@ian2018cs/agenthub 0.1.0 → 0.1.2

package/server/database/db.js

@@ -21,25 +21,25 @@ const c = {
     dim: (text) => `${colors.dim}${text}${colors.reset}`,
 };
 
-// Use DATABASE_PATH environment variable if set, otherwise use default location
-// Resolve relative paths from project root (one level up from server/)
+// Use DATABASE_PATH environment variable if set, otherwise use DATA_DIR/auth.db
+// DATA_DIR defaults to ./data relative to project root
+const PROJECT_ROOT = path.join(__dirname, '../..');
+const DATA_DIR = process.env.DATA_DIR || path.join(PROJECT_ROOT, 'data');
 const DB_PATH = process.env.DATABASE_PATH
-  ? path.resolve(path.join(__dirname, '../..'), process.env.DATABASE_PATH)
-  : path.join(__dirname, 'auth.db');
+  ? path.resolve(PROJECT_ROOT, process.env.DATABASE_PATH)
+  : path.join(DATA_DIR, 'auth.db');
 const INIT_SQL_PATH = path.join(__dirname, 'init.sql');
 
-// Ensure database directory exists if custom path is provided
-if (process.env.DATABASE_PATH) {
-  const dbDir = path.dirname(DB_PATH);
-  try {
-    if (!fs.existsSync(dbDir)) {
-      fs.mkdirSync(dbDir, { recursive: true });
-      console.log(`Created database directory: ${dbDir}`);
-    }
-  } catch (error) {
-    console.error(`Failed to create database directory ${dbDir}:`, error.message);
-    throw error;
+// Ensure database directory exists
+const dbDir = path.dirname(DB_PATH);
+try {
+  if (!fs.existsSync(dbDir)) {
+    fs.mkdirSync(dbDir, { recursive: true });
+    console.log(`Created database directory: ${dbDir}`);
   }
+} catch (error) {
+  console.error(`Failed to create database directory ${dbDir}:`, error.message);
+  throw error;
 }
 
 // Create database connection
@@ -50,6 +50,7 @@ const appInstallPath = path.join(__dirname, '../..');
 console.log('');
 console.log(c.dim('═'.repeat(60)));
 console.log(`${c.info('[INFO]')} App Installation: ${c.bright(appInstallPath)}`);
+console.log(`${c.info('[INFO]')} Data Directory: ${c.dim(path.relative(appInstallPath, DATA_DIR))}`);
 console.log(`${c.info('[INFO]')} Database: ${c.dim(path.relative(appInstallPath, DB_PATH))}`);
 if (process.env.DATABASE_PATH) {
   console.log(`       ${c.dim('(Using custom DATABASE_PATH from environment)')}`);
@@ -62,6 +63,23 @@ const runMigrations = () => {
     const tableInfo = db.prepare("PRAGMA table_info(users)").all();
     const columnNames = tableInfo.map(col => col.name);
 
+    // Create verification_codes table for email login
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS verification_codes (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        email TEXT NOT NULL,
+        code TEXT NOT NULL,
+        type TEXT DEFAULT 'login' CHECK(type IN ('login', 'register')),
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        expires_at DATETIME NOT NULL,
+        attempts INTEGER DEFAULT 0,
+        used BOOLEAN DEFAULT 0,
+        ip_address TEXT
+      )
+    `);
+    db.exec('CREATE INDEX IF NOT EXISTS idx_verification_codes_email ON verification_codes(email)');
+    db.exec('CREATE INDEX IF NOT EXISTS idx_verification_codes_expires ON verification_codes(expires_at)');
+
     // Create usage_records table for tracking token usage
     db.exec(`
       CREATE TABLE IF NOT EXISTS usage_records (
@@ -137,6 +155,25 @@ const runMigrations = () => {
     // Create index for status (safe to run even if already exists)
     db.exec('CREATE INDEX IF NOT EXISTS idx_users_status ON users(status)');
 
+    // Add email column if not exists (for email verification login)
+    if (!columnNames.includes('email')) {
+      console.log('Running migration: Adding email column');
+      db.exec('ALTER TABLE users ADD COLUMN email TEXT');
+    }
+    db.exec('CREATE UNIQUE INDEX IF NOT EXISTS idx_users_email ON users(email)');
+
+    // Create email domain whitelist table
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS email_domain_whitelist (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT UNIQUE NOT NULL,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        created_by INTEGER,
+        FOREIGN KEY (created_by) REFERENCES users(id)
+      )
+    `);
+    db.exec('CREATE INDEX IF NOT EXISTS idx_email_domain_whitelist_domain ON email_domain_whitelist(domain)');
+
     console.log('Database migrations completed successfully');
   } catch (error) {
     console.error('Error running migrations:', error.message);
@@ -281,7 +318,7 @@ const userDb = {
   getAllUsers: () => {
     try {
       return db.prepare(
-        'SELECT id, username, uuid, role, status, created_at, last_login FROM users ORDER BY created_at DESC'
+        'SELECT id, username, email, uuid, role, status, created_at, last_login FROM users ORDER BY created_at DESC'
       ).all();
     } catch (err) {
       throw err;
@@ -313,6 +350,142 @@ const userDb = {
     } catch (err) {
       throw err;
     }
+  },
+
+  // Get user by email
+  getUserByEmail: (email) => {
+    try {
+      return db.prepare('SELECT * FROM users WHERE email = ? AND is_active = 1').get(email);
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Create user with email (for email verification login)
+  createUserWithEmail: (email, uuid, role) => {
+    try {
+      const stmt = db.prepare(
+        'INSERT INTO users (email, uuid, role) VALUES (?, ?, ?)'
+      );
+      const result = stmt.run(email, uuid, role);
+      return { id: result.lastInsertRowid, email, uuid, role };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Check if email exists
+  emailExists: (email) => {
+    try {
+      const row = db.prepare('SELECT COUNT(*) as count FROM users WHERE email = ?').get(email);
+      return row.count > 0;
+    } catch (err) {
+      throw err;
+    }
+  }
+};
+
+// Verification codes database operations
+const verificationDb = {
+  // Generate and store verification code
+  createCode: (email, type = 'login', ipAddress = null) => {
+    try {
+      const code = Math.floor(100000 + Math.random() * 900000).toString(); // 6-digit code
+      const expiresAt = new Date(Date.now() + 5 * 60 * 1000).toISOString(); // 5 minutes
+
+      const stmt = db.prepare(`
+        INSERT INTO verification_codes (email, code, type, expires_at, ip_address)
+        VALUES (?, ?, ?, ?, ?)
+      `);
+      const result = stmt.run(email, code, type, expiresAt, ipAddress);
+      return { id: result.lastInsertRowid, code };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Verify code and check if valid
+  verifyCode: (email, code) => {
+    try {
+      const now = new Date().toISOString();
+
+      // Find valid, unused code
+      const record = db.prepare(`
+        SELECT * FROM verification_codes
+        WHERE email = ? AND code = ? AND used = 0 AND expires_at > ?
+        ORDER BY created_at DESC LIMIT 1
+      `).get(email, code, now);
+
+      if (!record) {
+        return { valid: false, error: 'invalid_code' };
+      }
+
+      if (record.attempts >= 5) {
+        return { valid: false, error: 'max_attempts' };
+      }
+
+      // Mark as used
+      db.prepare('UPDATE verification_codes SET used = 1 WHERE id = ?').run(record.id);
+
+      return { valid: true, type: record.type };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Increment attempt count
+  incrementAttempts: (email, code) => {
+    try {
+      db.prepare(`
+        UPDATE verification_codes SET attempts = attempts + 1
+        WHERE email = ? AND code = ? AND used = 0
+      `).run(email, code);
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Check rate limit for sending codes
+  canSendCode: (email) => {
+    try {
+      const oneMinuteAgo = new Date(Date.now() - 60 * 1000).toISOString();
+      const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000).toISOString();
+
+      // Check per-email rate limit (1 per minute)
+      const recentByEmail = db.prepare(`
+        SELECT COUNT(*) as count FROM verification_codes
+        WHERE email = ? AND created_at > ?
+      `).get(email, oneMinuteAgo);
+
+      if (recentByEmail.count >= 1) {
+        return { allowed: false, error: 'rate_limit_email', waitSeconds: 60 };
+      }
+
+      // Check per-email hourly limit (10 per hour)
+      const hourlyByEmail = db.prepare(`
+        SELECT COUNT(*) as count FROM verification_codes
+        WHERE email = ? AND created_at > ?
+      `).get(email, oneHourAgo);
+
+      if (hourlyByEmail.count >= 10) {
+        return { allowed: false, error: 'rate_limit_hourly' };
+      }
+
+      return { allowed: true };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Cleanup expired codes
+  cleanupExpired: () => {
+    try {
+      const now = new Date().toISOString();
+      const result = db.prepare('DELETE FROM verification_codes WHERE expires_at < ?').run(now);
+      return result.changes;
+    } catch (err) {
+      throw err;
+    }
   }
 };
 
@@ -515,9 +688,81 @@ const usageDb = {
   }
 };
 
+// Email domain whitelist database operations
+const domainWhitelistDb = {
+  // Get all whitelisted domains
+  getAllDomains: () => {
+    try {
+      return db.prepare('SELECT * FROM email_domain_whitelist ORDER BY domain ASC').all();
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Add a domain to whitelist
+  addDomain: (domain, createdBy = null) => {
+    try {
+      const normalizedDomain = domain.toLowerCase().trim();
+      const stmt = db.prepare('INSERT INTO email_domain_whitelist (domain, created_by) VALUES (?, ?)');
+      const result = stmt.run(normalizedDomain, createdBy);
+      return { id: result.lastInsertRowid, domain: normalizedDomain };
+    } catch (err) {
+      if (err.code === 'SQLITE_CONSTRAINT_UNIQUE') {
+        throw new Error('域名已存在');
+      }
+      throw err;
+    }
+  },
+
+  // Remove a domain from whitelist
+  removeDomain: (id) => {
+    try {
+      const result = db.prepare('DELETE FROM email_domain_whitelist WHERE id = ?').run(id);
+      return result.changes > 0;
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Check if email domain is allowed
+  isEmailAllowed: (email) => {
+    try {
+      // First check if whitelist is empty (allow all if no restrictions)
+      const count = db.prepare('SELECT COUNT(*) as count FROM email_domain_whitelist').get();
+      if (count.count === 0) {
+        return true; // No whitelist configured, allow all
+      }
+
+      // Extract domain from email
+      const domain = email.toLowerCase().split('@')[1];
+      if (!domain) {
+        return false;
+      }
+
+      // Check if domain is in whitelist
+      const row = db.prepare('SELECT id FROM email_domain_whitelist WHERE domain = ?').get(domain);
+      return !!row;
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Get whitelist count
+  getCount: () => {
+    try {
+      const row = db.prepare('SELECT COUNT(*) as count FROM email_domain_whitelist').get();
+      return row.count;
+    } catch (err) {
+      throw err;
+    }
+  }
+};
+
 export {
   db,
   initializeDatabase,
   userDb,
-  usageDb
+  usageDb,
+  verificationDb,
+  domainWhitelistDb
 };

package/server/database/init.sql

@@ -2,10 +2,14 @@
 PRAGMA foreign_keys = ON;
 
 -- Users table (multi-user system)
+-- Supports two login methods:
+-- 1. Email verification code (email field, no password_hash)
+-- 2. Username/password (username + password_hash, created by admin)
 CREATE TABLE IF NOT EXISTS users (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
-    username TEXT UNIQUE NOT NULL,
-    password_hash TEXT NOT NULL,
+    username TEXT UNIQUE,
+    password_hash TEXT,
+    email TEXT UNIQUE,
     uuid TEXT,
     role TEXT DEFAULT 'user' CHECK(role IN ('admin', 'user')),
     status TEXT DEFAULT 'active' CHECK(status IN ('active', 'disabled')),
@@ -20,4 +24,32 @@ CREATE TABLE IF NOT EXISTS users (
 -- Indexes for performance (base indexes only)
 -- Note: Indexes for uuid, role, status are created in migrations to support upgrades
 CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
-CREATE INDEX IF NOT EXISTS idx_users_active ON users(is_active);
+CREATE INDEX IF NOT EXISTS idx_users_active ON users(is_active);
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+
+-- Verification codes table for email login
+CREATE TABLE IF NOT EXISTS verification_codes (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    email TEXT NOT NULL,
+    code TEXT NOT NULL,
+    type TEXT DEFAULT 'login' CHECK(type IN ('login', 'register')),
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    expires_at DATETIME NOT NULL,
+    attempts INTEGER DEFAULT 0,
+    used BOOLEAN DEFAULT 0,
+    ip_address TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_verification_codes_email ON verification_codes(email);
+CREATE INDEX IF NOT EXISTS idx_verification_codes_expires ON verification_codes(expires_at);
+
+-- Email domain whitelist for registration
+CREATE TABLE IF NOT EXISTS email_domain_whitelist (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    domain TEXT UNIQUE NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    created_by INTEGER,
+    FOREIGN KEY (created_by) REFERENCES users(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_email_domain_whitelist_domain ON email_domain_whitelist(domain);

package/server/middleware/auth.js

@@ -65,17 +65,18 @@ const authenticateToken = async (req, res, next) => {
   }
 };
 
-// Generate JWT token (never expires)
+// Generate JWT token with 30-day expiration
 const generateToken = (user) => {
   return jwt.sign(
     {
       userId: user.id,
-      username: user.username,
+      username: user.username || user.email,
+      email: user.email,
       uuid: user.uuid,
       role: user.role
     },
-    JWT_SECRET
-    // No expiration - token lasts forever
+    JWT_SECRET,
+    { expiresIn: '30d' } // 30-day expiration
   );
 };
 

package/server/routes/admin.js

@@ -1,7 +1,9 @@
 import express from 'express';
-import { userDb } from '../database/db.js';
+import bcrypt from 'bcrypt';
+import { v4 as uuidv4 } from 'uuid';
+import { userDb, domainWhitelistDb } from '../database/db.js';
 import { authenticateToken } from '../middleware/auth.js';
-import { deleteUserDirectories } from '../services/user-directories.js';
+import { deleteUserDirectories, initUserDirectories } from '../services/user-directories.js';
 
 const router = express.Router();
 
@@ -28,6 +30,58 @@ router.get('/users', (req, res) => {
   }
 });
 
+// Create a new user with username and password (admin only)
+router.post('/users', async (req, res) => {
+  try {
+    const { username, password } = req.body;
+
+    if (!username || !password) {
+      return res.status(400).json({ error: '用户名和密码不能为空' });
+    }
+
+    if (username.length < 3 || password.length < 6) {
+      return res.status(400).json({
+        error: '用户名至少3个字符，密码至少6个字符'
+      });
+    }
+
+    // Check if username already exists
+    const existingUser = userDb.getUserByUsername(username);
+    if (existingUser) {
+      return res.status(409).json({ error: '用户名已存在' });
+    }
+
+    // Hash password
+    const saltRounds = 12;
+    const passwordHash = await bcrypt.hash(password, saltRounds);
+
+    // Create user
+    const uuid = uuidv4();
+    const user = userDb.createUserFull(username, passwordHash, uuid, 'user');
+
+    // Initialize user directories
+    await initUserDirectories(uuid);
+
+    res.json({
+      success: true,
+      user: {
+        id: user.id,
+        username: user.username,
+        uuid: user.uuid,
+        role: user.role
+      }
+    });
+
+  } catch (error) {
+    console.error('Error creating user:', error);
+    if (error.code === 'SQLITE_CONSTRAINT_UNIQUE') {
+      res.status(409).json({ error: '用户名已存在' });
+    } else {
+      res.status(500).json({ error: '创建用户失败' });
+    }
+  }
+});
+
 // Update user status
 router.patch('/users/:id', (req, res) => {
   try {
@@ -86,4 +140,61 @@ router.delete('/users/:id', async (req, res) => {
   }
 });
 
+// ==================== Email Domain Whitelist ====================
+
+// Get all whitelisted domains
+router.get('/email-domains', (req, res) => {
+  try {
+    const domains = domainWhitelistDb.getAllDomains();
+    res.json({ domains });
+  } catch (error) {
+    console.error('Error fetching email domains:', error);
+    res.status(500).json({ error: '获取域名列表失败' });
+  }
+});
+
+// Add a domain to whitelist
+router.post('/email-domains', (req, res) => {
+  try {
+    const { domain } = req.body;
+
+    if (!domain) {
+      return res.status(400).json({ error: '域名不能为空' });
+    }
+
+    // Validate domain format
+    const domainRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/;
+    if (!domainRegex.test(domain)) {
+      return res.status(400).json({ error: '域名格式无效' });
+    }
+
+    const result = domainWhitelistDb.addDomain(domain, req.user.id);
+    res.json({ success: true, domain: result });
+  } catch (error) {
+    console.error('Error adding email domain:', error);
+    if (error.message === '域名已存在') {
+      res.status(409).json({ error: error.message });
+    } else {
+      res.status(500).json({ error: '添加域名失败' });
+    }
+  }
+});
+
+// Remove a domain from whitelist
+router.delete('/email-domains/:id', (req, res) => {
+  try {
+    const { id } = req.params;
+    const success = domainWhitelistDb.removeDomain(parseInt(id));
+
+    if (success) {
+      res.json({ success: true, message: '域名已删除' });
+    } else {
+      res.status(404).json({ error: '域名不存在' });
+    }
+  } catch (error) {
+    console.error('Error removing email domain:', error);
+    res.status(500).json({ error: '删除域名失败' });
+  }
+});
+
 export default router;