@girardmedia/bootspring 2.2.0 → 2.3.0

package/core/auth.js

@@ -1,737 +0,0 @@
-/**
- * Bootspring Auth Module
- *
- * Manages authentication tokens stored in ~/.bootspring/
- */
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const crypto = require('crypto');
-
-const BOOTSPRING_DIR = path.join(os.homedir(), '.bootspring');
-const CREDENTIALS_FILE = path.join(BOOTSPRING_DIR, 'credentials.json');
-const CONFIG_FILE = path.join(BOOTSPRING_DIR, 'config.json');
-const DEVICE_FILE = path.join(BOOTSPRING_DIR, 'device.json');
-
-// Simple encryption key derived from machine ID
-const getEncryptionKey = () => {
-  const machineId = os.hostname() + os.userInfo().username;
-  return crypto.createHash('sha256').update(machineId).digest();
-};
-
-/**
- * Ensure ~/.bootspring directory exists
- */
-function ensureDir() {
-  if (!fs.existsSync(BOOTSPRING_DIR)) {
-    fs.mkdirSync(BOOTSPRING_DIR, { recursive: true, mode: 0o700 });
-  }
-}
-
-/**
- * Encrypt data
- * @throws {Error} If encryption fails - never falls back to plaintext
- */
-function encrypt(data) {
-  const key = getEncryptionKey();
-  const iv = crypto.randomBytes(16);
-  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
-  let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'hex');
-  encrypted += cipher.final('hex');
-  return { iv: iv.toString('hex'), data: encrypted, v: 1 };
-}
-
-/**
- * Decrypt data
- * @throws {Error} If decryption fails - indicates corrupted or tampered credentials
- */
-function decrypt(encrypted) {
-  // Check if data is in encrypted format (has iv, data, and optionally v)
-  if (!encrypted || typeof encrypted !== 'object' || !encrypted.iv || !encrypted.data) {
-    // Legacy unencrypted data - migrate on next save but don't fail
-    // This handles the transition from old plaintext storage
-    if (encrypted && typeof encrypted === 'object' && (encrypted.token || encrypted.apiKey)) {
-      console.error('[bootspring] Migrating legacy unencrypted credentials to encrypted storage');
-      return encrypted;
-    }
-    throw new Error('Invalid credential format');
-  }
-
-  const key = getEncryptionKey();
-  const iv = Buffer.from(encrypted.iv, 'hex');
-  const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
-  let decrypted = decipher.update(encrypted.data, 'hex', 'utf8');
-  decrypted += decipher.final('utf8');
-  return JSON.parse(decrypted);
-}
-
-/**
- * Get stored credentials
- * @returns {object|null} Decrypted credentials or null if not available
- */
-function getCredentials() {
-  try {
-    if (fs.existsSync(CREDENTIALS_FILE)) {
-      const raw = JSON.parse(fs.readFileSync(CREDENTIALS_FILE, 'utf-8'));
-      const decrypted = decrypt(raw);
-
-      // If we got legacy unencrypted data, re-encrypt it immediately
-      if (raw && typeof raw === 'object' && !raw.iv && !raw.data) {
-        saveCredentials(decrypted);
-      }
-
-      return decrypted;
-    }
-  } catch (err) {
-    // Log decryption failures for debugging but don't expose details
-    console.error('[bootspring] Failed to read credentials:', err.message);
-  }
-  return null;
-}
-
-/**
- * Save credentials (encrypted)
- * @param {object} credentials - Credentials to save
- * @throws {Error} If encryption or file write fails
- */
-function saveCredentials(credentials) {
-  ensureDir();
-
-  // Never store API keys in credentials - only tokens
-  const sanitized = { ...credentials };
-  if (sanitized.apiKey) {
-    // API keys should only be in memory or env vars, not on disk
-    console.error('[bootspring] Warning: API keys should not be stored in credentials. Use project-scoped tokens instead.');
-    delete sanitized.apiKey;
-  }
-
-  const encrypted = encrypt(sanitized);
-  fs.writeFileSync(
-    CREDENTIALS_FILE,
-    JSON.stringify(encrypted, null, 2),
-    { mode: 0o600 }
-  );
-}
-
-/**
- * Clear credentials (logout)
- */
-function clearCredentials() {
-  try {
-    if (fs.existsSync(CREDENTIALS_FILE)) {
-      fs.unlinkSync(CREDENTIALS_FILE);
-    }
-  } catch {
-    // Ignore delete errors
-  }
-}
-
-/**
- * Get auth token (JWT)
- */
-function getToken() {
-  const creds = getCredentials();
-  if (!creds) return null;
-
-  // Check if token is expired
-  if (creds.expiresAt && new Date(creds.expiresAt) < new Date()) {
-    return null; // Token expired
-  }
-
-  return creds.token;
-}
-
-/**
- * Check if the current token is expiring soon
- * @param {number} [thresholdMs=300000] - Threshold in milliseconds (default 5 minutes)
- * @returns {{ expiringSoon: boolean, expiresAt: string|null, msUntilExpiry: number }}
- */
-function getTokenExpiryStatus(thresholdMs = 5 * 60 * 1000) {
-  const creds = getCredentials();
-  if (!creds || !creds.expiresAt) {
-    return { expiringSoon: false, expiresAt: null, msUntilExpiry: 0 };
-  }
-
-  const expiresAt = new Date(creds.expiresAt).getTime();
-  const now = Date.now();
-  const msUntilExpiry = expiresAt - now;
-
-  return {
-    expiringSoon: msUntilExpiry > 0 && msUntilExpiry <= thresholdMs,
-    expired: msUntilExpiry <= 0,
-    expiresAt: creds.expiresAt,
-    msUntilExpiry: Math.max(0, msUntilExpiry)
-  };
-}
-
-/**
- * Get API key from project's .bootspring.json (for AI assistant sharing)
- */
-function findNearestProjectConfigPath() {
-  let dir = process.cwd();
-  for (let i = 0; i < 10; i++) {
-    const configPath = path.join(dir, '.bootspring.json');
-    if (fs.existsSync(configPath)) {
-      return configPath;
-    }
-    const parent = path.dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return null;
-}
-
-function readNearestProjectConfig() {
-  try {
-    const configPath = findNearestProjectConfigPath();
-    if (!configPath) {
-      return null;
-    }
-    const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
-    return { path: configPath, config };
-  } catch {
-    // Ignore errors
-  }
-  return null;
-}
-
-function writeNearestProjectConfig(configPath, config) {
-  try {
-    fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function getProjectScopedSessionState() {
-  const projectConfig = readNearestProjectConfig();
-  if (!projectConfig || !projectConfig.config.projectAuth) {
-    return null;
-  }
-
-  const projectAuth = projectConfig.config.projectAuth;
-  if (
-    typeof projectAuth.token !== 'string' ||
-    projectAuth.token.length === 0 ||
-    typeof projectAuth.expiresAt !== 'string' ||
-    projectAuth.expiresAt.length === 0
-  ) {
-    return null;
-  }
-
-  return {
-    token: projectAuth.token,
-    expiresAt: projectAuth.expiresAt,
-    issuedAt: typeof projectAuth.issuedAt === 'string' ? projectAuth.issuedAt : new Date().toISOString(),
-    source: typeof projectAuth.source === 'string' ? projectAuth.source : undefined,
-    migratedFromLegacyApiKey: Boolean(projectAuth.migratedFromLegacyApiKey)
-  };
-}
-
-let legacyProjectApiKeyWarned = false;
-
-function getLegacyProjectApiKey() {
-  const projectConfig = readNearestProjectConfig();
-  if (!projectConfig) {
-    return null;
-  }
-
-  const legacyApiKey = projectConfig.config.apiKey;
-  if (typeof legacyApiKey === 'string' && legacyApiKey.length > 0) {
-    return legacyApiKey;
-  }
-  return null;
-}
-
-function getProjectScopedToken() {
-  const projectAuth = getProjectScopedSessionState();
-  if (!projectAuth) {
-    return null;
-  }
-
-  const expiresAt = new Date(projectAuth.expiresAt).getTime();
-  if (!Number.isFinite(expiresAt)) {
-    return null;
-  }
-
-  // Consider token expired slightly early to avoid boundary race conditions.
-  if (Date.now() >= expiresAt - 60_000) {
-    return null;
-  }
-
-  return projectAuth.token;
-}
-
-/**
- * Get stored API key
- * @deprecated API keys are no longer stored on disk. Returns null.
- * Use environment variable BOOTSPRING_API_KEY or project-scoped tokens instead.
- */
-function getStoredApiKey() {
-  // API keys are no longer stored in credentials for security
-  // They should only come from env vars or be exchanged for scoped tokens
-  return null;
-}
-
-/**
- * Backwards-compatible alias for legacy .bootspring.json project API key.
- */
-function getProjectApiKey() {
-  return getLegacyProjectApiKey();
-}
-
-/**
- * Get API key (if using API key auth)
- * Checks:
- * 1) env var
- * 2) short-lived project scoped token in .bootspring.json
- * 3) encrypted credential API key
- * 4) legacy .bootspring.json apiKey (migration fallback only)
- */
-function getApiKey() {
-  // 1. Environment variable (for CI/CD)
-  const envApiKey = process.env.BOOTSPRING_API_KEY;
-  if (envApiKey) {
-    return envApiKey;
-  }
-
-  // If a valid JWT session exists, prefer session auth and suppress API-key fallback.
-  if (getToken()) {
-    return null;
-  }
-
-  // 2. Project-scoped short-lived token.
-  const projectScopedToken = getProjectScopedToken();
-  if (projectScopedToken) {
-    return projectScopedToken;
-  }
-
-  // 3. Encrypted credentials file.
-  const storedApiKey = getStoredApiKey();
-  if (storedApiKey) {
-    return storedApiKey;
-  }
-
-  // 4. Legacy project API key fallback (read-only migration path).
-  const legacyApiKey = getLegacyProjectApiKey();
-  if (legacyApiKey) {
-    if (!legacyProjectApiKeyWarned) {
-      legacyProjectApiKeyWarned = true;
-      console.warn(
-        '[bootspring] Using legacy .bootspring.json apiKey fallback. ' +
-        'Run `bootspring auth login --api-key <key>` to migrate to short-lived project tokens.'
-      );
-    }
-    return legacyApiKey;
-  }
-
-  return null;
-}
-
-/**
- * Check if using API key authentication
- */
-function isApiKeyAuth() {
-  if (process.env.BOOTSPRING_API_KEY) {
-    return true;
-  }
-
-  if (getToken()) {
-    return false;
-  }
-
-  return Boolean(
-    getProjectScopedToken() ||
-    getStoredApiKey() ||
-    getLegacyProjectApiKey()
-  );
-}
-
-/**
- * Get refresh token
- */
-function getRefreshToken() {
-  const creds = getCredentials();
-  return creds?.refreshToken || null;
-}
-
-/**
- * Check if user is authenticated
- */
-function isAuthenticated() {
-  return !!getToken() || !!getApiKey();
-}
-
-/**
- * Get user info from stored credentials
- */
-function getUser() {
-  const creds = getCredentials();
-  return creds?.user || null;
-}
-
-/**
- * Get user's current tier
- * Checks environment variable first, then stored credentials
- */
-function getTier() {
-  // Environment variable takes precedence (for CI/CD and sandboxed AI assistants)
-  const envTier = process.env.BOOTSPRING_USER_TIER;
-  if (envTier) {
-    return envTier.toLowerCase();
-  }
-
-  const user = getUser();
-  return user?.tier || 'free';
-}
-
-/**
- * Save login response (JWT auth)
- */
-function login(response) {
-  // Calculate expiration time
-  const expiresIn = response.expiresIn || '15m';
-  const expiresMs = parseExpiry(expiresIn);
-  const expiresAt = new Date(Date.now() + expiresMs).toISOString();
-
-  saveCredentials({
-    token: response.token,
-    refreshToken: response.refreshToken,
-    expiresAt,
-    user: response.user
-  });
-}
-
-/**
- * Save API key to project's .bootspring.json (for AI assistant sharing)
- */
-function saveApiKeyToProject(apiKey) {
-  try {
-    const projectConfig = readNearestProjectConfig();
-    if (!projectConfig) {
-      return false;
-    }
-
-    const config = { ...projectConfig.config };
-    config.apiKey = apiKey;
-    return writeNearestProjectConfig(projectConfig.path, config);
-  } catch {
-    // Ignore errors - project config save is best-effort
-  }
-  return false;
-}
-
-/**
- * Clear API key from project's .bootspring.json in current working tree.
- */
-function clearProjectApiKey() {
-  try {
-    const projectConfig = readNearestProjectConfig();
-    if (!projectConfig) {
-      return false;
-    }
-
-    const config = { ...projectConfig.config };
-    if (!Object.prototype.hasOwnProperty.call(config, 'apiKey')) {
-      return false;
-    }
-
-    delete config.apiKey;
-    return writeNearestProjectConfig(projectConfig.path, config);
-  } catch {
-    // Ignore errors - project config cleanup is best-effort
-  }
-  return false;
-}
-
-/**
- * Save API key session
- * Note: API keys are NOT stored on disk. Only user info is saved.
- * The API key should be exchanged for a short-lived scoped token immediately.
- * @param {string} apiKey - API key (kept in memory only, not stored)
- * @param {object} user - User info to store
- */
-function loginWithApiKey(apiKey, user) {
-  // Only save user info, NOT the API key itself
-  // API key should be exchanged for scoped token via api-client.js
-  if (user !== undefined) {
-    const credentials = { user };
-    saveCredentials(credentials);
-  }
-
-  // Clear any legacy API keys from project config
-  clearProjectApiKey();
-}
-
-/**
- * Update tokens (after refresh)
- */
-function updateTokens(response) {
-  const creds = getCredentials() || {};
-  const expiresIn = response.expiresIn || '15m';
-  const expiresMs = parseExpiry(expiresIn);
-  const expiresAt = new Date(Date.now() + expiresMs).toISOString();
-
-  saveCredentials({
-    ...creds,
-    token: response.token,
-    refreshToken: response.refreshToken,
-    expiresAt
-  });
-}
-
-/**
- * Parse expiry string (e.g., '15m', '1h', '7d')
- */
-function parseExpiry(expiry) {
-  const match = expiry.match(/^(\d+)([mhd])$/);
-  if (!match) return 15 * 60 * 1000; // Default 15 minutes
-
-  const value = parseInt(match[1]);
-  const unit = match[2];
-
-  switch (unit) {
-    case 'm': return value * 60 * 1000;
-    case 'h': return value * 60 * 60 * 1000;
-    case 'd': return value * 24 * 60 * 60 * 1000;
-    default: return 15 * 60 * 1000;
-  }
-}
-
-function saveProjectScopedSession(token, options = {}) {
-  try {
-    const projectConfig = readNearestProjectConfig();
-    if (!projectConfig || !token) {
-      return false;
-    }
-
-    const resolvedExpiresAt = (() => {
-      if (options.expiresAt) {
-        return options.expiresAt;
-      }
-      if (typeof options.expiresIn === 'number' && Number.isFinite(options.expiresIn)) {
-        return new Date(Date.now() + options.expiresIn * 1000).toISOString();
-      }
-      if (typeof options.expiresIn === 'string') {
-        return new Date(Date.now() + parseExpiry(options.expiresIn)).toISOString();
-      }
-      return new Date(Date.now() + 15 * 60 * 1000).toISOString();
-    })();
-
-    const nextConfig = {
-      ...projectConfig.config,
-      projectAuth: {
-        token,
-        expiresAt: resolvedExpiresAt,
-        issuedAt: new Date().toISOString(),
-        source: options.source || 'api-key-exchange',
-        migratedFromLegacyApiKey: Boolean(options.migratedFromLegacyApiKey)
-      }
-    };
-
-    if (options.migratedFromLegacyApiKey && Object.prototype.hasOwnProperty.call(nextConfig, 'apiKey')) {
-      delete nextConfig.apiKey;
-    }
-
-    return writeNearestProjectConfig(projectConfig.path, nextConfig);
-  } catch {
-    // Ignore errors - project scoped session save is best-effort.
-  }
-  return false;
-}
-
-function clearProjectScopedSession() {
-  try {
-    const projectConfig = readNearestProjectConfig();
-    if (!projectConfig || !projectConfig.config.projectAuth) {
-      return false;
-    }
-
-    const nextConfig = { ...projectConfig.config };
-    delete nextConfig.projectAuth;
-    return writeNearestProjectConfig(projectConfig.path, nextConfig);
-  } catch {
-    // Ignore errors - project scoped session cleanup is best-effort.
-  }
-  return false;
-}
-
-/**
- * Logout
- */
-function logout() {
-  clearCredentials();
-  clearProjectScopedSession();
-  clearProjectApiKey();
-}
-
-/**
- * Get global config
- */
-function getConfig() {
-  try {
-    if (fs.existsSync(CONFIG_FILE)) {
-      return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf-8'));
-    }
-  } catch {
-    // Ignore
-  }
-  return {};
-}
-
-/**
- * Save global config
- */
-function saveConfig(config) {
-  ensureDir();
-  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
-}
-
-/**
- * Get credentials file path (for display)
- */
-function getCredentialsPath() {
-  return CREDENTIALS_FILE;
-}
-
-/**
- * Generate a stable device fingerprint based on machine characteristics
- * This creates a unique identifier for this device that persists across sessions
- * @returns {string} Device fingerprint hash
- */
-function generateDeviceFingerprint() {
-  const components = [
-    os.hostname(),
-    os.userInfo().username,
-    os.platform(),
-    os.arch(),
-    os.cpus()[0]?.model || 'unknown-cpu',
-    os.homedir(),
-    // Network interfaces (stable MAC addresses)
-    Object.values(os.networkInterfaces())
-      .flat()
-      .filter(iface => iface && !iface.internal && iface.mac !== '00:00:00:00:00:00')
-      .map(iface => iface.mac)
-      .sort()
-      .join(',')
-  ];
-
-  return crypto
-    .createHash('sha256')
-    .update(components.join('|'))
-    .digest('hex');
-}
-
-/**
- * Get or create persistent device ID
- * The device ID is generated once and stored for consistency
- * @returns {object} Device info { deviceId, fingerprint, createdAt }
- */
-function getDeviceInfo() {
-  ensureDir();
-
-  try {
-    if (fs.existsSync(DEVICE_FILE)) {
-      const stored = JSON.parse(fs.readFileSync(DEVICE_FILE, 'utf-8'));
-      // Verify fingerprint still matches (detect if copied to another machine)
-      const currentFingerprint = generateDeviceFingerprint();
-      if (stored.fingerprint === currentFingerprint) {
-        return stored;
-      }
-      // Fingerprint mismatch - device file was copied, regenerate
-    }
-  } catch {
-    // Ignore read errors, regenerate
-  }
-
-  // Generate new device info
-  const deviceInfo = {
-    deviceId: crypto.randomUUID(),
-    fingerprint: generateDeviceFingerprint(),
-    createdAt: new Date().toISOString(),
-    platform: os.platform(),
-    arch: os.arch(),
-    hostname: os.hostname()
-  };
-
-  fs.writeFileSync(DEVICE_FILE, JSON.stringify(deviceInfo, null, 2), { mode: 0o600 });
-  return deviceInfo;
-}
-
-/**
- * Get device ID for authentication requests
- * @returns {string} Device ID
- */
-function getDeviceId() {
-  return getDeviceInfo().deviceId;
-}
-
-/**
- * Get full device context for authentication
- * Includes device ID plus current session info for server-side tracking
- * @returns {object} Device context for auth requests
- */
-function getDeviceContext() {
-  const info = getDeviceInfo();
-  return {
-    deviceId: info.deviceId,
-    platform: info.platform,
-    arch: info.arch,
-    hostname: info.hostname,
-    cliVersion: require('../package.json').version,
-    nodeVersion: process.version,
-    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone
-  };
-}
-
-/**
- * Clear device info (for testing or reset)
- */
-function clearDeviceInfo() {
-  try {
-    if (fs.existsSync(DEVICE_FILE)) {
-      fs.unlinkSync(DEVICE_FILE);
-    }
-  } catch {
-    // Ignore delete errors
-  }
-}
-
-module.exports = {
-  BOOTSPRING_DIR,
-  ensureDir,
-  getCredentials,
-  saveCredentials,
-  clearCredentials,
-  getToken,
-  getTokenExpiryStatus,
-  getApiKey,
-  getProjectApiKey,
-  getProjectScopedToken,
-  getStoredApiKey,
-  getLegacyProjectApiKey,
-  isApiKeyAuth,
-  getRefreshToken,
-  isAuthenticated,
-  getUser,
-  getTier,
-  login,
-  loginWithApiKey,
-  saveApiKeyToProject,
-  saveProjectScopedSession,
-  clearProjectScopedSession,
-  clearProjectApiKey,
-  updateTokens,
-  logout,
-  getConfig,
-  saveConfig,
-  getCredentialsPath,
-  // Device fingerprinting
-  generateDeviceFingerprint,
-  getDeviceInfo,
-  getDeviceId,
-  getDeviceContext,
-  clearDeviceInfo
-};