@fentz26/envcp 1.0.1 → 1.0.2

package/src/server/unified.ts

@@ -3,9 +3,8 @@ import { RESTAdapter } from '../adapters/rest.js';
 import { OpenAIAdapter } from '../adapters/openai.js';
 import { GeminiAdapter } from '../adapters/gemini.js';
 import { EnvCPServer } from '../mcp/server.js';
-import { setCorsHeaders, sendJson, parseBody, validateApiKey } from '../utils/http.js';
+import { setCorsHeaders, sendJson, parseBody, validateApiKey, RateLimiter, rateLimitMiddleware } from '../utils/http.js';
 import * as http from 'http';
-import * as url from 'url';
 
 export class UnifiedServer {
   private config: EnvCPConfig;
@@ -18,6 +17,7 @@ export class UnifiedServer {
   private geminiAdapter: GeminiAdapter | null = null;
   private mcpServer: EnvCPServer | null = null;
   private httpServer: http.Server | null = null;
+  private rateLimiter: RateLimiter = new RateLimiter(60, 60000);
 
   constructor(config: EnvCPConfig, serverConfig: ServerConfig, projectPath: string, password?: string) {
     this.config = config;
@@ -29,8 +29,7 @@ export class UnifiedServer {
   // Detect client type from request headers
   detectClientType(req: http.IncomingMessage): ClientType {
     const userAgent = req.headers['user-agent']?.toLowerCase() || '';
-    const contentType = req.headers['content-type'] || '';
-    const pathname = url.parse(req.url || '/', true).pathname || '/';
+    const pathname = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`).pathname;
 
     // Check for OpenAI-style requests
     if (pathname.startsWith('/v1/chat') ||
@@ -111,7 +110,7 @@ export class UnifiedServer {
 
     // Auto or All mode - unified server that routes based on detection
     this.httpServer = http.createServer(async (req, res) => {
-      setCorsHeaders(res);
+      setCorsHeaders(res, undefined, req.headers.origin);
 
       if (req.method === 'OPTIONS') {
         res.writeHead(204);
@@ -119,6 +118,10 @@ export class UnifiedServer {
         return;
       }
 
+      if (!rateLimitMiddleware(this.rateLimiter, req, res)) {
+        return;
+      }
+
       // API key validation
       if (api_key) {
         const providedKey = (req.headers['x-api-key'] ||
@@ -130,8 +133,8 @@ export class UnifiedServer {
         }
       }
 
-      const parsedUrl = url.parse(req.url || '/', true);
-      const pathname = parsedUrl.pathname || '/';
+      const parsedUrl = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+      const pathname = parsedUrl.pathname;
 
       // Root endpoint - show server info and detected mode
       if (pathname === '/' && req.method === 'GET') {
@@ -159,7 +162,7 @@ export class UnifiedServer {
       }
 
       // Force mode query param
-      const forceMode = parsedUrl.query.mode as string | undefined;
+      const forceMode = parsedUrl.searchParams.get('mode') || undefined;
       if (forceMode && ['rest', 'openai', 'gemini'].includes(forceMode)) {
         clientType = forceMode as ClientType;
       }
@@ -201,11 +204,19 @@ export class UnifiedServer {
           },
         });
 
-      } catch (error: any) {
-        sendJson(res, 500, { error: error.message });
+      } catch (error: unknown) {
+        const message = error instanceof Error ? error.message : String(error);
+        sendJson(res, 500, { error: message });
       }
     });
 
+    const shutdown = () => {
+      this.stop();
+      process.exit(0);
+    };
+    process.on('SIGTERM', shutdown);
+    process.on('SIGINT', shutdown);
+
     return new Promise((resolve) => {
       this.httpServer!.listen(port, host, () => {
         resolve();
@@ -215,7 +226,7 @@ export class UnifiedServer {
 
   private async handleRESTRequest(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {
     // Delegate to REST adapter's internal handling
-    const parsedUrl = url.parse(req.url || '/', true);
+    const parsedUrl = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
     const pathname = parsedUrl.pathname || '/';
     const segments = pathname.split('/').filter(Boolean);
 
@@ -224,7 +235,7 @@ export class UnifiedServer {
       return;
     }
 
-    const body = await parseBody(req);
+    const body = (req.method === 'POST' || req.method === 'PUT' || req.method === 'PATCH') ? await parseBody(req) : {};
 
     try {
       if (segments[0] === 'api') {
@@ -262,7 +273,7 @@ export class UnifiedServer {
             return;
           }
           if (segments[2] && req.method === 'GET') {
-            const result = await this.restAdapter.callTool('envcp_get', { name: segments[2], show_value: parsedUrl.query.show_value === 'true' });
+            const result = await this.restAdapter.callTool('envcp_get', { name: segments[2], show_value: parsedUrl.searchParams.get('show_value') === 'true' });
             sendJson(res, 200, { success: true, data: result, timestamp: new Date().toISOString() });
             return;
           }
@@ -295,8 +306,9 @@ export class UnifiedServer {
 
       sendJson(res, 404, { success: false, error: 'Not found', timestamp: new Date().toISOString() });
 
-    } catch (error: any) {
-      sendJson(res, 500, { success: false, error: error.message, timestamp: new Date().toISOString() });
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      sendJson(res, 500, { success: false, error: message, timestamp: new Date().toISOString() });
     }
   }
 
@@ -306,9 +318,9 @@ export class UnifiedServer {
       return;
     }
 
-    const parsedUrl = url.parse(req.url || '/', true);
+    const parsedUrl = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
     const pathname = parsedUrl.pathname || '/';
-    const body = await parseBody(req);
+    const body = req.method === 'POST' ? await parseBody(req) : {};
 
     try {
       if (pathname === '/v1/models' && req.method === 'GET') {
@@ -366,8 +378,9 @@ export class UnifiedServer {
 
       sendJson(res, 404, { error: { message: 'Not found', type: 'not_found' } });
 
-    } catch (error: any) {
-      sendJson(res, 500, { error: { message: error.message, type: 'internal_error' } });
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      sendJson(res, 500, { error: { message, type: 'internal_error' } });
     }
   }
 
@@ -377,9 +390,9 @@ export class UnifiedServer {
       return;
     }
 
-    const parsedUrl = url.parse(req.url || '/', true);
+    const parsedUrl = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
     const pathname = parsedUrl.pathname || '/';
-    const body = await parseBody(req);
+    const body = req.method === 'POST' ? await parseBody(req) : {};
 
     try {
       if (pathname === '/v1/tools' && req.method === 'GET') {
@@ -436,8 +449,9 @@ export class UnifiedServer {
 
       sendJson(res, 404, { error: { code: 404, message: 'Not found', status: 'NOT_FOUND' } });
 
-    } catch (error: any) {
-      sendJson(res, 500, { error: { code: 500, message: error.message, status: 'INTERNAL' } });
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      sendJson(res, 500, { error: { code: 500, message, status: 'INTERNAL' } });
     }
   }
 

package/src/storage/index.ts

@@ -7,6 +7,7 @@ export class StorageManager {
   private storePath: string;
   private encrypted: boolean;
   private password?: string;
+  private cache: Record<string, Variable> | null = null;
 
   constructor(storePath: string, encrypted: boolean = true) {
     this.storePath = storePath;
@@ -14,31 +15,42 @@ export class StorageManager {
   }
 
   setPassword(password: string): void {
-    this.password = password;
+    if (this.password !== password) {
+      this.password = password;
+      this.cache = null;
+    }
   }
 
   async load(): Promise<Record<string, Variable>> {
+    if (this.cache !== null) {
+      return this.cache;
+    }
+
     if (!await fs.pathExists(this.storePath)) {
-      return {};
+      this.cache = {};
+      return this.cache;
     }
 
     const data = await fs.readFile(this.storePath, 'utf8');
-    
+
     if (this.encrypted && this.password) {
       try {
         const decrypted = decrypt(data, this.password);
-        return JSON.parse(decrypted);
+        this.cache = JSON.parse(decrypted);
+        return this.cache!;
       } catch (error) {
         throw new Error('Failed to decrypt storage. Invalid password or corrupted data.');
       }
     }
 
-    return JSON.parse(data);
+    this.cache = JSON.parse(data);
+    return this.cache!;
   }
 
   async save(variables: Record<string, Variable>): Promise<void> {
+    this.cache = variables;
     const data = JSON.stringify(variables, null, 2);
-    
+
     await fs.ensureDir(path.dirname(this.storePath));
 
     if (this.encrypted && this.password) {
@@ -78,6 +90,10 @@ export class StorageManager {
   async exists(): Promise<boolean> {
     return fs.pathExists(this.storePath);
   }
+
+  invalidateCache(): void {
+    this.cache = null;
+  }
 }
 
 export class LogManager {

package/src/types.ts

@@ -16,8 +16,10 @@ export const EnvCPConfigSchema = z.object({
     allow_ai_write: z.boolean().default(false),
     allow_ai_delete: z.boolean().default(false),
     allow_ai_export: z.boolean().default(false),
+    allow_ai_execute: z.boolean().default(false),
     allow_ai_active_check: z.boolean().default(false),
     require_user_reference: z.boolean().default(true),
+    allowed_commands: z.array(z.string()).optional(),
     require_confirmation: z.boolean().default(true),
     mask_values: z.boolean().default(true),
     audit_log: z.boolean().default(true),

package/src/utils/http.ts

@@ -3,8 +3,14 @@ import * as http from 'http';
 
 const MAX_BODY_SIZE = 1024 * 1024; // 1MB
 
-export function setCorsHeaders(res: http.ServerResponse, allowedOrigin: string = '127.0.0.1'): void {
-  res.setHeader('Access-Control-Allow-Origin', allowedOrigin);
+export function setCorsHeaders(res: http.ServerResponse, allowedOrigin?: string, requestOrigin?: string): void {
+  const localOrigins = ['http://127.0.0.1', 'http://localhost', 'http://[::1]'];
+  let origin = allowedOrigin || '*';
+  if (!allowedOrigin && requestOrigin) {
+    const matches = localOrigins.some(lo => requestOrigin.startsWith(lo));
+    origin = matches ? requestOrigin : '';
+  }
+  res.setHeader('Access-Control-Allow-Origin', origin);
   res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
   res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key, X-Goog-Api-Key, OpenAI-Organization');
 }
@@ -43,3 +49,71 @@ export function validateApiKey(provided: string | undefined, expected: string):
   if (provided.length !== expected.length) return false;
   return crypto.timingSafeEqual(Buffer.from(provided), Buffer.from(expected));
 }
+
+export class RateLimiter {
+  private requests: Map<string, number[]> = new Map();
+  private maxRequests: number;
+  private windowMs: number;
+  private cleanupTimer: ReturnType<typeof setInterval>;
+
+  constructor(maxRequests: number = 60, windowMs: number = 60000) {
+    this.maxRequests = maxRequests;
+    this.windowMs = windowMs;
+    // Periodically clean up stale entries
+    this.cleanupTimer = setInterval(() => this.cleanup(), windowMs * 2);
+    if (this.cleanupTimer.unref) this.cleanupTimer.unref();
+  }
+
+  isAllowed(key: string): boolean {
+    const now = Date.now();
+    const timestamps = this.requests.get(key) || [];
+    const recent = timestamps.filter(t => now - t < this.windowMs);
+
+    if (recent.length >= this.maxRequests) {
+      this.requests.set(key, recent);
+      return false;
+    }
+
+    recent.push(now);
+    this.requests.set(key, recent);
+    return true;
+  }
+
+  getRemainingRequests(key: string): number {
+    const now = Date.now();
+    const timestamps = this.requests.get(key) || [];
+    const recent = timestamps.filter(t => now - t < this.windowMs);
+    return Math.max(0, this.maxRequests - recent.length);
+  }
+
+  private cleanup(): void {
+    const now = Date.now();
+    for (const [key, timestamps] of this.requests) {
+      const recent = timestamps.filter(t => now - t < this.windowMs);
+      if (recent.length === 0) {
+        this.requests.delete(key);
+      } else {
+        this.requests.set(key, recent);
+      }
+    }
+  }
+
+  destroy(): void {
+    clearInterval(this.cleanupTimer);
+  }
+}
+
+export function rateLimitMiddleware(
+  limiter: RateLimiter,
+  req: http.IncomingMessage,
+  res: http.ServerResponse
+): boolean {
+  const key = req.socket.remoteAddress || 'unknown';
+  if (!limiter.isAllowed(key)) {
+    res.setHeader('Retry-After', '60');
+    sendJson(res, 429, { error: 'Too many requests' });
+    return false;
+  }
+  res.setHeader('X-RateLimit-Remaining', String(limiter.getRemainingRequests(key)));
+  return true;
+}

package/src/utils/session.ts

@@ -2,6 +2,7 @@ import * as fs from 'fs-extra';
 import * as path from 'path';
 import { Session, SessionSchema } from '../types.js';
 import { generateId, encrypt, decrypt } from './crypto.js';
+import * as crypto from 'crypto';
 
 export class SessionManager {
   private sessionPath: string;
@@ -23,7 +24,7 @@ export class SessionManager {
   async create(password: string): Promise<Session> {
     const now = new Date();
     const expires = new Date(now.getTime() + this.timeoutMinutes * 60 * 1000);
-    
+
     this.session = {
       id: generateId(),
       created: now.toISOString(),
@@ -31,17 +32,19 @@ export class SessionManager {
       extensions: 0,
       last_access: now.toISOString(),
     };
-    
+
     this.password = password;
-    
+
+    // Store a verification hash instead of the raw password
+    const passwordHash = crypto.createHash('sha256').update(password).digest('hex');
     const sessionData = JSON.stringify({
       session: this.session,
-      password: password,
+      passwordHash,
     });
-    
+
     const encrypted = encrypt(sessionData, password);
     await fs.writeFile(this.sessionPath, encrypted, 'utf8');
-    
+
     return this.session;
   }
 
@@ -61,7 +64,8 @@ export class SessionManager {
       const decrypted = decrypt(encrypted, pwd);
       const data = JSON.parse(decrypted);
       this.session = SessionSchema.parse(data.session);
-      this.password = data.password;
+      // Password is verified by successful decryption — no longer stored in file
+      this.password = pwd;
       
       if (new Date() > new Date(this.session.expires)) {
         await this.destroy();
@@ -102,9 +106,10 @@ export class SessionManager {
     this.session.extensions += 1;
     this.session.last_access = now.toISOString();
 
+    const passwordHash = crypto.createHash('sha256').update(this.password).digest('hex');
     const sessionData = JSON.stringify({
       session: this.session,
-      password: this.password,
+      passwordHash,
     });
 
     const encrypted = encrypt(sessionData, this.password);