@ian2018cs/agenthub 0.1.0 → 0.1.2

package/server/routes/auth.js

@@ -1,9 +1,10 @@
 import express from 'express';
 import bcrypt from 'bcrypt';
 import { v4 as uuidv4 } from 'uuid';
-import { userDb, db } from '../database/db.js';
+import { userDb, verificationDb, domainWhitelistDb } from '../database/db.js';
 import { generateToken, authenticateToken } from '../middleware/auth.js';
 import { initUserDirectories } from '../services/user-directories.js';
+import { sendVerificationCode, isSmtpConfigured } from '../services/email.js';
 
 const router = express.Router();
 
@@ -11,9 +12,10 @@ const router = express.Router();
 router.get('/status', async (req, res) => {
   try {
     const hasUsers = await userDb.hasUsers();
-    res.json({ 
+    res.json({
       needsSetup: !hasUsers,
-      isAuthenticated: false // Will be overridden by frontend if token exists
+      isAuthenticated: false, // Will be overridden by frontend if token exists
+      smtpConfigured: isSmtpConfigured()
     });
   } catch (error) {
     console.error('Auth status error:', error);
@@ -21,37 +23,106 @@ router.get('/status', async (req, res) => {
   }
 });
 
-// User registration - first user becomes admin
-router.post('/register', async (req, res) => {
+// Send verification code to email
+router.post('/send-code', async (req, res) => {
   try {
-    const { username, password } = req.body;
+    const { email } = req.body;
+    const ipAddress = req.ip || req.socket?.remoteAddress;
 
-    if (!username || !password) {
-      return res.status(400).json({ error: 'Username and password are required' });
+    // Validate email format
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!email || !emailRegex.test(email)) {
+      return res.status(400).json({ error: '请输入有效的邮箱地址' });
+    }
+
+    // Check if SMTP is configured
+    if (!isSmtpConfigured()) {
+      return res.status(500).json({ error: 'SMTP 未配置，请联系管理员' });
     }
 
-    if (username.length < 3 || password.length < 6) {
-      return res.status(400).json({
-        error: 'Username must be at least 3 characters, password at least 6 characters'
-      });
+    // Check rate limit
+    const rateCheck = verificationDb.canSendCode(email);
+    if (!rateCheck.allowed) {
+      if (rateCheck.error === 'rate_limit_email') {
+        return res.status(429).json({
+          error: '发送过于频繁，请稍后再试',
+          waitSeconds: rateCheck.waitSeconds
+        });
+      }
+      return res.status(429).json({ error: '今日发送次数已达上限' });
     }
 
-    // Check if this is the first user (becomes admin)
-    const userCount = userDb.getUserCount();
-    const role = userCount === 0 ? 'admin' : 'user';
-    const uuid = uuidv4();
+    // Determine if this is login or registration
+    const existingUser = userDb.getUserByEmail(email);
+    const type = existingUser ? 'login' : 'register';
 
-    // Hash password
-    const saltRounds = 12;
-    const passwordHash = await bcrypt.hash(password, saltRounds);
+    // For new registrations, check domain whitelist
+    if (type === 'register') {
+      if (!domainWhitelistDb.isEmailAllowed(email)) {
+        return res.status(403).json({ error: '该邮箱域名不在允许注册的列表中' });
+      }
+    }
+
+    // Generate and store code
+    const { code } = verificationDb.createCode(email, type, ipAddress);
+
+    // Send email
+    await sendVerificationCode(email, code);
 
-    // Create user with full details
-    const user = userDb.createUserFull(username, passwordHash, uuid, role);
+    res.json({
+      success: true,
+      type, // 'login' or 'register' - frontend can show appropriate message
+      message: '验证码已发送'
+    });
+
+  } catch (error) {
+    console.error('Send code error:', error);
+    res.status(500).json({ error: '发送验证码失败，请稍后再试' });
+  }
+});
+
+// Verify code and login/register
+router.post('/verify-code', async (req, res) => {
+  try {
+    const { email, code } = req.body;
+
+    if (!email || !code) {
+      return res.status(400).json({ error: '邮箱和验证码不能为空' });
+    }
 
-    // Initialize user directories (creates .claude.json with hasCompletedOnboarding=true)
-    await initUserDirectories(uuid);
+    // Verify the code
+    const verification = verificationDb.verifyCode(email, code);
 
-    // Generate token
+    if (!verification.valid) {
+      // Increment attempts for failed verification
+      verificationDb.incrementAttempts(email, code);
+
+      if (verification.error === 'max_attempts') {
+        return res.status(429).json({ error: '验证码尝试次数过多，请重新获取' });
+      }
+      return res.status(401).json({ error: '验证码无效或已过期' });
+    }
+
+    let user = userDb.getUserByEmail(email);
+
+    // If user doesn't exist, create new user (registration)
+    if (!user) {
+      const userCount = userDb.getUserCount();
+      const role = userCount === 0 ? 'admin' : 'user';
+      const uuid = uuidv4();
+
+      user = userDb.createUserWithEmail(email, uuid, role);
+
+      // Initialize user directories
+      await initUserDirectories(uuid);
+    }
+
+    // Check if user is disabled
+    if (user.status === 'disabled') {
+      return res.status(403).json({ error: '账户已被禁用' });
+    }
+
+    // Generate token with 30-day expiration
     const token = generateToken(user);
 
     // Update last login
@@ -61,7 +132,8 @@ router.post('/register', async (req, res) => {
       success: true,
       user: {
         id: user.id,
-        username: user.username,
+        email: user.email,
+        username: user.username || user.email,
         uuid: user.uuid,
         role: user.role
       },
@@ -69,37 +141,38 @@ router.post('/register', async (req, res) => {
     });
 
   } catch (error) {
-    console.error('Registration error:', error);
-    if (error.code === 'SQLITE_CONSTRAINT_UNIQUE') {
-      res.status(409).json({ error: 'Username already exists' });
-    } else {
-      res.status(500).json({ error: 'Internal server error' });
-    }
+    console.error('Verify code error:', error);
+    res.status(500).json({ error: 'Internal server error' });
   }
 });
 
-// User login
+// User login with username/password (for admin-created accounts)
 router.post('/login', async (req, res) => {
   try {
     const { username, password } = req.body;
 
     if (!username || !password) {
-      return res.status(400).json({ error: 'Username and password are required' });
+      return res.status(400).json({ error: '用户名和密码不能为空' });
     }
 
     const user = userDb.getUserByUsername(username);
     if (!user) {
-      return res.status(401).json({ error: 'Invalid username or password' });
+      return res.status(401).json({ error: '用户名或密码错误' });
+    }
+
+    // Check if user has a password (admin-created account)
+    if (!user.password_hash) {
+      return res.status(401).json({ error: '此账户不支持密码登录' });
     }
 
     // Check if user is disabled
     if (user.status === 'disabled') {
-      return res.status(403).json({ error: 'Account has been disabled' });
+      return res.status(403).json({ error: '账户已被禁用' });
     }
 
     const isValidPassword = await bcrypt.compare(password, user.password_hash);
     if (!isValidPassword) {
-      return res.status(401).json({ error: 'Invalid username or password' });
+      return res.status(401).json({ error: '用户名或密码错误' });
     }
 
     const token = generateToken(user);
@@ -110,6 +183,7 @@ router.post('/login', async (req, res) => {
       user: {
         id: user.id,
         username: user.username,
+        email: user.email,
         uuid: user.uuid,
         role: user.role
       },
@@ -127,7 +201,8 @@ router.get('/user', authenticateToken, (req, res) => {
   res.json({
     user: {
       id: req.user.id,
-      username: req.user.username,
+      username: req.user.username || req.user.email,
+      email: req.user.email,
       uuid: req.user.uuid,
       role: req.user.role
     }
@@ -141,4 +216,4 @@ router.post('/logout', authenticateToken, (req, res) => {
   res.json({ success: true, message: 'Logged out successfully' });
 });
 
-export default router;
+export default router;

package/server/routes/skills.js

@@ -5,6 +5,7 @@ import { spawn } from 'child_process';
 import multer from 'multer';
 import AdmZip from 'adm-zip';
 import { getUserPaths, getPublicPaths, DATA_DIR } from '../services/user-directories.js';
+import { markBuiltinSkillRemoved, isBuiltinSkillPath } from '../services/builtin-skills.js';
 
 const router = express.Router();
 
@@ -238,6 +239,8 @@ router.get('/', async (req, res) => {
             if (repoMatch) {
               repository = `${repoMatch[1]}/${repoMatch[2]}`;
             }
+          } else if (realPath.includes('/builtin-skills/')) {
+            source = 'builtin';
           }
         }
 
@@ -374,12 +377,14 @@ router.delete('/:name', async (req, res) => {
     // Check the symlink target to determine source
     let realPath = null;
     let isImported = false;
+    let isBuiltin = false;
 
     try {
       const stat = await fs.lstat(linkPath);
       if (stat.isSymbolicLink()) {
         realPath = await fs.realpath(linkPath);
         isImported = realPath.includes('/skills-import/');
+        isBuiltin = isBuiltinSkillPath(realPath);
       }
     } catch (err) {
       return res.status(404).json({ error: 'Skill not found' });
@@ -395,6 +400,9 @@ router.delete('/:name', async (req, res) => {
       } catch (err) {
         console.error('Error removing imported skill files:', err);
       }
+    } else if (isBuiltin) {
+      // Mark as removed so it won't be re-added on next sync
+      await markBuiltinSkillRemoved(userUuid, name);
     }
 
     res.json({ success: true, message: 'Skill deleted' });

package/server/services/builtin-skills.js

@@ -0,0 +1,147 @@
+import { promises as fs } from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { getUserPaths } from './user-directories.js';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// Path to built-in skills directory
+const BUILTIN_SKILLS_DIR = path.join(__dirname, '../builtin-skills');
+
+// State file version for future migrations
+const STATE_VERSION = 1;
+
+/**
+ * Get list of all available built-in skills
+ */
+export async function getBuiltinSkills() {
+  const skills = [];
+
+  try {
+    const entries = await fs.readdir(BUILTIN_SKILLS_DIR, { withFileTypes: true });
+
+    for (const entry of entries) {
+      if (entry.isDirectory() && !entry.name.startsWith('.')) {
+        const skillPath = path.join(BUILTIN_SKILLS_DIR, entry.name);
+
+        // Check for SKILLS.md or SKILL.md
+        const skillsFile = path.join(skillPath, 'SKILLS.md');
+        const skillFile = path.join(skillPath, 'SKILL.md');
+
+        try {
+          // Try SKILLS.md first, then SKILL.md
+          let found = false;
+          try {
+            await fs.access(skillsFile);
+            found = true;
+          } catch {
+            await fs.access(skillFile);
+            found = true;
+          }
+
+          if (found) {
+            skills.push({
+              name: entry.name,
+              path: skillPath
+            });
+          }
+        } catch {
+          // Skip if neither file exists
+        }
+      }
+    }
+  } catch (err) {
+    if (err.code !== 'ENOENT') {
+      console.error('Error reading builtin skills:', err);
+    }
+  }
+
+  return skills;
+}
+
+/**
+ * Get path to user's builtin skills state file
+ */
+function getStatePath(userUuid) {
+  const userPaths = getUserPaths(userUuid);
+  return path.join(userPaths.claudeDir, '.builtin-skills-state.json');
+}
+
+/**
+ * Load user's builtin skills state
+ */
+export async function loadBuiltinSkillsState(userUuid) {
+  try {
+    const statePath = getStatePath(userUuid);
+    const content = await fs.readFile(statePath, 'utf-8');
+    return JSON.parse(content);
+  } catch {
+    return {
+      version: STATE_VERSION,
+      removedSkills: []
+    };
+  }
+}
+
+/**
+ * Save user's builtin skills state
+ */
+export async function saveBuiltinSkillsState(userUuid, state) {
+  const statePath = getStatePath(userUuid);
+  await fs.writeFile(statePath, JSON.stringify(state, null, 2));
+}
+
+/**
+ * Initialize built-in skills for a user
+ * Creates symlinks for all built-in skills not in user's removed list
+ */
+export async function initBuiltinSkills(userUuid) {
+  const userPaths = getUserPaths(userUuid);
+  const builtinSkills = await getBuiltinSkills();
+  const state = await loadBuiltinSkillsState(userUuid);
+
+  for (const skill of builtinSkills) {
+    // Skip if user has explicitly removed this skill
+    if (state.removedSkills.includes(skill.name)) {
+      continue;
+    }
+
+    const linkPath = path.join(userPaths.skillsDir, skill.name);
+
+    try {
+      // Check if link already exists
+      await fs.lstat(linkPath);
+      // Link exists, skip
+    } catch {
+      // Link doesn't exist, create it
+      try {
+        await fs.symlink(skill.path, linkPath);
+        console.log(`Created builtin skill symlink: ${skill.name}`);
+      } catch (err) {
+        console.error(`Error creating builtin skill symlink ${skill.name}:`, err);
+      }
+    }
+  }
+}
+
+/**
+ * Mark a built-in skill as removed by user
+ */
+export async function markBuiltinSkillRemoved(userUuid, skillName) {
+  const state = await loadBuiltinSkillsState(userUuid);
+
+  if (!state.removedSkills.includes(skillName)) {
+    state.removedSkills.push(skillName);
+    await saveBuiltinSkillsState(userUuid, state);
+  }
+}
+
+/**
+ * Check if a path is a built-in skill
+ */
+export function isBuiltinSkillPath(realPath) {
+  return realPath?.includes('/builtin-skills/') ?? false;
+}
+
+export { BUILTIN_SKILLS_DIR };

package/server/services/email.js

@@ -0,0 +1,90 @@
+import nodemailer from 'nodemailer';
+
+// SMTP configuration from environment variables
+const getSmtpConfig = () => {
+  const config = {
+    host: process.env.SMTP_SERVER,
+    port: parseInt(process.env.SMTP_PORT) || 587,
+    secure: process.env.SMTP_USE_TLS === 'true', // true for 465, false for other ports
+    auth: {
+      user: process.env.SMTP_USERNAME,
+      pass: process.env.SMTP_PASSWORD,
+    },
+  };
+
+  // Handle opportunistic TLS (STARTTLS)
+  if (process.env.SMTP_OPPORTUNISTIC_TLS === 'true') {
+    config.secure = false;
+    config.tls = {
+      rejectUnauthorized: false, // Allow self-signed certificates
+    };
+  }
+
+  return config;
+};
+
+// Check if SMTP is configured
+export const isSmtpConfigured = () => {
+  return !!(process.env.SMTP_SERVER && process.env.SMTP_USERNAME && process.env.SMTP_PASSWORD);
+};
+
+// Create transporter lazily (only when needed)
+let transporter = null;
+
+const getTransporter = () => {
+  if (!transporter) {
+    if (!isSmtpConfigured()) {
+      throw new Error('SMTP is not configured. Please set SMTP_SERVER, SMTP_USERNAME, and SMTP_PASSWORD environment variables.');
+    }
+    transporter = nodemailer.createTransport(getSmtpConfig());
+  }
+  return transporter;
+};
+
+// Send verification code email
+export const sendVerificationCode = async (email, code) => {
+  const transport = getTransporter();
+  const fromAddress = process.env.SMTP_FROM || process.env.SMTP_USERNAME;
+
+  const mailOptions = {
+    from: fromAddress,
+    to: email,
+    subject: 'AgentHub 登录验证码',
+    html: `
+      <div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; max-width: 600px; margin: 0 auto; padding: 20px;">
+        <div style="text-align: center; margin-bottom: 30px;">
+          <h1 style="color: #1a1a1a; font-size: 24px; margin: 0;">AgentHub</h1>
+        </div>
+        <div style="background-color: #f8f9fa; border-radius: 8px; padding: 30px; text-align: center;">
+          <h2 style="color: #1a1a1a; font-size: 20px; margin: 0 0 20px 0;">您的验证码</h2>
+          <div style="font-size: 36px; font-weight: bold; color: #2563eb; letter-spacing: 8px; margin: 20px 0; font-family: monospace;">
+            ${code}
+          </div>
+          <p style="color: #666; font-size: 14px; margin: 20px 0 0 0;">
+            验证码有效期为 <strong>5 分钟</strong>，请尽快使用。
+          </p>
+        </div>
+        <div style="margin-top: 30px; padding-top: 20px; border-top: 1px solid #eee; text-align: center;">
+          <p style="color: #999; font-size: 12px; margin: 0;">
+            如果您没有请求此验证码，请忽略此邮件。
+          </p>
+        </div>
+      </div>
+    `,
+    text: `您的 AgentHub 登录验证码是：${code}，有效期 5 分钟。如果您没有请求此验证码，请忽略此邮件。`,
+  };
+
+  return transport.sendMail(mailOptions);
+};
+
+// Verify SMTP connection
+export const verifySmtpConnection = async () => {
+  try {
+    const transport = getTransporter();
+    await transport.verify();
+    return { success: true };
+  } catch (error) {
+    console.error('SMTP connection verification failed:', error);
+    return { success: false, error: error.message };
+  }
+};

package/server/services/user-directories.js

@@ -1,5 +1,6 @@
 import { promises as fs } from 'fs';
 import path from 'path';
+import { initBuiltinSkills } from './builtin-skills.js';
 
 // Base data directory (configurable via env)
 const DATA_DIR = process.env.DATA_DIR || path.join(process.cwd(), 'data');
@@ -85,6 +86,9 @@ export async function initUserDirectories(userUuid) {
   await fs.writeFile(usageScanStatePath, JSON.stringify(scanState, null, 2));
   console.log(`Created .usage-scan-state.json for user ${userUuid}`);
 
+  // Initialize built-in skills
+  await initBuiltinSkills(userUuid);
+
   return paths;
 }