@atercates/claude-deck 0.2.1 → 0.2.3

package/lib/auth/session.ts

@@ -0,0 +1,83 @@
+import { randomBytes } from "crypto";
+import { queries } from "@/lib/db";
+import type { User } from "@/lib/db";
+
+const SESSION_DURATION_DAYS = 30;
+const SESSION_TOKEN_BYTES = 32;
+
+export function createSession(userId: string): {
+  token: string;
+  expiresAt: string;
+} {
+  const id = randomBytes(16).toString("hex");
+  const token = randomBytes(SESSION_TOKEN_BYTES).toString("hex");
+  const expiresAt = new Date(
+    Date.now() + SESSION_DURATION_DAYS * 24 * 60 * 60 * 1000
+  ).toISOString();
+
+  queries.createAuthSession(id, token, userId, expiresAt);
+
+  return { token, expiresAt };
+}
+
+export function validateSession(token: string): User | null {
+  if (!token || token.length !== SESSION_TOKEN_BYTES * 2) return null;
+
+  const session = queries.getAuthSessionByToken(token);
+  if (!session) return null;
+
+  if (new Date(session.expires_at) < new Date()) {
+    queries.deleteAuthSession(token);
+    return null;
+  }
+
+  const user = queries.getUserById(session.user_id);
+  if (!user) {
+    queries.deleteAuthSession(token);
+    return null;
+  }
+
+  return user;
+}
+
+export function renewSession(token: string): void {
+  const expiresAt = new Date(
+    Date.now() + SESSION_DURATION_DAYS * 24 * 60 * 60 * 1000
+  ).toISOString();
+  queries.renewAuthSession(token, expiresAt);
+}
+
+export function deleteSession(token: string): void {
+  queries.deleteAuthSession(token);
+}
+
+export function cleanupExpiredSessions(): void {
+  queries.deleteExpiredAuthSessions();
+}
+
+export const COOKIE_NAME = "claude_deck_session";
+
+export function buildSessionCookie(token: string): string {
+  const maxAge = SESSION_DURATION_DAYS * 24 * 60 * 60;
+  return `${COOKIE_NAME}=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${maxAge}`;
+}
+
+export function buildClearCookie(): string {
+  return `${COOKIE_NAME}=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0`;
+}
+
+export function parseCookies(
+  cookieHeader: string | undefined
+): Record<string, string> {
+  if (!cookieHeader) return {};
+  return Object.fromEntries(
+    cookieHeader.split(";").map((c) => {
+      const [key, ...rest] = c.trim().split("=");
+      return [key, rest.join("=")];
+    })
+  );
+}
+
+export function hasUsers(): boolean {
+  return queries.getUserCount() > 0;
+}

package/lib/auth/totp.ts

@@ -0,0 +1,36 @@
+import { TOTP, Secret } from "otpauth";
+
+const ISSUER = "ClaudeDeck";
+
+export function generateTotpSecret(username: string): {
+  secret: string;
+  uri: string;
+} {
+  const secret = new Secret({ size: 20 });
+  const totp = new TOTP({
+    issuer: ISSUER,
+    label: username,
+    algorithm: "SHA1",
+    digits: 6,
+    period: 30,
+    secret,
+  });
+
+  return {
+    secret: secret.base32,
+    uri: totp.toString(),
+  };
+}
+
+export function verifyTotpCode(secret: string, code: string): boolean {
+  const totp = new TOTP({
+    issuer: ISSUER,
+    algorithm: "SHA1",
+    digits: 6,
+    period: 30,
+    secret: Secret.fromBase32(secret),
+  });
+
+  const delta = totp.validate({ token: code, window: 1 });
+  return delta !== null;
+}

package/lib/claude/process-manager.ts

@@ -1,7 +1,7 @@
 import { spawn, ChildProcess } from "child_process";
 import { WebSocket } from "ws";
 import { StreamParser } from "./stream-parser";
-import { queries, type Session } from "../db";
+import { queries } from "../db";
 import type { ClaudeSessionOptions, ClientEvent } from "./types";
 
 interface ManagedSession {

package/lib/code-search.ts

@@ -1,4 +1,4 @@
-import { execSync } from "child_process";
+import { execSync, spawnSync } from "child_process";
 
 /**
  * Check if ripgrep is available on the system
@@ -46,13 +46,13 @@ export function searchCode(
   const {
     maxResults = 100,
     contextLines = 2,
-    filePattern = "*",
-    caseSensitive = false,
+    filePattern: _filePattern = "*",
+    caseSensitive: _caseSensitive = false,
   } = options;
 
   try {
     // Use spawn instead of execSync for better control
-    const { spawnSync } = require("child_process");
+    // spawnSync imported at top level
 
     const args = [
       "--json",
@@ -100,7 +100,7 @@ export function searchCode(
   } catch (error) {
     console.error("Error in searchCode:", error);
     // ENOENT = command not found
-    if ((error as any).code === "ENOENT") {
+    if ((error as NodeJS.ErrnoException).code === "ENOENT") {
       throw new Error(
         "ripgrep (rg) not found. Install with: brew install ripgrep"
       );

package/lib/db/index.ts

@@ -1,4 +1,5 @@
 import Database from "better-sqlite3";
+import fs from "fs";
 import path from "path";
 import os from "os";
 import { createSchema } from "./schema";
@@ -14,7 +15,6 @@ let _db: Database.Database | null = null;
 
 export function getDb(): Database.Database {
   if (!_db) {
-    const fs = require("fs");
     fs.mkdirSync(path.dirname(DB_PATH), { recursive: true });
 
     _db = new Database(DB_PATH);

package/lib/db/queries.ts

@@ -6,6 +6,8 @@ import type {
   ProjectDevServer,
   ProjectRepository,
   DevServer,
+  User,
+  AuthSession,
 } from "./types";
 
 function query<T>(sql: string, params: unknown[] = []): T[] {
@@ -457,4 +459,66 @@ export const queries = {
       itemType,
       itemId,
     ]),
+
+  getUserCount(): number {
+    return (
+      queryOne<{ count: number }>("SELECT COUNT(*) as count FROM users") ?? {
+        count: 0,
+      }
+    ).count;
+  },
+
+  getUserByUsername(username: string): User | null {
+    return queryOne<User>("SELECT * FROM users WHERE username = ?", [username]);
+  },
+
+  getUserById(id: string): User | null {
+    return queryOne<User>("SELECT * FROM users WHERE id = ?", [id]);
+  },
+
+  createUser(
+    id: string,
+    username: string,
+    passwordHash: string,
+    totpSecret: string | null
+  ): void {
+    execute(
+      "INSERT INTO users (id, username, password_hash, totp_secret) VALUES (?, ?, ?, ?)",
+      [id, username, passwordHash, totpSecret]
+    );
+  },
+
+  getAuthSessionByToken(token: string): AuthSession | null {
+    return queryOne<AuthSession>(
+      "SELECT * FROM auth_sessions WHERE token = ?",
+      [token]
+    );
+  },
+
+  createAuthSession(
+    id: string,
+    token: string,
+    userId: string,
+    expiresAt: string
+  ): void {
+    execute(
+      "INSERT INTO auth_sessions (id, token, user_id, expires_at) VALUES (?, ?, ?, ?)",
+      [id, token, userId, expiresAt]
+    );
+  },
+
+  renewAuthSession(token: string, expiresAt: string): void {
+    execute("UPDATE auth_sessions SET expires_at = ? WHERE token = ?", [
+      expiresAt,
+      token,
+    ]);
+  },
+
+  deleteAuthSession(token: string): void {
+    execute("DELETE FROM auth_sessions WHERE token = ?", [token]);
+  },
+
+  deleteExpiredAuthSessions(): void {
+    execute("DELETE FROM auth_sessions WHERE expires_at < datetime('now')");
+  },
 };

package/lib/db/schema.ts

@@ -110,5 +110,24 @@ export function createSchema(db: Database.Database): void {
 
     INSERT OR IGNORE INTO projects (id, name, working_directory, is_uncategorized, sort_order)
     VALUES ('uncategorized', 'Uncategorized', '~', 1, 999999);
+
+    CREATE TABLE IF NOT EXISTS users (
+      id TEXT PRIMARY KEY,
+      username TEXT NOT NULL UNIQUE,
+      password_hash TEXT NOT NULL,
+      totp_secret TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE TABLE IF NOT EXISTS auth_sessions (
+      id TEXT PRIMARY KEY,
+      token TEXT NOT NULL UNIQUE,
+      user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      expires_at TEXT NOT NULL,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_auth_sessions_token ON auth_sessions(token);
+    CREATE INDEX IF NOT EXISTS idx_auth_sessions_expires ON auth_sessions(expires_at);
   `);
 }

package/lib/db/types.ts

@@ -90,3 +90,19 @@ export interface DevServer {
   created_at: string;
   updated_at: string;
 }
+
+export interface User {
+  id: string;
+  username: string;
+  password_hash: string;
+  totp_secret: string | null;
+  created_at: string;
+}
+
+export interface AuthSession {
+  id: string;
+  token: string;
+  user_id: string;
+  expires_at: string;
+  created_at: string;
+}

package/lib/git-history.ts

@@ -241,7 +241,7 @@ export function getCommitDetail(
     }
 
     // Get total stats
-    let totalFilesChanged = files.length;
+    const totalFilesChanged = files.length;
     let totalAdditions = 0;
     let totalDeletions = 0;
     for (const file of files) {

package/lib/git.ts

@@ -5,7 +5,6 @@
 import { exec } from "child_process";
 import { promisify } from "util";
 import * as path from "path";
-import * as fs from "fs";
 
 const execAsync = promisify(exec);
 

package/lib/multi-repo-git.ts

@@ -7,7 +7,6 @@ import {
   isGitRepo,
   expandPath,
   type GitFile,
-  type GitStatus,
 } from "./git-status";
 import type { ProjectRepository } from "./db";
 

package/lib/projects.ts

@@ -5,7 +5,6 @@
  * Sessions inherit settings from their parent project.
  */
 
-import { randomUUID } from "crypto";
 import fs from "fs";
 import path from "path";
 import { exec } from "child_process";
@@ -187,7 +186,9 @@ export async function getAllProjects(): Promise<Project[]> {
 /**
  * Get all projects with their dev server configurations
  */
-export async function getAllProjectsWithDevServers(): Promise<ProjectWithRepositories[]> {
+export async function getAllProjectsWithDevServers(): Promise<
+  ProjectWithRepositories[]
+> {
   const projects = await getAllProjects();
   const result: ProjectWithRepositories[] = [];
   for (const p of projects) {
@@ -242,7 +243,10 @@ export async function updateProject(
 /**
  * Toggle project expanded state
  */
-export async function toggleProjectExpanded(id: string, expanded: boolean): Promise<void> {
+export async function toggleProjectExpanded(
+  id: string,
+  expanded: boolean
+): Promise<void> {
   await queries.updateProjectExpanded(expanded, id);
 }
 
@@ -273,7 +277,9 @@ export async function deleteProject(id: string): Promise<boolean> {
 /**
  * Get sessions for a project
  */
-export async function getProjectSessions(projectId: string): Promise<Session[]> {
+export async function getProjectSessions(
+  projectId: string
+): Promise<Session[]> {
   return queries.getSessionsByProject(projectId);
 }
 
@@ -478,7 +484,9 @@ export function validateWorkingDirectory(dir: string): boolean {
 /**
  * Get repositories for a project
  */
-export async function getProjectRepositories(projectId: string): Promise<ProjectRepository[]> {
+export async function getProjectRepositories(
+  projectId: string
+): Promise<ProjectRepository[]> {
   const rawRepos = await queries.getProjectRepositories(projectId);
   return rawRepos.map((r) => ({
     ...r,
@@ -509,14 +517,23 @@ export async function addProjectRepository(
     for (const repo of existing) {
       if (repo.is_primary) {
         await queries.updateProjectRepository(
-          repo.name, repo.path, false, repo.sort_order, repo.id
+          repo.name,
+          repo.path,
+          false,
+          repo.sort_order,
+          repo.id
         );
       }
     }
   }
 
   await queries.createProjectRepository(
-    id, projectId, opts.name, opts.path, isPrimary, maxOrder + 1
+    id,
+    projectId,
+    opts.name,
+    opts.path,
+    isPrimary,
+    maxOrder + 1
   );
 
   const raw = (await queries.getProjectRepository(id))!;
@@ -549,7 +566,11 @@ export async function updateProjectRepository(
     for (const repo of allRepos) {
       if (repo.is_primary && repo.id !== id) {
         await queries.updateProjectRepository(
-          repo.name, repo.path, false, repo.sort_order, repo.id
+          repo.name,
+          repo.path,
+          false,
+          repo.sort_order,
+          repo.id
         );
       }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atercates/claude-deck",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Self-hosted web UI for managing Claude Code sessions",
   "bin": {
     "claude-deck": "./scripts/claude-deck"
@@ -28,7 +28,7 @@
   ],
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/atercates/claude-deck.git"
+    "url": "git+https://github.com/ATERCATES/claude-deck.git"
   },
   "keywords": [
     "claude",
@@ -43,9 +43,9 @@
     "node": ">=24"
   },
   "bugs": {
-    "url": "https://github.com/atercates/claude-deck/issues"
+    "url": "https://github.com/ATERCATES/claude-deck/issues"
   },
-  "homepage": "https://github.com/atercates/claude-deck#readme",
+  "homepage": "https://github.com/ATERCATES/claude-deck#readme",
   "dependencies": {
     "@anthropic-ai/claude-agent-sdk": "^0.2.104",
     "@codemirror/lang-css": "^6.3.1",
@@ -78,6 +78,7 @@
     "@xterm/addon-search": "^0.16.0",
     "@xterm/addon-web-links": "^0.12.0",
     "@xterm/xterm": "^6.0.0",
+    "bcryptjs": "^3.0.3",
     "better-sqlite3": "^12.8.0",
     "chokidar": "^5.0.0",
     "class-variance-authority": "^0.7.1",
@@ -88,6 +89,8 @@
     "next": "^16.2.3",
     "next-themes": "^0.4.6",
     "node-pty": "1.2.0-beta.12",
+    "otpauth": "^9.5.0",
+    "qrcode": "^1.5.4",
     "react": "^19.2.5",
     "react-dom": "^19.2.5",
     "react-markdown": "^10.1.0",
@@ -107,6 +110,7 @@
     "@tauri-apps/cli": "^2.10.1",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "^25.6.0",
+    "@types/qrcode": "^1.5.6",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@types/ws": "^8.18.1",

package/scripts/agent-os

@@ -9,7 +9,7 @@ set -euo pipefail
 # Configuration
 AGENT_OS_HOME="${AGENT_OS_HOME:-$HOME/.agent-os}"
 PORT="${AGENT_OS_PORT:-3011}"
-REPO_URL="https://github.com/atercates/agent-os.git"
+REPO_URL="https://github.com/ATERCATES/agent-os.git"
 
 # Derived paths
 REPO_DIR="$AGENT_OS_HOME/repo"

package/scripts/install.sh

@@ -3,7 +3,7 @@
 # ClaudeDeck Installer
 #
 # Usage:
-#   curl -fsSL https://raw.githubusercontent.com/atercates/claude-deck/main/scripts/install.sh | bash
+#   curl -fsSL https://raw.githubusercontent.com/ATERCATES/claude-deck/main/scripts/install.sh | bash
 #
 
 set -e
@@ -19,7 +19,7 @@ log_info() { echo -e "${BLUE}==>${NC} $1"; }
 log_success() { echo -e "${GREEN}==>${NC} $1"; }
 log_error() { echo -e "${RED}==>${NC} $1"; }
 
-REPO_URL="https://github.com/atercates/claude-deck.git"
+REPO_URL="https://github.com/ATERCATES/claude-deck.git"
 INSTALL_DIR="$HOME/.claude-deck/repo"
 
 echo ""

package/server.ts

@@ -5,6 +5,12 @@ import { WebSocketServer, WebSocket } from "ws";
 import * as pty from "node-pty";
 import { initDb } from "./lib/db";
 import { startWatcher, addUpdateClient } from "./lib/claude/watcher";
+import {
+  validateSession,
+  parseCookies,
+  COOKIE_NAME,
+  hasUsers,
+} from "./lib/auth";
 
 const dev = process.env.NODE_ENV !== "production";
 const hostname = "0.0.0.0";
@@ -35,6 +41,19 @@ app.prepare().then(async () => {
   server.on("upgrade", (request, socket, head) => {
     const { pathname } = parse(request.url || "");
 
+    // Validate auth for WebSocket connections
+    if (hasUsers()) {
+      const cookies = parseCookies(request.headers.cookie);
+      const token = cookies[COOKIE_NAME];
+      const user = token ? validateSession(token) : null;
+
+      if (!user) {
+        socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+        socket.destroy();
+        return;
+      }
+    }
+
     if (pathname === "/ws/terminal") {
       terminalWss.handleUpgrade(request, socket, head, (ws) => {
         terminalWss.emit("connection", ws, request);
@@ -49,7 +68,7 @@ app.prepare().then(async () => {
 
   // Heartbeat: ping every 30s, kill if no pong in 10s
   const HEARTBEAT_INTERVAL = 30000;
-  const HEARTBEAT_TIMEOUT = 10000;
+  const _HEARTBEAT_TIMEOUT = 10000;
 
   function setupHeartbeat(ws: WebSocket) {
     let alive = true;