@fyresmith/hive-server 4.0.0 → 5.0.0

package/routes/auth.js

@@ -1,98 +1,423 @@
-import { Router } from 'express';
-import DiscordOauth2 from 'discord-oauth2';
+import { Router, urlencoded } from 'express';
 import jwt from 'jsonwebtoken';
-import { randomBytes } from 'crypto';
+import {
+  authenticateAccount,
+  createAccount,
+  getAccountById,
+} from '../lib/accountState.js';
+import {
+  hashToken,
+  issueBootstrapToken,
+  issueDownloadTicket,
+  signClaimSessionToken,
+  verifyClaimSessionToken,
+} from '../lib/authTokens.js';
+import { sendInviteShellBundle } from '../lib/bundleBuilder.js';
+import {
+  consumeInviteDownloadTicket,
+  consumeMemberBootstrapSecretByToken,
+  getInvite,
+  loadManagedState,
+  pairMember,
+  setInviteDownloadTicket,
+  setMemberBootstrapSecret,
+} from '../lib/managedState.js';
 
 const router = Router();
-const oauth = new DiscordOauth2();
-
-/**
- * CSRF state map: state → { timestamp }
- * Entries expire after 10 minutes.
- * @type {Map<string, {ts: number}>}
- */
-const stateMap = new Map();
-const STATE_TTL_MS = 10 * 60 * 1000;
-
-function pruneStates() {
-  const now = Date.now();
-  for (const [key, val] of stateMap) {
-    if (now - val.ts > STATE_TTL_MS) stateMap.delete(key);
-  }
-}
-
-// ---------------------------------------------------------------------------
-// GET /auth/login
-// ---------------------------------------------------------------------------
-router.get('/login', (req, res) => {
-  pruneStates();
-  const state = randomBytes(16).toString('hex');
-  stateMap.set(state, { ts: Date.now() });
-
-  const url = oauth.generateAuthUrl({
-    clientId: process.env.DISCORD_CLIENT_ID,
-    scope: ['identify', 'guilds'],
-    redirectUri: process.env.DISCORD_REDIRECT_URI,
-    state,
-  });
-
-  res.redirect(url);
+const CLAIM_SESSION_COOKIE = 'hive_claim_session';
+const DOWNLOAD_TICKET_COOKIE = 'hive_bundle_ticket';
+
+router.use(urlencoded({ extended: false }));
+
+function getVaultPath() {
+  const value = String(process.env.VAULT_PATH ?? '').trim();
+  if (!value) throw new Error('VAULT_PATH env var is required');
+  return value;
+}
+
+function getServerUrl(req) {
+  return process.env.HIVE_SERVER_URL?.trim() || `${req.protocol}://${req.get('host')}`;
+}
+
+function escapeHtml(value) {
+  return String(value ?? '')
+    .replaceAll('&', '&amp;')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;');
+}
+
+function errorPage(message) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><title>Hive — Error</title>
+<style>body{font-family:system-ui,sans-serif;max-width:560px;margin:80px auto;padding:0 16px;color:#333}
+h1{color:#c0392b}p{line-height:1.6}.muted{color:#666}</style></head>
+<body><h1>Error</h1><p>${escapeHtml(message)}</p></body></html>`;
+}
+
+function infoPage(title, bodyHtml) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><title>Hive — ${escapeHtml(title)}</title>
+<style>
+body{font-family:system-ui,sans-serif;max-width:680px;margin:80px auto;padding:0 16px;color:#222}
+h1{margin:0 0 12px}p{line-height:1.6;color:#444}
+a.button,button{display:inline-block;background:#2d6cdf;color:#fff;border:none;padding:10px 16px;border-radius:8px;text-decoration:none;cursor:pointer}
+.card{border:1px solid #ddd;border-radius:10px;padding:16px;margin:14px 0;background:#fafafa}
+label{display:block;font-weight:600;margin:0 0 6px}
+input{width:100%;box-sizing:border-box;padding:10px;border:1px solid #ccc;border-radius:8px;margin-bottom:12px}
+.muted{color:#666}
+.grid{display:grid;gap:16px;grid-template-columns:1fr 1fr}
+@media (max-width:700px){.grid{grid-template-columns:1fr}}
+</style></head>
+<body>
+<h1>${escapeHtml(title)}</h1>
+${bodyHtml}
+</body></html>`;
+}
+
+function parseCookies(req) {
+  const raw = String(req.headers.cookie ?? '');
+  const cookies = {};
+  for (const chunk of raw.split(';')) {
+    const [name, ...rest] = chunk.split('=');
+    const key = String(name ?? '').trim();
+    if (!key) continue;
+    cookies[key] = decodeURIComponent(rest.join('=').trim());
+  }
+  return cookies;
+}
+
+function isSecureRequest(req) {
+  if (req.secure) return true;
+  const xf = String(req.headers['x-forwarded-proto'] ?? '').toLowerCase();
+  return xf.includes('https');
+}
+
+function setClaimSessionCookie(req, res, token) {
+  const secure = isSecureRequest(req) ? '; Secure' : '';
+  res.setHeader(
+    'Set-Cookie',
+    `${CLAIM_SESSION_COOKIE}=${encodeURIComponent(token)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=604800${secure}`,
+  );
+}
+
+function clearClaimSessionCookie(req, res) {
+  const secure = isSecureRequest(req) ? '; Secure' : '';
+  res.setHeader(
+    'Set-Cookie',
+    `${CLAIM_SESSION_COOKIE}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0${secure}`,
+  );
+}
+
+function setDownloadTicketCookie(req, res, ticket) {
+  const secure = isSecureRequest(req) ? '; Secure' : '';
+  res.setHeader(
+    'Set-Cookie',
+    `${DOWNLOAD_TICKET_COOKIE}=${encodeURIComponent(ticket)}; Path=/auth; HttpOnly; SameSite=Lax; Max-Age=1200${secure}`,
+  );
+}
+
+function clearDownloadTicketCookie(req, res) {
+  const secure = isSecureRequest(req) ? '; Secure' : '';
+  res.setHeader(
+    'Set-Cookie',
+    `${DOWNLOAD_TICKET_COOKIE}=; Path=/auth; HttpOnly; SameSite=Lax; Max-Age=0${secure}`,
+  );
+}
+
+function getClaimSession(req) {
+  const cookies = parseCookies(req);
+  const token = String(cookies[CLAIM_SESSION_COOKIE] ?? '').trim();
+  if (!token) return null;
+  try {
+    const decoded = verifyClaimSessionToken(token);
+    return {
+      accountId: String(decoded.accountId ?? ''),
+      displayName: String(decoded.displayName ?? ''),
+      emailNorm: String(decoded.emailNorm ?? ''),
+    };
+  } catch {
+    return null;
+  }
+}
+
+function getDownloadTicket(req) {
+  const cookies = parseCookies(req);
+  return String(cookies[DOWNLOAD_TICKET_COOKIE] ?? '').trim();
+}
+
+async function loadInviteOrThrow(code) {
+  const inviteCode = String(code ?? '').trim();
+  if (!inviteCode) {
+    throw new Error('Missing invite code.');
+  }
+
+  let state;
+  try {
+    state = await loadManagedState(getVaultPath());
+  } catch {
+    throw new Error('Server error loading vault state.');
+  }
+  if (!state) {
+    throw new Error('Managed vault is not initialized.');
+  }
+
+  const invite = await getInvite(getVaultPath(), inviteCode);
+  if (!invite) throw new Error('Invite code not found.');
+  if (invite.revokedAt) throw new Error('This invite code has been revoked.');
+  if (invite.usedAt) throw new Error('This invite code has already been used.');
+
+  return { state, inviteCode, invite };
+}
+
+function renderInviteClaimPage({ code, session, vaultName }) {
+  const displayName = escapeHtml(vaultName || 'Hive Vault');
+  const title = `Join ${displayName}`;
+
+  if (session) {
+    return infoPage(title, `
+      <p>You've been invited to join <strong>${displayName}</strong>.</p>
+      <p>You are signed in as <strong>${escapeHtml(session.displayName)}</strong>.</p>
+      <p>Continue to pair this identity and generate a downloadable vault package.</p>
+      <form method="POST" action="/auth/claim/complete">
+        <input type="hidden" name="code" value="${escapeHtml(code)}">
+        <button type="submit">Join + Continue</button>
+      </form>
+      <p class="muted">This invite is single-use.</p>
+    `);
+  }
+
+  return infoPage(title, `
+    <p>You've been invited to join <strong>${displayName}</strong>. Sign in or create an account to claim this invite and download your managed vault package.</p>
+    <div class="grid">
+      <div class="card">
+        <h3>Create Account</h3>
+        <form method="POST" action="/auth/claim/signup">
+          <input type="hidden" name="code" value="${escapeHtml(code)}">
+          <label>Email</label>
+          <input type="email" name="email" required placeholder="you@example.com">
+          <label>Display Name</label>
+          <input type="text" name="displayName" minlength="1" maxlength="32" required placeholder="Your name">
+          <label>Password</label>
+          <input type="password" name="password" minlength="8" required>
+          <button type="submit">Create & Continue</button>
+        </form>
+      </div>
+      <div class="card">
+        <h3>Sign In</h3>
+        <form method="POST" action="/auth/claim/signin">
+          <input type="hidden" name="code" value="${escapeHtml(code)}">
+          <label>Email</label>
+          <input type="email" name="email" required placeholder="you@example.com">
+          <label>Password</label>
+          <input type="password" name="password" minlength="8" required>
+          <button type="submit">Sign In & Continue</button>
+        </form>
+      </div>
+    </div>
+  `);
+}
+
+function renderClaimSuccessPage(vaultName) {
+  const displayName = escapeHtml(vaultName || 'Hive Vault');
+  return infoPage(`${displayName} is Ready`, `
+    <p>Your invite has been claimed. Download the preconfigured vault package, extract it, then open the folder in Obsidian desktop.</p>
+    <p><a class="button" href="/auth/bundle">Download ${displayName}.zip</a></p>
+    <div class="card">
+      <p><strong>After download:</strong></p>
+      <p>1) Extract zip to a folder</p>
+      <p>2) Open that folder as a vault in Obsidian desktop</p>
+      <p>3) Hive will finish bootstrap and sync on first open</p>
+    </div>
+    <p class="muted">The download link is single-use and expires quickly.</p>
+  `);
+}
+
+router.get('/claim', async (req, res) => {
+  const code = String(req.query.code ?? '').trim();
+  try {
+    const { state } = await loadInviteOrThrow(code);
+    const session = getClaimSession(req);
+    return res.send(renderInviteClaimPage({ code, session, vaultName: state.vaultName }));
+  } catch (err) {
+    return res.status(400).send(errorPage(err instanceof Error ? err.message : String(err)));
+  }
 });
 
-// ---------------------------------------------------------------------------
-// GET /auth/callback
-// ---------------------------------------------------------------------------
-router.get('/callback', async (req, res) => {
-  const { code, state } = req.query;
+router.post('/claim/signup', async (req, res) => {
+  const code = String(req.body?.code ?? '').trim();
+  const email = String(req.body?.email ?? '').trim();
+  const password = String(req.body?.password ?? '');
+  const displayName = String(req.body?.displayName ?? '').trim();
 
-  if (!state || !stateMap.has(state)) {
-    return res.status(400).send('Invalid or expired state parameter.');
+  try {
+    await loadInviteOrThrow(code);
+    const account = await createAccount({
+      vaultPath: getVaultPath(),
+      email,
+      password,
+      displayName,
+    });
+    const sessionToken = signClaimSessionToken(account);
+    setClaimSessionCookie(req, res, sessionToken);
+    return res.redirect(`/auth/claim?code=${encodeURIComponent(code)}`);
+  } catch (err) {
+    return res.status(400).send(errorPage(err instanceof Error ? err.message : String(err)));
   }
-  stateMap.delete(state);
+});
+
+router.post('/claim/signin', async (req, res) => {
+  const code = String(req.body?.code ?? '').trim();
+  const email = String(req.body?.email ?? '').trim();
+  const password = String(req.body?.password ?? '');
 
-  if (!code) {
-    return res.status(400).send('Missing authorization code.');
+  try {
+    await loadInviteOrThrow(code);
+    const account = await authenticateAccount({
+      vaultPath: getVaultPath(),
+      email,
+      password,
+    });
+    const sessionToken = signClaimSessionToken(account);
+    setClaimSessionCookie(req, res, sessionToken);
+    return res.redirect(`/auth/claim?code=${encodeURIComponent(code)}`);
+  } catch (err) {
+    return res.status(400).send(errorPage(err instanceof Error ? err.message : String(err)));
+  }
+});
+
+router.post('/claim/complete', async (req, res) => {
+  const code = String(req.body?.code ?? '').trim();
+  const session = getClaimSession(req);
+  if (!session?.accountId) {
+    return res.status(401).send(errorPage('Sign in is required before claiming this invite.'));
   }
 
   try {
-    // Exchange code for access token
-    const tokenData = await oauth.tokenRequest({
-      clientId: process.env.DISCORD_CLIENT_ID,
-      clientSecret: process.env.DISCORD_CLIENT_SECRET,
-      redirectUri: process.env.DISCORD_REDIRECT_URI,
+    await loadInviteOrThrow(code);
+
+    const account = await getAccountById(getVaultPath(), session.accountId);
+    if (!account) {
+      clearClaimSessionCookie(req, res);
+      return res.status(401).send(errorPage('Sign in session is invalid. Please sign in again.'));
+    }
+
+    const result = await pairMember({
+      vaultPath: getVaultPath(),
       code,
-      scope: ['identify', 'guilds'],
-      grantType: 'authorization_code',
+      user: {
+        id: account.id,
+        username: account.displayName,
+        avatarUrl: '',
+      },
     });
 
-    const accessToken = tokenData.access_token;
-
-    // Verify guild membership
-    const guilds = await oauth.getUserGuilds(accessToken);
-    const isMember = guilds.some((g) => g.id === process.env.DISCORD_GUILD_ID);
-    if (!isMember) {
-      return res.status(403).send('Access denied: you are not a member of the required Discord server.');
+    if (!result.paired) {
+      return res.status(400).send(errorPage('This account is already paired. Ask your owner for a new invite if needed.'));
     }
 
-    // Fetch user profile
-    const user = await oauth.getUser(accessToken);
-    const { id, username, avatar } = user;
-    const avatarUrl = avatar
-      ? `https://cdn.discordapp.com/avatars/${id}/${avatar}.png`
-      : `https://cdn.discordapp.com/embed/avatars/${parseInt(id) % 5}.png`;
-
-    // Sign JWT
-    const token = jwt.sign(
-      { id, username, avatarUrl },
-      process.env.JWT_SECRET,
-      { expiresIn: '30d' }
-    );
-
-    // Redirect to Obsidian URI handler
-    res.redirect(`obsidian://hive-auth?token=${encodeURIComponent(token)}`);
+    const ticket = issueDownloadTicket();
+    await setInviteDownloadTicket({
+      vaultPath: getVaultPath(),
+      code,
+      memberId: account.id,
+      ticketHash: ticket.tokenHash,
+      expiresAt: ticket.expiresAt,
+    });
+    setDownloadTicketCookie(req, res, ticket.token);
+    return res.redirect('/auth/claim/success');
+  } catch (err) {
+    return res.status(400).send(errorPage(err instanceof Error ? err.message : String(err)));
+  }
+});
+
+router.get('/claim/success', async (req, res) => {
+  const ticket = getDownloadTicket(req);
+  if (!ticket) {
+    return res.status(400).send(errorPage('No active download ticket. Please claim an invite again.'));
+  }
+  try {
+    const state = await loadManagedState(getVaultPath());
+    return res.send(renderClaimSuccessPage(state?.vaultName));
+  } catch (err) {
+    return res.status(400).send(errorPage(err instanceof Error ? err.message : String(err)));
+  }
+});
+
+router.get('/bundle', async (req, res) => {
+  const ticket = getDownloadTicket(req);
+  if (!ticket) {
+    return res.status(400).send(errorPage('Missing download ticket.'));
+  }
+
+  try {
+    const consumed = await consumeInviteDownloadTicket({
+      vaultPath: getVaultPath(),
+      ticketHash: hashToken(ticket),
+    });
+    clearDownloadTicketCookie(req, res);
+
+    const bootstrap = issueBootstrapToken({
+      memberId: consumed.memberId,
+      vaultId: consumed.vaultId,
+    });
+
+    await setMemberBootstrapSecret({
+      vaultPath: getVaultPath(),
+      userId: consumed.memberId,
+      tokenHash: hashToken(bootstrap.token),
+      expiresAt: bootstrap.expiresAt,
+    });
+
+    const bundleState = await loadManagedState(getVaultPath());
+
+    await sendInviteShellBundle(res, {
+      serverUrl: getServerUrl(req),
+      vaultId: consumed.vaultId,
+      bootstrapToken: bootstrap.token,
+      vaultName: bundleState?.vaultName,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return res.status(400).send(errorPage(message));
+  }
+});
+
+router.post('/bootstrap/exchange', async (req, res) => {
+  const bootstrapToken = String(req.body?.bootstrapToken ?? '').trim();
+  const vaultId = String(req.body?.vaultId ?? '').trim();
+
+  if (!bootstrapToken || !vaultId) {
+    return res.status(400).json({ ok: false, error: 'bootstrapToken and vaultId are required' });
+  }
+
+  try {
+    const consumed = await consumeMemberBootstrapSecretByToken({
+      vaultPath: getVaultPath(),
+      tokenHash: hashToken(bootstrapToken),
+      vaultId,
+    });
+
+    const user = {
+      id: consumed.member.id,
+      username: consumed.member.username,
+      avatarUrl: '',
+    };
+
+    const token = jwt.sign(user, process.env.JWT_SECRET, { expiresIn: '30d' });
+
+    return res.json({
+      ok: true,
+      token,
+      user,
+      serverUrl: getServerUrl(req),
+    });
   } catch (err) {
-    console.error('[auth] OAuth callback error:', err);
-    res.status(500).send('Authentication failed. Please try again.');
+    const message = err instanceof Error ? err.message : String(err);
+    return res.status(400).json({ ok: false, error: message });
   }
 });