@axhub/genie 0.2.8 → 0.2.10

package/server/routes/lan-access.js

@@ -0,0 +1,231 @@
+import express from 'express';
+import QRCode from 'qrcode';
+
+import { authenticateToken, generateToken, verifySignedToken } from '../middleware/auth.js';
+import { userDb } from '../database/db.js';
+import { collectLanIPv4Addresses } from '../lan-access/core.js';
+import {
+  getLanSessionVersion,
+  hasLanAccessPassword,
+  setLanAccessPassword,
+  verifyLanAccessPassword,
+} from '../lan-access/state.js';
+
+const apiRouter = express.Router();
+const pageRouter = express.Router();
+
+function getDefaultUser() {
+  return userDb.ensureDefaultUser();
+}
+
+function getRequestProtocol(req) {
+  const forwardedProto = String(req.headers['x-forwarded-proto'] || '').trim();
+  if (forwardedProto) {
+    return forwardedProto.split(',')[0].trim() || 'http';
+  }
+
+  return req.protocol || 'http';
+}
+
+function buildAppUrl(req, address) {
+  const protocol = getRequestProtocol(req);
+  const requestUrl = new URL(`${protocol}://${req.headers.host || 'localhost'}`);
+  requestUrl.hostname = address;
+  requestUrl.pathname = '/';
+  requestUrl.search = '';
+  requestUrl.hash = '';
+  return requestUrl.toString();
+}
+
+function buildExchangeUrl(req, address, exchangeToken) {
+  const protocol = getRequestProtocol(req);
+  const requestUrl = new URL(`${protocol}://${req.headers.host || 'localhost'}`);
+  requestUrl.hostname = address;
+  requestUrl.pathname = '/lan-access/exchange';
+  requestUrl.search = '';
+  requestUrl.searchParams.set('token', exchangeToken);
+  return requestUrl.toString();
+}
+
+function renderExchangeDocument(token) {
+  const serializedToken = JSON.stringify(String(token || ''));
+  return `<!DOCTYPE html>
+<html lang="zh-CN">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Axhub Genie</title>
+    <style>
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: grid;
+        place-items: center;
+        font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+        background: linear-gradient(180deg, #f8fafc 0%, #eef2ff 100%);
+        color: #0f172a;
+      }
+      .card {
+        width: min(92vw, 420px);
+        border-radius: 24px;
+        padding: 28px;
+        background: rgba(255, 255, 255, 0.92);
+        box-shadow: 0 30px 80px rgba(15, 23, 42, 0.12);
+        text-align: center;
+      }
+      h1 {
+        margin: 0 0 10px;
+        font-size: 22px;
+      }
+      p {
+        margin: 0;
+        color: #475569;
+        font-size: 14px;
+      }
+      .dots {
+        margin: 18px auto 0;
+        display: inline-flex;
+        gap: 8px;
+      }
+      .dot {
+        width: 8px;
+        height: 8px;
+        border-radius: 999px;
+        background: #2563eb;
+        animation: bounce 1s infinite ease-in-out;
+      }
+      .dot:nth-child(2) { animation-delay: 0.12s; }
+      .dot:nth-child(3) { animation-delay: 0.24s; }
+      @keyframes bounce {
+        0%, 80%, 100% { transform: translateY(0); opacity: 0.4; }
+        40% { transform: translateY(-4px); opacity: 1; }
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>正在进入 Axhub Genie</h1>
+      <p>验证通过后会自动跳转。</p>
+      <div class="dots" aria-hidden="true">
+        <span class="dot"></span>
+        <span class="dot"></span>
+        <span class="dot"></span>
+      </div>
+    </div>
+    <script>
+      try {
+        localStorage.setItem('auth-token', ${serializedToken});
+        window.location.replace('/');
+      } catch (error) {
+        document.body.innerHTML = '<div class="card"><h1>进入失败</h1><p>无法写入本地访问凭证，请检查浏览器隐私设置后重试。</p></div>';
+      }
+    </script>
+  </body>
+</html>`;
+}
+
+apiRouter.get('/summary', authenticateToken, async (_req, res) => {
+  res.json({
+    success: true,
+    hasPassword: hasLanAccessPassword(),
+    addresses: collectLanIPv4Addresses(),
+    sessionVersion: getLanSessionVersion(),
+  });
+});
+
+apiRouter.post('/password', authenticateToken, async (req, res) => {
+  try {
+    const password = String(req.body?.password || '');
+    const state = await setLanAccessPassword(password);
+    res.json({
+      success: true,
+      hasPassword: true,
+      sessionVersion: state.sessionVersion,
+      message: '局域网访问密码已更新。'
+    });
+  } catch (error) {
+    const message = error?.message || 'Failed to update LAN access password';
+    const statusCode = message.includes('required') ? 400 : 500;
+    res.status(statusCode).json({ success: false, error: message });
+  }
+});
+
+apiRouter.post('/token', authenticateToken, async (req, res) => {
+  try {
+    const address = String(req.body?.address || '').trim();
+    if (!address) {
+      return res.status(400).json({ success: false, error: 'Address is required' });
+    }
+
+    if (!hasLanAccessPassword()) {
+      return res.status(412).json({ success: false, error: '请先设置局域网访问密码。' });
+    }
+
+    const user = getDefaultUser();
+    const exchangeToken = generateToken(user, {
+      expiresIn: '8m',
+      purpose: 'lan-exchange',
+    });
+    const appUrl = buildAppUrl(req, address);
+    const exchangeUrl = buildExchangeUrl(req, address, exchangeToken);
+    const qrCodeDataUrl = await QRCode.toDataURL(exchangeUrl, {
+      margin: 1,
+      width: 256,
+    });
+
+    res.json({
+      success: true,
+      address,
+      accessUrl: appUrl,
+      exchangeUrl,
+      qrCodeDataUrl,
+      expiresInSeconds: 8 * 60,
+    });
+  } catch (error) {
+    console.error('LAN access token error:', error);
+    res.status(500).json({ success: false, error: 'Failed to generate LAN access link' });
+  }
+});
+
+apiRouter.post('/login', async (req, res) => {
+  try {
+    if (!hasLanAccessPassword()) {
+      return res.status(412).json({ success: false, error: '局域网访问密码尚未设置。' });
+    }
+
+    const password = String(req.body?.password || '');
+    const isValidPassword = await verifyLanAccessPassword(password);
+    if (!isValidPassword) {
+      return res.status(401).json({ success: false, error: '访问密码不正确。' });
+    }
+
+    const user = getDefaultUser();
+    const token = generateToken(user);
+    res.json({ success: true, token, user });
+  } catch (error) {
+    console.error('LAN access login error:', error);
+    res.status(500).json({ success: false, error: 'Failed to sign in with LAN access password' });
+  }
+});
+
+pageRouter.get('/exchange', async (req, res) => {
+  try {
+    const exchangeToken = String(req.query?.token || '');
+    if (!exchangeToken) {
+      return res.status(400).send(renderExchangeDocument(''));
+    }
+
+    const decoded = verifySignedToken(exchangeToken, { expectedPurpose: 'lan-exchange' });
+    const user = userDb.getUserById(decoded.userId) || getDefaultUser();
+    const token = generateToken(user);
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.send(renderExchangeDocument(token));
+  } catch (error) {
+    res.status(403).send(`<!DOCTYPE html><html lang="zh-CN"><body style="font-family: ui-sans-serif, sans-serif; padding: 32px;"><h1 style="margin:0 0 12px;">链接已失效</h1><p style="margin:0;color:#475569;">请重新生成局域网访问链接或二维码。</p></body></html>`);
+  }
+});
+
+export {
+  apiRouter as lanAccessApiRoutes,
+  pageRouter as lanAccessPageRoutes,
+};

package/server/routes/projects.js

@@ -19,39 +19,116 @@ export {
 
 const router = express.Router();
 
-// System-critical paths that should never be used as workspace directories
-export const FORBIDDEN_PATHS = [
-  // Unix
-  '/',
-  '/etc',
-  '/bin',
-  '/sbin',
-  '/usr',
-  '/dev',
-  '/proc',
-  '/sys',
-  '/var',
-  '/boot',
-  '/root',
-  '/lib',
-  '/lib64',
-  '/opt',
-  '/tmp',
-  '/run',
-  // Windows
-  'C:\\Windows',
-  'C:\\Program Files',
-  'C:\\Program Files (x86)',
-  'C:\\ProgramData',
-  'C:\\System Volume Information',
-  'C:\\$Recycle.Bin'
+const SYSTEM_PATH_RULES = [
+  { label: '/', kind: 'exact' },
+  { label: '/etc', kind: 'prefix' },
+  { label: '/bin', kind: 'prefix' },
+  { label: '/sbin', kind: 'prefix' },
+  { label: '/usr', kind: 'prefix' },
+  { label: '/dev', kind: 'prefix' },
+  { label: '/proc', kind: 'prefix' },
+  { label: '/sys', kind: 'prefix' },
+  { label: '/var', kind: 'prefix' },
+  { label: '/boot', kind: 'prefix' },
+  { label: '/root', kind: 'prefix' },
+  { label: '/lib', kind: 'prefix' },
+  { label: '/lib64', kind: 'prefix' },
+  { label: '/opt', kind: 'prefix' },
+  { label: '/tmp', kind: 'exact' },
+  { label: '/run', kind: 'prefix' },
+  { label: 'C:\\Windows', kind: 'prefix' },
+  { label: 'C:\\Program Files', kind: 'prefix' },
+  { label: 'C:\\Program Files (x86)', kind: 'prefix' },
+  { label: 'C:\\ProgramData', kind: 'prefix' },
+  { label: 'C:\\System Volume Information', kind: 'prefix' },
+  { label: 'C:\\$Recycle.Bin', kind: 'prefix' }
 ];
 
-/**
- * Validates that a path is safe for workspace operations
- * @param {string} requestedPath - The path to validate
- * @returns {Promise<{valid: boolean, resolvedPath?: string, error?: string}>}
- */
+export const FORBIDDEN_PATHS = Object.freeze(SYSTEM_PATH_RULES.map((rule) => rule.label));
+
+function normalizeCandidatePath(candidatePath) {
+  return path.normalize(path.resolve(candidatePath));
+}
+
+function isVarException(candidatePath) {
+  return candidatePath.startsWith('/var/tmp') || candidatePath.startsWith('/var/folders');
+}
+
+function findSystemPathViolation(candidatePath) {
+  for (const rule of SYSTEM_PATH_RULES) {
+    if (rule.label === '/var' && isVarException(candidatePath)) {
+      continue;
+    }
+
+    if (rule.kind === 'exact' && candidatePath === rule.label) {
+      return rule.label;
+    }
+
+    if (rule.kind === 'prefix' && (candidatePath === rule.label || candidatePath.startsWith(`${rule.label}${path.sep}`))) {
+      return rule.label;
+    }
+  }
+
+  return null;
+}
+
+async function resolvePathForValidation(candidatePath, fsImpl) {
+  try {
+    await fsImpl.access(candidatePath);
+    return await fsImpl.realpath(candidatePath);
+  } catch (error) {
+    if (error.code !== 'ENOENT') {
+      throw error;
+    }
+
+    const parentPath = path.dirname(candidatePath);
+
+    try {
+      const resolvedParent = await fsImpl.realpath(parentPath);
+      return path.join(resolvedParent, path.basename(candidatePath));
+    } catch (parentError) {
+      if (parentError.code === 'ENOENT') {
+        return candidatePath;
+      }
+      throw parentError;
+    }
+  }
+}
+
+async function assertSymlinkDoesNotEscape(candidatePath, options) {
+  const {
+    fsImpl,
+    hasWorkspaceRootRestriction,
+    allowedWorkspaceRoots,
+    resolvedWorkspaceRoots
+  } = options;
+
+  if (!hasWorkspaceRootRestriction || allowedWorkspaceRoots.length === 0) {
+    return null;
+  }
+
+  try {
+    const stat = await fsImpl.lstat(candidatePath);
+    if (!stat.isSymbolicLink()) {
+      return null;
+    }
+
+    const linkTarget = await fsImpl.readlink(candidatePath);
+    const resolvedTarget = path.resolve(path.dirname(candidatePath), linkTarget);
+    const realTarget = await fsImpl.realpath(resolvedTarget);
+
+    if (!isPathWithinAllowedRoots(realTarget, resolvedWorkspaceRoots)) {
+      return 'Symlink target is outside the allowed workspace root';
+    }
+  } catch (error) {
+    if (error.code !== 'ENOENT') {
+      throw error;
+    }
+  }
+
+  return null;
+}
+
 export async function validateWorkspacePath(requestedPath, options = {}) {
   try {
     const {
@@ -60,73 +137,29 @@ export async function validateWorkspacePath(requestedPath, options = {}) {
       allowedWorkspaceRoots = WORKSPACES_ROOTS
     } = options;
 
-    // Resolve to absolute path
-    let absolutePath = path.resolve(requestedPath);
+    const absoluteCandidate = normalizeCandidatePath(requestedPath);
+    const violation = findSystemPathViolation(absoluteCandidate);
 
-    // Check if path is a forbidden system directory
-    const normalizedPath = path.normalize(absolutePath);
-    if (FORBIDDEN_PATHS.includes(normalizedPath) || normalizedPath === '/') {
+    if (violation) {
       return {
         valid: false,
-        error: 'Cannot use system-critical directories as workspace locations'
+        error: violation === '/'
+          ? 'Cannot use system-critical directories as workspace locations'
+          : `Cannot create workspace in system directory: ${violation}`
       };
     }
 
-    // Additional check for paths starting with forbidden directories
-    for (const forbidden of FORBIDDEN_PATHS) {
-      if (normalizedPath === forbidden ||
-          normalizedPath.startsWith(forbidden + path.sep)) {
-        // Exception: /var/tmp and similar user-accessible paths might be allowed
-        // but /var itself and most /var subdirectories should be blocked
-        if (forbidden === '/var' &&
-            (normalizedPath.startsWith('/var/tmp') ||
-             normalizedPath.startsWith('/var/folders'))) {
-          continue; // Allow these specific cases
-        }
-
-        return {
-          valid: false,
-          error: `Cannot create workspace in system directory: ${forbidden}`
-        };
-      }
-    }
-
-    // Try to resolve the real path (following symlinks)
-    let realPath;
-    try {
-      // Check if path exists to resolve real path
-      await fsImpl.access(absolutePath);
-      realPath = await fsImpl.realpath(absolutePath);
-    } catch (error) {
-      if (error.code === 'ENOENT') {
-        // Path doesn't exist yet - check parent directory
-        let parentPath = path.dirname(absolutePath);
-        try {
-          const parentRealPath = await fsImpl.realpath(parentPath);
-
-          // Reconstruct the full path with real parent
-          realPath = path.join(parentRealPath, path.basename(absolutePath));
-        } catch (parentError) {
-          if (parentError.code === 'ENOENT') {
-            // Parent doesn't exist either - use the absolute path as-is
-            // We'll validate it's within allowed root
-            realPath = absolutePath;
-          } else {
-            throw parentError;
-          }
-        }
-      } else {
-        throw error;
-      }
-    }
+    const resolvedPath = await resolvePathForValidation(absoluteCandidate, fsImpl);
+    const normalizedResolvedPath = normalizeCandidatePath(resolvedPath);
 
+    let resolvedWorkspaceRoots = [];
     if (hasWorkspaceRootRestriction && allowedWorkspaceRoots.length > 0) {
-      const resolvedWorkspaceRoots = await resolveAllowedWorkspaceRoots({
+      resolvedWorkspaceRoots = await resolveAllowedWorkspaceRoots({
         fsImpl,
         allowedWorkspaceRoots
       });
 
-      if (!isPathWithinAllowedRoots(realPath, resolvedWorkspaceRoots)) {
+      if (!isPathWithinAllowedRoots(normalizedResolvedPath, resolvedWorkspaceRoots)) {
         return {
           valid: false,
           error: `Workspace path must be within one of the allowed workspace roots: ${formatAllowedWorkspaceRoots(allowedWorkspaceRoots)}`
@@ -134,40 +167,24 @@ export async function validateWorkspacePath(requestedPath, options = {}) {
       }
     }
 
-    // Additional symlink check for existing paths
-    try {
-      await fsImpl.access(absolutePath);
-      const stats = await fsImpl.lstat(absolutePath);
-
-      if (stats.isSymbolicLink() && hasWorkspaceRootRestriction && allowedWorkspaceRoots.length > 0) {
-        const resolvedWorkspaceRoots = await resolveAllowedWorkspaceRoots({
-          fsImpl,
-          allowedWorkspaceRoots
-        });
-        // Verify symlink target is also within allowed root
-        const linkTarget = await fsImpl.readlink(absolutePath);
-        const resolvedTarget = path.resolve(path.dirname(absolutePath), linkTarget);
-        const realTarget = await fsImpl.realpath(resolvedTarget);
-
-        if (!isPathWithinAllowedRoots(realTarget, resolvedWorkspaceRoots)) {
-          return {
-            valid: false,
-            error: 'Symlink target is outside the allowed workspace root'
-          };
-        }
-      }
-    } catch (error) {
-      if (error.code !== 'ENOENT') {
-        throw error;
-      }
-      // Path doesn't exist - that's fine for new workspace creation
+    const symlinkViolation = await assertSymlinkDoesNotEscape(absoluteCandidate, {
+      fsImpl,
+      hasWorkspaceRootRestriction,
+      allowedWorkspaceRoots,
+      resolvedWorkspaceRoots
+    });
+
+    if (symlinkViolation) {
+      return {
+        valid: false,
+        error: symlinkViolation
+      };
     }
 
     return {
       valid: true,
-      resolvedPath: realPath
+      resolvedPath: normalizedResolvedPath
     };
-
   } catch (error) {
     return {
       valid: false,
@@ -176,38 +193,30 @@ export async function validateWorkspacePath(requestedPath, options = {}) {
   }
 }
 
-/**
- * Create a new workspace
- * POST /api/projects/create-workspace
- *
- * Body:
- * - workspaceType: 'existing' | 'new'
- * - path: string (workspace path)
- */
 router.post('/create-workspace', async (req, res) => {
   try {
-    const { workspaceType, path: workspacePath, githubUrl, githubTokenId, newGithubToken } = req.body;
+    const {
+      workspaceType,
+      path: workspacePath,
+      githubUrl,
+      githubTokenId,
+      newGithubToken
+    } = req.body;
 
-    // Validate required fields
     if (!workspaceType || !workspacePath) {
       return res.status(400).json({ error: 'workspaceType and path are required' });
     }
 
-    if (
-      githubUrl !== undefined
-      || githubTokenId !== undefined
-      || newGithubToken !== undefined
-    ) {
+    if (githubUrl !== undefined || githubTokenId !== undefined || newGithubToken !== undefined) {
       return res.status(400).json({
         error: 'GitHub-based workspace creation has been removed. Create an empty workspace or add an existing local workspace instead.'
       });
     }
 
-    if (!['existing', 'new'].includes(workspaceType)) {
+    if (workspaceType !== 'existing' && workspaceType !== 'new') {
       return res.status(400).json({ error: 'workspaceType must be "existing" or "new"' });
     }
 
-    // Validate path safety before any operations
     const validation = await validateWorkspacePath(workspacePath);
     if (!validation.valid) {
       return res.status(400).json({
@@ -216,16 +225,12 @@ router.post('/create-workspace', async (req, res) => {
       });
     }
 
-    const absolutePath = validation.resolvedPath;
+    const targetPath = validation.resolvedPath;
 
-    // Handle existing workspace
     if (workspaceType === 'existing') {
-      // Check if the path exists
       try {
-        await fs.access(absolutePath);
-        const stats = await fs.stat(absolutePath);
-
-        if (!stats.isDirectory()) {
+        const stat = await fs.stat(targetPath);
+        if (!stat.isDirectory()) {
           return res.status(400).json({ error: 'Path exists but is not a directory' });
         }
       } catch (error) {
@@ -235,9 +240,7 @@ router.post('/create-workspace', async (req, res) => {
         throw error;
       }
 
-      // Add the existing workspace to the project list
-      const project = await addProjectManually(absolutePath);
-
+      const project = await addProjectManually(targetPath);
       return res.json({
         success: true,
         project,
@@ -245,26 +248,19 @@ router.post('/create-workspace', async (req, res) => {
       });
     }
 
-    // Handle new workspace creation
-    if (workspaceType === 'new') {
-      // Create the directory if it doesn't exist
-      await fs.mkdir(absolutePath, { recursive: true });
-
-      // Add the new workspace to the project list (no clone)
-      const project = await addProjectManually(absolutePath);
-
-      return res.json({
-        success: true,
-        project,
-        message: 'New workspace created successfully'
-      });
-    }
+    await fs.mkdir(targetPath, { recursive: true });
+    const project = await addProjectManually(targetPath);
 
+    res.json({
+      success: true,
+      project,
+      message: 'New workspace created successfully'
+    });
   } catch (error) {
     console.error('Error creating workspace:', error);
     res.status(500).json({
-      error: error.message || 'Failed to create workspace',
-      details: process.env.NODE_ENV === 'development' ? error.stack : undefined
+      error: 'Failed to create workspace',
+      details: error.message
     });
   }
 });