@ian2018cs/agenthub 0.1.1 → 0.1.2

package/server/routes/auth.js

@@ -1,9 +1,10 @@
 import express from 'express';
 import bcrypt from 'bcrypt';
 import { v4 as uuidv4 } from 'uuid';
-import { userDb, db } from '../database/db.js';
+import { userDb, verificationDb, domainWhitelistDb } from '../database/db.js';
 import { generateToken, authenticateToken } from '../middleware/auth.js';
 import { initUserDirectories } from '../services/user-directories.js';
+import { sendVerificationCode, isSmtpConfigured } from '../services/email.js';
 
 const router = express.Router();
 
@@ -11,9 +12,10 @@ const router = express.Router();
 router.get('/status', async (req, res) => {
   try {
     const hasUsers = await userDb.hasUsers();
-    res.json({ 
+    res.json({
       needsSetup: !hasUsers,
-      isAuthenticated: false // Will be overridden by frontend if token exists
+      isAuthenticated: false, // Will be overridden by frontend if token exists
+      smtpConfigured: isSmtpConfigured()
     });
   } catch (error) {
     console.error('Auth status error:', error);
@@ -21,37 +23,106 @@ router.get('/status', async (req, res) => {
   }
 });
 
-// User registration - first user becomes admin
-router.post('/register', async (req, res) => {
+// Send verification code to email
+router.post('/send-code', async (req, res) => {
   try {
-    const { username, password } = req.body;
+    const { email } = req.body;
+    const ipAddress = req.ip || req.socket?.remoteAddress;
 
-    if (!username || !password) {
-      return res.status(400).json({ error: 'Username and password are required' });
+    // Validate email format
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!email || !emailRegex.test(email)) {
+      return res.status(400).json({ error: '请输入有效的邮箱地址' });
+    }
+
+    // Check if SMTP is configured
+    if (!isSmtpConfigured()) {
+      return res.status(500).json({ error: 'SMTP 未配置，请联系管理员' });
     }
 
-    if (username.length < 3 || password.length < 6) {
-      return res.status(400).json({
-        error: 'Username must be at least 3 characters, password at least 6 characters'
-      });
+    // Check rate limit
+    const rateCheck = verificationDb.canSendCode(email);
+    if (!rateCheck.allowed) {
+      if (rateCheck.error === 'rate_limit_email') {
+        return res.status(429).json({
+          error: '发送过于频繁，请稍后再试',
+          waitSeconds: rateCheck.waitSeconds
+        });
+      }
+      return res.status(429).json({ error: '今日发送次数已达上限' });
     }
 
-    // Check if this is the first user (becomes admin)
-    const userCount = userDb.getUserCount();
-    const role = userCount === 0 ? 'admin' : 'user';
-    const uuid = uuidv4();
+    // Determine if this is login or registration
+    const existingUser = userDb.getUserByEmail(email);
+    const type = existingUser ? 'login' : 'register';
 
-    // Hash password
-    const saltRounds = 12;
-    const passwordHash = await bcrypt.hash(password, saltRounds);
+    // For new registrations, check domain whitelist
+    if (type === 'register') {
+      if (!domainWhitelistDb.isEmailAllowed(email)) {
+        return res.status(403).json({ error: '该邮箱域名不在允许注册的列表中' });
+      }
+    }
+
+    // Generate and store code
+    const { code } = verificationDb.createCode(email, type, ipAddress);
+
+    // Send email
+    await sendVerificationCode(email, code);
 
-    // Create user with full details
-    const user = userDb.createUserFull(username, passwordHash, uuid, role);
+    res.json({
+      success: true,
+      type, // 'login' or 'register' - frontend can show appropriate message
+      message: '验证码已发送'
+    });
+
+  } catch (error) {
+    console.error('Send code error:', error);
+    res.status(500).json({ error: '发送验证码失败，请稍后再试' });
+  }
+});
+
+// Verify code and login/register
+router.post('/verify-code', async (req, res) => {
+  try {
+    const { email, code } = req.body;
+
+    if (!email || !code) {
+      return res.status(400).json({ error: '邮箱和验证码不能为空' });
+    }
 
-    // Initialize user directories (creates .claude.json with hasCompletedOnboarding=true)
-    await initUserDirectories(uuid);
+    // Verify the code
+    const verification = verificationDb.verifyCode(email, code);
 
-    // Generate token
+    if (!verification.valid) {
+      // Increment attempts for failed verification
+      verificationDb.incrementAttempts(email, code);
+
+      if (verification.error === 'max_attempts') {
+        return res.status(429).json({ error: '验证码尝试次数过多，请重新获取' });
+      }
+      return res.status(401).json({ error: '验证码无效或已过期' });
+    }
+
+    let user = userDb.getUserByEmail(email);
+
+    // If user doesn't exist, create new user (registration)
+    if (!user) {
+      const userCount = userDb.getUserCount();
+      const role = userCount === 0 ? 'admin' : 'user';
+      const uuid = uuidv4();
+
+      user = userDb.createUserWithEmail(email, uuid, role);
+
+      // Initialize user directories
+      await initUserDirectories(uuid);
+    }
+
+    // Check if user is disabled
+    if (user.status === 'disabled') {
+      return res.status(403).json({ error: '账户已被禁用' });
+    }
+
+    // Generate token with 30-day expiration
     const token = generateToken(user);
 
     // Update last login
@@ -61,7 +132,8 @@ router.post('/register', async (req, res) => {
       success: true,
       user: {
         id: user.id,
-        username: user.username,
+        email: user.email,
+        username: user.username || user.email,
         uuid: user.uuid,
         role: user.role
       },
@@ -69,37 +141,38 @@ router.post('/register', async (req, res) => {
     });
 
   } catch (error) {
-    console.error('Registration error:', error);
-    if (error.code === 'SQLITE_CONSTRAINT_UNIQUE') {
-      res.status(409).json({ error: 'Username already exists' });
-    } else {
-      res.status(500).json({ error: 'Internal server error' });
-    }
+    console.error('Verify code error:', error);
+    res.status(500).json({ error: 'Internal server error' });
   }
 });
 
-// User login
+// User login with username/password (for admin-created accounts)
 router.post('/login', async (req, res) => {
   try {
     const { username, password } = req.body;
 
     if (!username || !password) {
-      return res.status(400).json({ error: 'Username and password are required' });
+      return res.status(400).json({ error: '用户名和密码不能为空' });
     }
 
     const user = userDb.getUserByUsername(username);
     if (!user) {
-      return res.status(401).json({ error: 'Invalid username or password' });
+      return res.status(401).json({ error: '用户名或密码错误' });
+    }
+
+    // Check if user has a password (admin-created account)
+    if (!user.password_hash) {
+      return res.status(401).json({ error: '此账户不支持密码登录' });
     }
 
     // Check if user is disabled
     if (user.status === 'disabled') {
-      return res.status(403).json({ error: 'Account has been disabled' });
+      return res.status(403).json({ error: '账户已被禁用' });
     }
 
     const isValidPassword = await bcrypt.compare(password, user.password_hash);
     if (!isValidPassword) {
-      return res.status(401).json({ error: 'Invalid username or password' });
+      return res.status(401).json({ error: '用户名或密码错误' });
     }
 
     const token = generateToken(user);
@@ -110,6 +183,7 @@ router.post('/login', async (req, res) => {
       user: {
         id: user.id,
         username: user.username,
+        email: user.email,
         uuid: user.uuid,
         role: user.role
       },
@@ -127,7 +201,8 @@ router.get('/user', authenticateToken, (req, res) => {
   res.json({
     user: {
       id: req.user.id,
-      username: req.user.username,
+      username: req.user.username || req.user.email,
+      email: req.user.email,
       uuid: req.user.uuid,
       role: req.user.role
     }
@@ -141,4 +216,4 @@ router.post('/logout', authenticateToken, (req, res) => {
   res.json({ success: true, message: 'Logged out successfully' });
 });
 
-export default router;
+export default router;

package/server/services/email.js

@@ -0,0 +1,90 @@
+import nodemailer from 'nodemailer';
+
+// SMTP configuration from environment variables
+const getSmtpConfig = () => {
+  const config = {
+    host: process.env.SMTP_SERVER,
+    port: parseInt(process.env.SMTP_PORT) || 587,
+    secure: process.env.SMTP_USE_TLS === 'true', // true for 465, false for other ports
+    auth: {
+      user: process.env.SMTP_USERNAME,
+      pass: process.env.SMTP_PASSWORD,
+    },
+  };
+
+  // Handle opportunistic TLS (STARTTLS)
+  if (process.env.SMTP_OPPORTUNISTIC_TLS === 'true') {
+    config.secure = false;
+    config.tls = {
+      rejectUnauthorized: false, // Allow self-signed certificates
+    };
+  }
+
+  return config;
+};
+
+// Check if SMTP is configured
+export const isSmtpConfigured = () => {
+  return !!(process.env.SMTP_SERVER && process.env.SMTP_USERNAME && process.env.SMTP_PASSWORD);
+};
+
+// Create transporter lazily (only when needed)
+let transporter = null;
+
+const getTransporter = () => {
+  if (!transporter) {
+    if (!isSmtpConfigured()) {
+      throw new Error('SMTP is not configured. Please set SMTP_SERVER, SMTP_USERNAME, and SMTP_PASSWORD environment variables.');
+    }
+    transporter = nodemailer.createTransport(getSmtpConfig());
+  }
+  return transporter;
+};
+
+// Send verification code email
+export const sendVerificationCode = async (email, code) => {
+  const transport = getTransporter();
+  const fromAddress = process.env.SMTP_FROM || process.env.SMTP_USERNAME;
+
+  const mailOptions = {
+    from: fromAddress,
+    to: email,
+    subject: 'AgentHub 登录验证码',
+    html: `
+      <div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; max-width: 600px; margin: 0 auto; padding: 20px;">
+        <div style="text-align: center; margin-bottom: 30px;">
+          <h1 style="color: #1a1a1a; font-size: 24px; margin: 0;">AgentHub</h1>
+        </div>
+        <div style="background-color: #f8f9fa; border-radius: 8px; padding: 30px; text-align: center;">
+          <h2 style="color: #1a1a1a; font-size: 20px; margin: 0 0 20px 0;">您的验证码</h2>
+          <div style="font-size: 36px; font-weight: bold; color: #2563eb; letter-spacing: 8px; margin: 20px 0; font-family: monospace;">
+            ${code}
+          </div>
+          <p style="color: #666; font-size: 14px; margin: 20px 0 0 0;">
+            验证码有效期为 <strong>5 分钟</strong>，请尽快使用。
+          </p>
+        </div>
+        <div style="margin-top: 30px; padding-top: 20px; border-top: 1px solid #eee; text-align: center;">
+          <p style="color: #999; font-size: 12px; margin: 0;">
+            如果您没有请求此验证码，请忽略此邮件。
+          </p>
+        </div>
+      </div>
+    `,
+    text: `您的 AgentHub 登录验证码是：${code}，有效期 5 分钟。如果您没有请求此验证码，请忽略此邮件。`,
+  };
+
+  return transport.sendMail(mailOptions);
+};
+
+// Verify SMTP connection
+export const verifySmtpConnection = async () => {
+  try {
+    const transport = getTransporter();
+    await transport.verify();
+    return { success: true };
+  } catch (error) {
+    console.error('SMTP connection verification failed:', error);
+    return { success: false, error: error.message };
+  }
+};