gatekeeper/net
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add god-mode API and auto-permissions - SECURE TOKEN IN COOLIFY ENV ONLY

Browse Source
This commit is contained in:
cawcenter
2025-12-14 11:13:34 -05:00
parent 6d9209553e
commit f9947e81af
8 changed files with 692 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

305
GOD_MODE_API.md Normal file
View File

@@ -0,0 +1,305 @@
# God Mode API - Documentation
## 🔐 Overview
The God Mode API provides unrestricted access to the Spark Platform's database and Directus system. It bypasses all authentication and permission checks.
**Security:** Access requires `X-God-Token` header with secret token.
---
## 🔑 Your Secure Token
```
GOD_MODE_TOKEN=jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA
```
**⚠️ CRITICAL:**
- This token is for YOU and your AI assistant ONLY
- NEVER commit to git (already in `.gitignore`)
- NEVER share publicly
- Store in Coolify environment variables
---
## 🚀 Setup in Coolify
1. Go to Coolify → Your Spark Project
2. Click "Directus" service
3. Go to "Environment Variables"
4. Click "Add Variable":
- **Name:** `GOD_MODE_TOKEN`
- **Value:** `jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA`
5. Save and redeploy
---
## 📡 API Endpoints
### Base URL
```
https://spark.jumpstartscaling.com/god
```
All endpoints require header:
```
X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA
```
---
### 1. Check God Mode Status
```bash
curl -X GET https://spark.jumpstartscaling.com/god/status \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
```
**Response:**
```json
{
"success": true,
"god_mode": true,
"database": {
"tables": 39,
"collections": 39,
"permissions": 156
},
"timestamp": "2025-12-14T11:05:00.000Z"
}
```
---
### 2. Initialize Database
```bash
# Read SQL file
SQL_CONTENT=$(cat complete_schema.sql)
# Execute
curl -X POST https://spark.jumpstartscaling.com/god/setup/database \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA" \
-H "Content-Type: application/json" \
-d "{\"sql\": $(jq -Rs . < complete_schema.sql)}"
```
**Response:**
```json
{
"success": true,
"tables_created": 39,
"tables": [
"sites",
"pages",
"posts",
"avatar_intelligence",
...
]
}
```
---
### 3. Grant All Permissions
```bash
curl -X POST https://spark.jumpstartscaling.com/god/permissions/grant-all \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
```
**Response:**
```json
{
"success": true,
"permissions_granted": 156,
"collections": 39
}
```
---
### 4. Execute Raw SQL
```bash
curl -X POST https://spark.jumpstartscaling.com/god/sql/execute \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA" \
-H "Content-Type: application/json" \
-d '{
"sql": "SELECT * FROM sites ORDER BY date_created DESC LIMIT 5;"
}'
```
**Response:**
```json
{
"success": true,
"rows": [
{
"id": "abc123",
"name": "My Site",
"domain": "example.com"
}
],
"rowCount": 1
}
```
---
### 5. Get All Collections (Including System)
```bash
curl -X GET https://spark.jumpstartscaling.com/god/collections/all \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
```
**Response:**
```json
{
"success": true,
"count": 75,
"data": [
{
"collection": "directus_users",
"icon": "people",
...
},
{
"collection": "sites",
"icon": "dns",
...
}
]
}
```
---
### 6. Make User Admin
```bash
curl -X POST https://spark.jumpstartscaling.com/god/user/make-admin \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com"
}'
```
**Response:**
```json
{
"success": true,
"user": {
"id": "user123",
"email": "user@example.com",
"role": "admin-role-id"
}
}
```
---
## 🛡️ Auto-Permissions Hook
The platform includes an auto-permissions hook that runs on Directus startup:
**What it does:**
- Automatically grants all permissions to Administrator policy
- Runs after Directus initialization
- Checks for existing permissions first
- Creates 4 permissions per collection (create, read, update, delete)
**No manual action needed!**
---
## 🎯 Use Cases
### Fresh Deployment Setup
```bash
# 1. Check status
curl -X GET .../god/status -H "X-God-Token: ..."
# 2. Initialize database
curl -X POST .../god/setup/database -H "X-God-Token: ..." -d @schema.json
# 3. Grant permissions
curl -X POST .../god/permissions/grant-all -H "X-God-Token: ..."
# Done! ✅
```
### Fix Permission Issues
```bash
curl -X POST .../god/permissions/grant-all -H "X-God-Token: ..."
```
### Query Database Directly
```bash
curl -X POST .../god/sql/execute \
-H "X-God-Token: ..." \
-d '{"sql": "SELECT COUNT(*) FROM generated_articles WHERE status = '\''published'\'';"}''
```
---
## ⚠️ Security Notes
### What God Mode Can Do:
- ✅ Execute any SQL query
- ✅ Modify any Directus collection
- ✅ Grant/revoke permissions
- ✅ Access system collections
- ✅ Bypass all authentication
- ✅ Create/delete tables
### Security Measures:
- ✅ 128-character random token
- ✅ Token not in git repository
- ✅ Only in Coolify environment variables
- ✅ Logs all access attempts
- ✅ Requires exact token match
### If Token is Compromised:
1. Generate new token:
```bash
node -e "const crypto = require('crypto'); console.log(crypto.randomBytes(64).toString('base64url'));"
```
2. Update in Coolify environment variables
3. Redeploy Directus service
---
## 📝 File Structure
```
directus-extensions/
├── endpoints/
│ └── god/
│ ├── index.js # God Mode API implementation
│ └── package.json # Extension metadata
└── hooks/
└── auto-permissions/
├── index.js # Auto-grant permissions on startup
└── package.json # Hook metadata
```
---
## ✅ Verification
After deployment:
```bash
# Test god mode access
curl -X GET https://spark.jumpstartscaling.com/god/status \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
# Should return success: true
```
---
**God Mode is your backdoor into everything. Use responsibly!** 🔥