@bod.ee/db 0.9.0 → 0.10.1

package/src/server/KeyAuthEngine.ts

@@ -0,0 +1,481 @@
+import type { BodDB } from './BodDB.ts';
+import {
+  fingerprint, generateNonce, generateSessionId,
+  encryptPrivateKey, decryptPrivateKey,
+  generateEd25519KeyPair, signData, verifySignature,
+  encodeToken, decodeToken,
+  type KeyAuthAccount, type KeyAuthDevice, type KeyAuthRole,
+  type KeyAuthSession, type KeyAuthContext, type KeyAuthTokenPayload,
+} from '../shared/keyAuth.ts';
+
+export class KeyAuthEngineOptions {
+  /** Session token TTL in seconds (default 24h) */
+  sessionTtl: number = 86400;
+  /** Nonce TTL in seconds (default 60s) */
+  nonceTtl: number = 60;
+  /** Path to server key file (default: <dbPath>.keyauth.json) */
+  keyPath?: string;
+  /** Clock skew tolerance in seconds for token expiry */
+  clockSkew: number = 30;
+  /** Allow unauthenticated device registration (default true) */
+  allowOpenRegistration: boolean = true;
+}
+
+/** Reserved prefix — _auth/ writes blocked for external clients */
+export const AUTH_PREFIX = '_auth/';
+
+export class KeyAuthEngine {
+  readonly options: KeyAuthEngineOptions;
+  private db: BodDB;
+  private serverPublicKey!: Uint8Array;
+  private serverPrivateKey!: Uint8Array;
+  private serverFingerprint!: string;
+
+  constructor(db: BodDB, options?: Partial<KeyAuthEngineOptions>) {
+    this.options = { ...new KeyAuthEngineOptions(), ...options };
+    this.db = db;
+    this._initServerKey();
+  }
+
+  /** Load or generate server Ed25519 key pair (private on filesystem only) */
+  private _initServerKey(): void {
+    const fs = require('fs');
+    const path = require('path');
+    const dbPath = this.db.options.path;
+    const keyPath = this.options.keyPath ?? (dbPath === ':memory:' ? null : dbPath + '.keyauth.json');
+
+    if (keyPath && fs.existsSync(keyPath)) {
+      const raw = fs.readFileSync(keyPath);
+      const parsed = JSON.parse(raw.toString());
+      this.serverPrivateKey = new Uint8Array(Buffer.from(parsed.privateKey, 'base64'));
+      this.serverPublicKey = new Uint8Array(Buffer.from(parsed.publicKey, 'base64'));
+    } else {
+      const kp = generateEd25519KeyPair();
+      this.serverPublicKey = kp.publicKey;
+      this.serverPrivateKey = kp.privateKey;
+
+      if (keyPath) {
+        const dir = path.dirname(keyPath);
+        if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(keyPath, JSON.stringify({
+          publicKey: Buffer.from(kp.publicKey).toString('base64'),
+          privateKey: Buffer.from(kp.privateKey).toString('base64'),
+        }), { mode: 0o600 });
+      }
+    }
+
+    this.serverFingerprint = fingerprint(Buffer.from(this.serverPublicKey).toString('base64'));
+    this.db.set('_auth/server/publicKey', Buffer.from(this.serverPublicKey).toString('base64'));
+    this.db.set('_auth/server/fingerprint', this.serverFingerprint);
+  }
+
+  /** Initialize root account from a public key */
+  initRoot(publicKeyBase64: string): void {
+    const fp = fingerprint(publicKeyBase64);
+    this.db.set('_auth/root', { publicKey: publicKeyBase64, fingerprint: fp });
+  }
+
+  /** Create a new account with password-encrypted private key.
+   *  If devicePublicKey is provided, auto-links that device to the new account.
+   *  If this is the first account ever created, it is auto-elevated to root. */
+  createAccount(password: string, roles: string[] = [], displayName?: string, devicePublicKey?: string): { publicKey: string; fingerprint: string; isRoot: boolean; deviceFingerprint?: string } {
+    const kp = generateEd25519KeyPair();
+    const enc = encryptPrivateKey(kp.privateKey, password);
+    const fp = fingerprint(kp.publicKeyBase64);
+
+    // First account becomes root automatically
+    const isFirstAccount = this.db.getShallow('_auth/accounts').length === 0;
+
+    const account: KeyAuthAccount = {
+      publicKey: kp.publicKeyBase64,
+      fingerprint: fp,
+      encryptedPrivateKey: enc.encrypted,
+      salt: enc.salt,
+      iv: enc.iv,
+      authTag: enc.authTag,
+      displayName,
+      roles,
+      createdAt: Date.now(),
+      lastAuth: 0,
+    };
+    this.db.set(`_auth/accounts/${fp}`, account);
+
+    if (isFirstAccount) {
+      this.initRoot(kp.publicKeyBase64);
+    }
+
+    // Auto-link calling device if provided
+    let deviceFingerprint: string | undefined;
+    if (devicePublicKey) {
+      const linked = this.linkDevice(fp, password, devicePublicKey);
+      if (linked) deviceFingerprint = linked.fingerprint;
+    }
+
+    return { publicKey: kp.publicKeyBase64, fingerprint: fp, isRoot: isFirstAccount, deviceFingerprint };
+  }
+
+  /** Register a device (client-generated keypair). No password — client holds the only copy of the private key. */
+  registerDevice(publicKeyBase64: string, displayName?: string, roles: string[] = []): { fingerprint: string } {
+    const fp = fingerprint(publicKeyBase64);
+    // If account already exists, just return its fingerprint (idempotent)
+    const existing = this.db.get(`_auth/accounts/${fp}`);
+    if (existing) return { fingerprint: fp };
+    const account: KeyAuthAccount = {
+      publicKey: publicKeyBase64,
+      fingerprint: fp,
+      encryptedPrivateKey: '', // no server-side private key
+      salt: '',
+      iv: '',
+      authTag: '',
+      displayName,
+      roles,
+      createdAt: Date.now(),
+      lastAuth: 0,
+    };
+    this.db.set(`_auth/accounts/${fp}`, account);
+    return { fingerprint: fp };
+  }
+
+  /** Challenge step: returns a nonce for the client to sign */
+  challenge(): { nonce: string; serverId: string } {
+    const nonce = generateNonce();
+    this.db.set(`_auth/nonces/${nonce}`, { createdAt: Date.now() }, { ttl: this.options.nonceTtl });
+    return { nonce, serverId: this.serverFingerprint };
+  }
+
+  /** Verify a signed nonce. Returns token + expiry or null. */
+  verify(publicKeyBase64: string, signatureBase64: string, nonce: string): { token: string; expiresAt: number } | null {
+    // Check nonce exists (one-time use)
+    const nonceData = this.db.get(`_auth/nonces/${nonce}`);
+    if (!nonceData) return null;
+    // Delete nonce immediately (prevent replay)
+    this.db.delete(`_auth/nonces/${nonce}`);
+
+    // Verify signature
+    const pubKeyDer = Buffer.from(publicKeyBase64, 'base64');
+    const sig = Buffer.from(signatureBase64, 'base64');
+    if (!verifySignature(Buffer.from(nonce), sig, new Uint8Array(pubKeyDer))) return null;
+
+    const fp = fingerprint(publicKeyBase64);
+
+    // Check if root
+    const root = this.db.get('_auth/root') as { fingerprint: string } | null;
+    const isRoot = root?.fingerprint === fp;
+
+    // Resolve account — direct account or device→account
+    let accountFp = '';
+    let roles: string[] = [];
+
+    const account = this.db.get(`_auth/accounts/${fp}`) as KeyAuthAccount | null;
+    if (account) {
+      accountFp = fp;
+      roles = account.roles;
+      this.db.set(`_auth/accounts/${fp}/lastAuth`, Date.now());
+    } else {
+      // O(1) device lookup via reverse index
+      const resolved = this._resolveDevice(fp);
+      if (resolved) {
+        accountFp = resolved.accountFp;
+        roles = resolved.roles;
+        this.db.set(`_auth/accounts/${accountFp}/devices/${fp}/lastAuth`, Date.now());
+      } else if (!isRoot) {
+        return null; // Unknown key
+      }
+    }
+
+    // Create session
+    const sid = generateSessionId();
+    const expiresAt = Date.now() + this.options.sessionTtl * 1000;
+    const session: KeyAuthSession = {
+      fingerprint: fp,
+      accountFingerprint: accountFp,
+      roles,
+      isRoot,
+      createdAt: Date.now(),
+      expiresAt,
+    };
+    this.db.set(`_auth/sessions/${sid}`, session, { ttl: this.options.sessionTtl });
+
+    const payload: KeyAuthTokenPayload = {
+      sid, fp, accountFp, roles, root: isRoot, exp: expiresAt,
+    };
+    const token = encodeToken(payload, this.serverPrivateKey);
+    return { token, expiresAt };
+  }
+
+  /** Link a device to an account (requires password to decrypt account key) */
+  linkDevice(accountFp: string, password: string, devicePublicKeyBase64: string, deviceName?: string): { fingerprint: string } | null {
+    const account = this.db.get(`_auth/accounts/${accountFp}`) as KeyAuthAccount | null;
+    if (!account) return null;
+    // Device-registered accounts have no encrypted private key
+    if (!account.encryptedPrivateKey) return null;
+
+    let accountPrivateKey: Uint8Array;
+    try {
+      accountPrivateKey = decryptPrivateKey(
+        account.encryptedPrivateKey, account.salt, account.iv, account.authTag, password,
+      );
+    } catch {
+      return null; // Wrong password
+    }
+
+    const deviceFp = fingerprint(devicePublicKeyBase64);
+    const linkedAt = Date.now();
+    const certData = Buffer.from(`${devicePublicKeyBase64}:${accountFp}:${linkedAt}`);
+    const certificate = signData(certData, accountPrivateKey);
+
+    // Wipe account private key from memory
+    accountPrivateKey.fill(0);
+
+    const device: KeyAuthDevice = {
+      publicKey: devicePublicKeyBase64,
+      fingerprint: deviceFp,
+      accountFingerprint: accountFp,
+      certificate: certificate.toString('base64'),
+      name: deviceName,
+      linkedAt,
+      lastAuth: 0,
+    };
+    this.db.set(`_auth/accounts/${accountFp}/devices/${deviceFp}`, device);
+    // Reverse index for O(1) device→account lookup
+    this.db.set(`_auth/deviceIndex/${deviceFp}`, accountFp);
+    return { fingerprint: deviceFp };
+  }
+
+  /** Validate a token, return context or null */
+  validateToken(token: string): KeyAuthContext | null {
+    const payload = decodeToken(token, this.serverPublicKey);
+    if (!payload) return null;
+    // Check expiry (with clock skew tolerance)
+    if (payload.exp + this.options.clockSkew * 1000 < Date.now()) return null;
+    // Check session still exists
+    const session = this.db.get(`_auth/sessions/${payload.sid}`);
+    if (!session) return null;
+    return {
+      sid: payload.sid,
+      fingerprint: payload.fp,
+      accountFingerprint: payload.accountFp,
+      roles: payload.roles,
+      isRoot: payload.root,
+    };
+  }
+
+  /** Change account password (re-encrypt same key pair, fingerprint stable) — atomic via update */
+  changePassword(accountFp: string, oldPassword: string, newPassword: string): boolean {
+    const account = this.db.get(`_auth/accounts/${accountFp}`) as KeyAuthAccount | null;
+    if (!account) return false;
+    // Device-registered accounts have no encrypted private key
+    if (!account.encryptedPrivateKey) return false;
+
+    let privateKey: Uint8Array;
+    try {
+      privateKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, oldPassword);
+    } catch {
+      return false;
+    }
+
+    const enc = encryptPrivateKey(privateKey, newPassword);
+    privateKey.fill(0); // Wipe
+
+    // Atomic: single update call writes all fields together
+    this.db.update({
+      [`_auth/accounts/${accountFp}/encryptedPrivateKey`]: enc.encrypted,
+      [`_auth/accounts/${accountFp}/salt`]: enc.salt,
+      [`_auth/accounts/${accountFp}/iv`]: enc.iv,
+      [`_auth/accounts/${accountFp}/authTag`]: enc.authTag,
+    });
+    return true;
+  }
+
+  /** Revoke a device */
+  revokeDevice(accountFp: string, deviceFp: string): void {
+    this.db.delete(`_auth/accounts/${accountFp}/devices/${deviceFp}`);
+    this.db.delete(`_auth/deviceIndex/${deviceFp}`);
+    this._invalidateDeviceSessions(deviceFp);
+  }
+
+  /** Check if any accounts exist (safe to call unauthenticated — no sensitive data) */
+  hasAccounts(): boolean {
+    return this.db.getShallow('_auth/accounts').length > 0;
+  }
+
+  /** Get public account info (no secrets). Returns null if not found. */
+  getAccountInfo(accountFp: string): { fingerprint: string; displayName?: string; roles: string[]; isRoot: boolean; createdAt: number } | null {
+    const account = this.db.get(`_auth/accounts/${accountFp}`) as KeyAuthAccount | null;
+    if (!account) return null;
+    const root = this.db.get('_auth/root') as { fingerprint: string } | null;
+    return {
+      fingerprint: account.fingerprint,
+      displayName: account.displayName,
+      roles: account.roles,
+      isRoot: root?.fingerprint === account.fingerprint,
+      createdAt: account.createdAt,
+    };
+  }
+
+  /** Revoke a session */
+  revokeSession(sid: string): void {
+    this.db.delete(`_auth/sessions/${sid}`);
+  }
+
+  // --- IAM ---
+
+  createRole(role: KeyAuthRole): void {
+    this.db.set(`_auth/roles/${role.id}`, role);
+  }
+
+  deleteRole(roleId: string): void {
+    this.db.delete(`_auth/roles/${roleId}`);
+  }
+
+  updateAccountRoles(accountFp: string, roles: string[]): void {
+    this.db.set(`_auth/accounts/${accountFp}/roles`, roles);
+  }
+
+  listAccounts(): KeyAuthAccount[] {
+    const shallow = this.db.getShallow('_auth/accounts');
+    return shallow.map(e => this.db.get(`_auth/accounts/${e.key}`) as KeyAuthAccount).filter(Boolean);
+  }
+
+  listRoles(): KeyAuthRole[] {
+    const shallow = this.db.getShallow('_auth/roles');
+    return shallow.map(e => this.db.get(`_auth/roles/${e.key}`) as KeyAuthRole).filter(Boolean);
+  }
+
+  getRole(roleId: string): KeyAuthRole | null {
+    return this.db.get(`_auth/roles/${roleId}`) as KeyAuthRole | null;
+  }
+
+  /** List devices linked to an account */
+  listDevices(accountFp: string): KeyAuthDevice[] {
+    const shallow = this.db.getShallow(`_auth/accounts/${accountFp}/devices`);
+    return shallow.map(e => this.db.get(`_auth/accounts/${accountFp}/devices/${e.key}`) as KeyAuthDevice).filter(Boolean);
+  }
+
+  /** List sessions, optionally filtered by account fingerprint */
+  listSessions(accountFp?: string): (KeyAuthSession & { sid: string })[] {
+    const shallow = this.db.getShallow('_auth/sessions');
+    const sessions = shallow.map(e => {
+      const s = this.db.get(`_auth/sessions/${e.key}`) as KeyAuthSession | null;
+      return s ? { ...s, sid: e.key } : null;
+    }).filter(Boolean) as (KeyAuthSession & { sid: string })[];
+    if (accountFp) return sessions.filter(s => s.accountFingerprint === accountFp);
+    return sessions;
+  }
+
+  /** Request QR-based cross-device approval (Device B calls this) */
+  requestApproval(publicKeyBase64: string): { requestId: string } {
+    const requestId = generateNonce();
+    this.db.set(`_auth/approvals/${requestId}`, {
+      publicKey: publicKeyBase64,
+      status: 'pending',
+      createdAt: Date.now(),
+    }, { ttl: 300 });
+    return { requestId };
+  }
+
+  /** Approve a pending device request (Device A, authenticated, calls this) */
+  approveDevice(requestId: string, approverAccountFp: string): { fingerprint: string; token: string; expiresAt: number } | null {
+    const approval = this.db.get(`_auth/approvals/${requestId}`) as { publicKey: string; status: string } | null;
+    if (!approval || approval.status !== 'pending') return null;
+
+    // Register the device under approver's account
+    const deviceFp = fingerprint(approval.publicKey);
+    const linkedAt = Date.now();
+    const device: KeyAuthDevice = {
+      publicKey: approval.publicKey,
+      fingerprint: deviceFp,
+      accountFingerprint: approverAccountFp,
+      certificate: '',
+      name: `QR-approved-${deviceFp.slice(0, 8)}`,
+      linkedAt,
+      lastAuth: 0,
+    };
+    this.db.set(`_auth/accounts/${approverAccountFp}/devices/${deviceFp}`, device);
+    this.db.set(`_auth/deviceIndex/${deviceFp}`, approverAccountFp);
+
+    // Create session for Device B
+    const account = this.db.get(`_auth/accounts/${approverAccountFp}`) as KeyAuthAccount | null;
+    const roles = account?.roles ?? [];
+    const sid = generateSessionId();
+    const expiresAt = Date.now() + this.options.sessionTtl * 1000;
+    const session: KeyAuthSession = {
+      fingerprint: deviceFp,
+      accountFingerprint: approverAccountFp,
+      roles,
+      isRoot: false,
+      createdAt: Date.now(),
+      expiresAt,
+    };
+    this.db.set(`_auth/sessions/${sid}`, session, { ttl: this.options.sessionTtl });
+
+    const payload: KeyAuthTokenPayload = {
+      sid, fp: deviceFp, accountFp: approverAccountFp, roles, root: false, exp: expiresAt,
+    };
+    const token = encodeToken(payload, this.serverPrivateKey);
+
+    // Mark approval as approved with token
+    this.db.set(`_auth/approvals/${requestId}`, {
+      ...approval,
+      status: 'approved',
+      accountFp: approverAccountFp,
+      token,
+      expiresAt,
+    }, { ttl: 300 });
+
+    return { fingerprint: deviceFp, token, expiresAt };
+  }
+
+  /** Poll approval status (Device B polls this) */
+  pollApproval(requestId: string): { status: 'pending' | 'approved' | 'expired'; token?: string; expiresAt?: number } | null {
+    const approval = this.db.get(`_auth/approvals/${requestId}`) as { status: string; token?: string; expiresAt?: number } | null;
+    if (!approval) return { status: 'expired' };
+    return {
+      status: approval.status as 'pending' | 'approved',
+      token: approval.token,
+      expiresAt: approval.expiresAt,
+    };
+  }
+
+  /** Auth callback compatible with TransportOptions.auth */
+  authCallback(): (token: string) => Record<string, unknown> | null {
+    return (token: string) => {
+      const ctx = this.validateToken(token);
+      if (!ctx) return null;
+      return ctx as unknown as Record<string, unknown>;
+    };
+  }
+
+  // --- Internal ---
+
+  /** Resolve a device fingerprint to its account via reverse index (O(1)) */
+  private _resolveDevice(deviceFp: string): { accountFp: string; roles: string[] } | null {
+    const accountFp = this.db.get(`_auth/deviceIndex/${deviceFp}`) as string | null;
+    if (!accountFp) return null;
+    const account = this.db.get(`_auth/accounts/${accountFp}`) as KeyAuthAccount | null;
+    if (!account) return null;
+    // Verify device still exists under account
+    const device = this.db.get(`_auth/accounts/${accountFp}/devices/${deviceFp}`);
+    if (!device) return null;
+    return { accountFp, roles: account.roles ?? [] };
+  }
+
+  /** Invalidate all sessions for a given device fingerprint */
+  private _invalidateDeviceSessions(deviceFp: string): void {
+    const sessions = this.db.getShallow('_auth/sessions');
+    for (const entry of sessions) {
+      const session = this.db.get(`_auth/sessions/${entry.key}`) as KeyAuthSession | null;
+      if (session?.fingerprint === deviceFp) {
+        this.db.delete(`_auth/sessions/${entry.key}`);
+      }
+    }
+  }
+
+  get publicKey(): string {
+    return Buffer.from(this.serverPublicKey).toString('base64');
+  }
+
+  get fp(): string {
+    return this.serverFingerprint;
+  }
+}

package/src/server/ReplicationEngine.ts

@@ -34,7 +34,7 @@ export class ReplicationOptions {
   primaryUrl?: string;
   primaryAuth?: () => string | Promise<string>;
   replicaId?: string;
-  excludePrefixes: string[] = ['_repl', '_streams', '_mq', '_admin'];
+  excludePrefixes: string[] = ['_repl', '_streams', '_mq', '_admin', '_auth'];
   /** Bootstrap replica from primary's full state before applying _repl stream */
   fullBootstrap: boolean = true;
   compact?: CompactOptions;

package/src/server/RulesEngine.ts

@@ -17,6 +17,8 @@ export interface PathRule {
 
 export class RulesEngineOptions {
   rules: Record<string, PathRule> = {};
+  /** When true, deny operations that don't match any rule (default: open) */
+  defaultDeny: boolean = false;
 }
 
 interface CompiledPathRule {
@@ -69,10 +71,10 @@ export class RulesEngine {
       }
     }
 
-    if (!bestMatch) return true;
+    if (!bestMatch) return !this.options.defaultDeny;
 
     const fn = bestMatch.rule[op];
-    if (fn === undefined) return true;
+    if (fn === undefined) return !this.options.defaultDeny;
 
     const ctx: RuleContext = {
       auth,