@ian2018cs/agenthub 0.1.1 → 0.1.2

package/server/builtin-skills/deploy-frontend/scripts/deploy.py

@@ -14,6 +14,31 @@ import time
 # 默认 nginx 基础目录（可在这里修改）
 DEFAULT_NGINX_BASE_DIR = "/home/xubuntu001/AI/nginx"
 
+def run_docker_command(cmd, **kwargs):
+    """
+    运行 docker 命令，自动处理权限问题
+
+    Args:
+        cmd: 命令列表
+        **kwargs: 传递给 subprocess.run 的其他参数
+
+    Returns:
+        subprocess.CompletedProcess 对象
+    """
+    try:
+        # 首先尝试直接运行
+        return subprocess.run(cmd, **kwargs)
+    except (subprocess.CalledProcessError, PermissionError) as e:
+        # 如果失败，尝试使用 sg docker -c 运行
+        if 'check' in kwargs:
+            del kwargs['check']  # sg 会处理 check
+
+        # 将命令转换为 sg docker -c 格式
+        cmd_str = ' '.join(str(arg) for arg in cmd)
+        sg_cmd = ['sg', 'docker', '-c', cmd_str]
+
+        return subprocess.run(sg_cmd, **kwargs)
+
 def find_available_port(start_port=8080, max_attempts=100):
     """查找可用端口"""
     for port in range(start_port, start_port + max_attempts):
@@ -58,7 +83,7 @@ def create_nginx_conf(project_id, port, nginx_base_dir):
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript;
 
     # 缓存静态资源
-    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {{
+    location ~* \\.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {{
         expires 1y;
         add_header Cache-Control "public, immutable";
     }}
@@ -78,7 +103,7 @@ def reload_nginx(nginx_base_dir):
         raise RuntimeError(f"docker-compose.yml 不存在: {compose_file}")
 
     # 检查容器是否运行
-    result = subprocess.run(
+    result = run_docker_command(
         ["docker", "ps", "--filter", "name=nginx-web", "--format", "{{.Names}}"],
         capture_output=True,
         text=True,
@@ -88,15 +113,15 @@ def reload_nginx(nginx_base_dir):
     if "nginx-web" not in result.stdout:
         # 容器未运行，启动它
         print("启动 nginx 容器...")
-        subprocess.run(
-            ["docker-compose", "up", "-d"],
+        run_docker_command(
+            ["docker", "compose", "up", "-d"],
             cwd=nginx_base_dir,
             check=True
         )
     else:
         # 重新加载配置
         print("重新加载 nginx 配置...")
-        subprocess.run(
+        run_docker_command(
             ["docker", "exec", "nginx-web", "nginx", "-s", "reload"],
             check=True
         )

package/server/database/db.js

@@ -63,6 +63,23 @@ const runMigrations = () => {
     const tableInfo = db.prepare("PRAGMA table_info(users)").all();
     const columnNames = tableInfo.map(col => col.name);
 
+    // Create verification_codes table for email login
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS verification_codes (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        email TEXT NOT NULL,
+        code TEXT NOT NULL,
+        type TEXT DEFAULT 'login' CHECK(type IN ('login', 'register')),
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        expires_at DATETIME NOT NULL,
+        attempts INTEGER DEFAULT 0,
+        used BOOLEAN DEFAULT 0,
+        ip_address TEXT
+      )
+    `);
+    db.exec('CREATE INDEX IF NOT EXISTS idx_verification_codes_email ON verification_codes(email)');
+    db.exec('CREATE INDEX IF NOT EXISTS idx_verification_codes_expires ON verification_codes(expires_at)');
+
     // Create usage_records table for tracking token usage
     db.exec(`
       CREATE TABLE IF NOT EXISTS usage_records (
@@ -138,6 +155,25 @@ const runMigrations = () => {
     // Create index for status (safe to run even if already exists)
     db.exec('CREATE INDEX IF NOT EXISTS idx_users_status ON users(status)');
 
+    // Add email column if not exists (for email verification login)
+    if (!columnNames.includes('email')) {
+      console.log('Running migration: Adding email column');
+      db.exec('ALTER TABLE users ADD COLUMN email TEXT');
+    }
+    db.exec('CREATE UNIQUE INDEX IF NOT EXISTS idx_users_email ON users(email)');
+
+    // Create email domain whitelist table
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS email_domain_whitelist (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT UNIQUE NOT NULL,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        created_by INTEGER,
+        FOREIGN KEY (created_by) REFERENCES users(id)
+      )
+    `);
+    db.exec('CREATE INDEX IF NOT EXISTS idx_email_domain_whitelist_domain ON email_domain_whitelist(domain)');
+
     console.log('Database migrations completed successfully');
   } catch (error) {
     console.error('Error running migrations:', error.message);
@@ -282,7 +318,7 @@ const userDb = {
   getAllUsers: () => {
     try {
       return db.prepare(
-        'SELECT id, username, uuid, role, status, created_at, last_login FROM users ORDER BY created_at DESC'
+        'SELECT id, username, email, uuid, role, status, created_at, last_login FROM users ORDER BY created_at DESC'
       ).all();
     } catch (err) {
       throw err;
@@ -314,6 +350,142 @@ const userDb = {
     } catch (err) {
       throw err;
     }
+  },
+
+  // Get user by email
+  getUserByEmail: (email) => {
+    try {
+      return db.prepare('SELECT * FROM users WHERE email = ? AND is_active = 1').get(email);
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Create user with email (for email verification login)
+  createUserWithEmail: (email, uuid, role) => {
+    try {
+      const stmt = db.prepare(
+        'INSERT INTO users (email, uuid, role) VALUES (?, ?, ?)'
+      );
+      const result = stmt.run(email, uuid, role);
+      return { id: result.lastInsertRowid, email, uuid, role };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Check if email exists
+  emailExists: (email) => {
+    try {
+      const row = db.prepare('SELECT COUNT(*) as count FROM users WHERE email = ?').get(email);
+      return row.count > 0;
+    } catch (err) {
+      throw err;
+    }
+  }
+};
+
+// Verification codes database operations
+const verificationDb = {
+  // Generate and store verification code
+  createCode: (email, type = 'login', ipAddress = null) => {
+    try {
+      const code = Math.floor(100000 + Math.random() * 900000).toString(); // 6-digit code
+      const expiresAt = new Date(Date.now() + 5 * 60 * 1000).toISOString(); // 5 minutes
+
+      const stmt = db.prepare(`
+        INSERT INTO verification_codes (email, code, type, expires_at, ip_address)
+        VALUES (?, ?, ?, ?, ?)
+      `);
+      const result = stmt.run(email, code, type, expiresAt, ipAddress);
+      return { id: result.lastInsertRowid, code };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Verify code and check if valid
+  verifyCode: (email, code) => {
+    try {
+      const now = new Date().toISOString();
+
+      // Find valid, unused code
+      const record = db.prepare(`
+        SELECT * FROM verification_codes
+        WHERE email = ? AND code = ? AND used = 0 AND expires_at > ?
+        ORDER BY created_at DESC LIMIT 1
+      `).get(email, code, now);
+
+      if (!record) {
+        return { valid: false, error: 'invalid_code' };
+      }
+
+      if (record.attempts >= 5) {
+        return { valid: false, error: 'max_attempts' };
+      }
+
+      // Mark as used
+      db.prepare('UPDATE verification_codes SET used = 1 WHERE id = ?').run(record.id);
+
+      return { valid: true, type: record.type };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Increment attempt count
+  incrementAttempts: (email, code) => {
+    try {
+      db.prepare(`
+        UPDATE verification_codes SET attempts = attempts + 1
+        WHERE email = ? AND code = ? AND used = 0
+      `).run(email, code);
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Check rate limit for sending codes
+  canSendCode: (email) => {
+    try {
+      const oneMinuteAgo = new Date(Date.now() - 60 * 1000).toISOString();
+      const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000).toISOString();
+
+      // Check per-email rate limit (1 per minute)
+      const recentByEmail = db.prepare(`
+        SELECT COUNT(*) as count FROM verification_codes
+        WHERE email = ? AND created_at > ?
+      `).get(email, oneMinuteAgo);
+
+      if (recentByEmail.count >= 1) {
+        return { allowed: false, error: 'rate_limit_email', waitSeconds: 60 };
+      }
+
+      // Check per-email hourly limit (10 per hour)
+      const hourlyByEmail = db.prepare(`
+        SELECT COUNT(*) as count FROM verification_codes
+        WHERE email = ? AND created_at > ?
+      `).get(email, oneHourAgo);
+
+      if (hourlyByEmail.count >= 10) {
+        return { allowed: false, error: 'rate_limit_hourly' };
+      }
+
+      return { allowed: true };
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Cleanup expired codes
+  cleanupExpired: () => {
+    try {
+      const now = new Date().toISOString();
+      const result = db.prepare('DELETE FROM verification_codes WHERE expires_at < ?').run(now);
+      return result.changes;
+    } catch (err) {
+      throw err;
+    }
   }
 };
 
@@ -516,9 +688,81 @@ const usageDb = {
   }
 };
 
+// Email domain whitelist database operations
+const domainWhitelistDb = {
+  // Get all whitelisted domains
+  getAllDomains: () => {
+    try {
+      return db.prepare('SELECT * FROM email_domain_whitelist ORDER BY domain ASC').all();
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Add a domain to whitelist
+  addDomain: (domain, createdBy = null) => {
+    try {
+      const normalizedDomain = domain.toLowerCase().trim();
+      const stmt = db.prepare('INSERT INTO email_domain_whitelist (domain, created_by) VALUES (?, ?)');
+      const result = stmt.run(normalizedDomain, createdBy);
+      return { id: result.lastInsertRowid, domain: normalizedDomain };
+    } catch (err) {
+      if (err.code === 'SQLITE_CONSTRAINT_UNIQUE') {
+        throw new Error('域名已存在');
+      }
+      throw err;
+    }
+  },
+
+  // Remove a domain from whitelist
+  removeDomain: (id) => {
+    try {
+      const result = db.prepare('DELETE FROM email_domain_whitelist WHERE id = ?').run(id);
+      return result.changes > 0;
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Check if email domain is allowed
+  isEmailAllowed: (email) => {
+    try {
+      // First check if whitelist is empty (allow all if no restrictions)
+      const count = db.prepare('SELECT COUNT(*) as count FROM email_domain_whitelist').get();
+      if (count.count === 0) {
+        return true; // No whitelist configured, allow all
+      }
+
+      // Extract domain from email
+      const domain = email.toLowerCase().split('@')[1];
+      if (!domain) {
+        return false;
+      }
+
+      // Check if domain is in whitelist
+      const row = db.prepare('SELECT id FROM email_domain_whitelist WHERE domain = ?').get(domain);
+      return !!row;
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Get whitelist count
+  getCount: () => {
+    try {
+      const row = db.prepare('SELECT COUNT(*) as count FROM email_domain_whitelist').get();
+      return row.count;
+    } catch (err) {
+      throw err;
+    }
+  }
+};
+
 export {
   db,
   initializeDatabase,
   userDb,
-  usageDb
+  usageDb,
+  verificationDb,
+  domainWhitelistDb
 };

package/server/database/init.sql

@@ -2,10 +2,14 @@
 PRAGMA foreign_keys = ON;
 
 -- Users table (multi-user system)
+-- Supports two login methods:
+-- 1. Email verification code (email field, no password_hash)
+-- 2. Username/password (username + password_hash, created by admin)
 CREATE TABLE IF NOT EXISTS users (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
-    username TEXT UNIQUE NOT NULL,
-    password_hash TEXT NOT NULL,
+    username TEXT UNIQUE,
+    password_hash TEXT,
+    email TEXT UNIQUE,
     uuid TEXT,
     role TEXT DEFAULT 'user' CHECK(role IN ('admin', 'user')),
     status TEXT DEFAULT 'active' CHECK(status IN ('active', 'disabled')),
@@ -20,4 +24,32 @@ CREATE TABLE IF NOT EXISTS users (
 -- Indexes for performance (base indexes only)
 -- Note: Indexes for uuid, role, status are created in migrations to support upgrades
 CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
-CREATE INDEX IF NOT EXISTS idx_users_active ON users(is_active);
+CREATE INDEX IF NOT EXISTS idx_users_active ON users(is_active);
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+
+-- Verification codes table for email login
+CREATE TABLE IF NOT EXISTS verification_codes (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    email TEXT NOT NULL,
+    code TEXT NOT NULL,
+    type TEXT DEFAULT 'login' CHECK(type IN ('login', 'register')),
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    expires_at DATETIME NOT NULL,
+    attempts INTEGER DEFAULT 0,
+    used BOOLEAN DEFAULT 0,
+    ip_address TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_verification_codes_email ON verification_codes(email);
+CREATE INDEX IF NOT EXISTS idx_verification_codes_expires ON verification_codes(expires_at);
+
+-- Email domain whitelist for registration
+CREATE TABLE IF NOT EXISTS email_domain_whitelist (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    domain TEXT UNIQUE NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    created_by INTEGER,
+    FOREIGN KEY (created_by) REFERENCES users(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_email_domain_whitelist_domain ON email_domain_whitelist(domain);

package/server/middleware/auth.js

@@ -65,17 +65,18 @@ const authenticateToken = async (req, res, next) => {
   }
 };
 
-// Generate JWT token (never expires)
+// Generate JWT token with 30-day expiration
 const generateToken = (user) => {
   return jwt.sign(
     {
       userId: user.id,
-      username: user.username,
+      username: user.username || user.email,
+      email: user.email,
       uuid: user.uuid,
       role: user.role
     },
-    JWT_SECRET
-    // No expiration - token lasts forever
+    JWT_SECRET,
+    { expiresIn: '30d' } // 30-day expiration
   );
 };
 

package/server/routes/admin.js

@@ -1,7 +1,9 @@
 import express from 'express';
-import { userDb } from '../database/db.js';
+import bcrypt from 'bcrypt';
+import { v4 as uuidv4 } from 'uuid';
+import { userDb, domainWhitelistDb } from '../database/db.js';
 import { authenticateToken } from '../middleware/auth.js';
-import { deleteUserDirectories } from '../services/user-directories.js';
+import { deleteUserDirectories, initUserDirectories } from '../services/user-directories.js';
 
 const router = express.Router();
 
@@ -28,6 +30,58 @@ router.get('/users', (req, res) => {
   }
 });
 
+// Create a new user with username and password (admin only)
+router.post('/users', async (req, res) => {
+  try {
+    const { username, password } = req.body;
+
+    if (!username || !password) {
+      return res.status(400).json({ error: '用户名和密码不能为空' });
+    }
+
+    if (username.length < 3 || password.length < 6) {
+      return res.status(400).json({
+        error: '用户名至少3个字符，密码至少6个字符'
+      });
+    }
+
+    // Check if username already exists
+    const existingUser = userDb.getUserByUsername(username);
+    if (existingUser) {
+      return res.status(409).json({ error: '用户名已存在' });
+    }
+
+    // Hash password
+    const saltRounds = 12;
+    const passwordHash = await bcrypt.hash(password, saltRounds);
+
+    // Create user
+    const uuid = uuidv4();
+    const user = userDb.createUserFull(username, passwordHash, uuid, 'user');
+
+    // Initialize user directories
+    await initUserDirectories(uuid);
+
+    res.json({
+      success: true,
+      user: {
+        id: user.id,
+        username: user.username,
+        uuid: user.uuid,
+        role: user.role
+      }
+    });
+
+  } catch (error) {
+    console.error('Error creating user:', error);
+    if (error.code === 'SQLITE_CONSTRAINT_UNIQUE') {
+      res.status(409).json({ error: '用户名已存在' });
+    } else {
+      res.status(500).json({ error: '创建用户失败' });
+    }
+  }
+});
+
 // Update user status
 router.patch('/users/:id', (req, res) => {
   try {
@@ -86,4 +140,61 @@ router.delete('/users/:id', async (req, res) => {
   }
 });
 
+// ==================== Email Domain Whitelist ====================
+
+// Get all whitelisted domains
+router.get('/email-domains', (req, res) => {
+  try {
+    const domains = domainWhitelistDb.getAllDomains();
+    res.json({ domains });
+  } catch (error) {
+    console.error('Error fetching email domains:', error);
+    res.status(500).json({ error: '获取域名列表失败' });
+  }
+});
+
+// Add a domain to whitelist
+router.post('/email-domains', (req, res) => {
+  try {
+    const { domain } = req.body;
+
+    if (!domain) {
+      return res.status(400).json({ error: '域名不能为空' });
+    }
+
+    // Validate domain format
+    const domainRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/;
+    if (!domainRegex.test(domain)) {
+      return res.status(400).json({ error: '域名格式无效' });
+    }
+
+    const result = domainWhitelistDb.addDomain(domain, req.user.id);
+    res.json({ success: true, domain: result });
+  } catch (error) {
+    console.error('Error adding email domain:', error);
+    if (error.message === '域名已存在') {
+      res.status(409).json({ error: error.message });
+    } else {
+      res.status(500).json({ error: '添加域名失败' });
+    }
+  }
+});
+
+// Remove a domain from whitelist
+router.delete('/email-domains/:id', (req, res) => {
+  try {
+    const { id } = req.params;
+    const success = domainWhitelistDb.removeDomain(parseInt(id));
+
+    if (success) {
+      res.json({ success: true, message: '域名已删除' });
+    } else {
+      res.status(404).json({ error: '域名不存在' });
+    }
+  } catch (error) {
+    console.error('Error removing email domain:', error);
+    res.status(500).json({ error: '删除域名失败' });
+  }
+});
+
 export default router;