@fyresmith/hive-server 4.0.0 → 5.0.0

package/lib/accountState.js

@@ -0,0 +1,189 @@
+import { randomUUID, scrypt as scryptCb, timingSafeEqual } from 'crypto';
+import { existsSync } from 'fs';
+import { mkdir, readFile, writeFile } from 'fs/promises';
+import { dirname, join, resolve } from 'path';
+import { promisify } from 'util';
+
+const scrypt = promisify(scryptCb);
+
+const STATE_VERSION = 1;
+const STATE_REL_PATH = join('.hive', 'accounts-state.json');
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function normalizeEmail(value) {
+  return String(value ?? '').trim().toLowerCase();
+}
+
+function parseEmail(value) {
+  const email = String(value ?? '').trim();
+  const emailNorm = normalizeEmail(email);
+  if (!emailNorm || !emailNorm.includes('@')) {
+    throw new Error('A valid email is required');
+  }
+  return { email, emailNorm };
+}
+
+function normalizeDisplayName(value) {
+  const displayName = String(value ?? '').trim();
+  if (!displayName || displayName.length > 32) {
+    throw new Error('Display name must be 1-32 characters');
+  }
+  return displayName;
+}
+
+function normalizeAccount(raw) {
+  if (!raw || typeof raw !== 'object') return null;
+  const id = String(raw.id ?? '').trim();
+  const email = String(raw.email ?? '').trim();
+  const emailNorm = normalizeEmail(raw.emailNorm ?? email);
+  const displayName = String(raw.displayName ?? '').trim();
+  const passwordHash = String(raw.passwordHash ?? '').trim();
+  const passwordSalt = String(raw.passwordSalt ?? '').trim();
+  const createdAt = String(raw.createdAt ?? '').trim();
+  const updatedAt = String(raw.updatedAt ?? '').trim();
+
+  if (!id || !emailNorm || !displayName || !passwordHash || !passwordSalt || !createdAt || !updatedAt) {
+    return null;
+  }
+
+  return {
+    id,
+    email,
+    emailNorm,
+    displayName,
+    passwordHash,
+    passwordSalt,
+    createdAt,
+    updatedAt,
+  };
+}
+
+function normalizeState(raw) {
+  const source = raw && typeof raw === 'object' ? raw : {};
+  const accountsRaw = source.accounts && typeof source.accounts === 'object' ? source.accounts : {};
+
+  const accounts = {};
+  for (const [id, value] of Object.entries(accountsRaw)) {
+    const normalized = normalizeAccount(value);
+    if (normalized) {
+      accounts[id] = normalized;
+    }
+  }
+
+  return {
+    version: STATE_VERSION,
+    accounts,
+  };
+}
+
+async function hashPassword(password, salt) {
+  const input = String(password ?? '');
+  if (input.length < 8) {
+    throw new Error('Password must be at least 8 characters');
+  }
+  const derived = await scrypt(input, salt, 64);
+  return Buffer.from(derived).toString('hex');
+}
+
+export function getAccountsStatePath(vaultPath) {
+  return join(resolve(vaultPath), STATE_REL_PATH);
+}
+
+export async function loadAccountsState(vaultPath) {
+  const filePath = getAccountsStatePath(vaultPath);
+  if (!existsSync(filePath)) {
+    return normalizeState(null);
+  }
+  const raw = await readFile(filePath, 'utf-8');
+  const parsed = JSON.parse(raw);
+  return normalizeState(parsed);
+}
+
+export async function saveAccountsState(vaultPath, state) {
+  const filePath = getAccountsStatePath(vaultPath);
+  const normalized = normalizeState(state);
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, `${JSON.stringify(normalized, null, 2)}\n`, 'utf-8');
+  return normalized;
+}
+
+export async function createAccount({ vaultPath, email, password, displayName }) {
+  const { emailNorm } = parseEmail(email);
+  const nextDisplayName = normalizeDisplayName(displayName);
+
+  const state = await loadAccountsState(vaultPath);
+  const existing = Object.values(state.accounts).find((row) => row.emailNorm === emailNorm);
+  if (existing) {
+    throw new Error('An account already exists for this email');
+  }
+
+  const id = randomUUID();
+  const passwordSalt = randomUUID();
+  const passwordHash = await hashPassword(password, passwordSalt);
+  const ts = nowIso();
+
+  state.accounts[id] = {
+    id,
+    email: String(email ?? '').trim(),
+    emailNorm,
+    displayName: nextDisplayName,
+    passwordHash,
+    passwordSalt,
+    createdAt: ts,
+    updatedAt: ts,
+  };
+
+  await saveAccountsState(vaultPath, state);
+  return toPublicAccount(state.accounts[id]);
+}
+
+export async function createOwnerAccount({ vaultPath, email, displayName, password }) {
+  return createAccount({
+    vaultPath,
+    email,
+    password,
+    displayName,
+  });
+}
+
+export async function authenticateAccount({ vaultPath, email, password }) {
+  const { emailNorm } = parseEmail(email);
+  const state = await loadAccountsState(vaultPath);
+  const account = Object.values(state.accounts).find((row) => row.emailNorm === emailNorm);
+  if (!account) {
+    throw new Error('Invalid email or password');
+  }
+
+  const derived = await hashPassword(password, account.passwordSalt);
+  const actual = Buffer.from(account.passwordHash, 'hex');
+  const incoming = Buffer.from(derived, 'hex');
+  if (actual.length !== incoming.length || !timingSafeEqual(actual, incoming)) {
+    throw new Error('Invalid email or password');
+  }
+
+  return toPublicAccount(account);
+}
+
+export async function getAccountById(vaultPath, accountId) {
+  const id = String(accountId ?? '').trim();
+  if (!id) return null;
+
+  const state = await loadAccountsState(vaultPath);
+  const account = state.accounts[id];
+  if (!account) return null;
+  return toPublicAccount(account);
+}
+
+export function toPublicAccount(account) {
+  return {
+    id: account.id,
+    email: account.email,
+    emailNorm: account.emailNorm,
+    displayName: account.displayName,
+    createdAt: account.createdAt,
+    updatedAt: account.updatedAt,
+  };
+}

package/lib/authTokens.js

@@ -0,0 +1,75 @@
+import { createHash, randomBytes } from 'crypto';
+import jwt from 'jsonwebtoken';
+
+const PURPOSE_CLAIM_SESSION = 'claim-session';
+
+function getJwtSecret() {
+  const secret = String(process.env.JWT_SECRET ?? '').trim();
+  if (!secret) {
+    throw new Error('JWT_SECRET is required');
+  }
+  return secret;
+}
+
+function parsePositiveInt(value, fallback) {
+  const parsed = parseInt(String(value ?? '').trim(), 10);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return parsed;
+}
+
+function downloadTicketTtlMinutes() {
+  return parsePositiveInt(process.env.HIVE_BUNDLE_GRANT_TTL_MINUTES, 15);
+}
+
+function bootstrapTokenTtlHours() {
+  return parsePositiveInt(process.env.HIVE_BOOTSTRAP_TOKEN_TTL_HOURS, 24);
+}
+
+export function hashToken(token) {
+  return createHash('sha256').update(String(token ?? ''), 'utf-8').digest('hex');
+}
+
+export function signClaimSessionToken(account) {
+  const payload = {
+    purpose: PURPOSE_CLAIM_SESSION,
+    accountId: account.id,
+    displayName: account.displayName,
+    emailNorm: account.emailNorm,
+  };
+
+  return jwt.sign(payload, getJwtSecret(), { expiresIn: '7d' });
+}
+
+export function verifyClaimSessionToken(token) {
+  const decoded = jwt.verify(String(token ?? ''), getJwtSecret());
+  if (!decoded || decoded.purpose !== PURPOSE_CLAIM_SESSION) {
+    throw new Error('Invalid session token');
+  }
+  return decoded;
+}
+
+export function issueDownloadTicket() {
+  const ttlMinutes = downloadTicketTtlMinutes();
+  const ttlMs = ttlMinutes * 60 * 1000;
+  const token = randomBytes(32).toString('hex');
+  return {
+    token,
+    tokenHash: hashToken(token),
+    expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+  };
+}
+
+export function issueBootstrapToken({ memberId, vaultId }) {
+  const ttlHours = bootstrapTokenTtlHours();
+  const ttlMs = ttlHours * 60 * 60 * 1000;
+  const token = randomBytes(32).toString('hex');
+
+  return {
+    token,
+    memberId,
+    vaultId,
+    expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+  };
+}

package/lib/bundleBuilder.js

@@ -0,0 +1,169 @@
+import { existsSync } from 'fs';
+import { readdir, readFile } from 'fs/promises';
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import { basename, join, resolve } from 'path';
+
+const require = createRequire(import.meta.url);
+const { ZipFile } = require('yazl');
+
+const PLUGIN_ID = 'hive';
+const DEFAULT_DENY_PATHS = ['.git', '.hive', '.hive-quarantine', '.DS_Store', 'Thumbs.db'];
+
+const ASSETS_ROOT = resolve(fileURLToPath(new URL('../assets/', import.meta.url)));
+const TEMPLATE_ROOT = join(ASSETS_ROOT, 'template-vault');
+const PLUGIN_ROOT = join(ASSETS_ROOT, 'plugin', PLUGIN_ID);
+
+function requireAssetPath(path, label) {
+  if (!existsSync(path)) {
+    throw new Error(`Missing packaged ${label} at ${path}`);
+  }
+  return path;
+}
+
+async function readPluginAsset(filename) {
+  const root = requireAssetPath(PLUGIN_ROOT, 'plugin assets');
+  const abs = join(root, filename);
+  if (!existsSync(abs)) {
+    throw new Error(`Missing plugin asset at ${abs}`);
+  }
+  return readFile(abs);
+}
+
+async function readTemplateFiles() {
+  const root = requireAssetPath(TEMPLATE_ROOT, 'template vault');
+  const files = [];
+
+  async function walk(currentAbs, relPrefix) {
+    const entries = await readdir(currentAbs, { withFileTypes: true });
+    for (const entry of entries) {
+      const abs = join(currentAbs, entry.name);
+      const rel = relPrefix ? `${relPrefix}/${entry.name}` : entry.name;
+      if (entry.isDirectory()) {
+        await walk(abs, rel);
+      } else if (entry.isFile()) {
+        const content = await readFile(abs);
+        files.push({ relPath: rel.replace(/\\/g, '/'), content });
+      }
+    }
+  }
+
+  await walk(root, '');
+  return files;
+}
+
+function sanitizeVaultName(name) {
+  const safe = String(name ?? '').trim().replace(/[/\\:*?"<>|]/g, '').replace(/\s+/g, ' ').trim();
+  return safe || 'Hive Vault';
+}
+
+function renderReadme(serverUrl, vaultName) {
+  return [
+    `# ${sanitizeVaultName(vaultName)}`,
+    '',
+    '1. Extract this zip to a folder.',
+    '2. Open that folder as a vault in Obsidian desktop.',
+    '3. Hive will complete secure first-run bootstrap and sync automatically.',
+    '',
+    `Hive server: ${serverUrl}`,
+  ].join('\n');
+}
+
+function getBundleDenyPaths() {
+  const custom = String(process.env.HIVE_BUNDLE_DENY_PATHS ?? '')
+    .split(',')
+    .map((value) => value.trim())
+    .filter(Boolean);
+  return new Set([...DEFAULT_DENY_PATHS, ...custom]);
+}
+
+function isDeniedPath(path, denyPaths) {
+  const normalized = String(path ?? '').replace(/\\/g, '/');
+  for (const deny of denyPaths) {
+    if (normalized === deny || normalized.startsWith(`${deny}/`)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+export async function sendInviteShellBundle(res, {
+  serverUrl,
+  vaultId,
+  bootstrapToken,
+  vaultName,
+}) {
+  const templateFiles = await readTemplateFiles();
+  const mainJs = await readPluginAsset('main.js');
+  const manifestJson = await readPluginAsset('manifest.json');
+  const stylesCss = await readPluginAsset('styles.css');
+
+  const zip = new ZipFile();
+  const denyPaths = getBundleDenyPaths();
+
+  const safeName = sanitizeVaultName(vaultName);
+  const rootPrefix = `${safeName}/`;
+
+  const binding = {
+    version: 1,
+    managed: true,
+    serverUrl,
+    vaultId,
+    createdAt: new Date().toISOString(),
+  };
+
+  const pluginData = {
+    serverUrl,
+    token: null,
+    bootstrapToken,
+    user: null,
+  };
+
+  const appConfig = {
+    communityPluginEnabled: true,
+  };
+
+  const pluginRoot = `${rootPrefix}.obsidian/plugins/${PLUGIN_ID}`;
+
+  const addBuffer = (buffer, targetPath) => {
+    if (isDeniedPath(targetPath, denyPaths)) {
+      throw new Error(`Bundle output path denied by policy: ${targetPath}`);
+    }
+    zip.addBuffer(buffer, targetPath);
+  };
+
+  const overwritePaths = new Set([
+    '.obsidian/app.json',
+    '.obsidian/community-plugins.json',
+    '.obsidian/hive-managed.json',
+    'README.md',
+  ]);
+
+  for (const file of templateFiles) {
+    if (overwritePaths.has(file.relPath)) continue;
+    const target = `${rootPrefix}${file.relPath}`;
+    addBuffer(file.content, target);
+  }
+
+  addBuffer(Buffer.from(`${JSON.stringify(binding, null, 2)}\n`, 'utf-8'), `${rootPrefix}.obsidian/hive-managed.json`);
+  addBuffer(mainJs, `${pluginRoot}/main.js`);
+  addBuffer(manifestJson, `${pluginRoot}/manifest.json`);
+  addBuffer(stylesCss, `${pluginRoot}/styles.css`);
+  addBuffer(Buffer.from(`${JSON.stringify(pluginData, null, 2)}\n`, 'utf-8'), `${pluginRoot}/data.json`);
+  addBuffer(Buffer.from(`${JSON.stringify([PLUGIN_ID], null, 2)}\n`, 'utf-8'), `${rootPrefix}.obsidian/community-plugins.json`);
+  addBuffer(Buffer.from(`${JSON.stringify(appConfig, null, 2)}\n`, 'utf-8'), `${rootPrefix}.obsidian/app.json`);
+  addBuffer(Buffer.from(`${renderReadme(serverUrl, vaultName)}\n`, 'utf-8'), `${rootPrefix}README.md`);
+
+  const name = `${safeName}.zip`;
+  res.setHeader('Content-Type', 'application/zip');
+  res.setHeader('Content-Disposition', `attachment; filename="${basename(name)}"`);
+
+  await new Promise((resolvePromise, rejectPromise) => {
+    zip.outputStream.on('error', rejectPromise);
+    res.on('error', rejectPromise);
+    res.on('finish', resolvePromise);
+
+    zip.outputStream.pipe(res);
+    zip.end();
+  });
+}

package/lib/dashboardAuth.js

@@ -0,0 +1,80 @@
+import jwt from 'jsonwebtoken';
+
+export const COOKIE_NAME = 'hive_dashboard_session';
+const PURPOSE = 'dashboard-session';
+
+function getJwtSecret() {
+  const secret = String(process.env.JWT_SECRET ?? '').trim();
+  if (!secret) throw new Error('JWT_SECRET is required');
+  return secret;
+}
+
+function parseCookies(req) {
+  const raw = String(req.headers.cookie ?? '');
+  const cookies = {};
+  for (const chunk of raw.split(';')) {
+    const [name, ...rest] = chunk.split('=');
+    const key = String(name ?? '').trim();
+    if (!key) continue;
+    cookies[key] = decodeURIComponent(rest.join('=').trim());
+  }
+  return cookies;
+}
+
+function isSecureRequest(req) {
+  if (req.secure) return true;
+  const xf = String(req.headers['x-forwarded-proto'] ?? '').toLowerCase();
+  return xf.includes('https');
+}
+
+export function signDashboardSessionToken(accountId) {
+  return jwt.sign(
+    { purpose: PURPOSE, accountId, role: 'owner' },
+    getJwtSecret(),
+    { expiresIn: '24h' },
+  );
+}
+
+export function verifyDashboardSessionToken(token) {
+  const decoded = jwt.verify(String(token ?? ''), getJwtSecret());
+  if (!decoded || decoded.purpose !== PURPOSE) {
+    throw new Error('Invalid dashboard session token');
+  }
+  return decoded;
+}
+
+export function getDashboardSession(req) {
+  const cookies = parseCookies(req);
+  const token = String(cookies[COOKIE_NAME] ?? '').trim();
+  if (!token) return null;
+  try {
+    return verifyDashboardSessionToken(token);
+  } catch {
+    return null;
+  }
+}
+
+export function setDashboardCookie(req, res, token) {
+  const secure = isSecureRequest(req) ? '; Secure' : '';
+  res.setHeader(
+    'Set-Cookie',
+    `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/dashboard; HttpOnly; SameSite=Lax; Max-Age=86400${secure}`,
+  );
+}
+
+export function clearDashboardCookie(req, res) {
+  const secure = isSecureRequest(req) ? '; Secure' : '';
+  res.setHeader(
+    'Set-Cookie',
+    `${COOKIE_NAME}=; Path=/dashboard; HttpOnly; SameSite=Lax; Max-Age=0${secure}`,
+  );
+}
+
+export function requireDashboardAuth(req, res, next) {
+  const session = getDashboardSession(req);
+  if (!session?.accountId) {
+    return res.redirect('/dashboard/login');
+  }
+  req.dashboardSession = session;
+  next();
+}