@blamejs/blamejs-shop 0.4.21 → 0.4.23

package/lib/storefront.js

@@ -9085,13 +9085,70 @@ function _setSidCookie(req, res, sid) {
   });
 }
 
+// Store-free device-fingerprint binding for the sealed auth cookie. The
+// sealed envelope is tamper-proof but device-PORTABLE: a cookie lifted
+// off one device replays for the full 14-day life on any other. We bind
+// it softly to a SHAKE256 fingerprint of the device shape (User-Agent +
+// sorted Accept-Language / Accept-Encoding) carried INSIDE the sealed
+// envelope, recomputed + constant-time-compared on read. No external
+// store: `binding.fingerprint(req)` is a pure function of the request, so
+// the fingerprint lives in the cookie itself rather than a session table.
+//
+// The IP component is deliberately disabled (`ipPrefixBits {v4:0, v6:0}`):
+// a mobile or VPN visitor roams networks constantly, and signing them out
+// on a network hop is a worse outcome than the residual portability a
+// UA+Accept-only fingerprint leaves. Drift in the device shape is the
+// signal; a network change is not.
+//
+// `b.sessionDeviceBinding.create()` refuses to construct without either a
+// bindingStore or storeInSession — neither of which the store-free
+// `fingerprint()` path touches. Pass a b.cache-shaped no-op so the
+// constructor's opt-shape gate is satisfied; its methods are never called.
+var _NOOP_BINDING_STORE = {
+  get: function () { return undefined; },
+  set: function () { return undefined; },
+  del: function () { return undefined; },
+};
+var _deviceBinding = null;
+function _deviceBindingInstance() {
+  if (!_deviceBinding) {
+    _deviceBinding = b.sessionDeviceBinding.create({
+      bindingStore: _NOOP_BINDING_STORE,
+      ipPrefixBits: { v4: 0, v6: 0 },
+    });
+  }
+  return _deviceBinding;
+}
+
+// The hex device fingerprint for THIS request, or null when it can't be
+// computed (a request shape the primitive refuses). A null fingerprint is
+// stored as "no binding" — the read side skips the check rather than
+// signing the visitor out over a missing signal.
+function _authDeviceFingerprint(req) {
+  try {
+    var fp = _deviceBindingInstance().fingerprint(req);
+    return fp ? fp.toString("hex") : null;
+  } catch (_e) {
+    return null;
+  }
+}
+
 // Auth + WebAuthn-challenge cookies carry a vault-sealed JSON envelope.
 // writeSealed/readSealed handle the seal + the on-wire prefix; the
 // caller works in plain objects.
 function _setAuthCookie(req, res, env) {
   var T = b.constants.TIME;
   var secure = _secureForReq(req);
-  _cookieJar().writeSealed(res, _authCookieName(secure), JSON.stringify(env), {
+  // Stash the device fingerprint inside the sealed envelope at mint time
+  // so a later read can detect a cookie that has moved to a different
+  // device shape. Additive: an env handed in WITHOUT `fp` (a caller that
+  // doesn't know about binding) just gets it filled here.
+  var sealed = env;
+  if (env && env.fp == null) {
+    var fp = _authDeviceFingerprint(req);
+    if (fp) sealed = Object.assign({}, env, { fp: fp });
+  }
+  _cookieJar().writeSealed(res, _authCookieName(secure), JSON.stringify(sealed), {
     expires: new Date(Date.now() + T.days(14)),
     secure:  secure,
   });
@@ -9570,6 +9627,14 @@ var LOGIN_ERROR_MESSAGES = {
   link:            "That sign-in link is invalid or has expired. Request a fresh one.",
 };
 
+// Neutral (non-error) notices surfaced on the sign-in screen. The
+// device-binding soft sign-out lands here: a reassuring "sign in again"
+// message, never an alarming error, and it discloses nothing about WHY
+// (no "your session looked suspicious" — the visitor just signs in again).
+var LOGIN_NOTICE_MESSAGES = {
+  device: "You've been signed out for your security. Please sign in again.",
+};
+
 function renderAccountLogin(opts) {
   opts = opts || {};
   var oauthButtons = "";
@@ -9588,6 +9653,12 @@ function renderAccountLogin(opts) {
   var errHtml = (opts.error && LOGIN_ERROR_MESSAGES[opts.error])
     ? "<p class=\"auth-form__message auth-form__message--err\">" + b.template.escapeHtml(LOGIN_ERROR_MESSAGES[opts.error]) + "</p>"
     : "";
+  // Neutral notice (e.g. the device-binding soft sign-out) renders in the
+  // same slot with non-error styling. Error wins if both are somehow set.
+  if (!errHtml && opts.notice && LOGIN_NOTICE_MESSAGES[opts.notice]) {
+    errHtml = "<p class=\"auth-form__message\" role=\"status\">" +
+      b.template.escapeHtml(LOGIN_NOTICE_MESSAGES[opts.notice]) + "</p>";
+  }
   // Render the email-link path INLINE (a working no-JS form), not as a link
   // to a separate page, so both passwordless paths live on one screen.
   var magicHtml = opts.magic_link_enabled ? LOGIN_MAGIC_INLINE : "";
@@ -11910,9 +11981,28 @@ function mount(router, deps) {
   // block) and the account routes inside it, so there's one auth-cookie
   // reader rather than a copy per call site. A missing / malformed /
   // expired cookie returns null — never throws.
+  //
+  // Device-binding (soft): an envelope carrying a stashed `fp` is checked
+  // against THIS request's recomputed fingerprint with a constant-time
+  // compare. On drift the visitor reads as signed-out (return null) and a
+  // one-shot `req._authDeviceDrift` flag is set so the page-level gates
+  // clear the now-stale cookie and bounce to a neutral sign-in — never a
+  // hard 401 mid-page. A pre-binding envelope (no `fp`, minted before this
+  // shipped) passes through unchanged until its natural expiry, so a
+  // deploy never mass-signs-out live sessions.
   function _currentCustomerEnv(req) {
     var env = _readAuthEnv(req);
     if (!env || !env.customer_id || !env.exp || env.exp < Date.now()) return null;
+    if (typeof env.fp === "string" && env.fp.length > 0) {
+      var current = _authDeviceFingerprint(req);
+      // A request whose fingerprint can't be recomputed (current === null)
+      // is NOT treated as drift — absence of signal is not evidence of a
+      // moved cookie. Only a present-but-mismatching fingerprint signs out.
+      if (current !== null && !b.crypto.timingSafeEqual(env.fp, current)) {
+        if (req) req._authDeviceDrift = true;
+        return null;
+      }
+    }
     return env;
   }
 
@@ -14808,6 +14898,9 @@ function mount(router, deps) {
         res.status(303); res.setHeader && res.setHeader("location", "/account");
         return res.end ? res.end() : res.send("");
       }
+      // A drifted cookie that reached the sign-in screen directly still gets
+      // cleared so the next request carries no stale envelope.
+      if (req && req._authDeviceDrift) _clearAuthCookie(req, res);
       var cartCount = await _cartCountForReq(req);
       var url = req.url ? new URL(req.url, "http://localhost") : null;
       // Login captcha is opt-in (CAPTCHA_GATE_LOGIN). The widget + the scoped
@@ -14827,6 +14920,7 @@ function mount(router, deps) {
         apple_enabled:  !!deps.oauthApple,
         magic_link_enabled: !!(deps.customerPortal && deps.customerPortalEmail),
         error:          url && url.searchParams.get("error"),
+        notice:         url && url.searchParams.get("signed_out"),
         captcha_kind:        captchaLoginOn ? captchaKind   : null,
         captcha_public_key:  captchaLoginOn ? captchaPubKey : null,
       }));
@@ -15247,7 +15341,12 @@ function mount(router, deps) {
         throw e;
       }
       if (!auth) {
-        res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+        // On device-binding drift, clear the stale cookie + surface a
+        // neutral sign-in notice (matches _accountAuth's soft sign-out).
+        if (req && req._authDeviceDrift) _clearAuthCookie(req, res);
+        res.status(303);
+        res.setHeader && res.setHeader("location",
+          (req && req._authDeviceDrift) ? "/account/login?signed_out=device" : "/account/login");
         return res.end ? res.end() : res.send("");
       }
       var customer = await deps.customers.get(auth.customer_id);
@@ -15505,7 +15604,14 @@ function mount(router, deps) {
         throw e;
       }
       if (!auth) {
-        res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+        // Device-binding drift: clear the now-stale cookie and bounce to a
+        // neutral sign-in notice (never a hard 401 mid-page). Any other
+        // not-signed-in case (no cookie, expired) bounces to the plain
+        // login with no notice.
+        if (req && req._authDeviceDrift) _clearAuthCookie(req, res);
+        res.status(303);
+        res.setHeader && res.setHeader("location",
+          (req && req._authDeviceDrift) ? "/account/login?signed_out=device" : "/account/login");
         res.end ? res.end() : res.send("");
         return null;
       }
@@ -19993,7 +20099,22 @@ function mount(router, deps) {
 
     router.post("/unsubscribe", async function (req, res) {
       var body = req.body || {};
-      var token = typeof body.token === "string" ? body.token : "";
+      // RFC 8058 one-click: the mail client POSTs to the EXACT URL in the
+      // List-Unsubscribe header — token in the `?token=` query string —
+      // with a `List-Unsubscribe=One-Click` form body and NOTHING else
+      // (no token of its own). So the URL token is authoritative; the
+      // body `token` is only the fallback the on-page confirm form POSTs
+      // from its hidden field. Reading body.token alone (the prior shape)
+      // meant a native one-click POST carried no token -> "not-found" ->
+      // the recipient was never unsubscribed. Parse the token off req.url
+      // (the router only populates req.query when a route declares a query
+      // validator), then fall back to the confirm-form body field.
+      var urlToken = "";
+      try {
+        var u = req.url ? new URL(req.url, "http://localhost") : null;
+        if (u) urlToken = u.searchParams.get("token") || "";
+      } catch (_eUrl) { urlToken = ""; }
+      var token = urlToken || (typeof body.token === "string" ? body.token : "");
       var cartCount = 0;
       try { cartCount = await _cartCountForReq(req); } catch (_e) { /* drop-silent — empty cart fallback */ }
       var outcome;
@@ -20001,6 +20122,9 @@ function mount(router, deps) {
         // `consumeUnsubscribeToken` returns a structured result (it does
         // not throw on a bad/missing token — it returns `{ ok:false,
         // error:"not-found" }`). An empty token is handled the same way.
+        // It is single-use, so the one-click POST and a later confirm-form
+        // POST of the same token are idempotent (the second reads
+        // "already" — still a success page, no error).
         var result = await deps.newsletter.consumeUnsubscribeToken(token);
         outcome = _unsubscribeOutcome(result);
       } catch (e) {

package/lib/support-tickets.js

@@ -435,11 +435,18 @@ function create(opts) {
       return await _refresh(id);
     },
 
-    // Append a message to the ticket thread. Operator replies flip
-    // `new -> in_progress` and stamp `first_response_at` if unset.
-    // Operator replies also bump `last_action_at`; customer replies
-    // do NOT advance the SLA clock (the clock measures operator
-    // responsiveness, not customer chatter).
+    // Append a message to the ticket thread.
+    //   * A CUSTOMER-VISIBLE operator reply (internal=false) flips
+    //     `new -> in_progress`, stamps `first_response_at` if unset, and
+    //     bumps `last_action_at`. An INTERNAL operator note (internal=true)
+    //     is operator-to-operator: append-only, no status flip, no
+    //     first-response stamp (the customer never sees it, so it can't
+    //     satisfy the response SLA).
+    //   * A customer reply doesn't advance `last_action_at` on the
+    //     operator's-clock states, but DOES requeue the ticket: a reply to
+    //     `waiting_customer` returns it to `in_progress`, and a reply to a
+    //     `resolved` ticket reopens it (`resolved -> reopened`, with a
+    //     fresh SLA clock) so the operator's pushback never goes unseen.
     reply: async function (input) {
       if (!input || typeof input !== "object") {
         throw new TypeError("supportTickets.reply: input object required");
@@ -479,30 +486,57 @@ function create(opts) {
       );
 
       if (author === "operator") {
-        // Operator reply flips `new -> in_progress` automatically.
-        // Other states keep their status; SLA timer + first-response
-        // stamp still advance.
-        var newStatus = ticket.status;
-        if (ticket.status === "new") {
-          newStatus = "in_progress";
-          await _writeStatusHistory(ticketId, ticket.status, newStatus, "operator-reply", ts);
+        // Only a CUSTOMER-VISIBLE operator reply counts as a first
+        // response or advances the workflow. An INTERNAL note (internal=1)
+        // is operator-to-operator — the customer never sees it, so
+        // stamping first_response_at off it would satisfy the SLA with
+        // content that never reached the person waiting. An internal note
+        // is append-only here: no status flip, no first_response_at, no
+        // last_action_at bump (it isn't operator responsiveness TO the
+        // customer). The message row was already inserted above.
+        if (!internal) {
+          // A customer-visible operator reply flips `new -> in_progress`
+          // automatically; other states keep their status. The
+          // first-response stamp + SLA timer advance only on this path.
+          var newStatus = ticket.status;
+          if (ticket.status === "new") {
+            newStatus = "in_progress";
+            await _writeStatusHistory(ticketId, ticket.status, newStatus, "operator-reply", ts);
+          }
+          var firstResp = ticket.first_response_at == null ? ts : ticket.first_response_at;
+          await query(
+            "UPDATE support_tickets SET status = ?1, first_response_at = ?2, last_action_at = ?3 WHERE id = ?4",
+            [newStatus, firstResp, ts, ticketId],
+          );
         }
-        var firstResp = ticket.first_response_at == null ? ts : ticket.first_response_at;
-        await query(
-          "UPDATE support_tickets SET status = ?1, first_response_at = ?2, last_action_at = ?3 WHERE id = ?4",
-          [newStatus, firstResp, ts, ticketId],
-        );
       } else if (author === "customer") {
-        // Customer replies don't advance last_action_at — that
-        // would mask SLA breach. They DO move the ticket out of
-        // `waiting_customer` back into `in_progress` because the
-        // operator now owes the next move.
+        // Customer replies don't advance last_action_at on the
+        // operator's-clock states — that would mask an SLA breach. They DO
+        // move the ticket back into a queue the operator owes the next
+        // move on:
+        //   * waiting_customer -> in_progress (the customer answered)
+        //   * resolved        -> reopened     (the customer pushed back; an
+        //                                       FSM-legal edge, resolved ->
+        //                                       reopened). Without this, a
+        //                                       reply to a resolved ticket
+        //                                       was silently dropped from
+        //                                       every operator queue.
+        // last_action_at bumps ONLY on the resolved->reopened move so the
+        // reopened ticket surfaces with a fresh SLA clock (the operator now
+        // owes a response); the waiting_customer->in_progress move keeps the
+        // existing clock (the operator's responsiveness window never paused).
         if (ticket.status === "waiting_customer") {
           await _writeStatusHistory(ticketId, ticket.status, "in_progress", "customer-reply", ts);
           await query(
             "UPDATE support_tickets SET status = 'in_progress' WHERE id = ?1",
             [ticketId],
           );
+        } else if (ticket.status === "resolved") {
+          await _writeStatusHistory(ticketId, ticket.status, "reopened", "customer-reply", ts);
+          await query(
+            "UPDATE support_tickets SET status = 'reopened', last_action_at = ?1 WHERE id = ?2",
+            [ts, ticketId],
+          );
         }
       }
       // system author: append-only; no state mutation.
@@ -596,56 +630,82 @@ function create(opts) {
       return await _refresh(ticketId);
     },
 
+    // Add a tag. The mutation is a SINGLE atomic JSON1 statement —
+    // `json_insert(..., '$[#]', ?)` appends only when the tag isn't
+    // already present (the json_each NOT-EXISTS guard) AND the ticket is
+    // under the cap (json_array_length guard). A prior read-modify-write
+    // (decode -> push in JS -> write the whole array back) lost one of two
+    // concurrent addTag writes: both read the same array, both appended
+    // their own tag, the last write clobbered the other. Doing the append
+    // inside SQLite removes the read-then-write window entirely. The read
+    // that remains exists ONLY to classify a zero-row update (idempotent
+    // dup vs cap-exceeded error) — it never feeds the write.
     addTag: async function (input) {
       if (!input || typeof input !== "object") {
         throw new TypeError("supportTickets.addTag: input object required");
       }
       var ticketId = _uuid(input.ticket_id, "ticket_id");
       var tag      = _singleTag(input.tag);
-      var ticket = await _getRaw(ticketId);
-      if (!ticket) {
-        var err = new Error("supportTickets.addTag: ticket " + ticketId + " not found");
-        err.code = "SUPPORT_TICKET_NOT_FOUND";
-        throw err;
-      }
-      var tags;
-      try { tags = JSON.parse(ticket.tags_json || "[]"); }
-      catch (_e) { tags = []; }
-      if (tags.indexOf(tag) === -1) {
-        if (tags.length >= MAX_TAG_COUNT) {
+      var res = await query(
+        "UPDATE support_tickets " +
+        "SET tags_json = json_insert(COALESCE(tags_json, '[]'), '$[#]', ?1) " +
+        "WHERE id = ?2 " +
+        "  AND (SELECT COUNT(*) FROM json_each(COALESCE(tags_json, '[]')) WHERE value = ?1) = 0 " +
+        "  AND json_array_length(COALESCE(tags_json, '[]')) < ?3",
+        [tag, ticketId, MAX_TAG_COUNT],
+      );
+      if (Number((res && res.rowCount) || 0) === 0) {
+        // The atomic UPDATE matched no row. Read once to classify: a
+        // missing ticket is a hard error; an already-present tag is an
+        // idempotent no-op; otherwise the ticket is at the tag cap.
+        var ticket = await _getRaw(ticketId);
+        if (!ticket) {
+          var err = new Error("supportTickets.addTag: ticket " + ticketId + " not found");
+          err.code = "SUPPORT_TICKET_NOT_FOUND";
+          throw err;
+        }
+        var tags;
+        try { tags = JSON.parse(ticket.tags_json || "[]"); }
+        catch (_e) { tags = []; }
+        if (tags.indexOf(tag) === -1 && tags.length >= MAX_TAG_COUNT) {
           throw new TypeError("supportTickets.addTag: ticket already has " + MAX_TAG_COUNT + " tags");
         }
-        tags.push(tag);
-        await query(
-          "UPDATE support_tickets SET tags_json = ?1 WHERE id = ?2",
-          [JSON.stringify(tags), ticketId],
-        );
+        // else: tag already present — idempotent success, nothing to do.
       }
       return await _refresh(ticketId);
     },
 
+    // Remove a tag. Single atomic JSON1 statement — rebuild the array
+    // from `json_each` minus the target value. Same lost-update hazard as
+    // addTag if done read-modify-write; doing it in SQLite removes the
+    // window. Idempotent: a tag that isn't present matches no row in the
+    // EXISTS guard and the update is a no-op. A missing ticket is read
+    // back only to raise the not-found error (the update wrote nothing).
     removeTag: async function (input) {
       if (!input || typeof input !== "object") {
         throw new TypeError("supportTickets.removeTag: input object required");
       }
       var ticketId = _uuid(input.ticket_id, "ticket_id");
       var tag      = _singleTag(input.tag);
-      var ticket = await _getRaw(ticketId);
-      if (!ticket) {
-        var err = new Error("supportTickets.removeTag: ticket " + ticketId + " not found");
-        err.code = "SUPPORT_TICKET_NOT_FOUND";
-        throw err;
-      }
-      var tags;
-      try { tags = JSON.parse(ticket.tags_json || "[]"); }
-      catch (_e) { tags = []; }
-      var idx = tags.indexOf(tag);
-      if (idx !== -1) {
-        tags.splice(idx, 1);
-        await query(
-          "UPDATE support_tickets SET tags_json = ?1 WHERE id = ?2",
-          [JSON.stringify(tags), ticketId],
-        );
+      var res = await query(
+        "UPDATE support_tickets " +
+        "SET tags_json = (" +
+        "  SELECT COALESCE(json_group_array(value), '[]') " +
+        "  FROM json_each(COALESCE(tags_json, '[]')) WHERE value <> ?1" +
+        ") " +
+        "WHERE id = ?2 " +
+        "  AND EXISTS (SELECT 1 FROM json_each(COALESCE(tags_json, '[]')) WHERE value = ?1)",
+        [tag, ticketId],
+      );
+      if (Number((res && res.rowCount) || 0) === 0) {
+        // No row changed — either the ticket is missing (hard error) or
+        // the tag simply wasn't present (idempotent no-op).
+        var ticket = await _getRaw(ticketId);
+        if (!ticket) {
+          var err = new Error("supportTickets.removeTag: ticket " + ticketId + " not found");
+          err.code = "SUPPORT_TICKET_NOT_FOUND";
+          throw err;
+        }
       }
       return await _refresh(ticketId);
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.21",
+  "version": "0.4.23",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {