@harness-fe/mcp-server 4.0.0-next.2 → 4.0.0-next.3

package/src/auth.ts

@@ -1,248 +0,0 @@
-/**
- * Token-based auth for the bridge's HTTP + WS surfaces.
- *
- * Loopback (127.*, localhost, ::1) — auth disabled by default; the daemon
- * trusts everything that can reach the loopback socket. As soon as the
- * daemon is bound to a non-loopback host (e.g. 0.0.0.0 for LAN debugging),
- * the CLI requires a token and this module enforces it on every HTTP route
- * and WS upgrade.
- *
- * Why a single module: dashboard / replay viewer / events handler /
- * MCP HTTP transport all live behind the same bridge HTTP server. Bridge
- * wraps requests with `isAuthorized` once, so individual handlers never
- * see unauthenticated traffic and don't carry auth code.
- */
-
-import { createHash, timingSafeEqual } from 'node:crypto';
-import type { IncomingMessage, ServerResponse } from 'node:http';
-
-export const DEFAULT_COOKIE_NAME = 'harness_fe_token';
-export const DEFAULT_LOGIN_PATH = '/__auth';
-const WS_SUBPROTOCOL_PREFIX = 'harness-fe.token.';
-
-export interface AuthOptions {
-    /** Expected token. Empty/undefined disables token auth. */
-    token?: string;
-    /**
-     * Custom authorization predicate. When supplied, runs *instead of* the
-     * token check on every HTTP request and WS upgrade. Synchronous: the
-     * WS upgrade handshake completes inline. For host-injected auth that
-     * needs an async lookup, cache the result in a cookie via the host's
-     * own middleware and have `authorize` read the cookie.
-     */
-    authorize?: (req: IncomingMessage) => boolean;
-    /** Cookie name set after a successful login. Default: harness_fe_token. */
-    cookieName?: string;
-    /** POST path that consumes the login form. Default: /__auth. */
-    loginPath?: string;
-}
-
-export function isAuthEnabled(opts: AuthOptions): boolean {
-    return !!(opts.token || opts.authorize);
-}
-
-/** Pull token from header / cookie / query / WS subprotocol (first match wins). */
-export function extractToken(req: IncomingMessage, opts: AuthOptions = {}): string | undefined {
-    const auth = req.headers.authorization;
-    if (typeof auth === 'string' && auth.startsWith('Bearer ')) {
-        const v = auth.slice(7).trim();
-        if (v) return v;
-    }
-
-    const cookieName = opts.cookieName ?? DEFAULT_COOKIE_NAME;
-    const cookies = parseCookieHeader(req.headers.cookie);
-    if (cookies[cookieName]) return decodeURIComponent(cookies[cookieName]);
-
-    const url = req.url ?? '';
-    const qi = url.indexOf('?');
-    if (qi >= 0) {
-        const params = new URLSearchParams(url.slice(qi + 1));
-        const t = params.get('token');
-        if (t) return t;
-    }
-
-    const subproto = req.headers['sec-websocket-protocol'];
-    if (typeof subproto === 'string') {
-        for (const p of subproto.split(',')) {
-            const trimmed = p.trim();
-            if (trimmed.startsWith(WS_SUBPROTOCOL_PREFIX)) {
-                return trimmed.slice(WS_SUBPROTOCOL_PREFIX.length);
-            }
-        }
-    }
-
-    return undefined;
-}
-
-/**
- * Constant-time token compare. Hashing both sides first means we always
- * compare equal-length buffers, sidestepping the length-leak that a raw
- * timingSafeEqual on user input would have.
- */
-export function verifyToken(provided: string | undefined, expected: string): boolean {
-    if (!provided || !expected) return false;
-    const a = createHash('sha256').update(provided).digest();
-    const b = createHash('sha256').update(expected).digest();
-    return timingSafeEqual(a, b);
-}
-
-/** True if request is allowed (auth disabled, custom predicate accepts, or token matches). */
-export function isAuthorized(req: IncomingMessage, opts: AuthOptions): boolean {
-    if (!isAuthEnabled(opts)) return true;
-    // Custom predicate wins when supplied. Hosts that embed the daemon pass
-    // their own check here (e.g. JWT verification reading from a cookie).
-    if (opts.authorize) return opts.authorize(req);
-    return verifyToken(extractToken(req, opts), opts.token!);
-}
-
-/**
- * Write a 401 response. Browsers (Accept: text/html) get a minimal login
- * form they can post the token through; everything else gets JSON.
- */
-export function sendUnauthorized(
-    req: IncomingMessage,
-    res: ServerResponse,
-    opts: AuthOptions,
-): void {
-    // Custom-authorize mode is for host apps that own their own login UX —
-    // the built-in token form is never the right answer there. Always 401
-    // as JSON and let the host redirect.
-    const wantsLoginForm = !opts.authorize;
-    const accept = (req.headers.accept ?? '').toLowerCase();
-    const wantsHtml = accept.includes('text/html') && wantsLoginForm;
-    if (wantsHtml) {
-        res.statusCode = 401;
-        res.setHeader('content-type', 'text/html; charset=utf-8');
-        res.setHeader('cache-control', 'no-store');
-        res.end(renderLoginPage(opts, req.url ?? '/'));
-        return;
-    }
-    res.statusCode = 401;
-    res.setHeader('content-type', 'application/json; charset=utf-8');
-    res.setHeader('www-authenticate', 'Bearer realm="harness-fe"');
-    res.end(
-        JSON.stringify({
-            error: 'unauthorized',
-            message:
-                'Missing or invalid token. Provide Authorization: Bearer <token>, ?token=<token>, or the harness_fe_token cookie.',
-        }),
-    );
-}
-
-/**
- * Handle POST {loginPath}: read form body, verify token, set cookie, 303 → next.
- */
-export async function handleLoginPost(
-    req: IncomingMessage,
-    res: ServerResponse,
-    opts: AuthOptions,
-): Promise<void> {
-    if (!isAuthEnabled(opts) || opts.authorize) {
-        // Auth disabled, or the host owns auth via a custom predicate — the
-        // built-in login form isn't meaningful here. Redirect home.
-        res.statusCode = 303;
-        res.setHeader('location', '/');
-        res.end();
-        return;
-    }
-
-    const chunks: Buffer[] = [];
-    let total = 0;
-    const MAX = 4096;
-    for await (const c of req) {
-        const buf = c as Buffer;
-        total += buf.length;
-        if (total > MAX) {
-            res.statusCode = 413;
-            res.setHeader('content-type', 'text/plain; charset=utf-8');
-            res.end('payload too large');
-            return;
-        }
-        chunks.push(buf);
-    }
-    const body = Buffer.concat(chunks).toString('utf8');
-    const form = new URLSearchParams(body);
-    const token = form.get('token') ?? '';
-    const next = safeNext(form.get('next') ?? '/');
-
-    if (!verifyToken(token, opts.token!)) {
-        res.statusCode = 401;
-        res.setHeader('content-type', 'text/html; charset=utf-8');
-        res.setHeader('cache-control', 'no-store');
-        res.end(renderLoginPage(opts, next, 'Invalid token. Try again.'));
-        return;
-    }
-
-    const cookieName = opts.cookieName ?? DEFAULT_COOKIE_NAME;
-    // 30 days. HttpOnly so JS can't read it; SameSite=Lax so cross-tab nav works.
-    const cookie = `${cookieName}=${encodeURIComponent(token)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=2592000`;
-    res.statusCode = 303;
-    res.setHeader('set-cookie', cookie);
-    res.setHeader('location', next);
-    res.end();
-}
-
-/**
- * Allow only same-origin relative paths as the post-login redirect. Anything
- * else degrades to "/" so a crafted form can't redirect to an external site.
- */
-function safeNext(next: string): string {
-    if (typeof next !== 'string') return '/';
-    if (!next.startsWith('/')) return '/';
-    if (next.startsWith('//')) return '/';
-    return next;
-}
-
-function parseCookieHeader(raw: string | undefined): Record<string, string> {
-    if (!raw) return {};
-    const out: Record<string, string> = {};
-    for (const part of raw.split(';')) {
-        const eq = part.indexOf('=');
-        if (eq < 0) continue;
-        const k = part.slice(0, eq).trim();
-        const v = part.slice(eq + 1).trim();
-        if (k) out[k] = v;
-    }
-    return out;
-}
-
-function escapeHtml(s: string): string {
-    return s.replace(/[&<>"']/g, (c) => {
-        switch (c) {
-            case '&': return '&amp;';
-            case '<': return '&lt;';
-            case '>': return '&gt;';
-            case '"': return '&quot;';
-            default: return '&#39;';
-        }
-    });
-}
-
-function renderLoginPage(opts: AuthOptions, next: string, error?: string): string {
-    const loginPath = opts.loginPath ?? DEFAULT_LOGIN_PATH;
-    const safeN = escapeHtml(safeNext(next));
-    const errBlock = error
-        ? `<p style="color:#c0392b;margin:0 0 12px">${escapeHtml(error)}</p>`
-        : '';
-    return `<!doctype html>
-<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>harness-fe — sign in</title>
-<style>
-body{font:14px/1.4 -apple-system,BlinkMacSystemFont,system-ui,sans-serif;background:#fafafa;color:#222;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}
-form{background:#fff;border:1px solid #e5e7eb;border-radius:8px;padding:24px;max-width:360px;width:100%;box-shadow:0 4px 12px rgba(0,0,0,.04)}
-h1{font-size:16px;margin:0 0 12px}
-input[type=password]{display:block;width:100%;box-sizing:border-box;padding:10px;border:1px solid #d1d5db;border-radius:6px;font-size:14px;margin-bottom:12px}
-button{display:block;width:100%;padding:10px;background:#111;color:#fff;border:0;border-radius:6px;font-size:14px;cursor:pointer}
-.muted{color:#666;font-size:12px;margin-top:12px}
-</style></head>
-<body>
-<form method="post" action="${escapeHtml(loginPath)}" autocomplete="off">
-  <h1>harness-fe</h1>
-  ${errBlock}
-  <input type="password" name="token" placeholder="token" autofocus required>
-  <input type="hidden" name="next" value="${safeN}">
-  <button type="submit">Sign in</button>
-  <p class="muted">Paste the token from the daemon startup banner.</p>
-</form>
-</body></html>`;
-}

package/src/bridge-auth.test.ts

@@ -1,196 +0,0 @@
-import { afterEach, describe, expect, it } from 'vitest';
-import { WebSocket } from 'ws';
-import { Bridge } from './bridge.js';
-
-const cleanups: Array<() => Promise<void> | void> = [];
-
-afterEach(async () => {
-    while (cleanups.length) {
-        const fn = cleanups.shift();
-        if (fn) await fn();
-    }
-});
-
-async function startBridge(opts: Parameters<typeof Bridge.prototype.constructor>[0] = {}): Promise<{
-    bridge: Bridge;
-    baseUrl: string;
-}> {
-    const bridge = new Bridge({
-        port: 0,
-        host: '127.0.0.1',
-        store: null,
-        taskStore: null,
-        autoPurge: { enabled: false },
-        ...opts,
-    });
-    await bridge.start();
-    cleanups.push(() => bridge.stop());
-    const port = bridge.getBoundPort()!;
-    return { bridge, baseUrl: `http://127.0.0.1:${port}` };
-}
-
-async function request(
-    url: string,
-    init: { method?: string; headers?: Record<string, string>; body?: string } = {},
-): Promise<{ status: number; headers: Record<string, string>; text: string }> {
-    const res = await fetch(url, init);
-    const headers: Record<string, string> = {};
-    res.headers.forEach((v, k) => {
-        headers[k] = v;
-    });
-    const text = await res.text();
-    return { status: res.status, headers, text };
-}
-
-describe('Bridge — token auth on HTTP routes', () => {
-    it('serves requests without token when auth disabled', async () => {
-        const { baseUrl } = await startBridge();
-        const res = await request(baseUrl + '/');
-        // dashboard isn't wired (store=null), so 404 — but it's a 404 from
-        // the bridge handler, not 401.
-        expect(res.status).toBe(404);
-    });
-
-    it('returns 401 JSON to API clients when token missing', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await request(baseUrl + '/');
-        expect(res.status).toBe(401);
-        expect(res.headers['www-authenticate']).toContain('Bearer');
-        expect(res.headers['content-type']).toContain('application/json');
-    });
-
-    it('returns HTML login page to browsers', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await request(baseUrl + '/', { headers: { accept: 'text/html' } });
-        expect(res.status).toBe(401);
-        expect(res.headers['content-type']).toContain('text/html');
-        expect(res.text).toContain('<form');
-        expect(res.text).toContain('name="token"');
-    });
-
-    it('accepts request with valid Bearer token', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await request(baseUrl + '/', { headers: { authorization: 'Bearer s3cret' } });
-        // Falls through to 404 (no httpHandler since store=null) — but NOT 401.
-        expect(res.status).not.toBe(401);
-    });
-
-    it('accepts request with valid cookie', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await request(baseUrl + '/', { headers: { cookie: 'harness_fe_token=s3cret' } });
-        expect(res.status).not.toBe(401);
-    });
-
-    it('accepts request with valid ?token= query', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await request(baseUrl + '/?token=s3cret');
-        expect(res.status).not.toBe(401);
-    });
-
-    it('POST /__auth with valid token sets cookie and 303-redirects', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await fetch(baseUrl + '/__auth', {
-            method: 'POST',
-            headers: { 'content-type': 'application/x-www-form-urlencoded' },
-            body: 'token=s3cret&next=/dashboard',
-            redirect: 'manual',
-        });
-        expect(res.status).toBe(303);
-        const setCookie = res.headers.get('set-cookie') ?? '';
-        expect(setCookie).toMatch(/harness_fe_token=s3cret/);
-        expect(setCookie).toMatch(/HttpOnly/);
-        expect(setCookie).toMatch(/SameSite=Lax/);
-        expect(res.headers.get('location')).toBe('/dashboard');
-    });
-
-    it('POST /__auth with wrong token re-renders login with error', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await fetch(baseUrl + '/__auth', {
-            method: 'POST',
-            headers: { 'content-type': 'application/x-www-form-urlencoded' },
-            body: 'token=wrong&next=/',
-            redirect: 'manual',
-        });
-        expect(res.status).toBe(401);
-        const text = await res.text();
-        expect(text).toContain('Invalid token');
-    });
-
-    it('POST /__auth ignores external "next" — falls back to /', async () => {
-        const { baseUrl } = await startBridge({ auth: { token: 's3cret' } });
-        const res = await fetch(baseUrl + '/__auth', {
-            method: 'POST',
-            headers: { 'content-type': 'application/x-www-form-urlencoded' },
-            body: 'token=s3cret&next=//evil.example/',
-            redirect: 'manual',
-        });
-        expect(res.status).toBe(303);
-        expect(res.headers.get('location')).toBe('/');
-    });
-});
-
-describe('Bridge — WS upgrade auth', () => {
-    it('rejects WS upgrade when token missing', async () => {
-        const { bridge } = await startBridge({ auth: { token: 's3cret' } });
-        const wsUrl = `ws://127.0.0.1:${bridge.getBoundPort()}/`;
-        const err: { code?: string; message?: string } = await new Promise((resolve) => {
-            const ws = new WebSocket(wsUrl);
-            ws.once('error', (e: NodeJS.ErrnoException) => resolve({ code: e.code, message: e.message }));
-            ws.once('open', () => {
-                ws.close();
-                resolve({ message: 'unexpectedly opened' });
-            });
-        });
-        // ws library surfaces the 401 as "Unexpected server response: 401".
-        expect(err.message ?? '').toMatch(/401|Unauthorized|unexpected/i);
-    });
-
-    it('accepts WS upgrade with valid Bearer header', async () => {
-        const { bridge } = await startBridge({ auth: { token: 's3cret' } });
-        const wsUrl = `ws://127.0.0.1:${bridge.getBoundPort()}/`;
-        const opened: boolean = await new Promise((resolve) => {
-            const ws = new WebSocket(wsUrl, { headers: { authorization: 'Bearer s3cret' } });
-            const t = setTimeout(() => resolve(false), 2000);
-            ws.once('open', () => {
-                clearTimeout(t);
-                ws.close();
-                resolve(true);
-            });
-            ws.once('error', () => {
-                clearTimeout(t);
-                resolve(false);
-            });
-        });
-        expect(opened).toBe(true);
-    });
-
-    it('accepts WS upgrade with valid ?token= query', async () => {
-        const { bridge } = await startBridge({ auth: { token: 's3cret' } });
-        const wsUrl = `ws://127.0.0.1:${bridge.getBoundPort()}/?token=s3cret`;
-        const opened: boolean = await new Promise((resolve) => {
-            const ws = new WebSocket(wsUrl);
-            const t = setTimeout(() => resolve(false), 2000);
-            ws.once('open', () => {
-                clearTimeout(t);
-                ws.close();
-                resolve(true);
-            });
-            ws.once('error', () => {
-                clearTimeout(t);
-                resolve(false);
-            });
-        });
-        expect(opened).toBe(true);
-    });
-});
-
-describe('Bridge — viewer base URL with non-loopback host', () => {
-    it('rewrites 0.0.0.0 binds to a routable LAN IP for outbound URLs', async () => {
-        const { bridge } = await startBridge({ host: '0.0.0.0', auth: { token: 'x' } });
-        const url = bridge.getViewerBaseUrl();
-        expect(url).toBeDefined();
-        // Either a real LAN IP, or 127.0.0.1 if the test machine has no
-        // non-internal interfaces — never the literal 0.0.0.0.
-        expect(url).not.toContain('0.0.0.0');
-    });
-});