, c.visibility, u.username FROM configs c JOIN users u ON c.user_id = u.id WHERE c.alias = ?')
+				.bind(alias)
+				.first<{ slug: string; username: string; custom_script: string; dotfiles_repo: string; visibility: string }>();
 
 			if (config) {
 				const ua = event.request.headers.get('user-agent') || '';
@@ -59,6 +59,13 @@ export const handle: Handle = async ({ event, resolve }) => {
 				const isBrowser = accept.includes('text/html');
 
 				if (isCurl || !isBrowser) {
+					if (config.visibility === 'private') {
+						const script = generatePrivateInstallScript(env.APP_URL, config.username, config.slug);
+						return withSecurityHeaders(new Response(script, {
+							headers: { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'no-cache' }
+						}));
+					}
+
 					const script = generateInstallScript(config.username, config.slug, config.custom_script, config.dotfiles_repo || '');
 
 					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE alias = ?').bind(alias).run().catch(() => {});
@@ -92,7 +99,14 @@ export const handle: Handle = async ({ event, resolve }) => {
 					.bind(user.id, slug)
 					.first<{ custom_script: string; visibility: string; dotfiles_repo: string }>();
 
-				if (config && config.visibility !== 'private') {
+				if (config) {
+						if (config.visibility === 'private') {
+							const script = generatePrivateInstallScript(env.APP_URL, username, slug);
+							return withSecurityHeaders(new Response(script, {
+								headers: { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'no-cache' }
+							}));
+						}
+
 						const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
 
 						env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch(() => {});

src/routes/[username]/[slug]/config/+server.ts

@@ -1,7 +1,7 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 
-export const GET: RequestHandler = async ({ platform, params }) => {
+export const GET: RequestHandler = async ({ platform, params, request }) => {
 	const env = platform?.env;
 	if (!env) {
 		return json({ error: 'Platform env not available' }, { status: 500 });
@@ -26,7 +26,17 @@ export const GET: RequestHandler = async ({ platform, params }) => {
 	}
 
 	if (config.visibility === 'private') {
-		return json({ error: 'Config is private' }, { status: 403 });
+		const authHeader = request.headers.get('authorization') || '';
+		const token = authHeader.replace(/^Bearer\s+/i, '');
+		if (!token) {
+			return json({ error: 'Config is private' }, { status: 403 });
+		}
+		const tokenRow = await env.DB.prepare(
+			"SELECT user_id FROM api_tokens WHERE token = ? AND expires_at > datetime('now')"
+		).bind(token).first<{ user_id: string }>();
+		if (!tokenRow || tokenRow.user_id !== user.id) {
+			return json({ error: 'Config is private' }, { status: 403 });
+		}
 	}
 
 	const tapsSet = new Set<string>();

src/routes/[username]/[slug]/install/+server.ts

@@ -1,7 +1,7 @@
 import type { RequestHandler } from './$types';
 import { generateInstallScript } from '$lib/server/install-script';
 
-export const GET: RequestHandler = async ({ platform, params }) => {
+export const GET: RequestHandler = async ({ platform, params, request }) => {
 	const env = platform?.env;
 	if (!env) {
 		return new Response('Platform env not available', { status: 500 });
@@ -21,7 +21,17 @@ export const GET: RequestHandler = async ({ platform, params }) => {
 	}
 
 	if (config.visibility === 'private') {
-		return new Response('Config is private', { status: 403 });
+		const authHeader = request.headers.get('authorization') || '';
+		const token = authHeader.replace(/^Bearer\s+/i, '');
+		if (!token) {
+			return new Response('Config is private', { status: 403 });
+		}
+		const tokenRow = await env.DB.prepare(
+			"SELECT user_id FROM api_tokens WHERE token = ? AND expires_at > datetime('now')"
+		).bind(token).first<{ user_id: string }>();
+		if (!tokenRow || tokenRow.user_id !== user.id) {
+			return new Response('Config is private', { status: 403 });
+		}
 	}
 
 	const script = generateInstallScript(params.username, params.slug, config.custom_script, config.dotfiles_repo || '');