@camstack/server 1.0.0 → 1.0.1

package/dist/api/core/auth.router.js

@@ -0,0 +1,286 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthRouter = createAuthRouter;
+/**
+ * Auth router — core API for login/logout/me.
+ *
+ * Login validates credentials via the `user-management` capability
+ * (owned by the local-auth addon) and signs a JWT.
+ *
+ * JWT signing stays in the server — it's a transport-level concern
+ * (the server owns the secret and the HTTP session).
+ *
+ * External auth providers are listed via the `auth-provider` cap collection.
+ */
+const zod_1 = require("zod");
+const trpc_middleware_js_1 = require("../trpc/trpc.middleware.js");
+/**
+ * Login response — discriminated on `requiresTotp`.
+ *
+ *   • `requiresTotp: false` (or absent in the legacy path): the
+ *     credentials were sufficient, `token` is the real session JWT.
+ *   • `requiresTotp: true`: the user has TOTP enrolled. `token` is a
+ *     short-lived (5 min) challenge token, NOT a session. The client
+ *     prompts for a 6-digit code and submits to `loginVerifyTotp`
+ *     with `{challengeToken, code}`. Only on success does the server
+ *     mint the real session.
+ */
+const LoginResultSchema = zod_1.z.object({
+    token: zod_1.z.string(),
+    user: zod_1.z.object({
+        id: zod_1.z.string(),
+        username: zod_1.z.string(),
+        isAdmin: zod_1.z.boolean(),
+    }),
+    requiresTotp: zod_1.z.boolean().optional(),
+});
+const AuthProviderSummarySchema = zod_1.z.object({
+    id: zod_1.z.string(),
+    name: zod_1.z.string(),
+    icon: zod_1.z.string(),
+    flowType: zod_1.z.string(),
+});
+/** Wire shape of the authenticated user returned by `auth.me`. */
+const MeSchema = zod_1.z
+    .object({
+    id: zod_1.z.string(),
+    username: zod_1.z.string(),
+    isAdmin: zod_1.z.boolean(),
+    permissions: zod_1.z.object({
+        isAdmin: zod_1.z.boolean(),
+        allowedProviders: zod_1.z.union([zod_1.z.literal('*'), zod_1.z.array(zod_1.z.string())]),
+        allowedDevices: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
+    }),
+    isApiKey: zod_1.z.boolean(),
+    agentId: zod_1.z.string().optional(),
+})
+    .nullable();
+function createAuthRouter(auth, registry) {
+    return (0, trpc_middleware_js_1.trpcRouter)({
+        login: trpc_middleware_js_1.publicProcedure
+            .input(zod_1.z.object({ username: zod_1.z.string(), password: zod_1.z.string() }))
+            .output(LoginResultSchema)
+            .mutation(async ({ input }) => {
+            const userMgmt = registry?.getSingleton('user-management');
+            if (!userMgmt) {
+                // The local-auth addon owns this cap. When this fires the
+                // addon either failed to initialize or is still booting.
+                // Check the server log for `[hub/local-auth]` errors —
+                // common cause is a settings-store regression that breaks
+                // the `users` collection query path.
+                throw new Error('Login unavailable — `user-management` capability not registered. ' +
+                    'The `local-auth` addon failed to initialize; check server logs ' +
+                    'for an error tagged `[hub/local-auth]`.');
+            }
+            const user = await userMgmt.validateCredentials({
+                username: input.username,
+                password: input.password,
+            });
+            if (!user)
+                throw new Error('Invalid credentials');
+            // ── TOTP gate ────────────────────────────────────────────────
+            // After credentials validate, check whether the user has
+            // active 2FA enrollment. If yes, mint a SHORT-LIVED challenge
+            // token instead of the real session — the client must follow
+            // up via `loginVerifyTotp` with a valid 6-digit code before
+            // we hand out the actual JWT. The challenge token carries
+            // `kind: 'totp-challenge'` so it can't be replayed against
+            // protected endpoints (the auth middleware rejects anything
+            // without the standard session shape).
+            const totpStatus = typeof userMgmt.getTotpStatus === 'function'
+                ? await userMgmt.getTotpStatus({ userId: user.id })
+                : { enabled: false };
+            if (totpStatus.enabled) {
+                const challengeToken = auth.signTotpChallengeToken({
+                    userId: user.id,
+                    username: user.username,
+                    isAdmin: user.isAdmin,
+                });
+                return {
+                    token: challengeToken,
+                    user: { id: user.id, username: user.username, isAdmin: user.isAdmin },
+                    requiresTotp: true,
+                };
+            }
+            // Snapshot `scopes` into the JWT payload. Admins ignore the
+            // field (middleware bypass); for non-admins this drives the
+            // entire scope-access check until the user logs out + back in.
+            // setUserScopes mutations take effect on next login — old JWTs
+            // carry the snapshot from issue time. This is the standard JWT
+            // staleness tradeoff; if you need immediate revocation, force a
+            // logout from the admin UI.
+            const token = auth.signToken({
+                userId: user.id,
+                username: user.username,
+                isAdmin: user.isAdmin,
+                allowedProviders: user.allowedProviders ?? '*',
+                allowedDevices: user.allowedDevices ?? {},
+                scopes: user.scopes ?? [],
+            });
+            return {
+                token,
+                user: { id: user.id, username: user.username, isAdmin: user.isAdmin },
+                requiresTotp: false,
+            };
+        }),
+        /**
+         * Second leg of the 2FA login. Accepts the challenge token minted
+         * by `login` (when `requiresTotp: true`) plus the operator-entered
+         * 6-digit code. Re-validates both, then mints the real session.
+         *
+         * Failure modes:
+         *   • Invalid/expired challenge token → 401 (session timed out,
+         *     restart login).
+         *   • Code doesn't match → 401 (try again with a fresh code from
+         *     the authenticator app).
+         *   • User vanished between leg 1 and leg 2 → 401 (operator was
+         *     deleted concurrently — rare).
+         */
+        loginVerifyTotp: trpc_middleware_js_1.publicProcedure
+            .input(zod_1.z.object({ challengeToken: zod_1.z.string(), code: zod_1.z.string() }))
+            .output(LoginResultSchema)
+            .mutation(async ({ input }) => {
+            const claims = auth.verifyTotpChallengeToken(input.challengeToken);
+            if (!claims) {
+                throw new Error('Invalid or expired TOTP challenge — please re-enter your password');
+            }
+            const userMgmt = registry?.getSingleton('user-management');
+            if (!userMgmt) {
+                throw new Error('Login unavailable — `user-management` capability not registered');
+            }
+            const verify = typeof userMgmt.verifyTotp === 'function'
+                ? await userMgmt.verifyTotp({ userId: claims.userId, code: input.code.trim() })
+                : { valid: false };
+            if (!verify.valid) {
+                throw new Error('Invalid TOTP code');
+            }
+            // Re-fetch the user record so scopes / allowedDevices reflect
+            // any admin change made between the two legs. Without this we
+            // could mint a stale-scope session.
+            const fresh = typeof userMgmt.listUsers === 'function'
+                ? (await userMgmt.listUsers()).find((u) => u.id === claims.userId)
+                : null;
+            if (!fresh) {
+                throw new Error('User no longer exists');
+            }
+            const sessionToken = auth.signToken({
+                userId: fresh.id,
+                username: fresh.username,
+                isAdmin: fresh.isAdmin,
+                allowedProviders: fresh.allowedProviders ?? '*',
+                allowedDevices: fresh.allowedDevices ?? {},
+                scopes: fresh.scopes ?? [],
+            });
+            return {
+                token: sessionToken,
+                user: { id: fresh.id, username: fresh.username, isAdmin: fresh.isAdmin },
+                requiresTotp: false,
+            };
+        }),
+        me: trpc_middleware_js_1.protectedProcedure
+            .input(zod_1.z.void())
+            .output(MeSchema)
+            .query(({ ctx }) => ctx.user),
+        // ── Self-service profile operations ───────────────────────────────
+        //
+        // These route through the `user-management` capability provider but
+        // bind `userId` to the CALLER's session identity (`ctx.user.id`)
+        // — i.e. every authenticated user can manage THEIR OWN password and
+        // TOTP enrollment, without the admin gate that the corresponding
+        // cap methods enforce on the trpc layer.
+        //
+        // Provider methods themselves don't check admin status, so calling
+        // them directly here is fine. The trpc admin-gate on the cap router
+        // exists only to block third-party tampering — operators acting on
+        // themselves bypass it intentionally.
+        changeOwnPassword: trpc_middleware_js_1.protectedProcedure
+            .input(zod_1.z.object({
+            currentPassword: zod_1.z.string().min(1),
+            newPassword: zod_1.z.string().min(8),
+        }))
+            .output(zod_1.z.object({ success: zod_1.z.literal(true) }))
+            .mutation(async ({ input, ctx }) => {
+            const userMgmt = registry?.getSingleton('user-management');
+            if (!userMgmt)
+                throw new Error('user-management capability not available');
+            if (!ctx.user)
+                throw new Error('Not authenticated');
+            // Re-validate the current password against the live store to
+            // confirm session identity → password ownership match. Stops a
+            // stolen session-token from rotating credentials silently.
+            const ok = await userMgmt.validateCredentials({
+                username: ctx.user.username,
+                password: input.currentPassword,
+            });
+            if (!ok)
+                throw new Error('Current password is incorrect');
+            await userMgmt.resetPassword({ id: ctx.user.id, newPassword: input.newPassword });
+            return { success: true };
+        }),
+        setupOwnTotp: trpc_middleware_js_1.protectedProcedure
+            .input(zod_1.z.void())
+            .output(zod_1.z.object({ secret: zod_1.z.string(), otpauthUrl: zod_1.z.string() }))
+            .mutation(async ({ ctx }) => {
+            const userMgmt = registry?.getSingleton('user-management');
+            if (!userMgmt)
+                throw new Error('user-management capability not available');
+            if (!ctx.user)
+                throw new Error('Not authenticated');
+            return userMgmt.setupTotp({ userId: ctx.user.id });
+        }),
+        confirmOwnTotp: trpc_middleware_js_1.protectedProcedure
+            .input(zod_1.z.object({ code: zod_1.z.string().min(1) }))
+            .output(zod_1.z.object({ success: zod_1.z.literal(true) }))
+            .mutation(async ({ input, ctx }) => {
+            const userMgmt = registry?.getSingleton('user-management');
+            if (!userMgmt)
+                throw new Error('user-management capability not available');
+            if (!ctx.user)
+                throw new Error('Not authenticated');
+            return userMgmt.confirmTotp({ userId: ctx.user.id, code: input.code });
+        }),
+        disableOwnTotp: trpc_middleware_js_1.protectedProcedure
+            .input(zod_1.z.void())
+            .output(zod_1.z.object({ success: zod_1.z.literal(true) }))
+            .mutation(async ({ ctx }) => {
+            const userMgmt = registry?.getSingleton('user-management');
+            if (!userMgmt)
+                throw new Error('user-management capability not available');
+            if (!ctx.user)
+                throw new Error('Not authenticated');
+            return userMgmt.disableTotp({ userId: ctx.user.id });
+        }),
+        getOwnTotpStatus: trpc_middleware_js_1.protectedProcedure
+            .input(zod_1.z.void())
+            .output(zod_1.z.object({ enabled: zod_1.z.boolean(), confirmedAt: zod_1.z.number().nullable() }))
+            .query(async ({ ctx }) => {
+            const userMgmt = registry?.getSingleton('user-management');
+            if (!userMgmt || !ctx.user)
+                return { enabled: false, confirmedAt: null };
+            return userMgmt.getTotpStatus({ userId: ctx.user.id });
+        }),
+        logout: trpc_middleware_js_1.protectedProcedure
+            .input(zod_1.z.void())
+            .output(zod_1.z.object({ success: zod_1.z.literal(true) }))
+            .mutation(() => ({ success: true })),
+        listProviders: trpc_middleware_js_1.publicProcedure
+            .input(zod_1.z.void())
+            .output(zod_1.z.array(AuthProviderSummarySchema).readonly())
+            .query(() => {
+            if (!registry)
+                return [];
+            // Validate each auth-provider entry independently. A single
+            // malformed entry (e.g. an auth addon that registers without an
+            // `icon`) must NOT sink the whole array through the tRPC output
+            // validator — that would 500 the query and lock every login
+            // method out of the UI. Drop the bad entry, keep the rest.
+            const out = [];
+            for (const entry of registry.getCollection('auth-provider')) {
+                const parsed = AuthProviderSummarySchema.safeParse(entry);
+                if (parsed.success)
+                    out.push(parsed.data);
+            }
+            return out;
+        }),
+    });
+}

package/dist/api/core/bulk-update-coordinator.js

@@ -0,0 +1,229 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BulkUpdateCoordinator = void 0;
+/* eslint-disable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-argument -- The server installs @camstack/types@0.1.38 (last published) in server/backend/node_modules, while the workspace has 0.1.39 with the new BulkUpdate* types. ESLint's type-checker resolves against 0.1.38 and treats the new imports as `any`. Runtime is correct because Node module resolution walks up to root node_modules → workspace symlink. This disable mirrors the pattern in cap-providers.ts (same root cause). Will resolve when 0.1.39 is published and the local dist is synced. */
+const node_crypto_1 = require("node:crypto");
+const types_1 = require("@camstack/types");
+const DEFAULT_CLEANUP_AFTER_MS = 5 * 60 * 1_000;
+class BulkUpdateCoordinator {
+    deps;
+    states = new Map();
+    cancelFlags = new Map();
+    /**
+     * Tracks wall-clock time (ms) when each bulk completed. Used for lazy
+     * cleanup in `get()` — avoids scheduling a fake-timer `setTimeout` that
+     * would be eagerly fired by `vi.runAllTimersAsync()` in tests.
+     */
+    completedWallMs = new Map();
+    /** Tracks which nodeIds currently have an active (non-completed) bulk update. */
+    activeNodeIds = new Set();
+    now;
+    cleanupAfterMs;
+    /** Wall-clock source. Fake timers intercept `Date.now`, so tests can advance via `advanceTimersByTimeAsync`. */
+    wallNow;
+    constructor(deps) {
+        this.deps = deps;
+        this.now = deps.clock ?? (() => Date.now());
+        this.cleanupAfterMs = deps.cleanupAfterMs ?? DEFAULT_CLEANUP_AFTER_MS;
+        this.wallNow = () => Date.now();
+    }
+    // ── Public API ────────────────────────────────────────────────────
+    start(input) {
+        if (this.activeNodeIds.has(input.nodeId)) {
+            throw new Error(`Bulk update already in progress for node ${input.nodeId}`);
+        }
+        const id = (0, node_crypto_1.randomUUID)();
+        const items = input.items.map((i) => ({
+            name: i.name,
+            isSystem: i.isSystem,
+            // fromVersion: the cap interface receives name+version+isSystem only;
+            // the caller (cap-providers.ts) may enrich this with the current version
+            // if available. Empty string is acceptable per plan spec.
+            fromVersion: '',
+            toVersion: i.version,
+            status: 'queued',
+        }));
+        const state = {
+            id,
+            nodeId: input.nodeId,
+            startedAtMs: this.now(),
+            total: items.length,
+            completed: 0,
+            failed: 0,
+            current: null,
+            phase: 'regular',
+            cancelled: false,
+            items,
+        };
+        this.states.set(id, state);
+        this.activeNodeIds.add(input.nodeId);
+        const cancelFlag = { cancelled: false };
+        this.cancelFlags.set(id, cancelFlag);
+        // Emit initial state so clients see the bulk as started immediately
+        this.emit(state);
+        void this.runLoop(id, cancelFlag).catch((err) => {
+            this.deps.logger.error('BulkUpdateCoordinator: loop crashed unexpectedly', err);
+        });
+        return { id };
+    }
+    get(id) {
+        const state = this.states.get(id);
+        if (state === undefined)
+            return null;
+        // Lazy cleanup: purge if the wall-clock elapsed since completion exceeds threshold.
+        // This avoids scheduling a long-lived setTimeout that would be eagerly fired
+        // by vi.runAllTimersAsync() in tests.
+        const completedWall = this.completedWallMs.get(id);
+        if (completedWall !== undefined && this.wallNow() - completedWall >= this.cleanupAfterMs) {
+            this.purge(id);
+            return null;
+        }
+        return state;
+    }
+    list(nodeId) {
+        const all = [...this.states.keys()]
+            .map((id) => this.get(id)) // get() applies lazy-cleanup
+            .filter((s) => s !== null);
+        return nodeId === undefined ? all : all.filter((s) => s.nodeId === nodeId);
+    }
+    cancel(id) {
+        const state = this.states.get(id);
+        const flag = this.cancelFlags.get(id);
+        if (state === undefined || flag === undefined)
+            return { cancelled: false };
+        // Once restarting, the hub restart is committed — cancel has no effect.
+        if (state.phase === 'restarting')
+            return { cancelled: false };
+        // Already completed.
+        if (state.completedAtMs !== undefined)
+            return { cancelled: false };
+        flag.cancelled = true;
+        this.mutate(id, (s) => ({ ...s, cancelled: true }));
+        return { cancelled: true };
+    }
+    // ── Internal loop ─────────────────────────────────────────────────
+    async runLoop(id, cancelFlag) {
+        const initial = this.states.get(id);
+        // ── Phase 1: regular addons ──────────────────────────────────────
+        this.transitionPhase(id, 'regular');
+        for (const item of initial.items.filter((i) => !i.isSystem)) {
+            if (cancelFlag.cancelled)
+                break;
+            await this.processItem(id, item, false);
+        }
+        // ── Phase 2: system packages (deferRestart: true) ────────────────
+        if (!cancelFlag.cancelled && initial.items.some((i) => i.isSystem)) {
+            this.transitionPhase(id, 'system');
+            for (const item of initial.items.filter((i) => i.isSystem)) {
+                if (cancelFlag.cancelled)
+                    break;
+                await this.processItem(id, item, true);
+            }
+            // ── Phase 3: single restart ──────────────────────────────────
+            const anySystemPendingRestart = this.states
+                .get(id)
+                .items.some((i) => i.isSystem && i.status === 'done-pending-restart');
+            if (anySystemPendingRestart && !cancelFlag.cancelled) {
+                this.transitionPhase(id, 'restarting');
+                try {
+                    await this.deps.restartServer({ confirm: true });
+                    // NOTE: In production, restartServer kills+respawns the hub process.
+                    // Code below this point will not execute in that scenario.
+                    // If the mock/stub returns (e.g. in tests), we fall through to finalizing.
+                }
+                catch (err) {
+                    // Restart failed but the npm installs already completed. Promote all
+                    // done-pending-restart items to done with a caveat error so the UI
+                    // can inform the user that a manual restart is needed.
+                    this.deps.logger.error('BulkUpdateCoordinator: restart failed', err);
+                    const errMsg = err instanceof Error ? err.message : String(err);
+                    for (const it of this.states.get(id).items) {
+                        if (it.status === 'done-pending-restart') {
+                            this.setItemStatus(id, it.name, 'done', {
+                                error: `Restart failed; manual restart required (${errMsg})`,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        // ── Phase 4: finalize ────────────────────────────────────────────
+        // Reached when:
+        //  a) no system packages at all, OR
+        //  b) restart failed (process continued), OR
+        //  c) cancelled before the restart phase.
+        this.transitionPhase(id, 'finalizing');
+        this.completeBulk(id);
+    }
+    async processItem(id, item, isSystem) {
+        this.setItemStatus(id, item.name, 'updating', { startedAtMs: this.now() });
+        this.mutate(id, (s) => ({ ...s, current: item.name }));
+        this.emit(this.states.get(id));
+        try {
+            if (isSystem) {
+                await this.deps.updateFrameworkPackage({
+                    packageName: item.name,
+                    version: item.toVersion,
+                    deferRestart: true,
+                });
+                this.setItemStatus(id, item.name, 'done-pending-restart', { completedAtMs: this.now() });
+            }
+            else {
+                await this.deps.updateAddon({ name: item.name, version: item.toVersion });
+                this.setItemStatus(id, item.name, 'done', { completedAtMs: this.now() });
+            }
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            this.setItemStatus(id, item.name, 'failed', { error: msg, completedAtMs: this.now() });
+        }
+        this.mutate(id, (s) => ({ ...s, current: null }));
+        this.emit(this.states.get(id));
+    }
+    // ── State mutation helpers ────────────────────────────────────────
+    setItemStatus(id, name, status, fields = {}) {
+        this.mutate(id, (s) => {
+            const items = s.items.map((it) => (it.name === name ? { ...it, status, ...fields } : it));
+            // completed = all terminal states: done | done-pending-restart | failed
+            const completed = items.filter((it) => it.status === 'done' || it.status === 'done-pending-restart' || it.status === 'failed').length;
+            const failed = items.filter((it) => it.status === 'failed').length;
+            return { ...s, items, completed, failed };
+        });
+    }
+    transitionPhase(id, phase) {
+        this.mutate(id, (s) => ({ ...s, phase }));
+        this.emit(this.states.get(id));
+    }
+    completeBulk(id) {
+        this.mutate(id, (s) => ({ ...s, completedAtMs: this.now(), current: null }));
+        this.emit(this.states.get(id));
+        // Free the nodeId slot so a new bulk for the same node can be started
+        const nodeId = this.states.get(id).nodeId;
+        this.activeNodeIds.delete(nodeId);
+        // Record wall-clock completion time for lazy cleanup in `get()`.
+        // We intentionally avoid scheduling a setTimeout here: a long-lived
+        // setTimeout (5 min) would be eagerly fired by vi.runAllTimersAsync()
+        // in tests, causing `get()` to return null immediately after the run.
+        // Instead, `get()` lazily checks whether the cleanup threshold has
+        // elapsed using Date.now() — which fake timers DO advance via
+        // advanceTimersByTimeAsync(), making the cleanup testable without
+        // a long-running timer.
+        this.completedWallMs.set(id, this.wallNow());
+    }
+    purge(id) {
+        this.states.delete(id);
+        this.cancelFlags.delete(id);
+        this.completedWallMs.delete(id);
+    }
+    /** Immutably update the state for the given id. No-op if id is unknown. */
+    mutate(id, update) {
+        const current = this.states.get(id);
+        if (current === undefined)
+            return;
+        this.states.set(id, update(current));
+    }
+    emit(state) {
+        this.deps.eventBus.emit(types_1.EventCategory.AddonsBulkUpdateProgress, state);
+    }
+}
+exports.BulkUpdateCoordinator = BulkUpdateCoordinator;