@axhub/genie 0.2.9 → 0.2.11

package/server/index.js

@@ -96,7 +96,7 @@ async function getPty() {
 import fetch from 'node-fetch';
 import mime from 'mime-types';
 
-import { getProjects, getProjectsList, getProjectDetails, getSessions, getSessionMessages, renameProject, deleteSession, deleteProject, addProjectManually, extractProjectDirectory, clearProjectDirectoryCache, clearProviderSessionLookupCaches, getGeminiSessionMessages } from './projects.js';
+import { getProjects, getProjectsList, getProjectDetails, getSessions, getSessionMessages, renameProject, deleteSession, deleteProject, addProjectManually, extractProjectDirectory, clearProjectDirectoryCache, clearProviderSessionLookupCaches, getGeminiSessionMessages, deleteGeminiSession } from './projects.js';
 import {
   executeAgentPrompt,
   getActiveAgentSessions,
@@ -104,11 +104,7 @@ import {
   resolveAgentPermission,
   setAgentSessionMode
 } from './acp-runtime/index.js';
-import gitRoutes from './routes/git.js';
 import authRoutes from './routes/auth.js';
-import mcpRoutes from './routes/mcp.js';
-import taskmasterRoutes from './routes/taskmaster.js';
-import mcpUtilsRoutes from './routes/mcp-utils.js';
 import commandsRoutes from './routes/commands.js';
 import settingsRoutes from './routes/settings.js';
 import channelsRoutes from './routes/channels.js';
@@ -127,13 +123,14 @@ import {
 } from './utils/workspaceRoots.js';
 import cliAuthRoutes, { detectProviderInstallationStatus } from './routes/cli-auth.js';
 import ccConnectRoutes from './routes/cc-connect.js';
+import { lanAccessApiRoutes, lanAccessPageRoutes } from './routes/lan-access.js';
 import userRoutes from './routes/user.js';
 import codexRoutes from './routes/codex.js';
 import opencodeRoutes from './routes/opencode.js';
 import sessionCoreRoutes from './routes/session-core.js';
 import { parseCodexTokenCountInfo } from './utils/codexTokenUsage.js';
 import { getConfiguredDefaultProjectPath, resolveWorkingDirectory } from './utils/defaultWorkingDirectory.js';
-import { initializeDatabase } from './database/db.js';
+import { initializeDatabase, userDb } from './database/db.js';
 import { validateApiKey, authenticateToken, authenticateWebSocket } from './middleware/auth.js';
 import { IS_PLATFORM } from './constants/config.js';
 import { getChannelManager } from './channels/index.js';
@@ -423,7 +420,7 @@ const wss = new WebSocketServer({
 
         // Platform mode: always allow internal UI WebSocket connections.
         if (IS_PLATFORM) {
-            const user = authenticateWebSocket(null); // Will return first user
+            const user = authenticateWebSocket(null, info.req); // Will return first user
             if (!user) {
                 console.log('[WARN] Platform mode: No user found in database');
                 done(false, 500, 'Platform mode: No user found in database');
@@ -438,7 +435,7 @@ const wss = new WebSocketServer({
         const token = url.searchParams.get('token') ||
             info.req.headers.authorization?.split(' ')[1];
 
-        const user = authenticateWebSocket(token);
+        const user = authenticateWebSocket(token, info.req);
         if (!user) {
             console.log('[WARN] WebSocket authentication failed');
             done(false, 401, 'Unauthorized');
@@ -497,22 +494,12 @@ app.use('/api', validateApiKey);
 
 // Authentication routes (public)
 app.use('/api/auth', authRoutes);
+app.use('/api/lan-access', lanAccessApiRoutes);
+app.use('/lan-access', lanAccessPageRoutes);
 
 // Projects API Routes (protected)
 app.use('/api/projects', authenticateToken, projectsRoutes);
 
-// Git API Routes (protected)
-app.use('/api/git', authenticateToken, gitRoutes);
-
-// MCP API Routes (protected)
-app.use('/api/mcp', authenticateToken, mcpRoutes);
-
-// TaskMaster API Routes (protected)
-app.use('/api/taskmaster', authenticateToken, taskmasterRoutes);
-
-// MCP utilities
-app.use('/api/mcp-utils', authenticateToken, mcpUtilsRoutes);
-
 // Commands API Routes (protected)
 app.use('/api/commands', authenticateToken, commandsRoutes);
 
@@ -732,6 +719,16 @@ app.get('/api/gemini/sessions/:sessionId/messages', authenticateToken, async (re
     }
 });
 
+app.delete('/api/gemini/sessions/:sessionId', authenticateToken, async (req, res) => {
+    try {
+        const { sessionId } = req.params;
+        await deleteGeminiSession(sessionId);
+        res.json({ success: true });
+    } catch (error) {
+        res.status(500).json({ error: error.message });
+    }
+});
+
 // Rename project endpoint
 app.put('/api/projects/:projectName/rename', authenticateToken, async (req, res) => {
     try {
@@ -976,6 +973,65 @@ app.post('/api/create-folder', authenticateToken, async (req, res) => {
     }
 });
 
+function isWithinProjectRoot(projectRoot, candidatePath) {
+    const relativePath = path.relative(projectRoot, candidatePath);
+    return relativePath === '' || (!relativePath.startsWith('..') && !path.isAbsolute(relativePath));
+}
+
+async function getResolvedProjectRoot(projectName) {
+    const projectRoot = await extractProjectDirectory(projectName).catch(() => null);
+    if (!projectRoot) {
+        const error = new Error('Project not found');
+        error.statusCode = 404;
+        throw error;
+    }
+
+    const resolvedRoot = path.resolve(projectRoot);
+    await fsPromises.access(resolvedRoot);
+    return resolvedRoot;
+}
+
+async function resolveProjectFilePath(projectName, inputPath) {
+    const requestedPath = typeof inputPath === 'string' ? inputPath.trim() : '';
+    if (!requestedPath) {
+        const error = new Error('Invalid file path');
+        error.statusCode = 400;
+        throw error;
+    }
+
+    const projectRoot = await getResolvedProjectRoot(projectName);
+    const absoluteTarget = path.isAbsolute(requestedPath)
+        ? path.resolve(requestedPath)
+        : path.resolve(projectRoot, requestedPath);
+
+    if (!isWithinProjectRoot(projectRoot, absoluteTarget)) {
+        const error = new Error('Path must be under project root');
+        error.statusCode = 403;
+        throw error;
+    }
+
+    return {
+        projectRoot,
+        targetPath: absoluteTarget
+    };
+}
+
+function sendProjectFileError(res, error, missingLabel = 'File not found') {
+    if (error.statusCode) {
+        return res.status(error.statusCode).json({ error: error.message });
+    }
+
+    if (error.code === 'ENOENT') {
+        return res.status(404).json({ error: missingLabel });
+    }
+
+    if (error.code === 'EACCES') {
+        return res.status(403).json({ error: 'Permission denied' });
+    }
+
+    return res.status(500).json({ error: error.message });
+}
+
 // Read file content endpoint
 app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) => {
     try {
@@ -984,36 +1040,12 @@ app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) =
 
         console.log('[DEBUG] File read request:', projectName, filePath);
 
-        // Security: ensure the requested path is inside the project root
-        if (!filePath) {
-            return res.status(400).json({ error: 'Invalid file path' });
-        }
-
-        const projectRoot = await extractProjectDirectory(projectName).catch(() => null);
-        if (!projectRoot) {
-            return res.status(404).json({ error: 'Project not found' });
-        }
-
-        // Handle both absolute and relative paths
-        const resolved = path.isAbsolute(filePath)
-            ? path.resolve(filePath)
-            : path.resolve(projectRoot, filePath);
-        const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
-        }
-
-        const content = await fsPromises.readFile(resolved, 'utf8');
-        res.json({ content, path: resolved });
+        const { targetPath } = await resolveProjectFilePath(projectName, filePath);
+        const content = await fsPromises.readFile(targetPath, 'utf8');
+        res.json({ content, path: targetPath });
     } catch (error) {
         console.error('Error reading file:', error);
-        if (error.code === 'ENOENT') {
-            res.status(404).json({ error: 'File not found' });
-        } else if (error.code === 'EACCES') {
-            res.status(403).json({ error: 'Permission denied' });
-        } else {
-            res.status(500).json({ error: error.message });
-        }
+        sendProjectFileError(res, error, 'File not found');
     }
 });
 
@@ -1025,35 +1057,15 @@ app.get('/api/projects/:projectName/files/content', authenticateToken, async (re
 
         console.log('[DEBUG] Binary file serve request:', projectName, filePath);
 
-        // Security: ensure the requested path is inside the project root
-        if (!filePath) {
-            return res.status(400).json({ error: 'Invalid file path' });
-        }
-
-        const projectRoot = await extractProjectDirectory(projectName).catch(() => null);
-        if (!projectRoot) {
-            return res.status(404).json({ error: 'Project not found' });
-        }
-
-        const resolved = path.resolve(filePath);
-        const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
-        }
-
-        // Check if file exists
-        try {
-            await fsPromises.access(resolved);
-        } catch (error) {
-            return res.status(404).json({ error: 'File not found' });
-        }
+        const { targetPath } = await resolveProjectFilePath(projectName, filePath);
+        await fsPromises.access(targetPath);
 
         // Get file extension and set appropriate content type
-        const mimeType = mime.lookup(resolved) || 'application/octet-stream';
+        const mimeType = mime.lookup(targetPath) || 'application/octet-stream';
         res.setHeader('Content-Type', mimeType);
 
         // Stream the file
-        const fileStream = fs.createReadStream(resolved);
+        const fileStream = fs.createReadStream(targetPath);
         fileStream.pipe(res);
 
         fileStream.on('error', (error) => {
@@ -1066,90 +1078,19 @@ app.get('/api/projects/:projectName/files/content', authenticateToken, async (re
     } catch (error) {
         console.error('Error serving binary file:', error);
         if (!res.headersSent) {
-            res.status(500).json({ error: error.message });
-        }
-    }
-});
-
-// Save file content endpoint
-app.put('/api/projects/:projectName/file', authenticateToken, async (req, res) => {
-    try {
-        const { projectName } = req.params;
-        const { filePath, content } = req.body;
-
-        console.log('[DEBUG] File save request:', projectName, filePath);
-
-        // Security: ensure the requested path is inside the project root
-        if (!filePath) {
-            return res.status(400).json({ error: 'Invalid file path' });
-        }
-
-        if (content === undefined) {
-            return res.status(400).json({ error: 'Content is required' });
-        }
-
-        const projectRoot = await extractProjectDirectory(projectName).catch(() => null);
-        if (!projectRoot) {
-            return res.status(404).json({ error: 'Project not found' });
-        }
-
-        // Handle both absolute and relative paths
-        const resolved = path.isAbsolute(filePath)
-            ? path.resolve(filePath)
-            : path.resolve(projectRoot, filePath);
-        const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
-        }
-
-        // Write the new content
-        await fsPromises.writeFile(resolved, content, 'utf8');
-
-        res.json({
-            success: true,
-            path: resolved,
-            message: 'File saved successfully'
-        });
-    } catch (error) {
-        console.error('Error saving file:', error);
-        if (error.code === 'ENOENT') {
-            res.status(404).json({ error: 'File or directory not found' });
-        } else if (error.code === 'EACCES') {
-            res.status(403).json({ error: 'Permission denied' });
-        } else {
-            res.status(500).json({ error: error.message });
+            sendProjectFileError(res, error, 'File not found');
         }
     }
 });
 
 app.get('/api/projects/:projectName/files', authenticateToken, async (req, res) => {
     try {
-
-        // Using fsPromises from import
-
-        // Use extractProjectDirectory to get the actual project path
-        let actualPath;
-        try {
-            actualPath = await extractProjectDirectory(req.params.projectName);
-        } catch (error) {
-            console.error('Error extracting project directory:', error);
-            // Fallback to simple dash replacement
-            actualPath = req.params.projectName.replace(/-/g, '/');
-        }
-
-        // Check if path exists
-        try {
-            await fsPromises.access(actualPath);
-        } catch (e) {
-            return res.status(404).json({ error: `Project path not found: ${actualPath}` });
-        }
-
-        const files = await getFileTree(actualPath, 10, 0, true);
-        const hiddenFiles = files.filter(f => f.name.startsWith('.'));
+        const projectRoot = await getResolvedProjectRoot(req.params.projectName);
+        const files = await getFileTree(projectRoot, 10, 0, true);
         res.json(files);
     } catch (error) {
         console.error('[ERROR] File tree error:', error.message);
-        res.status(500).json({ error: error.message });
+        sendProjectFileError(res, error, error.statusCode === 404 ? error.message : 'Failed to list files');
     }
 });
 
@@ -2218,6 +2159,7 @@ async function startServer() {
     try {
         // Initialize authentication database
         await initializeDatabase();
+        userDb.ensureDefaultUser();
         await getChannelManager().initialize();
 
         // Check if running in production mode (dist folder exists)

package/server/lan-access/core.js

@@ -0,0 +1,79 @@
+import os from 'os';
+
+function normalizeHost(value) {
+  const raw = String(value || '').trim().toLowerCase();
+  if (!raw) {
+    return '';
+  }
+
+  if (raw.startsWith('[')) {
+    const closingIndex = raw.indexOf(']');
+    return closingIndex >= 0 ? raw.slice(1, closingIndex) : raw;
+  }
+
+  const hostParts = raw.split(':');
+  if (hostParts.length === 2) {
+    return hostParts[0];
+  }
+
+  return raw;
+}
+
+function normalizeAddress(value) {
+  const raw = String(value || '').trim().toLowerCase();
+  if (!raw) {
+    return '';
+  }
+
+  return raw.replace(/^::ffff:/, '');
+}
+
+function isLoopbackHost(host) {
+  const normalizedHost = normalizeHost(host);
+  return normalizedHost === 'localhost'
+    || normalizedHost === '127.0.0.1'
+    || normalizedHost === '::1';
+}
+
+function isLoopbackAddress(address) {
+  const normalizedAddress = normalizeAddress(address);
+  return normalizedAddress === '127.0.0.1' || normalizedAddress === '::1';
+}
+
+function isLoopbackRequest(req) {
+  const forwardedHost = String(req?.headers?.['x-forwarded-host'] || '').split(',')[0].trim();
+  const host = forwardedHost || req?.headers?.host || req?.hostname || '';
+  return isLoopbackHost(host);
+}
+
+function isIPv4Family(value) {
+  return value === 'IPv4' || value === 4;
+}
+
+function collectLanIPv4Addresses(networkInterfaces = os.networkInterfaces()) {
+  const addresses = new Set();
+
+  for (const entries of Object.values(networkInterfaces || {})) {
+    for (const entry of entries || []) {
+      if (!entry || entry.internal || !isIPv4Family(entry.family)) {
+        continue;
+      }
+
+      const address = String(entry.address || '').trim();
+      if (!address) {
+        continue;
+      }
+
+      addresses.add(address);
+    }
+  }
+
+  return Array.from(addresses).sort((left, right) => left.localeCompare(right));
+}
+
+export {
+  collectLanIPv4Addresses,
+  isLoopbackAddress,
+  isLoopbackHost,
+  isLoopbackRequest,
+};

package/server/lan-access/state.js

@@ -0,0 +1,102 @@
+import fs from 'fs';
+import path from 'path';
+import bcrypt from 'bcrypt';
+
+import { getDataFilePath } from '../database/db.js';
+
+const DEFAULT_STATE = Object.freeze({
+  passwordHash: null,
+  sessionVersion: 0,
+  updatedAt: null,
+});
+
+function getLanAccessStatePath() {
+  if (process.env.LAN_ACCESS_STATE_PATH) {
+    return process.env.LAN_ACCESS_STATE_PATH;
+  }
+
+  return path.join(path.dirname(getDataFilePath()), 'lan-access-state.json');
+}
+
+function normalizeState(rawState) {
+  const source = rawState && typeof rawState === 'object' ? rawState : {};
+  return {
+    passwordHash: typeof source.passwordHash === 'string' && source.passwordHash.trim() ? source.passwordHash : null,
+    sessionVersion: Number.isInteger(source.sessionVersion) && source.sessionVersion >= 0 ? source.sessionVersion : 0,
+    updatedAt: typeof source.updatedAt === 'string' ? source.updatedAt : null,
+  };
+}
+
+function ensureStateDir() {
+  const statePath = getLanAccessStatePath();
+  const stateDir = path.dirname(statePath);
+  if (!fs.existsSync(stateDir)) {
+    fs.mkdirSync(stateDir, { recursive: true });
+  }
+}
+
+function readLanAccessState() {
+  const statePath = getLanAccessStatePath();
+  if (!fs.existsSync(statePath)) {
+    return { ...DEFAULT_STATE };
+  }
+
+  try {
+    const parsed = JSON.parse(fs.readFileSync(statePath, 'utf8'));
+    return normalizeState(parsed);
+  } catch {
+    return { ...DEFAULT_STATE };
+  }
+}
+
+function writeLanAccessState(nextState) {
+  ensureStateDir();
+  const statePath = getLanAccessStatePath();
+  const normalized = normalizeState(nextState);
+  const tempPath = `${statePath}.tmp`;
+  fs.writeFileSync(tempPath, `${JSON.stringify(normalized, null, 2)}\n`, 'utf8');
+  fs.renameSync(tempPath, statePath);
+  return normalized;
+}
+
+function hasLanAccessPassword() {
+  return Boolean(readLanAccessState().passwordHash);
+}
+
+function getLanSessionVersion() {
+  return readLanAccessState().sessionVersion;
+}
+
+async function setLanAccessPassword(password) {
+  const trimmedPassword = String(password || '').trim();
+  if (!trimmedPassword) {
+    throw new Error('Access password is required');
+  }
+
+  const currentState = readLanAccessState();
+  const passwordHash = await bcrypt.hash(trimmedPassword, 12);
+  return writeLanAccessState({
+    passwordHash,
+    sessionVersion: currentState.sessionVersion + 1,
+    updatedAt: new Date().toISOString(),
+  });
+}
+
+async function verifyLanAccessPassword(password) {
+  const state = readLanAccessState();
+  if (!state.passwordHash) {
+    return false;
+  }
+
+  return bcrypt.compare(String(password || ''), state.passwordHash);
+}
+
+export {
+  getLanAccessStatePath,
+  getLanSessionVersion,
+  hasLanAccessPassword,
+  readLanAccessState,
+  setLanAccessPassword,
+  verifyLanAccessPassword,
+  writeLanAccessState,
+};

package/server/middleware/auth.js

@@ -1,6 +1,8 @@
 import jwt from 'jsonwebtoken';
 import { userDb } from '../database/db.js';
 import { IS_PLATFORM } from '../constants/config.js';
+import { getLanSessionVersion } from '../lan-access/state.js';
+import { isLoopbackRequest } from '../lan-access/core.js';
 
 // Get JWT secret from environment or use default (for development)
 const JWT_SECRET = process.env.JWT_SECRET || 'claude-ui-dev-secret-change-in-production';
@@ -10,6 +12,37 @@ const PUBLIC_GET_ROUTE_PATTERNS = [
   /^\/api\/session-core\/providers(?:\/[^/]+)?\/?$/i,
 ];
 
+const DEFAULT_TOKEN_EXPIRY = '30d';
+
+function isSessionVersionAllowed(decodedToken, currentSessionVersion = getLanSessionVersion()) {
+  const expectedSessionVersion = Number.isInteger(currentSessionVersion) ? currentSessionVersion : 0;
+  const tokenSessionVersion = Number(decodedToken?.sessionVersion);
+
+  if (expectedSessionVersion <= 0) {
+    return tokenSessionVersion === 0 || Number.isNaN(tokenSessionVersion);
+  }
+
+  return Number.isInteger(tokenSessionVersion) && tokenSessionVersion === expectedSessionVersion;
+}
+
+function verifySignedToken(token, { expectedPurpose = null } = {}) {
+  const decoded = jwt.verify(token, JWT_SECRET);
+
+  if (expectedPurpose && decoded?.purpose !== expectedPurpose) {
+    const error = new Error('Invalid token purpose');
+    error.code = 'INVALID_TOKEN_PURPOSE';
+    throw error;
+  }
+
+  if (!isSessionVersionAllowed(decoded)) {
+    const error = new Error('Token session is no longer valid');
+    error.code = 'STALE_SESSION_VERSION';
+    throw error;
+  }
+
+  return decoded;
+}
+
 // Optional API key middleware
 const validateApiKey = (req, res, next) => {
   // Skip API key validation if not configured
@@ -36,17 +69,17 @@ const authenticateToken = async (req, res, next) => {
   }
 
   // Platform mode:  use single database user
-  if (IS_PLATFORM) {
+  if (IS_PLATFORM || isLoopbackRequest(req)) {
     try {
       const user = userDb.getFirstUser();
       if (!user) {
-        return res.status(500).json({ error: 'Platform mode: No user found in database' });
+        return res.status(500).json({ error: 'No default user found in database' });
       }
       req.user = user;
       return next();
     } catch (error) {
-      console.error('Platform mode error:', error);
-      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
+      console.error('Local authentication bypass error:', error);
+      return res.status(500).json({ error: 'Failed to resolve local user' });
     }
   }
 
@@ -64,7 +97,7 @@ const authenticateToken = async (req, res, next) => {
   }
 
   try {
-    const decoded = jwt.verify(token, JWT_SECRET);
+    const decoded = verifySignedToken(token);
 
     // Verify user still exists and is active
     const user = userDb.getUserById(decoded.userId);
@@ -81,21 +114,29 @@ const authenticateToken = async (req, res, next) => {
 };
 
 // Generate JWT token (never expires)
-const generateToken = (user) => {
+const generateToken = (user, options = {}) => {
+  const {
+    expiresIn = DEFAULT_TOKEN_EXPIRY,
+    purpose = 'app',
+    sessionVersion = getLanSessionVersion(),
+  } = options;
+
   return jwt.sign(
-    { 
-      userId: user.id, 
-      username: user.username 
+    {
+      userId: user.id,
+      username: user.username,
+      purpose,
+      sessionVersion,
     },
-    JWT_SECRET
-    // No expiration - token lasts forever
+    JWT_SECRET,
+    expiresIn ? { expiresIn } : undefined
   );
 };
 
 // WebSocket authentication function
-const authenticateWebSocket = (token) => {
+const authenticateWebSocket = (token, request = null) => {
   // Platform mode: bypass token validation, return first user
-  if (IS_PLATFORM) {
+  if (IS_PLATFORM || isLoopbackRequest(request)) {
     try {
       const user = userDb.getFirstUser();
       if (user) {
@@ -114,7 +155,7 @@ const authenticateWebSocket = (token) => {
   }
 
   try {
-    const decoded = jwt.verify(token, JWT_SECRET);
+    const decoded = verifySignedToken(token);
     return decoded;
   } catch (error) {
     console.error('WebSocket token verification error:', error);
@@ -127,5 +168,7 @@ export {
   authenticateToken,
   generateToken,
   authenticateWebSocket,
+  isSessionVersionAllowed,
+  verifySignedToken,
   JWT_SECRET
 };