@cuongtran001/kanna 0.39.2

package/src/server/auth.test.ts

@@ -0,0 +1,329 @@
+import { afterEach, describe, expect, test } from "bun:test"
+import { mkdtemp, rm } from "node:fs/promises"
+import { tmpdir } from "node:os"
+import path from "node:path"
+import { persistProjectUpload } from "./uploads"
+import { startKannaServer } from "./server"
+
+const tempDirs: string[] = []
+
+afterEach(async () => {
+  await Promise.all(tempDirs.splice(0).map((dir) => rm(dir, { recursive: true, force: true })))
+})
+
+async function startPasswordServer(options: { trustProxy?: boolean; port?: number } = {}) {
+  const projectDir = await mkdtemp(path.join(tmpdir(), "kanna-auth-test-"))
+  const dataDir = await mkdtemp(path.join(tmpdir(), "kanna-auth-data-"))
+  tempDirs.push(projectDir)
+  tempDirs.push(dataDir)
+  const server = await startKannaServer({
+    dataDir,
+    port: options.port ?? 4320,
+    strictPort: true,
+    password: "secret",
+    trustProxy: options.trustProxy ?? false,
+  })
+  const project = await server.store.openProject(projectDir, "Project")
+  return { server, projectDir, project }
+}
+
+function extractCookie(response: Response) {
+  const header = response.headers.get("set-cookie")
+  expect(header).toBeTruthy()
+  return header!.split(";", 1)[0]
+}
+
+describe("password auth", () => {
+  test("serves the app shell to unauthenticated browser requests", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/chat/demo`, { headers: { Accept: "text/html" } })
+      expect(response.status).toBe(200)
+      expect(response.headers.get("cache-control")).toBe("no-store")
+      expect(response.headers.get("content-type")).toContain("text/html")
+      expect(await response.text()).toContain('id="root"')
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("serves health checks without authentication", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/health`, { redirect: "manual" })
+      expect(response.status).toBe(200)
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("blocks unauthenticated api requests", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/api/projects/project-1/uploads`, { redirect: "manual" })
+      expect(response.status).toBe(401)
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("redirects /auth/login back into the app", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/auth/login?next=%2Fchat%2Fdemo`, { redirect: "manual" })
+      expect(response.status).toBe(302)
+      expect(response.headers.get("location")).toBe(`http://localhost:${server.port}/chat/demo`)
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("sets a session cookie after a successful login", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `http://localhost:${server.port}`,
+        },
+      })
+
+      expect(response.status).toBe(200)
+      expect(extractCookie(response)).toContain("kanna_session=")
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("rejects an invalid password", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "wrong", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `http://localhost:${server.port}`,
+        },
+      })
+
+      expect(response.status).toBe(401)
+      expect(response.headers.get("set-cookie")).toBeNull()
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("rejects cross-origin login attempts", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: "http://evil.test",
+        },
+      })
+
+      expect(response.status).toBe(403)
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("allows authenticated access to protected routes", async () => {
+    const { server, project, projectDir } = await startPasswordServer()
+
+    try {
+      const attachment = await persistProjectUpload({
+        projectId: project.id,
+        localPath: projectDir,
+        fileName: "hello.txt",
+        bytes: new TextEncoder().encode("hello from upload"),
+        fallbackMimeType: "text/plain",
+      })
+
+      const loginResponse = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `http://localhost:${server.port}`,
+        },
+      })
+      const cookie = extractCookie(loginResponse)
+
+      const healthResponse = await fetch(`http://localhost:${server.port}/health`, {
+        headers: {
+          Cookie: cookie,
+        },
+      })
+      expect(healthResponse.status).toBe(200)
+
+      const contentResponse = await fetch(`http://localhost:${server.port}${attachment.contentUrl}`, {
+        headers: {
+          Cookie: cookie,
+        },
+      })
+      expect(contentResponse.status).toBe(200)
+      expect(await contentResponse.text()).toBe("hello from upload")
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("ignores forwarded proto when trustProxy is off", async () => {
+    const { server } = await startPasswordServer({ port: 54321 })
+
+    try {
+      const response = await fetch(`http://localhost:${server.port}/auth/login?next=%2F`, {
+        redirect: "manual",
+        headers: {
+          "X-Forwarded-Proto": "https",
+        },
+      })
+      expect(response.status).toBe(302)
+      expect(response.headers.get("location")).toBe(`http://localhost:${server.port}/`)
+
+      const loginResponse = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: "https://evil.test",
+          "X-Forwarded-Proto": "https",
+        },
+      })
+      expect(loginResponse.status).toBe(403)
+
+      const goodLoginResponse = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `http://localhost:${server.port}`,
+          "X-Forwarded-Proto": "https",
+        },
+      })
+      expect(goodLoginResponse.status).toBe(200)
+      const cookieHeader = goodLoginResponse.headers.get("set-cookie") ?? ""
+      expect(cookieHeader).not.toContain("Secure")
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("honors forwarded proto when trustProxy is on", async () => {
+    const { server } = await startPasswordServer({ port: 54322, trustProxy: true })
+
+    try {
+      const redirect = await fetch(`http://localhost:${server.port}/auth/login?next=%2F`, {
+        redirect: "manual",
+        headers: {
+          "X-Forwarded-Proto": "https",
+        },
+      })
+      expect(redirect.status).toBe(302)
+      expect(redirect.headers.get("location")).toBe(`https://localhost:${server.port}/`)
+
+      const loginResponse = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `https://localhost:${server.port}`,
+          "X-Forwarded-Proto": "https",
+        },
+      })
+      expect(loginResponse.status).toBe(200)
+      expect(loginResponse.headers.get("set-cookie") ?? "").toContain("Secure")
+
+      const evilResponse = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `http://localhost:${server.port}`,
+        },
+      })
+      expect(evilResponse.status).toBe(200)
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("ignores invalid forwarded proto values", async () => {
+    const { server } = await startPasswordServer({ port: 54323, trustProxy: true })
+
+    try {
+      const redirect = await fetch(`http://localhost:${server.port}/auth/login?next=%2F`, {
+        redirect: "manual",
+        headers: {
+          "X-Forwarded-Proto": "ftp",
+        },
+      })
+      expect(redirect.status).toBe(302)
+      expect(redirect.headers.get("location")).toBe(`http://localhost:${server.port}/`)
+
+      const loginResponse = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `http://localhost:${server.port}`,
+          "X-Forwarded-Proto": "ftp",
+        },
+      })
+      expect(loginResponse.status).toBe(200)
+      expect(loginResponse.headers.get("set-cookie") ?? "").not.toContain("Secure")
+    } finally {
+      await server.stop()
+    }
+  })
+
+  test("clears the session cookie on logout", async () => {
+    const { server } = await startPasswordServer()
+
+    try {
+      const loginResponse = await fetch(`http://localhost:${server.port}/auth/login`, {
+        method: "POST",
+        body: JSON.stringify({ password: "secret", next: "/" }),
+        headers: {
+          "Content-Type": "application/json",
+          Origin: `http://localhost:${server.port}`,
+        },
+      })
+      const cookie = extractCookie(loginResponse)
+
+      const logoutResponse = await fetch(`http://localhost:${server.port}/auth/logout`, {
+        method: "POST",
+        headers: {
+          Cookie: cookie,
+          Origin: `http://localhost:${server.port}`,
+        },
+      })
+
+      expect(logoutResponse.status).toBe(200)
+      expect(logoutResponse.headers.get("set-cookie")).toContain("Max-Age=0")
+
+      const healthResponse = await fetch(`http://localhost:${server.port}/health`, {
+        headers: {
+          Cookie: cookie,
+        },
+      })
+      expect(healthResponse.status).toBe(200)
+    } finally {
+      await server.stop()
+    }
+  })
+})

package/src/server/auth.ts

@@ -0,0 +1,204 @@
+import { randomBytes, timingSafeEqual } from "node:crypto"
+
+const SESSION_COOKIE_NAME = "kanna_session"
+
+export interface AuthStatusPayload {
+  enabled: boolean
+  authenticated: boolean
+}
+
+export interface AuthManager {
+  isAuthenticated(req: Request): boolean
+  validateOrigin(req: Request): boolean
+  redirectToApp(req: Request): Response
+  handleLogin(req: Request, nextPath: string): Promise<Response>
+  handleLogout(req: Request): Response
+  handleStatus(req: Request): Response
+}
+
+function parseCookies(header: string | null) {
+  const cookies = new Map<string, string>()
+  if (!header) return cookies
+
+  for (const segment of header.split(";")) {
+    const trimmed = segment.trim()
+    if (!trimmed) continue
+    const separator = trimmed.indexOf("=")
+    if (separator <= 0) continue
+    const key = trimmed.slice(0, separator).trim()
+    const value = trimmed.slice(separator + 1).trim()
+    cookies.set(key, decodeURIComponent(value))
+  }
+
+  return cookies
+}
+
+function sanitizeNextPath(nextPath: string | null | undefined) {
+  if (!nextPath || typeof nextPath !== "string") return "/"
+  if (!nextPath.startsWith("/")) return "/"
+  if (nextPath.startsWith("//")) return "/"
+  if (nextPath.startsWith("/auth/login")) return "/"
+  return nextPath
+}
+
+function forwardedProto(req: Request): "http" | "https" | null {
+  const xfp = req.headers.get("x-forwarded-proto")
+  if (!xfp) return null
+  const value = xfp.split(",")[0]?.trim().toLowerCase()
+  return value === "http" || value === "https" ? value : null
+}
+
+function effectiveOrigin(req: Request, trustProxy: boolean): string {
+  const url = new URL(req.url)
+  if (!trustProxy) return url.origin
+  const proto = forwardedProto(req)
+  const scheme = proto ?? url.protocol.replace(":", "")
+  return `${scheme}://${url.host}`
+}
+
+function shouldUseSecureCookie(req: Request, trustProxy: boolean) {
+  if (trustProxy) {
+    const proto = forwardedProto(req)
+    if (proto) return proto === "https"
+  }
+  return new URL(req.url).protocol === "https:"
+}
+
+function buildCookie(name: string, value: string, req: Request, trustProxy: boolean, extras: string[] = []) {
+  const parts = [
+    `${name}=${encodeURIComponent(value)}`,
+    "Path=/",
+    "HttpOnly",
+    "SameSite=Strict",
+  ]
+
+  if (shouldUseSecureCookie(req, trustProxy)) {
+    parts.push("Secure")
+  }
+
+  parts.push(...extras)
+  return parts.join("; ")
+}
+
+async function readLoginForm(req: Request) {
+  const contentType = req.headers.get("content-type") ?? ""
+
+  if (contentType.includes("application/json")) {
+    const payload = await req.json() as { password?: unknown; next?: unknown }
+    return {
+      password: typeof payload.password === "string" ? payload.password : "",
+      nextPath: sanitizeNextPath(typeof payload.next === "string" ? payload.next : "/"),
+    }
+  }
+
+  const formData = await req.formData()
+  return {
+    password: String(formData.get("password") ?? ""),
+    nextPath: sanitizeNextPath(String(formData.get("next") ?? "/")),
+  }
+}
+
+export interface AuthManagerOptions {
+  /**
+   * When true, the auth layer trusts X-Forwarded-Proto to decide whether the
+   * public origin is http or https. The hostname always comes from the Host
+   * header (never X-Forwarded-Host) because X-Forwarded-Host is passed
+   * through by some tunnels unmodified and would otherwise allow open
+   * redirects.
+   * Enable only when the server is reachable solely through a trusted reverse
+   * proxy such as cloudflared.
+   */
+  trustProxy?: boolean
+}
+
+export function createAuthManager(password: string, options: AuthManagerOptions = {}): AuthManager {
+  const sessions = new Set<string>()
+  const expectedPassword = Buffer.from(password)
+  const trustProxy = options.trustProxy ?? false
+
+  function getSessionToken(req: Request) {
+    return parseCookies(req.headers.get("cookie")).get(SESSION_COOKIE_NAME) ?? null
+  }
+
+  function isAuthenticated(req: Request) {
+    const sessionToken = getSessionToken(req)
+    return Boolean(sessionToken && sessions.has(sessionToken))
+  }
+
+  function validateOrigin(req: Request) {
+    const origin = req.headers.get("origin")
+    if (!origin) return true
+    if (origin === new URL(req.url).origin) return true
+    if (!trustProxy) return false
+    return origin === effectiveOrigin(req, trustProxy)
+  }
+
+  function createSessionCookie(req: Request) {
+    const sessionToken = randomBytes(32).toString("base64url")
+    sessions.add(sessionToken)
+    return buildCookie(SESSION_COOKIE_NAME, sessionToken, req, trustProxy)
+  }
+
+  function clearSessionCookie(req: Request) {
+    const sessionToken = getSessionToken(req)
+    if (sessionToken) {
+      sessions.delete(sessionToken)
+    }
+    return buildCookie(SESSION_COOKIE_NAME, "", req, trustProxy, ["Max-Age=0"])
+  }
+
+  function verifyPassword(candidate: string) {
+    const actual = Buffer.from(candidate)
+    if (actual.length !== expectedPassword.length) {
+      return false
+    }
+    return timingSafeEqual(actual, expectedPassword)
+  }
+
+  function handleStatus(req: Request) {
+    return Response.json({
+      enabled: true,
+      authenticated: isAuthenticated(req),
+    } satisfies AuthStatusPayload)
+  }
+
+  function redirectToApp(req: Request) {
+    const currentUrl = new URL(req.url)
+    return Response.redirect(new URL(sanitizeNextPath(currentUrl.searchParams.get("next")), effectiveOrigin(req, trustProxy)), 302)
+  }
+
+  async function handleLogin(req: Request, fallbackNextPath: string) {
+    if (!validateOrigin(req)) {
+      return Response.json({ error: "Forbidden" }, { status: 403 })
+    }
+
+    const { password: candidate, nextPath } = await readLoginForm(req)
+    if (!verifyPassword(candidate)) {
+      return Response.json({ error: "Invalid password" }, { status: 401 })
+    }
+
+    const response = Response.json({ ok: true, nextPath: sanitizeNextPath(nextPath || fallbackNextPath) })
+
+    response.headers.set("Set-Cookie", createSessionCookie(req))
+    return response
+  }
+
+  function handleLogout(req: Request) {
+    if (!validateOrigin(req)) {
+      return Response.json({ error: "Forbidden" }, { status: 403 })
+    }
+
+    const response = Response.json({ ok: true })
+    response.headers.set("Set-Cookie", clearSessionCookie(req))
+    return response
+  }
+
+  return {
+    isAuthenticated,
+    validateOrigin,
+    redirectToApp,
+    handleLogin,
+    handleLogout,
+    handleStatus,
+  }
+}