npm - @hienlh/ppm - Versions diffs - 0.7.27 → 0.7.28 - Mend

@hienlh/ppm 0.7.27 → 0.7.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/src/lib/account-crypto.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs";
 import { resolve } from "node:path";
 import { homedir } from "node:os";
@@ -39,6 +39,57 @@ export function encrypt(plaintext: string): string {
   return `${iv.toString("hex")}:${tag.toString("hex")}:${enc.toString("hex")}`;
 }
+// ---------------------------------------------------------------------------
+// Password-based encryption for portable export (cross-machine)
+// ---------------------------------------------------------------------------
+interface EncryptedExport {
+  version: 1;
+  kdf: "scrypt";
+  salt: string;    // hex, 32 bytes
+  iv: string;      // hex, 12 bytes
+  authTag: string; // hex, 16 bytes
+  ciphertext: string; // base64
+}
+/** Encrypt payload with user password → portable encrypted JSON blob */
+export function encryptWithPassword(plaintext: string, password: string): string {
+  const salt = randomBytes(32);
+  const iv = randomBytes(12);
+  // scrypt N=16384 (r=8, p=1) → 16MB mem, ~50ms — secure & within Node/Bun default limits
+  const key = scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
+  const cipher = createCipheriv(ALGO, key, iv);
+  const enc = Buffer.concat([cipher.update(plaintext, "utf-8"), cipher.final()]);
+  const envelope: EncryptedExport = {
+    version: 1,
+    kdf: "scrypt",
+    salt: salt.toString("hex"),
+    iv: iv.toString("hex"),
+    authTag: cipher.getAuthTag().toString("hex"),
+    ciphertext: enc.toString("base64"),
+  };
+  return JSON.stringify(envelope);
+}
+/** Decrypt portable encrypted JSON blob with user password → plaintext */
+export function decryptWithPassword(blob: string, password: string): string {
+  let envelope: EncryptedExport;
+  try { envelope = JSON.parse(blob); } catch { throw new Error("Invalid backup format"); }
+  if (envelope.version !== 1 || envelope.kdf !== "scrypt") throw new Error("Unsupported backup version");
+  const salt = Buffer.from(envelope.salt, "hex");
+  const iv = Buffer.from(envelope.iv, "hex");
+  const authTag = Buffer.from(envelope.authTag, "hex");
+  const ciphertext = Buffer.from(envelope.ciphertext, "base64");
+  const key = scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
+  const decipher = createDecipheriv(ALGO, key, iv);
+  decipher.setAuthTag(authTag);
+  try {
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf-8");
+  } catch {
+    throw new Error("Wrong password or corrupted backup");
+  }
+}
 /** Decrypt "iv:authTag:ciphertext" → plaintext */
 export function decrypt(encoded: string): string {
   const parts = encoded.split(":");

package/src/server/routes/accounts.ts CHANGED Viewed

@@ -153,19 +153,28 @@ accountsRoutes.post("/oauth/refresh/:id", async (c) => {
   }
 });
-/** GET /api/accounts/export — download encrypted accounts backup */
-accountsRoutes.get("/export", (c) => {
-  const blob = accountService.exportEncrypted();
-  c.header("Content-Disposition", "attachment; filename=ppm-accounts-backup.json");
-  c.header("Content-Type", "application/json");
-  return c.body(blob);
+/** POST /api/accounts/export — download password-encrypted accounts backup */
+accountsRoutes.post("/export", async (c) => {
+  try {
+    const { password, accountIds } = await c.req.json() as { password: string; accountIds?: string[] };
+    if (!password) return c.json(err("Password required"), 400);
+    await accountService.refreshBeforeExport(accountIds);
+    const blob = accountService.exportEncrypted(password, accountIds);
+    c.header("Content-Disposition", "attachment; filename=ppm-accounts-backup.json");
+    c.header("Content-Type", "application/json");
+    return c.body(blob);
+  } catch (e) {
+    return c.json(err((e as Error).message), 400);
+  }
 });
-/** POST /api/accounts/import — restore accounts from backup */
+/** POST /api/accounts/import — restore accounts from password-encrypted backup */
 accountsRoutes.post("/import", async (c) => {
   try {
-    const body = await c.req.text();
-    const count = accountService.importEncrypted(body);
+    const { data, password } = await c.req.json() as { data: string; password: string };
+    if (!data) return c.json(err("Backup data required"), 400);
+    if (!password) return c.json(err("Password required"), 400);
+    const count = accountService.importEncrypted(data, password);
     return c.json(ok({ imported: count }));
   } catch (e) {
     return c.json(err((e as Error).message), 400);

package/src/services/account.service.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { randomUUID, createHash, randomBytes } from "node:crypto";
-import { encrypt, decrypt } from "../lib/account-crypto.ts";
+import { encrypt, decrypt, encryptWithPassword, decryptWithPassword } from "../lib/account-crypto.ts";
 import {
   getAccounts,
   getAccountById,
@@ -57,6 +57,12 @@ export interface OAuthProfileData {
   };
 }
+/** Check if a token string looks like our encrypted format "iv:authTag:ciphertext" (all hex) */
+function looksEncrypted(value: string): boolean {
+  const parts = value.split(":");
+  return parts.length === 3 && parts.every((p) => /^[0-9a-f]+$/i.test(p));
+}
 const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
 const OAUTH_AUTH_URL = "https://claude.ai/oauth/authorize";
 const OAUTH_TOKEN_URL = "https://api.anthropic.com/v1/oauth/token";
@@ -506,14 +512,40 @@ class AccountService {
   // Export / Import encrypted backup
   // ---------------------------------------------------------------------------
-  exportEncrypted(): string {
-    // Export raw DB rows (tokens are already encrypted) as JSON
-    const rows = getAccounts();
-    return JSON.stringify(rows, null, 2);
+  /** Refresh all OAuth tokens before export so they're fresh on the target machine */
+  async refreshBeforeExport(accountIds?: string[]): Promise<void> {
+    const accounts = accountIds?.length
+      ? accountIds.map((id) => this.getWithTokens(id)).filter(Boolean) as AccountWithTokens[]
+      : this.list().map((a) => this.getWithTokens(a.id)).filter(Boolean) as AccountWithTokens[];
+    for (const acc of accounts) {
+      if (!acc.accessToken.startsWith("sk-ant-oat")) continue; // only OAuth tokens
+      if (!acc.expiresAt) continue;
+      try {
+        await this.refreshAccessToken(acc.id);
+      } catch {
+        // Best-effort — skip accounts whose refresh token is already invalid
+      }
+    }
+  }
+  exportEncrypted(password: string, accountIds?: string[]): string {
+    // Fetch requested accounts (or all), decrypt tokens, encrypt whole payload with user password
+    const rows = accountIds?.length
+      ? accountIds.map((id) => getAccountById(id)).filter(Boolean) as AccountRow[]
+      : getAccounts();
+    const portable = rows.map((row) => {
+      let accessToken = row.access_token;
+      let refreshToken = row.refresh_token;
+      try { accessToken = decrypt(accessToken); } catch { /* already plaintext or corrupt */ }
+      try { refreshToken = decrypt(refreshToken); } catch { /* already plaintext or corrupt */ }
+      return { ...row, access_token: accessToken, refresh_token: refreshToken };
+    });
+    return encryptWithPassword(JSON.stringify(portable), password);
   }
-  importEncrypted(json: string): number {
-    const rows = JSON.parse(json) as AccountRow[];
+  importEncrypted(blob: string, password: string): number {
+    const plaintext = decryptWithPassword(blob, password);
+    const rows = JSON.parse(plaintext) as AccountRow[];
     if (!Array.isArray(rows)) throw new Error("Invalid backup format");
     let count = 0;
     for (const row of rows) {
@@ -521,12 +553,17 @@ class AccountService {
       // Skip if account already exists (by id or email)
       if (getAccountById(row.id)) continue;
       if (row.email && this.list().some((a) => a.email === row.email)) continue;
+      // Re-encrypt with this machine's key
+      let accessToken = row.access_token;
+      let refreshToken = row.refresh_token;
+      if (!looksEncrypted(accessToken)) accessToken = encrypt(accessToken);
+      if (!looksEncrypted(refreshToken)) refreshToken = encrypt(refreshToken);
       insertAccount({
         id: row.id,
         label: row.label,
         email: row.email,
-        access_token: row.access_token,
-        refresh_token: row.refresh_token,
+        access_token: accessToken,
+        refresh_token: refreshToken,
         expires_at: row.expires_at,
         status: row.status ?? "active",
         cooldown_until: row.cooldown_until,

package/src/web/components/chat/usage-badge.tsx CHANGED Viewed

@@ -295,7 +295,7 @@ export function UsageDetailPanel({ usage, visible, onClose, onReload, loading, l
         <div className="flex items-center gap-1">
           {onReload && (
             <button
-              onClick={() => { setRefreshing(true); onReload(); }}
+              onClick={() => { onReload(); loadAll(); }}
               disabled={loading || refreshing}
               className="text-xs text-text-subtle hover:text-text-primary px-1 disabled:opacity-50 cursor-pointer"
               title="Refresh"